Transborder Data Flows and Data Privacy Law

Christopher Kuner

Print publication date: 2013

Print ISBN-13: 9780199674619

Published to Oxford Scholarship Online: September 2013

DOI: 10.1093/acprof:oso/9780199674619.001.0001


(p.189) Appendix Data Protection and Privacy Law Instruments Regulating Transborder Data Flows (as of January 2013)

Source: Transborder Data Flows and Data Privacy Law
Publisher: Oxford University Press

Author's note

The following tables contain English versions of provisions in data protection and privacy law instruments from around the world that specifically regulate transborder data flows (ie, instruments and provisions dealing with data transfers in general are not included, except in a few cases). They are current as of 1 January 2013. Unless otherwise noted, only legally binding instruments that are currently in force (in most cases legislation), or influential non-binding instruments promulgated by leading international institutions, have been included. While substantial effort has been made regarding the accuracy of the citations and the translations, and official sources have been used for the latter when available, no guarantees are made in this regard, and in some cases it has been necessary to rely on unofficial translations. The text is a quotation from the relevant provision, except in a few cases where it has been summarized (listed as a ‘paraphrase’). The formatting and numeration are those used in the original text of the provisions.

A. International instruments (binding and non-binding)

Name | Provisions | Text or translation (excerpts; notes are given in italics)

APEC

APEC Privacy Framework

(can be voluntarily implemented in the 21 APEC Member Economies: Australia; Brunei Darussalam; Canada; Chile; the People's Republic of China; Hong Kong, China; Indonesia; Japan; Republic of Korea; Malaysia; Mexico; New Zealand; Papua New Guinea; Peru; The Philippines; Russia; Singapore; Chinese Taipei; Thailand; the United States of America; and Vietnam)

Principle IX (Accountability)

A personal information controller should be accountable for complying with measures that give effect to the Principles stated above. When personal information is to be transferred to another person or organization, whether domestically or internationally, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with these Principles.

Council of Europe

Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 28 January 1981, ETS 108 (1981)

Article 12 Transborder flows of personal data and domestic law

  1. The following provisions shall apply to the transfer across national borders, by whatever medium, of personal data undergoing automatic processing or collected with a view to their being automatically processed.

  2. A Party shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorisation transborder flows of personal data going to the territory of another Party.

  3. Nevertheless, each Party shall be entitled to derogate from the provisions of paragraph 2:

    a. insofar as its legislation includes specific regulations for certain categories of personal data or of automated personal data files, because of the nature of those data or those files, except where the regulations of the other Party provide an equivalent protection;

    b. when the transfer is made from its territory to the territory of a non-contracting State through the intermediary of the territory of another Party, in order to avoid such transfers resulting in circumvention of the legislation of the Party referred to at the beginning of this paragraph.

NOTE: For the states that have ratified or acceded to Convention 108, see http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=108&CM=1&DF=&CL=ENG

Additional Protocol

Article 2 Transborder flows of personal data to a recipient which is not subject to the jurisdiction of a Party to the Convention

  1. Each Party shall provide for the transfer of personal data to a recipient that is subject to the jurisdiction of a State or organisation that is not Party to the Convention only if that State or organisation ensures an adequate level of protection for the intended data transfer.

  2. By way of derogation from paragraph 1 of Article 2 of this Protocol, each Party may allow for the transfer of personal data:

    a. if domestic law provides for it because of:

      • specific interests of the data subject, or

      • legitimate prevailing interests, especially important public interests, or

    b. if safeguards, which can in particular result from contractual clauses, are provided by the controller responsible for the transfer and are found adequate by the competent authorities according to domestic law.

NOTE: For the states that have ratified or acceded to the Additional Protocol, see http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=181&CM=2&DF=&CL=ENG

Recommendation No. R(87)15 of the Committee of Ministers to Member States regulating the use of personal data in the police sector (17 September 1987)

5.4. International communication

Communication of data to foreign authorities should be restricted to police bodies. It should only be permissible:

  a. if there exists a clear legal provision under national or international law,

  b. in the absence of such a provision, if the communication is necessary for the prevention of a serious and imminent danger or is necessary for the suppression of a serious criminal offence under ordinary law, and provided that domestic regulations for the protection of the person are not prejudiced.

Economic Community of West African States (ECOWAS)

Supplementary Act A/SA.1/01/10 on Personal Data Protection within ECOWAS (16 February 2010)

Article 36

  1) The data controller shall transfer personal data to a non-member ECOWAS country only where such a country provides an adequate level of protection for privacy, freedoms and the fundamental rights of individuals in relation to the processing or possible processing of such data.

  2) The data controller shall inform the Data Protection Authority prior to any transfer of personal data to such a third country.

European Union

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, [1995] OJ L281/31 (binding on the 27 EU and the three EEA Member States, see under Section B.)

Article 25

  1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.

  2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.

  3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2.

  4. Where the Commission finds, under the procedure provided for in Article 31(2), that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question.

  5. At the appropriate time, the Commission shall enter into negotiations with a view to remedying the situation resulting from the finding made pursuant to paragraph 4.

  6. The Commission may find, in accordance with the procedure referred to in Article 31(2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.

    Member States shall take the measures necessary to comply with the Commission's decision.

Article 26

  1. By way of derogation from Article 25 and save where otherwise provided by domestic law governing particular cases, Member States shall provide that a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2) may take place on condition that:

    (a) the data subject has given his consent unambiguously to the proposed transfer; or

    (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request; or

    (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or

    (d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or

    (e) the transfer is necessary in order to protect the vital interests of the data subject; or

    (f) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.

  2. Without prejudice to paragraph 1, a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.

  3. The Member State shall inform the Commission and the other Member States of the authorizations it grants pursuant to paragraph 2. If a Member State or the Commission objects on justified grounds involving the protection of the privacy and fundamental rights and freedoms of individuals, the Commission shall take appropriate measures in accordance with the procedure laid down in Article 31(2). Member States shall take the necessary measures to comply with the Commission's decision.

  4. Where the Commission decides, in accordance with the procedure referred to in Article 31(2), that certain standard contractual clauses offer sufficient safeguards as required by paragraph 2, Member States shall take the necessary measures to comply with the Commission's decision.

Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the institutions and bodies of the Community and on the free movement of such data, [2001] OJ L8/1 (applies to the EU institutions)

Article 9

  1. Personal data shall only be transferred to recipients, other than Community institutions and bodies, which are not subject to national law adopted pursuant to Directive 95/46/EC, if an adequate level of protection is ensured in the country of the recipient or within the recipient international organisation and the data are transferred solely to allow tasks covered by the competence of the controller to be carried out.

  2. The adequacy of the level of protection afforded by the third country or international organisation in question shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the recipient third country or recipient international organisation, the rules of law, both general and sectoral, in force in the third country or international organisation in question and the professional rules and security measures which are complied with in that third country or international organisation.

  3. The Community institutions and bodies shall inform the Commission and the European Data Protection Supervisor of cases where they consider the third country or international organisation in question does not ensure an adequate level of protection within the meaning of paragraph 2.

  4. The Commission shall inform the Member States of any cases as referred to in paragraph 3.

  5. The Community institutions and bodies shall take the necessary measures to comply with decisions taken by the Commission when it establishes, pursuant to Article 25(4) and (6) of Directive 95/46/EC, that a third country or an international organisation ensures or does not ensure an adequate level of protection.

  6. By way of derogation from paragraphs 1 and 2, the Community institution or body may transfer personal data if:

    (a) the data subject has given his or her consent unambiguously to the proposed transfer; or

    (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject's request; or

    (c) the transfer is necessary for the conclusion or performance of a contract entered into in the interest of the data subject between the controller and a third party; or

    (d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or

    (e) the transfer is necessary in order to protect the vital interests of the data subject; or

    (f) the transfer is made from a register which, according to Community law, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, to the extent that the conditions laid down in Community law for consultation are fulfilled in the particular case.

  7. Without prejudice to paragraph 6, the European Data Protection Supervisor may authorise a transfer or a set of transfers of personal data to a third country or international organisation which does not ensure an adequate level of protection within the meaning of paragraphs 1 and 2, where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.

  8. The Community institutions and bodies shall inform the European Data Protection Supervisor of categories of cases where they have applied paragraphs 6 and 7.

Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, [2008] OJ L350/60

Article 13 Transfer to competent authorities in third States or to international bodies

  1. Member States shall provide that personal data transmitted or made available by the competent authority of another Member State may be transferred to third States or international bodies, only if:

    (a) it is necessary for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;

    (b) the receiving authority in the third State or receiving international body is responsible for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;

    (c) the Member State from which the data were obtained has given its consent to transfer in compliance with its national law; and

    (d) the third State or international body concerned ensures an adequate level of protection for the intended data processing.

  2. Transfer without prior consent in accordance with paragraph 1(c) shall be permitted only if transfer of the data is essential for the prevention of an immediate and serious threat to public security of a Member State or a third State or to essential interests of a Member State and the prior consent cannot be obtained in good time. The authority responsible for giving consent shall be informed without delay.

  3. By way of derogation from paragraph 1(d), personal data may be transferred if:

    (a) the national law of the Member State transferring the data so provides because of:

      (i) legitimate specific interests of the data subject; or

      (ii) legitimate prevailing interests, especially important public interests; or

    (b) the third State or receiving international body provides safeguards which are deemed adequate by the Member State concerned according to its national law.

  4. The adequacy of the level of protection referred to in paragraph 1(d) shall be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations. Particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the State of origin and the State or international body of final destination of the data, the rules of law, both general and sectoral, in force in the third State or international body in question and the professional rules and security measures which apply.

Excerpts from Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012) 11 final, proposed by the European Commission on 25 January 2012

Article 40 General principle for transfers

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation may only take place if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.

Article 41 Transfers with an adequacy decision

  1. A transfer may take place where the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any further authorisation.

  2. When assessing the adequacy of the level of protection, the Commission shall give consideration to the following elements:

    (a) the rule of law, relevant legislation in force, both general and sectoral, including concerning public security, defence, national security and criminal law, the professional rules and security measures which are complied with in that country or by that international organisation, as well as effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred;

    (b) the existence and effective functioning of one or more independent supervisory authorities in the third country or international organisation in question responsible for ensuring compliance with the data protection rules, for assisting and advising the data subjects in exercising their rights and for co-operation with the supervisory authorities of the Union and of Member States; and

    (c) the international commitments the third country or international organisation in question has entered into.

  3. The Commission may decide that a third country, or a territory or a processing sector within that third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

  4. The implementing act shall specify its geographical and sectoral application, and, where applicable, identify the supervisory authority mentioned in point (b) of paragraph 2.

  5. The Commission may decide that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, in particular in cases where the relevant legislation, both general and sectoral, in force in the third country or international organisation, does not guarantee effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2), or, in cases of extreme urgency for individuals with respect to their right to personal data protection, in accordance with the procedure referred to in Article 87(3).

  6. Where the Commission decides pursuant to paragraph 5, any transfer of personal data to the third country, or a territory or a processing sector within that third country, or the international organisation in question shall be prohibited, without prejudice to Articles 42 to 44. At the appropriate time, the Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation resulting from the Decision made pursuant to paragraph 5 of this Article.

  7. The Commission shall publish in the Official Journal of the European Union a list of those third countries, territories and processing sectors within a third country and international organisations where it has decided that an adequate level of protection is or is not ensured.

