Data Protection (Amendment) Act 2003

Restriction on transfer of personal data outside State.

12.—The following section is substituted for section 11 of the Principal Act:

“11.—(1) The transfer of personal data to a country or territory outside the European Economic Area may not take place unless that country or territory ensures an adequate level of protection for the privacy and the fundamental rights and freedoms of data subjects in relation to the processing of personal data having regard to all the circumstances surrounding the transfer and, in particular, but without prejudice to the generality of the foregoing, to—

(a)  the nature of the data,

(b)  the purposes for which and the period during which the data are intended to be processed,

(c)  the country or territory of origin of the information contained in the data,

(d)  the country or territory of final destination of that information,

(e)  the law in force in the country or territory referred to in paragraph (d),

(f)  any relevant codes of conduct or other rules which are enforceable in that country or territory,

(g)  any security measures taken in respect of the data in that country or territory, and

(h)  the international obligations of that country or territory.

(2) (a) Where in any proceedings under this Act a question arises—

(i)  whether the adequate level of protection specified in subsection (1) of this section is ensured by a country or territory outside the European Economic Area to which personal data are to be transferred, and

(ii) a Community finding has been made in relation to transfers of the kind in question,

the question shall be determined in accordance with that finding.

(b)  In paragraph (a) of this subsection ‘Community finding’ means a finding of the European Commission made for the purposes of paragraph (4) or (6) of Article 25 of the Directive under the procedure provided for in Article 31(2) of the Directive in relation to whether the adequate level of protection specified in subsection (1) of this section is ensured by a country or territory outside the European Economic Area.

(3) The Commissioner shall inform the Commission and the supervisory authorities of the other Member States of any case where he or she considers that a country or territory outside the European Economic Area does not ensure the adequate level of protection referred to in subsection (1) of this section.

(4) (a) This section shall not apply to a transfer of data if—

(i)  the transfer of the data or the information constituting the data is required or authorised by or under—

(I)  any enactment, or

(II) any convention or other instrument imposing an international obligation on the State,

(ii)  the data subject has given his or her consent to the transfer,

(iii) the transfer is necessary—

(I)  for the performance of a contract between the data subject and the data controller, or

(II) for the taking of steps at the request of the data subject with a view to his or her entering into a contract with the data controller,

(iv) the transfer is necessary—

(I)  for the conclusion of a contract between the data controller and a person other than the data subject that—

(A) is entered into at the request of the data subject, and

(B) is in the interests of the data subject, or

(II) for the performance of such a contract,

(v) the transfer is necessary for reasons of substantial public interest,

(vi) the transfer is necessary for the purpose of obtaining legal advice or for the purpose of or in connection with legal proceedings or prospective legal proceedings or is otherwise necessary for the purposes of establishing or defending legal rights,

(vii) the transfer is necessary in order to prevent injury or other damage to the health of the data subject or serious loss of or damage to property of the data subject or otherwise to protect his or her vital interests, and informing the data subject of, or seeking his or her consent to, the transfer is likely to damage his or her vital interests,

(viii) the transfer is of part only of the personal data on a register established by or under an enactment, being—

(I)  a register intended for consultation by the public, or

(II) a register intended for consultation by persons having a legitimate interest in its subject matter,

and, in the case of a register referred to in clause (II) of this subparagraph, the transfer is made, at the request of, or to, a person referred to in that clause and any conditions to which such consultation is subject are complied with by any person to whom the data are or are to be transferred, or

(ix) the transfer has been authorised by the Commissioner where the data controller adduces adequate safeguards with respect to the privacy and fundamental rights and freedoms of individuals and for the exercise by individuals of their relevant rights under this Act or the transfer is made on terms of a kind approved by the Commissioner as ensuring such safeguards.

(b)  The Commissioner shall inform the European Commission and the supervisory authorities of the other states in the European Economic Area of any authorisation or approval under paragraph (a)(ix) of this subsection.

(c)  The Commissioner shall comply with any decision of the European Commission under the procedure laid down in Article 31.2 of the Directive made for the purposes of paragraph 3 or 4 of Article 26 of the Directive.

(5) The Minister may, after consultation with the Commissioner, by regulations specify—

(a)  the circumstances in which a transfer of data is to be taken for the purposes of subsection (4)(a)(v) of this section to be necessary for reasons of substantial public interest, and

(b)  the circumstances in which such a transfer which is not required by or under an enactment is not to be so taken.

(6) Where, in relation to a transfer of data to a country or territory outside the European Economic Area, a data controller adduces the safeguards for the data subject concerned referred to in subsection (4)(a)(ix) of this section by means of a contract embodying the contractual clauses referred to in paragraph 2 or 4 of Article 26 of the Directive, the data subject shall have the same right—

(a)  to enforce a clause of the contract conferring rights on him or her or relating to such rights, and

(b)  to compensation or damages for breach of such a clause,

that he or she would have if he or she were a party to the contract.

(7) The Commissioner may, subject to the provisions of this section, prohibit the transfer of personal data from the State to a place outside the State unless such transfer is required or authorised by or under any enactment or required by any convention or other instrument imposing an international obligation on the State.

(8) In determining whether to prohibit a transfer of personal data under this section, the Commissioner shall also consider whether the transfer would be likely to cause damage or distress to any person and have regard to the desirability of facilitating international transfers of data.

(9) A prohibition under subsection (7) of this section shall be effected by the service of a notice (referred to in this Act as a prohibition notice) on the person proposing to transfer the data concerned.

(10) A prohibition notice shall—

(a)  prohibit the transfer concerned either absolutely or until the person aforesaid has taken such steps as are specified in the notice for protecting the interests of the data subjects concerned,

(b)  specify the time when it is to take effect,

(c)  specify the grounds for the prohibition, and

(d)  subject to subsection (12) of this section, state that the person concerned may appeal to the Court under section 26 of this Act against the prohibition specified in the notice within 21 days from the service of the notice on him or her.

(11) Subject to subsection (12) of this section, the time specified in a prohibition notice for compliance with the prohibition specified therein shall not be expressed to expire before the end of the period of 21 days specified in subsection (10)(d) of this section and, if an appeal is brought against the prohibition, the prohibition need not be complied with and subsection (15) of this section shall not apply in relation thereto, pending the determination or withdrawal of the appeal.

(12) If the Commissioner—

(a) by reason of special circumstances, is of opinion that a prohibition specified in a prohibition notice should be complied with urgently, and

(b)  includes a statement to that effect in the notice,

subsections (10)(d) and (11) of this section shall not apply in relation to the notice but the notice shall contain a statement of the effect of the provisions of section 26 (other than subsection (3)) of this Act and shall not require compliance with the prohibition before the end of the period of 7 days beginning on the date on which the notice is served.

(13) The Commissioner may cancel a prohibition notice and, if he or she does so, shall notify in writing the person on whom it was served accordingly.

(14) (a) This section applies, with any necessary modifications, to a transfer of information from the State to a place outside the State for conversion into personal data as it applies to a transfer of personal data from the State to such a place.

(b) In paragraph (a) of this subsection ‘information’ means information (not being data) relating to a living individual who can be identified from it.

(15) A person who, without reasonable excuse, fails or refuses to comply with a prohibition specified in a prohibition notice shall be guilty of an offence.”.