Companies regularly are asked to transfer data from the United Kingdom to the United States – often in response to US litigation/electronic discovery obligations or demands from US regulators. Whilst many such requests carry the force of law, companies are often unclear on whether such transfers can be made in compliance with the EU Data Protection Directive (the “EU Directive”) and the UK Data Protection Act 1998 (the “UK Act”). In general, such transfers are not favoured under data protection regulations, which seek to protect employees’ personal data and assume that non-EU jurisdictions — including the US — are less protective of data than under EU law. The EU Directive and the UK Act do, however, provide for a number of ways that UK-to-US data transfers can be made in compliance with the requirements of the EU Directive and the UK Act. These include:
• With the consent of employees whose data is to be transferred
• If required for the defence of legal claims (although for US litigation parties probably need to follow Hague Convention procedures prior to the transfer)
• Pursuant to pre-approved contractual provisions
• Pursuant to contractual clauses drafted for a particular transfer
• Transfers to companies with approved “binding corporate rules” and
• Pursuant to the US government’s “safe harbor” program.
This white paper summarises the relevant provisions in the EU Directive and the UK Act and analyses each exception to the data transfer ban.
Companies can enhance their compliance with the EU and UK data protection requirements by utilising EnCase® Enterprise solutions, which enable a company to document compliance by maintaining a detailed log of every investigation and collection. With such documentation, the company can later prove in court precisely what employee information was collected and transferred, evidencing that the company struck a balance between its legitimate purposes and the legitimate privacy rights of its employees. EnCase® Enterprise can also help a company prevent inadvertent cross-border collections of data due to its highly granular, role-based permissioning, which can help prevent US entities from collecting data belonging to UK employees.