  8. Decisions adopted by the Commission on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC shall remain in force, until amended, replaced or repealed by the Commission.

Article 42 Transfers by way of appropriate safeguards

  1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.

  2. The appropriate safeguards referred to in paragraph 1 shall be provided for, in particular, by:

    (a) binding corporate rules in accordance with Article 43; or

    (b) standard data protection clauses adopted by the Commission. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2); or

    (c) standard data protection clauses adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 57 when declared generally valid by the Commission pursuant to point (b) of Article 62(1); or

    (d) contractual clauses between the controller or processor and the recipient of the data authorised by a supervisory authority in accordance with paragraph 4.

  3. A transfer based on standard data protection clauses or binding corporate rules as referred to in points (a), (b) or (c) of paragraph 2 shall not require any further authorisation.

  4. Where a transfer is based on contractual clauses as referred to in point (d) of paragraph 2 of this Article the controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the supervisory authority. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57.

  5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority.

Article 43 Transfers by way of binding corporate rules

  1. A supervisory authority shall in accordance with the consistency mechanism set out in Article 58 approve binding corporate rules, provided that they:

    (a) are legally binding and apply to and are enforced by every member within the controller's or processor's group of undertakings, and include their employees;

    (b) expressly confer enforceable rights on data subjects;

    (c) fulfil the requirements laid down in paragraph 2.

  2. The binding corporate rules shall at least specify:

    (a) the structure and contact details of the group of undertakings and its members;

    (b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

    (c) their legally binding nature, both internally and externally;

    (d) the general data protection principles, in particular purpose limitation, data quality, legal basis for the processing, processing of sensitive personal data; measures to ensure data security; and the requirements for onward transfers to organisations which are not bound by the policies;

    (e) the rights of data subjects and the means to exercise these rights, including the right not to be subject to a measure based on profiling in accordance with Article 20, the right to lodge a complaint before the competent supervisory authority and before the competent courts of the Member States in accordance with Article 75, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;

    (f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member of the group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves that that member is not responsible for the event giving rise to the damage;

    (g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in accordance with Article 11;

    (h) the tasks of the data protection officer designated in accordance with Article 35, including monitoring within the group of undertakings the compliance with the binding corporate rules, as well as monitoring the training and complaint handling;

    (i) the mechanisms within the group of undertakings aiming at ensuring the verification of compliance with the binding corporate rules;

    (j) the mechanisms for reporting and recording changes to the policies and reporting these changes to the supervisory authority;

    (k) the co-operation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, in particular by making available to the supervisory authority the results of the verifications of the measures referred to in point (i) of this paragraph.

  3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for binding corporate rules within the meaning of this Article, in particular as regards the criteria for their approval, the application of points (b), (d), (e) and (f) of paragraph 2 to binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned.

  4. The Commission may specify the format and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

Article 44 Derogations

  1. In the absence of an adequacy decision pursuant to Article 41 or of appropriate safeguards pursuant to Article 42, a transfer or a set of transfers of personal data to a third country or an international organisation may take place only on condition that:

    (a) the data subject has consented to the proposed transfer, after having been informed of the risks of such transfers due to the absence of an adequacy decision and appropriate safeguards; or

    (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request; or

    (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; or

    (d) the transfer is necessary for important grounds of public interest; or

    (e) the transfer is necessary for the establishment, exercise or defence of legal claims; or

    (f) the transfer is necessary in order to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent; or

    (g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case; or

    (h) the transfer is necessary for the purposes of the legitimate interests pursued by the controller or the processor, which cannot be qualified as frequent or massive, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced appropriate safeguards with respect to the protection of personal data, where necessary.

  2. A transfer pursuant to point (g) of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. When the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.

  3. Where the processing is based on point (h) of paragraph 1, the controller or processor shall give particular consideration to the nature of the data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and adduced appropriate safeguards with respect to the protection of personal data, where necessary.

  4. Points (b), (c) and (h) of paragraph 1 shall not apply to activities carried out by public authorities in the exercise of their public powers.

  5. 5. The public interest referred to in point (d) of paragraph 1 must be recognised in Union law or in the law of the Member State to which the controller is subject.

  6. 6. The controller or processor shall document the assessment as well as the appropriate safeguards adduced referred to in point (h) of paragraph 1 of this Article in the documentation referred to in Article 28 and shall inform the supervisory authority of the transfer.

  7. 7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying ‘important grounds of public interest’ within the meaning of point (d) of paragraph 1 as well as the criteria and requirements for appropriate safeguards referred to in point (h) of paragraph 1.

Article 45

International co-operation for the protection of personal data

  1. 1. In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to:

    1. (a) develop effective international co-operation mechanisms to facilitate the enforcement of legislation for the protection of personal data;

    2. (b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;

    3. (c) engage relevant stakeholders in discussion and activities aimed at furthering international co-operation in the enforcement of legislation for the protection of personal data;

    4. (d) promote the exchange and documentation of personal data protection legislation and practice.

  2. 2. For the purposes of paragraph 1, the Commission shall take appropriate steps to advance the relationship with third countries or international organisations, and in particular their supervisory authorities, where the Commission has decided that they ensure an adequate level of protection within the meaning of Article 41(3).

Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, COM(2012) 10/3, proposed by the European Commission on 25 January 2012

Article 33

General principles for transfers of personal data

Member States shall provide that any transfer of personal data by competent authorities that is undergoing processing or is intended for processing after transfer to a third country, or to an international organisation, including further onward transfer to another third country or international organisation, may take place only if:

  1. (a) the transfer is necessary for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties; and

  2. (b) the conditions laid down in this Chapter are complied with by the controller and processor.

Article 34

Transfers with an adequacy decision

  1. 1. Member States shall provide that a transfer of personal data to a third country or an international organisation may take place where the Commission has decided in accordance with Article 41 of Regulation (EU) ..../2012 or in accordance with paragraph 3 of this Article that the third country or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any further authorisation.

  2. 2. Where no decision adopted in accordance with Article 41 of Regulation (EU) ..../2012 exists, the Commission shall assess the adequacy of the level of protection, giving consideration to the following elements:

    1. (a) the rule of law, relevant legislation in force, both general and sectoral, including concerning public security, defence, national security and criminal law as well as the security measures which are complied with in that country or by that international organisation; as well as effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred;

    2. (b) the existence and effective functioning of one or more independent supervisory authorities in the third country or international organisation in question responsible for ensuring compliance with the data protection rules, for assisting and advising the data subject in exercising their rights and for co-operation with the supervisory authorities of the Union and of Member States; and

    3. (c) the international commitments the third country or international organisation in question has entered into.

  3. 3. The Commission may decide, within the scope of this Directive, that a third country or a territory or a processing sector within that third country or an international organisation ensures an adequate level of protection within the meaning of paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 57(2).

  4. 4. The implementing act shall specify its geographical and sectoral application, and, where applicable, identify the supervisory authority mentioned in point (b) of paragraph 2.

  5. 5. The Commission may decide within the scope of this Directive that a third country or a territory or a processing sector within that third country or an international organisation does not ensure an adequate level of protection within the meaning of paragraph 2, in particular in cases where the relevant legislation, both general and sectoral, in force in the third country or international organisation, does not guarantee effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects whose personal data are being transferred. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 57(2), or, in cases of extreme urgency for individuals with respect to their right to personal data protection, in accordance with the procedure referred to in Article 57(3).

  6. 6. Member States shall ensure that where the Commission decides pursuant to paragraph 5, that any transfer of personal data to the third country or a territory or a processing sector within that third country, or the international organisation in question shall be prohibited, this decision shall be without prejudice to transfers under Article 35(1) or in accordance with Article 36. At the appropriate time, the Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation resulting from the Decision made pursuant to paragraph 5 of this Article.

  7. 7. The Commission shall publish in the Official Journal of the European Union a list of those third countries, territories and processing sectors within a third country or an international organisation where it has decided that an adequate level of protection is or is not ensured.

  8. 8. The Commission shall monitor the application of the implementing acts referred to in paragraphs 3 and 5.

Article 35

Transfers by way of appropriate safeguards

  1. 1. Where the Commission has taken no decision pursuant to Article 34, Member States shall provide that a transfer of personal data to a recipient in a third country or an international organisation may take place where:

    1. (a) appropriate safeguards with respect to the protection of personal data have been adduced in a legally binding instrument; or

    2. (b) the controller or processor has assessed all the circumstances surrounding the transfer of personal data and concludes that appropriate safeguards exist with respect to the protection of personal data.

  2. 2. The decision for transfers under paragraph 1 (b) must be made by duly authorised staff. These transfers must be documented and the documentation must be made available to the supervisory authority on request.

Article 36

Derogations

By way of derogation from Articles 34 and 35, Member States shall provide that a transfer of personal data to a third country or an international organisation may take place only on condition that:

  1. (a) the transfer is necessary in order to protect the vital interests of the data subject or another person; or

  2. (b) the transfer is necessary to safeguard legitimate interests of the data subject where the law of the Member State transferring the personal data so provides; or

  3. (c) the transfer of the data is essential for the prevention of an immediate and serious threat to public security of a Member State or a third country; or

  4. (d) the transfer is necessary in individual cases for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties; or

  5. (e) the transfer is necessary in individual cases for the establishment, exercise or defence of legal claims relating to the prevention, investigation, detection or prosecution of a specific criminal offence or the execution of a specific criminal penalty.

Article 37

Specific conditions for the transfer of personal data

Member States shall provide that the controller informs the recipient of the personal data of any processing restrictions and takes all reasonable steps to ensure that these restrictions are met.

Article 38

International co-operation for the protection of personal data

  1. 1. In relation to third countries and international organisations, the Commission and Member States shall take appropriate steps to:

    1. (a) develop effective international co-operation mechanisms to facilitate the enforcement of legislation for the protection of personal data;

    2. (b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;

    3. (c) engage relevant stakeholders in discussion and activities aimed at furthering international co-operation in the enforcement of legislation for the protection of personal data;

    4. (d) promote the exchange and documentation of personal data protection legislation and practice.

  2. 2. For the purposes of paragraph 1, the Commission shall take appropriate steps to advance the relationship with third countries or with international organisations, and in particular their supervisory authorities, where the Commission has decided that they ensure an adequate level of protection within the meaning of Article 34(3).

OECD

Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980)

  1. 15. Member countries should take into consideration the implications for other Member countries of domestic processing and re-export of personal data.

  2. 16. Member countries should take all reasonable and appropriate steps to ensure that transborder flows of personal data, including transit through a Member country, are uninterrupted and secure.

  3. 17. A Member country should refrain from restricting transborder flows of personal data between itself and another Member country except where the latter does not yet substantially observe these Guidelines or where the re-export of such data would circumvent its domestic privacy legislation. A Member country may also impose restrictions in respect of certain categories of personal data for which its domestic privacy legislation includes specific regulations in view of the nature of those data and for which the other Member country provides no equivalent protection.

  4. 18. Member countries should avoid developing laws, policies and practices in the name of the protection of privacy and individual liberties, which would create obstacles to transborder flows of personal data that would exceed requirements for such protection.


B. National data protection and privacy legislation in force

Country

Source

Text or translation (excerpts; notes are given in italics)

EU and EEA Member States

EU Data Protection Directive 95/46/EC, Articles 25 and 26 (see under ‘European Union’ in Section A)

Local or regional data protection laws in many EU Member States regulate transborder data flows

The 27 EU Member States (Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom) and the three EEA Member States (Iceland, Liechtenstein, and Norway) have all adopted the provisions of the EU Data Protection Directive (including restrictions on transborder data flows) and implemented them into their national laws. Croatia is expected to join the EU on 1 July 2013.

