Countries outside of the European Economic Area (EEA) will be able to receive personal data from businesses within EU member states under a standard contractual clause newly adopted by the European Commission.
The EU Data Protection Directive 1998 says member states should ensure that transfer of personal data to a country outside the EU only happens if that country "ensures an adequate level of data protection." The new contractual clause will provide a loophole for companies wishing to transfer customer data to countries outside the EU, while maintaining their compliance with European legal safeguards.
The measure is designed to protect personal data against "accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access or any other unlawful forms of processing." The contract will be governed by the local law of the EU country in which the data exporter is located.
Use of the standard contractual clause will be entirely voluntary, but those businesses that do use it will have to make sure that appropriate technical and organisational security measures are in place before the personal data is processed.
At the end of 2001, the European Commission ruled that Canada should be the third non-EU country to be allowed to transfer personal data with EU businesses. Switzerland and Hungary had previously been the only other non-EU countries whose laws were deemed to be compliant with the EU Data Protection Directive.
The transfer of consumer data in the US is currently self-regulated, whereas in the European Union, fines can be imposed for contravening data protection laws. Within the UK, the information commissioner has the power to issue an enforcement notice to any organisation found to be in breach of any of the principles of the Data Protection Act 1998, which could result in a £5,000 fine in magistrate's court, or an unlimited fine in a crown court.
A so-called Safe Harbour agreement came into effect last summer, which was designed to regulate transborder data flows from the EU to the US. It provides guidance for US organisations on how to provide "adequate protection" for personal data from Europe as required by the EU Directive on Data Protection. But to date only 110 organisations have signed up to the agreement.