Honing in on the new rules for the transfer of personal data outside of the EEA
(LONDON) Although no major legislative milestones for the EU Data Protection Regulation have occurred since March 2014 (see status update here), there has been some progress over the late spring and early summer of 2014. One key item that will be of interest to US companies is the Council’s compromise position on a key piece of the Regulation, the rules for the transfer of personal data to countries outside of the European Economic Area (EEA), published on May 28, 2014.
The current mechanisms for legitimizing such transfers, including adequacy assessments, Binding Corporate Rules, model contracts, and express consent, are retained. Also, an important “derogation” for infrequent, small transfers has been endorsed.
The Council’s full wording for the infrequent, small transfer derogation is as follows:
. . . the transfer, which is not large scale or frequent, is necessary for the purposes of legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject and where the controller (…) has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and (…) based on this assessment adduced suitable safeguards with respect to the protection of personal data.
This promises to be a useful tool for companies when a relatively small set of data needs to be transferred, particularly in circumstances (such as employee data) where the EU’s views on the validity of consent makes it difficult to rely on consent as a basis for the transfer.