For example: German federal state of Hessen, Hessisches Datenschutzgesetz (applies only to the public law sector and entities subject to public law): § 17

  1. (1) The provisions of this Act apply to the permissibility of transferring personal data within the area of application of the EU Data Protection Directive.

  2. (2) A transfer to recipients outside the area listed in para. 1 is only permissible based on this Act if it exclusively accrues to the benefit of the individual or an adequate level of data protection with the recipient is assured. The DPA of Hessen is to be consulted before any decision about adequacy is made. If an adequate level of protection is not assured, then personal data may only be transferred if:

    1. 1. the individual has consented;

    2. 2. the transfer is necessary for protection of an overriding public interest or to assert, exercise or defend legal claims before a court;

    3. 3. the transfer is necessary to protect the vital interests of the individual, or

    4. 4. the transfer is conducted from a register designed for the information of the public and that is accessible either by the public or by all persons who can show a legitimate interest in consulting it, insofar as the legal requirements are fulfilled in a particular case.

The recipient to whom the data are transferred must be informed that the transferred data may only be processed for purposes that are consistent with those for the fulfilment of which the data are being transferred.

Albania

Law No. 9887 on the Protection of Personal Data (10 March 2008)

Article 8 International transfer

  1. 1. The international transfer of personal data is done with recipients from states which have an adequate level of personal data protection. The level of personal data protection for a state is established by assessing all circumstances related to processing, nature, purpose and duration of processing, country of origin and final destination, legal provisions and security standards in force in the recipient state. States that have an adequate level of data protection are specified by a decision of the Council of Ministers.

  2. 2. International transfer of personal data with a state that does not have an adequate level of personal data protection may be done when:

    1. a) it is authorised by international acts ratified by the Republic of Albania and are directly applicable [sic];

    2. b) data subject has given his/her consent for the international transfer;

    3. c) it constitutes a contractual obligation concluded between the controller and data subject or a third party to the interest of the data subject;

    4. ç)[sic] it is a legal obligation of the controller;

    5. d) it is necessary for protecting vital interests of the data subject;

    6. dh)[sic] it is necessary or constitutes a legal requirement over an important public interest or for exercising and protecting a legal right;

    7. e) transfer is done from a register that is open for consultation and provides information to the general public.

  3. 3. Exchange of personal data to the diplomatic representations of foreign governments or international institutions in the Republic of Albania shall be considered an international transfer of data.

Article 9 International transfer of data that need to be authorized

  1. 1. In cases other than those provided for in Article 8 herein, the international transfer of personal data with a state that does not have an adequate level of data protection, shall be carried out upon an authorization from the Commissioner.

  2. 2. The Commissioner, after making an assessment, may give the authorisation for transfer of personal data to the recipient State by defining conditions and obligations.

  3. 3. The Commissioner issues instructions in order to allow certain categories of personal data international transfer to a state that does not have an adequate level of personal data protection. In these cases, the controller is exempted from the authorisation request.

  4. 4. The controller shall submit a request for authorisation to the Commissioner prior to the data transfer. In the authorization request, the controller shall guarantee the observance of the interests of the data subject to protection of confidentiality outside the Republic of Albania.

Andorra

Qualified Law 15/2003 of December 18, on the Protection of Personal Data, 2003 (‘LQPDP’)

Article 35

International data communications may not take place when the destination country of the data does not establish, in its regulations, a level of protection for personal data equivalent, at least, to that established by this Law.

Angola

Law No. 22/11 on the Protection of Personal Data

Article 33 Data transfers to countries that ensure an adequate level of protection

  1. 1. The international transfer of data to countries that ensure adequate protection is subject to notification to the Data Protection Agency.

  2. 2. It is acknowledged that foreign countries ensure an adequate level of protection when they guarantee, at minimum, a level of protection as the one provided in this law.

  3. 3. The Data Protection Agency decides by opinion whether a country ensures adequate protection.

  4. 4. The adequacy of the level of data protection appreciated by the Data Protection Agency as a function of all the circumstances surrounding the data transfer or set of data transfers, takes account especially of the nature of the data, the purpose and duration of the intended processing activity, the countries of final destination and their laws, both general and sector-specific, that are in force in the state concerned, including the professional rules and security measures which are complied with in that state.

Article 34 Data transfers to countries that do not ensure an adequate level of protection

  1. 1. The international transfer of data to a country that does not ensure adequate protection is subject to authorization by the Data Protection Agency, which may be granted only under one of the following circumstances or based on other specific legislation:

    1. a) if the data subject has given unambiguous, expressed and written consent;

    2. b) if the international data transfer occurs during the application of international treaties or agreements where the Republic of Angola is a party;

    3. c) if the data transfer has the sole purpose of responding to or requesting humanitarian aid;

    4. d) if the data transfer is necessary for the performance of a contract between the data subject and the data controller or the implementation of precontractual measures taken in response to the data subject's request;

    5. e) if the data transfer is necessary for the conclusion or performance of the contract concluded in the interest of the data subject between the controller and a third party;

    6. f) if the data transfer is necessary or legally required to protect public interest or for the establishment, exercise or defence of legal claims;

    7. g) if the data transfer is necessary to protect the vital interests of the data subject or for the purpose of medical prevention, treatment or diagnosis if the data subject is physically or legally incapable of giving consent;

    8. h) if the data transfer is performed from publicly accessible sources;

    9. i) if the recipient of the data guarantees to the data exporter by contractual clauses, an adequate level of protection for the data transferred.

  2. 2. The Data Protection Agency determines the specific conditions required for the contract referred to in subsection i) above.

  3. 3. In the event of international transfers of data between companies of the same group, an adequate level of protection can be achieved by laying down uniform rules on internal privacy and data protection with which compliance is mandatory.

Argentina

Personal Data Protection Act (4 October 2000), Act No. 25,326

Section 12 International transfer

  1. 1. Transfer of personal data of any kind to any country or international or supranational organisation is hereby forbidden if adequate protection is not provided.

  2. 2. This shall not apply in the following events:

    1. a) International judicial cooperation;

    2. b) Exchange of medical data, if required by the patient's treatment, or by an epidemiological research, provided that it is carried out under the terms of sub Article e) of the previous Article;

    3. c) Bank or stock exchange transfers, relating to the respective transactions and in accordance with applicable laws;

    4. d) Whenever transfer has been agreed upon within the framework of international treaties signed by the Argentine Republic;

    5. e) Whenever the purpose of the transfer is international cooperation among intelligence organisations to fight against organized crime, terrorism and drug-trafficking.

Armenia

Law of the Republic of Armenia on Personal Data (8 October 2002)

Article 6 Legality of Personal Data Processing

  1. 1. Processing of personal data is considered legal:

    1. 1) When the personal data is processed with the consent of the data subject;

    2. 2) When the personal data is processed for the protection of data subject's critical interests when there is no basis to assume that he/she will disagree when being informed about the processing;

    3. 3) When the processing of the personal data is envisaged by legislation or is necessary for execution of law requirements;

    4. 4) When processing of the personal data is required for the protection of state and public security from immediate peril.

  2. 2. The consent of the data subject is the absolute voluntary permission to process his/her personal data expressed in any form. The data subject may withdraw his/her consent at any time. The withdrawal of consent has no retrospective [sic] effect.

Article 13 Transfer of Personal Data to Foreign Countries

Personal data are transferred to foreign countries according to international treaties of Armenia and on the basis stipulated under Article 6 of this Law.

Australia

Privacy Act 1988, as amended on 14 September 2006

NOTE: Amendments to the Privacy Act regarding transborder data flows are being considered by the Australian government, see Parliament of the Commonwealth of Australia, House of Representatives, ‘Privacy Amendment (Enhancing Privacy Protection) Bill 2012’, Section 16C

Schedule 3, Principle 9—Transborder data flows

An organisation in Australia or an external Territory may transfer personal information about an individual to someone (other than the organisation or the individual) who is in a foreign country only if:

  1. (a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles; or

  2. (b) the individual consents to the transfer; or

  3. (c) the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual's request; or

  4. (d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or

  5. (e) all of the following apply:

    1. (i) the transfer is for the benefit of the individual;

    2. (ii) it is impracticable to obtain the consent of the individual to that transfer;

    3. (iii) if it were practicable to obtain such consent, the individual would be likely to give it; or

  6. (f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.

Bahamas

Data Protection (Privacy of Personal Information) Act (11 April 2003)

Section 17 Prohibition on the transfer of personal data outside Bahamas

  1. (1) The Commissioner may, subject to the provisions of this section, prohibit the transfer of personal data from The Bahamas to a place outside The Bahamas, in such cases where there is a failure to provide protection either by contract or otherwise equivalent to that provided under this Act.

  2. (2) In determining whether to prohibit a transfer of personal data under this section, the Commissioner shall also consider whether the transfer would be likely to cause damage or distress to any person and have regard to the desirability of facilitating international transfers of data.

  3. (3) A prohibition under subsection (1) shall be effected by the service of a notice (referred to in this Act as a prohibition notice) on the person proposing to transfer the data concerned. ...

Benin

Law No. 2009–09 on the Protection of Personal Data (27 April 2009)

Article 9

The data controller shall not transfer any personal data abroad unless the foreign country provides a sufficient level of protection for privacy rights and the rights and freedoms of data subjects in relation to the processing of personal data.

The level of protection provided by the country shall be assessed in light of data protection laws and security measures that are applied in the foreign country, such as for the purpose, duration, nature, origin and the intended destination of the personal data.

Article 43(h)

The following processing activities are subject to prior approval and investigation by the DPA due to concerns about rights and freedoms, or circumstances where the nature or the purpose of the processing activity may have an impact on the privacy of the data subject:

  1. (h) Any processing activity involving the transfer of personal data to foreign countries when the process ensures a sufficient level of protection for privacy rights, rights and freedoms of data subjects, in particular standard contractual clauses or binding corporate rules.

Bosnia and Herzegovina

Law on the Protection of Personal Data (27 July 2001)

Article 8 Data Transfer Abroad

Personal data shall not be transferred from the country to a data controller or data processor abroad, whatever the data medium or the mode of transmission is, unless the conditions of Article 5 of this Law are complied with and provided that the same principles of data protection are obeyed by the foreign controller in respect of the data.

NOTE: The proposed transfer abroad of special categories of data requires prior notification to the DPA (Article 11 (h)).

Burkina Faso

Law No. 010–2004/An Regarding the Protection of Personal Data (20 April 2004)

Article 24

The transfer of personal data from the territory of Burkina Faso abroad, which is subject to automatic processing as prescribed by Article 19, is possible only if it complies with the requirements of this Act. However, in exceptional circumstances, a transfer may be authorized by decree with the approval of the DPA.

Canada

Federal level: Personal Information Protection and Electronic Documents Act (PIPEDA) and interpretation of it by Canadian courts and regulators

Provincial level:

Personal Information Protection and Electronic Documents Act (PIPEDA), Schedule 1, section 4.1 Principle 1: Accountability

An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles …

See Office of the Privacy Commissioner of Canada, ‘Guidelines for Processing Personal Data across Borders’ (2009) 5, 〈http://www.priv.gc.ca/information/guide/2009/gl_dab_090127_e.pdf〉:

‘PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing. However under PIPEDA, organizations are held accountable for the protection of personal information transfers under each individual outsourcing arrangement’.

Alberta: Personal Information Protection and Electronic Documents Act, § 40(1)(g)—permits the disclosure of personal information controlled by a public body in response to a subpoena, warrant, or order issued by a court only when the court has ‘jurisdiction in Alberta’.

British Columbia: Freedom of Information and Protection of Privacy Amendment Act, § 30.1—requires each public body to ensure that ‘personal information in its custody or under its control is stored only in Canada and accessed only in Canada’; some exceptions are provided.

Nova Scotia: Personal Information International Disclosure Protection Act (2006), § 5(1)—requires that a public body ensure that ‘personal information in its custody or under its control … is stored only in Canada and accessed only in Canada’; some exceptions are provided.

Québec:

  1. Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information (2006), § 70.1—requires that before ‘releasing personal information outside Québec or entrusting a person or a body outside Québec with the task of holding, using or releasing such information on its behalf’, public bodies must ensure that the information receives protection ‘equivalent’ to that afforded under provincial law.

  2. Act Respecting the Protection of Personal Information in the Private Sector, § 17—provides that an organization doing business in Québec that entrusts a person outside Québec with ‘holding, using or communicating such information on its behalf’ must take ‘all reasonable steps to ensure’ that the information will be used only for the purposes for which consent was obtained and will not be ‘communicated to third parties’ without such consent.

Colombia

Law 1266 of 2008

Article 5 Circulation of information

The personal information collected or provided as established by law to the operators, which is part of the managed data bank, may be provided orally, in writing, or placed at the disposal of the following individuals and in the following terms:

  (f) … If the receiver of the information were a foreign data bank, the delivery without authorization of the data subject may only be made leaving written evidence of the delivery of the information and upon prior verification by the operator that the laws of the respective country or the receiver provide sufficient guarantees for the protection of the rights of the data subject.

Law 1581 of 17 October 2012

Transfer of data to third countries

Article 26 Prohibition

The transfer of personal data to countries that do not provide an adequate level of data protection is prohibited. It is acknowledged that a country provides an adequate level of data protection when it complies with the relevant standards set by the Industry and Commerce Superintendence, which in no case shall be lower than this law requires for the data recipients. This prohibition shall not apply in the case of:

  a) Information for which the data subject has given its express and unambiguous consent to the transfer;

  b) The exchange of medical data, when required for medical reasons related to the data subject or for public health;

  c) Stock exchange or banking transfers, according to applicable legislation;

  d) Transfers agreed in the framework of international treaties where the Republic of Colombia is a party, based on the principle of mutuality;

  e) Transfers necessary for the performance of a contract between the data subject and the controller, or the implementation of precontractual measures as long as there is permission of the data subject;

  f) Transfers necessary or legally required on public interest grounds or for the establishment, exercise or defense of a right in judicial proceedings;

Paragraph 1. For cases not covered by the derogations of this Article, the Industry and Commerce Superintendence shall declare whether compliance concerning the international transfer of personal data is ensured. For this purpose, the Superintendent is empowered to require information and implement the measures designed to establish compliance with the budget ensuring the viability of the operation.

Paragraph 2. The provisions of this Article shall apply to all personal data, including those covered by Law 1266 of 2008.

Costa Rica

Law No. 8968/2011 on the Protection of Personal Data

Article 14 Transfer of personal data

The controller of a public or private database may only transfer data containing in them when the data subject has explicitly and validly provided its consent and the transfer was made without violating the principles and rights under this law.

Article 31 Serious Violations

Serious violations for the purposes of this Act are considered:…

f) The transfer of personal information of Costa Ricans or foreigners residing in the country to databases in third countries without the consent of the data subjects.

Croatia

Act on Personal Data Protection (12 June 2003), No. 1364–2003 (as amended by Act on Amendments to the Personal Data Protection Act, No. 2616–2006)

NOTE: Croatia is expected to join the EU on 1 July 2013, in which case EU law will apply

Article 13 Personal data transfer abroad from the Republic of Croatia

Personal data filing systems or personal data contained in personal data filing systems may be transferred abroad from the Republic of Croatia for further processing only if the state or the international organisation the personal data is being transferred to have adequately regulated the legal protection of personal data and have ensured an adequate level of protection.

Prior to transferring personal data abroad from the Republic of Croatia, the personal data filing system controller shall, in case of reasonable doubt regarding the existence of adequate personal data protection system or whether an adequate level of protection is in place, obtain an opinion regarding this issue from the Personal Data Protection Agency.

The adequate level of protection which is provided by the state or by an international organisation shall be evaluated in terms of the circumstances connected with the presentation of personal data, and in particular in terms of the type of the data concerned, the purpose and duration of the processing thereof, the country to which the data refer, the legal provisions in force in the country in question, and the professional rules and security measures applicable in the country concerned.

By way of derogation from paragraph 1 of this Article, personal data forming part of personal data filing systems may be taken out of the Republic of Croatia to states or to international organisations which do not provide for an adequate level of protection within the meaning of paragraph 2 of this Article only in the following cases:

  • if the data subject consents to the transfer of the personal data,

  • if the transfer is essential to protect the life or the physical well-being of the data subject, or

  • if the personal data filing system controller provides sufficient guarantees regarding the protection of privacy and the fundamental rights and freedoms of individuals, which might arise from the contractual provisions, for which the Personal Data Protection Agency establishes that they are appropriate in accordance with the valid regulations which regulate the protection of personal data.

Article 34 Notification requirement

If during supervision the Agency determines that legal provisions establishing personal data processing have been violated, it shall be entitled to warn or notify the personal data filing system controller about the irregularities in the personal data processing and issue a decision prohibiting the transfer of personal data abroad from the Republic of Croatia …

Dubai International Financial Centre (DIFC, a self-legislating free financial zone administered by the government of Dubai)

DIFC Data Protection Law 2007, Law no. 1 of 2007 (applicable only to the Dubai International Financial Centre)

Article 11 Transfers out of the DIFC—Adequate Level of Protection

  (1) A transfer of Personal Data to a Recipient located in a jurisdiction outside the DIFC may take place only if:

    (a) an adequate level of protection for that Personal Data is ensured by laws and regulations that are applicable to the Recipient, as set out in Article 11(2); or

    (b) in accordance with Article 12.

  (2) For the purposes of Article 11(1), a jurisdiction has an adequate level of protection for that Personal Data if that jurisdiction is listed as an acceptable jurisdiction under the Regulations or with the written approval of the Commissioner of Data Protection.

Article 12 Transfers out of the DIFC in the Absence of an Adequate Level of Protection

  (1) A transfer or a set of transfers of Personal Data to a Recipient which is not subject to laws and regulations which ensure an adequate level of protection within the meaning of Article 11 may take place on condition that:

    (a) the Commissioner of Data Protection or his delegate has granted a permit or written authorisation for the transfer or the set of transfers and the Data Controller applies adequate safeguards with respect to the protection of this Personal Data;

    (b) the Data Subject has given his written consent to the proposed transfer;

    (c) the transfer is necessary for the performance of a contract between the Data Subject and the Data Controller or the implementation of pre-contractual measures taken in response to the Data Subject's request;

    (d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Data Controller and a Third Party;

    (e) the transfer is necessary or legally required on grounds important in the interests of the DIFC, or for the establishment, exercise or defence of legal claims;

    (f) the transfer is necessary in order to protect the vital interests of the Data;

    (g) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case;

    (h) the transfer is necessary for compliance with any legal obligation to which the Data Controller is subject or the transfer is made at the request of a regulator, police or other government agency;

    (i) the transfer is necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets, provided that such is pursued in accordance with international financial standards and except where such interests are overridden by legitimate interests of the Data Subject relating to the Data Subject's particular situation; or

    (j) the transfer is necessary to comply with any regulatory requirements, auditing, accounting, anti-money laundering or counter terrorist financing obligations or the prevention or detection of any crime that apply to a Data Controller.

Faroe Islands

Act on Processing of Personal Data, Act No. 73 of 8 May 2001, as amended by Act No. 24 of 17 May 2004

Article 16 Transfer of personal data to foreign countries

Transfer to a foreign country of personal data may take place only if the foreign country in question ensures an adequate level of protection. The adequacy of the level of protection afforded by a foreign country shall be assessed in the light of all the circumstances surrounding a data transfer operation, the purpose and duration of the processing operation, the nature of the data, the rules of law in force in the foreign country in question and the professional rules and security measures which are complied with in that country. Permission is required from the Data Protection Agency cf. Article 35, Part 6.

Part 2. In spite of Part 1, the Minister of Justice may, after having received a statement from the Data Protection Agency, decide provisions for, to [sic] which foreign countries personal data can be transferred without permission from the Data Protection Agency.

Article 17 Exceptions

The Data Protection Agency may authorize a transfer of personal data to foreign countries, cf. Article 35, Part 6 even if the foreign country in question do [sic] not ensures an adequate level of protection if:

  1) the data subject has given his explicit consent to the transfer,

  2) the transfer is required by international conventions or because of membership in an international community,

  3) the transfer is necessary for the performance of a contract with the data subject or to do what is required, to implement pre-contractual measures taken in response to the data subject's request,

  4) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject with a third party,

  5) the transfer is necessary in order to protect the vital interests of the data subject,

  6) the transfer is necessary in order to identify, submit in to force or protect a legal claim,

  7) the transfer is necessary or legally required on important public interest grounds, or

  8) Statutory authority exists when data is required from a public register.

Part 2. The Data Protection Agency may authorise a transfer of personal data to a foreign country, which does not comply with the provisions laid down in Part 1, where the controller adduces adequate safeguards with respect to the protection of the rights of the data subject. More detailed conditions may be laid down for the transfer….

Gabon

Law No. 001/2011 (25 September 2011) on the Protection of Personal Data

Transfer of personal data

Article 94

The data controller may only transfer personal data to another State if that State ensures an adequate level of protection of privacy, and the freedoms and fundamental rights of individuals with regard to the processing of personal data. The adequacy of the level of protection provided by a State is notably assessed taking into account the provisions in force in that State, the implemented security measures, the characteristics of the processing, such as its purpose and duration, as well as the nature, the origin and the destination of the processed data. The National Commission for the Protection of Personal Data guarantees and publishes a list of States providing an adequate level of protection with respect to any transfer of personal data.

Article 95

The data controller may also transfer personal data to a State not meeting the requirements of section 99 below if the data subject has expressly consented to the transfer or the transfer is necessary for one of the following purposes:

  • The protection of the data subject's life;

  • The protection of public interest;

  • To comply with obligations ensuring the establishment, exercise or defence of legal claims;

  • For consulting, under legitimate grounds, a register which, under law or regulations is intended to provide information to the public and is open to consultation by any person who can demonstrate legitimate interest;

  • The performance of a contract between the data controller and the data subject, or the implementation of pre-contractual measures taken in response to the data subject's request;

  • The conclusion or performance of a current or a future contract between the data controller and a third party concluded in the interest of the data subject.

An exception to the prohibition mentioned in Article 94 above can be made by decision of the National Commission for the Protection of Personal Data or, in case of the processing mentioned in Article 55 above, by a decree following a reasoned and public opinion of the Commission, when the processing ensures a sufficient level of the protection of privacy as well as the freedoms and fundamental rights of individuals, particularly on the basis of contractual clauses or internal regulations pertaining to the processing.

The Commission shall inform the recipient States about any decisions authorizing the transfer of personal data that it takes under the preceding paragraph.

Article 96

If the National Commission for the Protection of Personal Data has found that a State does not ensure an adequate level of protection with regard to a transfer of personal data, it shall issue a note prohibiting the data transfer. For this purpose, it shall promptly inform the official authorities and the public. Upon receipt by the Commission of a notification filed under section 52 or 53 above, demonstrating that personal data are being transferred to that State, the Commission shall deliver a note and order the data controller to suspend or cancel the data transfer, depending on the case. If the Commission later observes that the State to which the transfer is intended now ensures an adequate level of protection, it notifies the data controller of the end of the suspension of the transfer.

Ghana

Data Protection Act 2012

Section 18

(2) A data controller or processor shall in respect of foreign data subjects ensure that personal data is processed in compliance with data protection legislation of the foreign jurisdiction of that subject where personal data originating from that jurisdiction is sent to this country for processing.

Section 47

  (1) An application for registration as a data controller shall be made in writing to the Commission and the applicant shall furnish the following particulars:

    (g) the name or description of the country to which the applicant may transfer the data …

Guernsey

Data Protection (Bailiwick of Guernsey) Law (2001), as amended by the Data Protection (Bailiwick of Guernsey) (Amendment) Ordinance (2010)

8th principle Transfer of data abroad

Personal data shall not be transferred to a country or territory outside the Bailiwick unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Section 13

An adequate level of protection is one which is adequate in all the circumstances of the case, having regard in particular to:

  (a) the nature of the personal data;

  (b) the country or territory of origin of the information contained in the data;

  (c) the country or territory of final destination of that information;

  (d) the purposes for which and period during which the data are intended to be processed;

  (e) the law in force in the country or territory in question;

  (f) the international obligations of that country or territory;

  (g) any relevant codes of conduct or other rules which are enforceable in that country or territory (whether generally or by arrangement in particular cases); and

  (h) any security measures taken in respect of the data in that country or territory.

Section 14

The eighth principle does not apply to a transfer falling within any paragraph of Schedule 4, except in such circumstances and to such extent as the Committee may by Order provide.

India

Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules (2011)

Rule 7 Transfer of information

A corporate body or any person on its behalf may transfer sensitive personal data or information to any other corporate body or person located in India or in another country that ensures the same level of data protection as the one that the corporate body adheres to, as provided under these Rules. The transfer is allowed only if it is necessary for the performance of a lawful contract between the corporate body or a person on its behalf and the provider of information or where the data subject has consented to the data transfer.

Isle of Man

Data Protection Act (2002)

8th Principle

Personal data shall not be transferred to a country or territory outside the Island unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Section 21

An adequate level of protection is one which is adequate in all the circumstances of the case, having regard in particular to –

  (a) the nature of the personal data,

  (b) the country or territory of origin of the information contained in the data,

  (c) the country or territory of final destination of that information,

  (d) the purposes for which and period during which the data are intended to be processed,

  (e) the law in force in the country or territory in question,

  (f) the international obligations of that country or territory,

  (g) any relevant codes of conduct or other rules which are enforceable in that country or territory (whether generally or by arrangement in particular cases), and

  (h) any security measures taken in respect of the data in that country or territory.

Israel

Protection of Privacy Law, 5741–1981 (2001)

Privacy Protection (Transfer of Data to Databases Abroad) Regulations, 5761–2001—implementing Article 36(2) of the Protection of Privacy Law, 5741–1981

Article 36(2)

The Minister of Justice is charged with the implementation of this Law and may, with the approval of the Constitution, Law and Justice Committee of the Knesset, make regulations as to any matter relating to its implementation, and inter alia—

(2) conditions of transmitting information to or from databases outside the boundaries of the State.

Limitation on transfer of data

  1. A person shall not transfer, nor shall he enable, the transfer abroad of data from databases in Israel, unless the law of the country to which the data is transferred ensures a level of protection no lesser, mutatis mutandis, than the level of protection of data provided for by Israeli Law, and the following principles shall apply:

    (1) Data shall be gathered and processed in a legal and fair manner;

    (2) Data shall be held, used and delivered only for the purpose for which it was received;

    (3) Data gathered shall be accurate and up to date;

    (4) The right of inspection is reserved to the data subject;

    (5) The obligation to take adequate security measures to protect data in databases is mandatory.

Conditions to the transfer of data abroad

  2. Notwithstanding Regulation 1, a database owner may transfer data or enable the transfer of data from his database in Israel abroad, provided that one of the following conditions is met:

    (1) The data subject has consented to the transfer;

    (2) The consent of the data subject cannot be obtained and the transfer is vital to the protection of his health or physical wellbeing;

    (3) The data is transferred to a corporation under the control of the owner of the database from which the data is transferred, and he has guaranteed the protection of privacy after the transfer; In this Paragraph, the meaning of ‘control’ is as defined in the Securities Law, 5728–1968;

    (4) The data is transferred to a person bound by an agreement with the owner of the database from which the data is transferred, to comply with the conditions for the ownership and use of the data applying to a database in Israel, mutatis mutandis;

    (5) The data was made available to the public or was opened for public inspection by legal authority;

    (6) The transfer of data is vital to public safety or security;

    (7) The transfer of data is mandatory according to Israeli Law;

    (8) The data is transferred to a database in a country—

      (1) which is a Party to the European Convention for the Protection of Individuals with Regard to Automatic Processing of Sensitive Data;

      (2) which receives data from Member States of the European Community, under the same terms of acceptance;

      (3) in relation to which the Registrar of Databases announced, in an announcement published in the Official Gazette (‘Reshumot’), that it has an authority for the protection of privacy, after reaching an arrangement for cooperation with the said authority.

Guarantee to ensure privacy

  3. When transferring data according to Regulation 1 or Regulation 2, the owner of the database shall ensure, in a written guarantee by the recipient of the data, that recipient of the data is taking adequate measures to ensure the privacy of the data subjects….

Jersey

Data Protection (Jersey) Law, 2005 (L.2/2005)

8th Principle

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Section 13 Eighth principle: what is adequate protection in foreign country

For the purposes of the eighth principle, an adequate level of protection is one that is adequate in all the circumstances of the case, having regard in particular to –

  (a) the nature of the personal data;

  (b) the country or territory of origin of the information contained in the data;

  (c) the country or territory of final destination of that information;

  (d) the purposes for which and period during which the data are intended to be processed;

  (e) the law in force in the country or territory in question;

  (f) the international obligations of that country or territory;

  (g) any relevant codes of conduct or other rules that are enforceable in that country or territory (whether generally or by arrangement in particular cases); and

  (h) any security measures taken in respect of the data in that country or territory.

Section 14 Exceptions to eighth principle

The eighth principle does not apply to a transfer falling within any of paragraphs 1–9 of Schedule 4, except in such circumstances and to such extent as may be prescribed by Regulations …

Macau (Macau Special Administrative Region (MSAR) of the People's Republic of China)

Personal Data Protection Act (Act 8/2005)

Article 19 Principles

  1. The transfer of personal data to a destination outside the MSAR may only take place subject to compliance with this Act and provided the legal system in the destination to which they are transferred ensures an adequate level of protection.

  2. The adequacy of the level of protection referred to in the previous number shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the place of origin and place of final destination, the rules of law, both general and sectoral, in force in the destination in question and the professional rules and security measures which are complied with in that destination.

  3. It is for the public authority to decide whether a legal system ensures an adequate level of protection referred to in the previous number.

Article 20 Derogations

  1. A transfer of personal data to a destination in which the legal system does not ensure an adequate level of protection within the meaning of No. 2 of the previous article may be allowed on condition that the public authority is notified, and that the data subject has given his consent unambiguously to the proposed transfer, or if that transfer:

    (1) is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject's request;

    (2) is necessary for the performance or conclusion of a contract concluded or to be concluded in the interests of the data subject between the controller and a third party;

    (3) is necessary or legally required on important public interest grounds, or for the establishment, exercise of defence of legal claims;

    (4) is necessary in order to protect the vital interests of the data subject;

    (5) is made from a register which according to laws or administrative regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, provided the conditions laid down in law for consultation are fulfilled in the particular case.

  2. Without prejudice to No. 1 the public authority may authorise a transfer or a set of transfers of personal data to a destination in which the legal system does not ensure an adequate level of protection within the meaning of No. 2 of the previous article, provided the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and with respect to their exercise, particularly by means of appropriate contractual clauses.

  3. A transfer of personal data which is necessary for the protection of defence, public security and public health, and for the prevention, investigation and prosecution of criminal offences, shall be governed by special legal provisions or by the international conventions and regional agreements to which the MSAR is party.

The former Yugoslav Republic of Macedonia

Law on Personal Data Protection (25 January 2005)

Article 27

The controller shall keep records of each personal data collection which shall contain:

8) transfer of personal data to other states …

VII. Transfer of personal data to other states

Article 31

The personal data transfer to other countries may be carried out only if the other state provides adequate degree of personal data protection.

During the evaluation of degree of appropriateness of the personal data protection, all circumstances will be separately addressed which refer to the operation or operations for personal data transmitted, especially the nature and the origin of personal data which are transmitted, the goals and duration of operational processing, the state where they are transmitted, the rules regulating for personal data protection in that state and regulations regulating the rules of the profession and the security measures. The degree of appropriateness of the personal data protection of other states is estimated by the Directorate.

Article 32

If the state where the data are to be transmitted does not provide appropriate degree of personal data protection, the Directorate shall not allow transmission of personal data.

Article 33

As an exception to the Article 31 of this Law, the transmission of personal data transfer may be realized in the following cases:

  • if the personal data subject had given explicit written consent on the data transmission;

  • when the transmission is necessary for realization of the contract between the personal data subject and the controller or realization of the pre-agreed measures undertaken as a reply to the personal data subject's request;

  • the transmission is necessary for signing or realization of the contract concluded in the interest of the personal data subject, the controller and a third party;

  • the transmission is necessary for protection of the public interest or protection of the fundamental freedoms and rights of the citizens, and

  • the transmission is necessary for protection of the life or the physical and moral integrity of the personal data subject.

The Directorate may allow personal data transmission in other state which does not provide appropriate degree of their protection if the controller states the existence of adequate restrictions for privacy protection, the fundamental rights and freedom of the personal data subject, arising from valid provisions of the contract.

Mauritius

Data Protection Act 2004, Act No. 13 of 2004

Article 31—Transfer of personal data

  (1) Subject to subsection (2), no data controller shall, except with the written authorization of the Commissioner, transfer personal data to a third country.

  (2) The Eighth data protection principle specified in the First Schedule shall not apply where—

    (a) the data subject has given his consent to the transfer;

    (b) the transfer is necessary—

      (i) for the performance of a contract between the data subject and the data controller, or for the taking of steps at the request of the data subject with a view to his entering into a contract with the data controller;

      (ii) for the conclusion of a contract between the data controller and a person, other than the data subject, which is entered at the request of the data subject, or is in the interest of the data subject, or for the performance of such a contract;

      (iii) in the public interest, to safeguard public security or national security.

    (c) the transfer is made on such terms as may be approved by the Commissioner as ensuring the adequate safeguards for the protection of the rights of the data subjects.

  (3) For the purpose of subsection (2)(c), the adequacy of the level of protection of a country shall be assessed in the light of all the circumstances surrounding the data transfer, having regards in particular to—

    (a) the nature of the data;

    (b) the purpose and duration of the proposed processing;

    (c) the country of origin and country of final destination;

    (d) the rules of law, both general and sectoral, in force in the country in question; and

    (e) any relevant codes of conduct or other rules and security measures which are complied with in that country.

Mexico

Decree issuing the Federal Law on Protection of Personal Data Held by Private Parties (2010)

Article 36

Where the data controller intends to transfer personal data to domestic or foreign third parties other than the data processor, it must provide them with the privacy notice and the purposes to which the data owner has limited data processing. Data processing will be done as agreed in the privacy notice, which shall contain a clause indicating whether or not the data owner agrees to the transfer of his data; moreover, the third party receiver will assume the same obligations as the data controller that has transferred the data.

Article 37

Domestic or international transfers of data may be carried out without the consent of the data owner in the following cases:

  1. I. Where the transfer is pursuant to a Law or Treaty to which Mexico is party;

  2. II. Where the transfer is necessary for medical diagnosis or prevention, health care delivery, medical treatment or health services management;

  3. III. Where the transfer is made to holding companies, subsidiaries or affiliates under common control of the data controller, or to a parent company or any company of the same group as the data controller, operating under the same internal processes and policies;

  4. IV. Where the transfer is necessary by virtue of a contract executed or to be executed in the interest of the data owner between the data controller and a third party;

  5. V. Where the transfer is necessary or legally required to safeguard public interest or for the administration of justice;

  6. VI. Where the transfer is necessary for the recognition, exercise or defense of a right in a judicial proceeding; and

  7. VII. Where the transfer is necessary to maintain or fulfil a legal relationship between the data controller and the data owner.

Moldova

Law No. 17-XVI of 15 February 2007 on the Protection of Personal Data (modified by Law No. 141-XVI of 26.06.2008, in force as of 1 August 2008)

Article 16 Transborder transfer of personal data

  1. (1) The present Article is applied in the case of transfer across national borders, whatever support is used, of personal data, which are subject to processing or are collected with the purpose to be subject of such processing.

  2. (2) Personal data, that are on the territory of the Republic of Moldova and destined to be transferred to other states, are protected in accordance with the present law.

  3. (3) The transborder transfer of personal data, that are subject to a processing or are going to be processed after the transfer, can be made in the case when the respective state ensures an adequate level of protection of the rights of personal data subjects and of the data destined for the transfer, as well as in other cases according to the international agreements the Republic of Moldova is party of.

  4. (4) The level of protection is established by the Center, taking into consideration the conditions in which the data transfer is performed, especially the nature of the data, the purpose of the data transfer and processing, the country of final destination, the legislation of the requesting state.

  5. (5) In the case when the Center concludes that the level of protection offered by the state of destination is unsatisfactory, it may prohibit the data transfer.

  6. (6) The transfer of personal data to the states that do not ensure an adequate level of protection, can be made only:

    1. (a) with the written consent of the personal data subject;

    2. (b) in case of the need to sign or execute an agreement or a contract between the personal data subject and their holder, or between the holder of these data and a third party in the interest of the personal data subject;

    3. (c) if the transfer is necessary to protect the rights, freedoms or interests of the personal data subject;

    4. (d) in case when personal data are accessible to the public.

Monaco

Law No. 1.165—Act Concerning the Processing of Nominal Information (23 December 1993)

Article 8 (8)

To be admissible, the declaration envisaged in the first subparagraph of Article 6 … must include:

(8) mention, when necessary, that the data processing is intended for the communication of data abroad, even if it results from operations previously carried out outside Monaco.

NOTE: Article 6 refers to the obligation that persons or entities under private law must file a declaration of their processing activities with the DPA

Morocco

Law No. 09–08 Relative to the Protection of Individuals with regards to their Personal Data (5 March 2009)

Chapter 5, Article 43 The transfer of data to a foreign country

The data controller shall not transfer any personal data to a foreign country unless that country ensures a sufficient level of protection for privacy rights and freedoms.

The level of protection provided by the foreign country shall be assessed in light of the regulations and security measures applicable in that country, the characteristics of the processing such as the purpose, duration, nature, origin and intended destination of personal data.

The DPA has established a list of countries that comply with the provisions mentioned above.

Article 44

As an exception to the provisions of Article 43 above, the data controller may transfer personal data to a foreign country that does not fulfil the requirements mentioned if the data subject gave its express consent for such a transfer or:

  1. 1. if the transfer is justified by one of the following conditions:

    1. a) for the protection of the data subject's life;

    2. b) in the public's interest;

    3. c) for reasons of contractual obligations between the data controller and the data subject;

    4. d) at the conclusion or execution of a contract in the interest of the data subject by the data controller and a third party;

    5. e) at the conclusion or execution of a contract or a contract to be concluded, in the interest of the data subject, between the data controller and a third party;

    6. f) at the execution of an international mutual assistance agreement on judicial matters;

    7. g) for the prevention, diagnosis and treatment of medical diseases.

  2. 2. If the transfer is made in compliance with a bilateral or multilateral agreement to which Morocco is a party.

  3. 3. At the express authority of the DPA, when the processing ensures a sufficient level of protection for privacy rights, rights and freedoms of data subjects, such as through standard contractual clauses or binding corporate rules.

New Zealand

Privacy Act 1993 (as amended in 2010 by the Privacy (Cross-Border Information) Amendment Bill, excerpts only)

Part 11A Transfer of personal information outside New Zealand

114A Interpretation

In this Part, unless the context otherwise requires,—

‘OECD Guidelines’ means the Organisation for Economic Co-operation and Development Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data

‘State’ includes any State, territory, province, or other part of a country

‘transfer prohibition notice’ means a notice given under section 114B prohibiting the transfer of personal information from New Zealand to another State.

114B Prohibition on transfer of personal information outside New Zealand

  1. (1) The Commissioner may prohibit a transfer of personal information from New Zealand to another State if the Commissioner is satisfied, on reasonable grounds, that—

    1. (a) the information has been, or will be, received in New Zealand from another State and is likely to be transferred to a third State where it will not be subject to a law providing comparable safeguards to this Act; and

    2. (b) the transfer would be likely to lead to a contravention of the basic principles of national application set out in Part Two of the OECD Guidelines and set out in Schedule 5A.

  2. (2) In determining whether to prohibit a transfer of personal information, the Commissioner must also consider, in addition to the matters set out in subsection (1) and section 14, the following:

    1. (a) whether or not the transfer affects, or would be likely to affect, any individual; and

    2. (b) the general desirability of facilitating the free flow of information between New Zealand and other States; and

    3. (c) any existing or developing international guidelines relevant to transborder data flows, including (but not limited to)—

      1. (i) the OECD Guidelines:

      2. (ii) the European Union Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.

  3. (3) Subsection (1) does not apply if the transfer of the information, or the information itself, is—

    1. (a) required or authorised by or under any enactment; or

    2. (b) required by any convention or other instrument imposing international obligations on New Zealand …

Peru

Law No. 29733/2011 on the Protection of Personal Data

Article 11. Principle of adequate level of protection

In the event of trans-border data flows, the recipient country must have an adequate level of protection for the personal data to be processed or at least a level of protection comparable to the one provided by this Law. The scope of the adequate level of protection in the recipient country must at least ensure compliance with the guiding principles for the protection of personal data under this Title and an effective system of guarantees.

Article 15. Trans-border flow of personal data

The data controller and the data processor of the database including personal data may engage in trans-border flows of personal data only if the recipients guarantee an adequate level of protection in accordance with this Law. The National Authority for the Protection of Personal Data will supervise the compliance with this requirement. The provisions of the previous paragraph do not apply in the following cases:

  1. 15.1 Agreements under international treaties where the Republic of Peru is a party.

  2. 15.2 International judicial cooperation.

  3. 15.3 International cooperation between intelligence agencies for the fight against terrorism, illegal drug trafficking, money laundering, corruption, human trafficking and other forms of organized crime.

  4. 15.4 When the personal data are necessary to perform a contract to which the data subject is a party.

  5. 15.5 In case of bank or stock exchange transfers, concerning the respective transactions in accordance with applicable Law.

  6. 15.6 When the trans-border flow of personal data takes place for the prevention, diagnosis or medical or surgical treatment of the data subject or when it is necessary to carry out epidemiological or similar studies, provided that adequate dissociation procedures are applied.

  7. 15.7 When the data subject has given his prior, informed, express and unambiguous consent.

  8. 15.8 In other cases established by regulation of this Law.

Russia

Federal Law of the Russian Federation of 27 July 2006 No. 152-FZ on Personal Data (as amended by Law of 25 July 2011 No. 261-FZ)

Article 12

  1. 1. Cross-border transfer of personal data to foreign countries that are parties of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data [Council of Europe Convention 108], as well as to the territory of foreign States that ensure adequate protection of the rights of subjects of personal data is performed in accordance with the present Federal Law and may be forbidden or restricted with the aim of protecting the principles of the constitutional regime of the Russian Federation, morality, health and the rights and lawful interests of citizens, and ensuring the country's defence and the State's security.

  2. 2. The competent authority for the protection of the rights of subjects of personal data shall approve the list of foreign States that are not parties of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data but ensure adequate protection of the rights of subjects of personal data. A foreign State that is not a party of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data may be included in the list of foreign States that ensure adequate protection of the rights of subjects of personal data, if that State ensures that its law complies with the provisions of the Convention and provides appropriate data security guarantees.

  3. 3. Before commencing cross-border transfer of personal data the operator is obliged to assure himself that the foreign State to the territory of which personal data is being transferred ensures adequate protection of the rights of subjects of personal data.

  4. 4. Cross-border transfer of personal data to the territory of States which do not ensure adequate protection of the rights of subjects of personal data may be performed in the following cases:

    1. 1) with the written consent of the subject of personal data;

    2. 2) in the cases provided by international treaties of the Russian Federation;

    3. 3) in the cases provided by Federal Laws, if this is necessary for the purpose of protection of the principles of the constitutional regime of the Russian Federation, ensuring the country's defence and the State's security, as well as the security of stable and safe operation of the transport sector, the interests of the individual, the society and State in the transport industry against acts of unlawful intervention;

    4. 4) for fulfilment of a contract, to which the subject of personal data is a party;

    5. 5) for protection of the life, health or other vital interests of the subject of personal data or of other persons when it is impossible to obtain the written consent of the subject of personal data.

San Marino

Act on Collection, Elaboration and Use of Computerised Personal Data, 1983, as amended by Act No. 70/95 (1995)

Article 4

The transfer abroad of data concerning San Marino fiscal or legal persons is subject to the prior and reasoned authorization of the data protection authority under Article 15.

Senegal

Law No. 2008–12 of 25 January 2008, on the Protection of Personal Data

Article 49

The data controller shall not transfer any personal data abroad unless the foreign country ensures a sufficient level of protection for privacy rights, rights and freedoms of data subjects in relation to the processing of personal data. Before any transfer of personal data to a foreign country, the data controller shall inform the DPA.

Before any process of personal data coming from abroad, the DPA shall ensure that the data controller provides a sufficient level of protection for privacy rights, rights and freedoms of data subjects in relation to the processing of personal data.

The level of protection provided by the data controller shall be assessed in light of security measures which are applied in compliance with the Act, and criteria of the process such as its purposes, duration, nature, origin and destination of data.

Article 50

The data controller may transfer personal data to a foreign country that does not fulfil the requirements mentioned in the article above if the transfer is limited, not substantial and if the data subject gave its express consent to the transfer or if the transfer is justified by one of the following conditions:

  1. 1) protection of data subject's life;

  2. 2) protection of public interest;

  3. 3) compliance with mandatory rules regarding judicial process; or

  4. 4) contractual obligations between the data controller and the data subject.

Article 51

The DPA may authorize, upon request, the transfer of personal data or a group of transfers to a foreign country that does not provide an adequate level of protection if the data controller offers guarantees regarding privacy rights, rights and freedoms of data subjects and their ability to exercise those rights.

Serbia

Law on Personal Data Protection (October 2008)

Article 53

Data can be transferred from the Republic of Serbia to a state party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.

Data may be transferred from the Republic of Serbia to a state that is not a party to the Convention referred to in paragraph 1 of this Article or an international organization if such state or international organization has a regulation or a data transfer agreement in force which provides a level of data protection equivalent to that envisaged by the Convention.

In cases of transborder transfer of data referred to in paragraph 2 of this Article, the Commissioner shall determine whether the requirements are met and safeguards put in place for the transfer of data from the Republic of Serbia and shall authorize such transfer.

South Korea

Personal Information Protection Act, Law 10465 (2011)

Article 17(3)

When a personal information manager provides a third person at any overseas location with personal information, he/she shall notify the subject of information of the matters referred to in each subparagraph or paragraph (2) and obtain the consent thereto, and shall not enter into a contract concerning the trans-border transfer of personal information stipulating any details contravening this Act.

St Lucia

Data Protection Act 2011

Article 28

  1. 1. Subject to subsection (2), a data controller shall not transfer personal data to a country or territory outside Saint Lucia unless—

    1. a. with the written consent of the Commissioner; and

    2. b. that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

  2. 2. Subsection (1)(b) shall not apply where—

    1. a. the data subject has given his or her consent to the transfer;

    2. b. the transfer is necessary—

      • for the performance of a contract between the data subject and the data controller, or for the taking of steps at the request of the data subject with a view to the data subject entering into a contract with the data controller;

      • for the conclusion of a contract between the data controller and a person, other than the data subject, which is entered at the request of the data subject, or is in the interest of the data subject, or for the performance of such a contract;

      • it is in the public interest or section 34 applies;

    3. c. the transfer is made on such terms as may be approved by the Commissioner as ensuring the adequate safeguards for the protection of the rights of the data subject.

  3. 3. For the purposes of subsection (2)(c), the adequacy of the level of safeguards of a country or territory shall be assessed in the light of all the circumstances surrounding the transfer of personal data, having regard in particular to—

    1. a. the nature of the personal data:

    2. b. the purpose and duration of the proposed processing;

    3. c. the country or territory of origin and country of final destination;

    4. d. the rules of law in force in the country or territory in question; and

    5. e. any relevant codes of conduct or other rules and security measures which are complied with in that country or territory.

NOTE: The only official source available for this Act is the Privacy and Data Protection Bill of 17 March 2010, but authoritative sources have confirmed that the Bill was passed in December 2011

Switzerland

Federal Act on Data Protection (19 June 1992) (as amended on 1 January 2008)

Art. 6 Cross-border disclosure

  1. 1. Personal data may not be disclosed abroad if the privacy of the data subjects would be seriously endangered thereby, in particular due to the absence of legislation that guarantees adequate protection.

  2. 2. In the absence of legislation that guarantees adequate protection, personal data may be disclosed abroad only if:

    1. a. sufficient safeguards, in particular contractual clauses, ensure an adequate level of protection abroad;

    2. b. the data subject has consented in the specific case;

    3. c. the processing is directly connected with the conclusion or the performance of a contract and the personal data is that of a contractual party;

    4. d. disclosure is essential in the specific case in order either to safeguard an overriding public interest or for the establishment, exercise or enforcement of legal claims before the courts;

    5. e. disclosure is required in the specific case in order to protect the life or the physical integrity of the data subject;

    6. f. the data subject has made the data generally accessible and has not expressly prohibited its processing;

    7. g. disclosure is made within the same legal person or company or between legal persons or companies that are under the same management, provided those involved are subject to data protection rules that ensure an adequate level of protection.

  3. 3. The Federal Data Protection and Information Commissioner (the Commissioner, Art. 26) must be informed of the safeguards under paragraph 2 letter a and the data protection rules under paragraph 2 letter g. The Federal Council regulates the details of this duty to provide information.

Trinidad & Tobago

Act No. 13/2011 on the Protection of Personal Privacy and Information

Section 72 Cross border disclosure of personal information

  1. (1) Where a mandatory code of conduct is developed pursuant to section 71, it shall require at a minimum that personal information under the custody or control of an organization shall not be disclosed by that organization to any third party without the consent of the individual to whom it relates, except in general, where such information is disclosed for the purposes

    1. (a) for which the information was collected or for use consistent with that purpose;

    2. (b) of a Court Order; or

    3. (c) of complying with any written law.

  2. (2) Where personal information under the custody and control of an organization is to be disclosed to a party residing in another jurisdiction, the organization shall inform the individual to whom it relates of the

    1. (a) purpose for which the information is being collected once that purpose is known to the organisation;

    2. (b) identity of

      • the person requesting the information; and

      • the relevant public body with responsibility for Data Protection in the other jurisdiction, and obtain his consent before disclosing the information.

  3. (3) Where a person under subsection (2) does not consent to the release of his personal information, the organization shall not so disclose.

  4. (4) Where a person under subsection (2) consents to the disclosure of his information and the organization is

    1. (a) satisfied that the jurisdiction to which the information is being sent has comparable safeguards as provided by this Act, the organization shall disclose the personal information;

    2. (b) not satisfied that the jurisdiction to which the information is being sent has comparable safeguards, the organization shall refer the matter to the Commissioner for a determination as to whether the other jurisdiction has comparable safeguards as provided by this Act and inform the individual to whom the personal information relates of the referral.

  5. (5) Upon a referral under subsection (4), the Commissioner shall make a determination whether the other jurisdiction has or does not have comparable safeguards as provided by this Act, and inform the organization accordingly.

  6. (6) Where the organization is informed that the jurisdiction to which the information is being sent

    1. (a) has comparable safeguards, the organization shall inform the person concerned and disclose the personal information; or

    2. (b) does not have comparable safeguards, the organization shall inform the person concerned and obtain his consent for the disclosure

      • without limitation on the personal information; or

      • with limitation on the personal information sharing to the extent necessary to ensure the protection of personal privacy and information.

Tunisia

Law No. 2004–63 of 27 July 2004, on the Protection of Personal Data (2004)

Article 50

The transfer of personal data to a foreign country is prohibited when it may endanger public security or Tunisia's vital interests.

Article 51

The transfer of personal data to a foreign country for the purpose of processing or for the future purpose of processing, is not permitted if the country does not provide an adequate level of protection. The adequate level of protection shall be assessed in light of the nature, purpose for which and period during which the personal data are intended to be processed; where the data shall be transferred to; and the security measures taken to ensure the safety of the personal data. In any case, the transfer of personal data must be carried out in accordance with the provisions of the Act.

Article 52

In any case, the DPA's authorization is required before the transfer of personal data abroad. The DPA shall issue its decision within one month from the date of receipt of the application.

Whenever the personal data to be transferred concerns minors, an application for authorization must be made before a juvenile and family court judge.

Ukraine

Law of Ukraine No. 2297-VI of 1 June 2010 on Protection of Personal Data

Article 29(3)

Transfer of personal data to foreign subjects of relations related to personal data shall be performed on conditions of providing appropriate protection of personal data and with an appropriate permission in cases established by law or international treaty of Ukraine and according to the rules stipulated by national legislation. Personal data shall not be transferred for a purpose other than the purpose for which they have been collected.

Uruguay

Data Protection Act, No. 18.331 (2008)

Article 23 Data transferred internationally

It is prohibited to transfer personal data of any type to countries or international bodies that do not provide adequate levels of protection in accordance with the standards of international or regional law in this regard. The prohibition shall not apply in cases of:

  1. 1) international judicial cooperation, in conformity with the respective international instrument, such as a treaty or a convention, according to the circumstances of the case;

  2. 2) exchange of medical data, when the situation demands that the affected person be treated for reasons of public health or hygiene;

  3. 3) banking or stock-market information transfers, in relation to the respective transactions and in conformity with the legislation applicable to such transfers;

  4. 4) agreements within the framework of international treaties to which the Oriental Republic of Uruguay is party;

  5. 5) international cooperation between intelligence agencies for combating organised crime, terrorism and drug trafficking.

The international transfer of data shall also be permissible in the following circumstances:

  1. A) the interested party has given his/her unequivocal consent to the proposed transfer;

  2. B) the transfer is necessary for the performance of a contract between the interested party and the data controller or for the execution of precontractual measures taken at the request of the interested party;

  3. C) the transfer is necessary for the execution or performance of a contract entered into, or to be entered into, in the interests of the interested party, between the data controller and a third party;

  4. D) the transfer is necessary or legally required for the safeguarding of an important public interest, or for the recognition, exercise or defence of a right in a judicial proceeding;

  5. E) the transfer is necessary for the safeguarding of the vital interest of the interested party.

  6. F) The transfer is made from a register which, by virtue of legal or regulatory provisions, is designed to facilitate the provision of information to the public and is open to consultation by the general public or by any person who can demonstrate a legitimate interest, provided, in each individual case, the conditions established by law for its consultation are satisfied.

Without prejudice to the provisions of the first paragraph of this article, the Unidad Reguladora y de Control de Protección de Datos Personales [Data Protection Authority] may authorise a transfer or a series of transfers of personal data to a third-party country that does not guarantee an adequate level of protection when the data controller offers sufficient guarantees regarding the protection of privacy, fundamental human rights and liberties, and regarding the exercise of the respective rights. These guarantees may derive from appropriate contractual clauses.


C. Other important instruments

Name

Source

Text or translation (excerpts; notes are given in italics)

European Union (voluntary measures)

Binding Corporate Rules: Article 29 Working Party, ‘Working Document setting up a framework for Binding Corporate Rules’ (WP 154, 24 June 2008), at 7

Paraphrase: Binding corporate rules must contain ‘an explanation of the measures in place to restrict transfers and onward transfers outside of the group’, and a commitment that all transfers to external controllers and processors located outside of the EU must respect EU rules on transborder data flows.

Standard Contractual Clauses: Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, [2010] OJ L39/5

Paraphrase: Clause 11: The non-EU data importer must not transfer the data to a sub-processor unless EU-based legal standards are complied with.

Commission Decision 2004/915/EC of 27 December 2004 amending Decision (EC) 2001/497 as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries, [2004] OJ L385/74

Paraphrase: Clause II(h): The non-EU data importer must process the personal data transferred in accordance with EU-based legal standards.

Paraphrase: Clause II(i): The non-EU data importer must not transfer the data to a third party located outside the EEA unless EU-based legal standards are complied with.

Safe Harbor Privacy Principles issued by the US Department of Commerce on 21 July 2000, and recognized as ‘adequate’ under European Commission Decision 2000/520/EC of 26 July 2000, [2000] OJ L215/7

ONWARD TRANSFER To disclose information to a third party, organizations must apply the Notice and Choice Principles. Where an organization wishes to transfer information to a third party that is acting as an agent, as described in the endnote, it may do so if it first either ascertains that the third party subscribes to the Principles or is subject to the Directive or another adequacy finding or enters into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant Principles. If the organization complies with these requirements, it shall not be held responsible (unless the organization agrees otherwise) when a third party to which it transfers such information processes it in a way contrary to any restrictions or representations, unless the organization knew or should have known the third party would process it in such a contrary way and the organization has not taken reasonable steps to prevent or stop such processing.

European Union and Australia

Agreement between the European Union and Australia on the processing and transfer of European Union-sourced passenger name record (PNR) data by air carriers to the Australian Customs Service, [2008] OJ L213/49

Article 3

Compliance with this Agreement by Customs shall, within the meaning of relevant EU data-protection law, constitute an adequate level of protection for EU-sourced PNR data transferred to Customs for the purpose of this Agreement.

European Union and United States

Agreement between the United States of America and the European Union on the use and transfer of passenger name records to the United States Department of Homeland Security, [2012] OJ L215/5

Article 19

In consideration of this Agreement and its implementation, DHS shall be deemed to provide, within the meaning of relevant EU data protection law, an adequate level of protection for PNR processing and use. In this respect, carriers which have provided PNR to DHS in compliance with this Agreement shall be deemed to have complied with applicable legal requirements in the EU related to the transfer of such data from the EU to the United States.

Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program, [2010] OJ L8/11

Paraphrase: see Article 5, providing protections to personal data transferred from the EU to the US for the purposes of the Terrorist Finance Tracking Program.

Reports by the High Level Contact Group (HLCG) on information sharing and privacy and personal data protection (23 November 2009), 〈http://register.consilium.europa.eu/pdf/en/09/st15/st15851.en09.pdf〉

Principle 12

Where personal information is transmitted or made available by a competent authority of the sending country or by private parties in accordance with the domestic law of the sending country to a competent authority of the receiving country, the competent authority of the receiving country may only authorise or carry out an onward transfer of this information to a competent authority of a third country if permitted under its domestic law and in accordance with existing applicable international agreements and international arrangements between the sending and receiving country. In the absence of such international agreements and international arrangements, such transfers should moreover support legitimate public interests consisting of: national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences, breaches of ethics of regulated professions, or the protection of the data subject. In all cases transfers should be fully consistent with these common principles, especially the limitation/purpose specification.

Infocomm Development Authority of Singapore (IDA) and the National Trust Council of Singapore (NTC)

Voluntary Model Data Protection Code for the Private Sector (Version 1.3 final)

Principle 4.1.1

Where data are to be transferred to someone (other than the individual or the organisation or its employees), the organisation shall take reasonable steps to ensure that the data which is to be transferred will not be processed inconsistently with this Model Code.

NOTE: The Implementation and Operational Guidelines to the provision explain that ‘the restrictions on the onward transfers of personal data under this principle apply to transfers to another organisation whether the organisation is located in Singapore or not’

Madrid Resolution

International Standards on the Protection of Personal Data and Privacy (non-binding)

15 International Transfers

  1. As a general rule, international transfers of personal data may be carried out when the State to which such data are transmitted affords, as a minimum, the level of protection provided for in this Document.

  2. It will be possible to carry out international transfers of personal data to States that do not afford the level of protection provided for in this document where those who expect to transmit such data guarantee that the recipient will afford such level of protection; such guarantee may for example result from appropriate contractual clauses. In particular, where the transfer is carried out within corporations or multinational groups, such guarantees may be contained in internal privacy rules, compliance with which is mandatory.

  3. Moreover, national legislation applicable to those who expect to transmit data may permit an international transfer of personal data to States that do not afford the level of protection provided for in this Document, where necessary and in the interest of the data subject in the framework of a contractual relationship, to protect the vital interests of the data subject or of another person, or when legally required on important public interest grounds.

Applicable national legislation may confer powers on the supervisory authorities referred to in section 23 to authorize some or all of the international transfers falling within their jurisdiction, before they are carried out. In any case, those who expect to carry out an international transfer of personal data should be capable of demonstrating that the transfer complies with the guarantees provided for in this Document and in particular where required by the supervisory authorities pursuant to the powers laid down in paragraph 23.2.

Treasury Board of Canada

Taking Privacy into Account before Making Contracting Decisions (2006)

Guidance which requires public bodies when contracting (including situations when this will result in personal data being transferred outside of Canada) to apply a context-specific test regarding the risk to privacy, under which agencies are to evaluate the following factors:

  • the sensitivity of the personal information, including whether the information is detailed or highly personal, and the context in which it was collected;

  • the expectations of the individuals to whom the personal information relates; and

  • the potential injury if personal information is wrongfully disclosed or misused, including the potential for identity theft or access by foreign governments.


D. Data protection and privacy legislation not yet fully in force

Country

Source and Status

Text or translation (excerpts; notes are given in italics)

Barbados

Data Protection Act—draft bill, still in the legislative process

Section 4(2)(h) Eighth Principle

(2) The data protection principles referred to under subsection (1) are as follows:…

(h) Eighth Principle: personal data shall not be transferred to a country or territory outside Barbados unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Hong Kong (Special Administrative Region of the People's Republic of China)

Personal Data (Privacy) Ordinance (Chapter 486)—the Ordinance is in force, but Section 33 on transborder data flows is not

Section 33 Prohibition against transfer of personal data to place outside Hong Kong except in specified circumstances

  (1) This section shall not apply to personal data other than personal data the collection, holding, processing or use of which—

    (a) takes place in Hong Kong; or

    (b) is controlled by a data user whose principal place of business is in Hong Kong.

  (2) A data user shall not transfer personal data to a place outside Hong Kong unless—

    (a) the place is specified for the purposes of this section in a notice under subsection (3);

    (b) the user has reasonable grounds for believing that there is in force in that place any law which is substantially similar to, or serves the same purposes as, this Ordinance;

    (c) the data subject has consented in writing to the transfer;

    (d) the user has reasonable grounds for believing that, in all the circumstances of the case—

      • the transfer is for the avoidance or mitigation of adverse action against the data subject;

      • it is not practicable to obtain the consent in writing of the data subject to that transfer; and

      • if it was practicable to obtain such consent, the data subject would give it;

    (e) the data are exempt from data protection principle 3 by virtue of an exemption under Part VIII; or

    (f) the user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in that place, be collected, held, processed or used in any manner which, if that place were Hong Kong, would be a contravention of a requirement under this Ordinance.

  (3) Where the Commissioner has reasonable grounds for believing that there is in force in a place outside Hong Kong any law which is substantially similar to, or serves the same purposes as, this Ordinance, he may, by notice in the Gazette, specify that place for the purposes of this section.

  (4) Where the Commissioner has reasonable grounds for believing that in a place specified in a notice under subsection (3) there is no longer in force any law which is substantially similar to, or serves the same purposes as, this Ordinance, he shall, either by repealing or amending that notice, cause that place to cease to be specified for the purposes of this section….

Malaysia

Personal Data Protection Bill (2010)—enacted by royal assent on 2 June 2010, but not yet in force

Transfer of personal data to places outside Malaysia

129.

  (1) A data user shall not transfer any personal data of a data subject to a place outside Malaysia unless to such place as specified by the Minister, upon the recommendation of the Commissioner, by notification published in the Gazette.

  (2) For the purposes of subsection (1), the Minister may specify any place outside Malaysia if—

    (a) there is in that place in force any law which is substantially similar to this Act, or that serves the same purposes as this Act; or

    (b) that place ensures an adequate level of protection in relation to the processing of personal data which is at least equivalent to the level of protection afforded by this Act.

  (3) Notwithstanding subsection (1), a data user may transfer any personal data to a place outside Malaysia if—

    (a) the data subject has given his consent to the transfer;

    (b) the transfer is necessary for the performance of a contract between the data subject and the data user;

    (c) the transfer is necessary for the conclusion or performance of a contract between the data user and a third party which—

      (i) is entered into at the request of the data subject; or

      (ii) is in the interests of the data subject;

    (d) the transfer is for the purpose of any legal proceedings or for the purpose of obtaining legal advice or for establishing, exercising or defending legal rights;

    (e) the data user has reasonable grounds for believing that in all circumstances of the case—

      (i) the transfer is for the avoidance or mitigation of adverse action against the data subject;

      (ii) it is not practicable to obtain the consent in writing of the data subject to that transfer; and

      (iii) if it was practicable to obtain such consent, the data subject would have given his consent;

    (f) the data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not in that place be processed in any manner which, if that place is Malaysia, would be a contravention of this Act;

    (g) the transfer is necessary in order to protect the vital interests of the data subject; or

    (h) the transfer is necessary as being in the public interest in circumstances as determined by the Minister.

  (4) Where the Commissioner has reasonable grounds for believing that in a place as specified under subsection (1) there is no longer in force any law which is substantially similar to this Act, or that serves the same purposes as this Act—

    (a) the Commissioner shall make such recommendations to the Minister who shall, either by cancelling or amending the notification made under subsection (1), cause that place to cease to be a place to which personal data may be transferred under this section; and

    (b) the data user shall cease to transfer any personal data of a data subject to such place with effect from the time as specified by the Minister in the notification.

  (5) A data user who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding three hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.

  (6) For the purposes of this section, ‘adverse action’, in relation to a data subject, means any action that may adversely affect the data subject's rights, benefits, privileges, obligations or interests.

Singapore

Personal Data Protection Bill (Bill No 24/2012)—still in the legislative process

Transfer of Personal Data outside Singapore

26.—

  (1) An organization shall not transfer any personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under this Act to ensure that the organisations provide a standard of protection to personal data so transferred that is comparable to the protection under this Act.

  (2) The Commission may, under the application of any organization, by notice in writing exempt the organization from any requirement prescribed pursuant to subsection (1) in respect of any transfer of personal data by that organization.

  (3) An exemption under subsection (2)—

    (a) may be granted subject to such conditions as the Commission may specify in writing; and

    (b) need not be published in the Gazette and may be revoked at any time by the Commission.

  (4) The Commission may at any time add to, vary or revoke any condition imposed under this section.

South Africa

Protection of Personal Information Bill (2012)—still in the legislative process

Chapter 9, Clause 72 Transfers of personal information outside Republic

72.

  (1) A responsible party in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country unless—

    (a) the third party who is the recipient of the information is subject to a law, binding corporate rules, binding agreement or a memorandum of understanding entered into between two or more public bodies, which provide an adequate level of protection that—

      (i) effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and

      (ii) includes provisions, that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country;

    (b) the data subject consents to the transfer;

    (c) the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject's request;

    (d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or

    (e) the transfer is for the benefit of the data subject, and—

      (i) it is not reasonably practicable to obtain the consent of the data subject to that transfer; and

      (ii) if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.

  (2) Where the transfer of personal information, as referred to in subsection (1), is made in terms of a non-binding memorandum of understanding the public body remains accountable for purposes of this Act for the protection of the personal information.

  (3) For the purpose of this section—

    (a) ‘accountable’ means that where the recipient of the information, who is a party to a non-binding memorandum of understanding, processes the personal information of a data subject in a manner that would have constituted an interference with the privacy of the data subject in terms of this Act had the information been processed in the Republic, the processing will be regarded as an interference with the privacy of the data subject in terms of this Act and will be regarded as having been processed by the responsible party;

    (b) ‘binding corporate rules’ means personal information processing policies, within a group of undertakings, which are adhered to by a responsible party or operator within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country; and

    (c) ‘group of undertakings’ means a controlling undertaking and its controlled undertakings.
