I got a great question from a business friend of mine, and I wanted to provide my answer here, too, because it is something all multi-national organizations need to think about. Eric Nelson, who heads Secure Privacy Solutions asked, “If a company collects and manages PII from another country, e.g., India or the U.S., and transfers that PII to the E.U. for some type of processing or storage or even just transit, does the E.U. Data Directive apply once that PII leaves a country within the E.U.?”
First the disclaimer (that you know well)…I am not a lawyer so this should not be interpreted as legal advice. Always speak to your organization’s legal counsel to make any type of decision regarding legal compliance! However, do as much research, and take your legal counsel as much information, as possible about the topic…do not assume a lawyer will intimately know every detail of every law; that would be impossible for anyone.
My understanding of the EU Data Protection Directive 95/46/EC is that it applies to ANY time that ANY PII travels over any of the 27 EU countries’ borders.
An important portion of the Directive related to this question is found under Article 3 (Scope) and Chapter IV (transfer to third countries).
First consider the definition of “personal data” under the Directive: “(a) ‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;”
This definition does not indicate that the applicable individual has to be a citizen of one of the EU countires. It simply defines the characteristics of personal data.
Next consider the scope:
Article 3
Scope
1. This Directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.
2. This Directive shall not apply to the processing of personal data:
– in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law,
– by a natural person in the course of a purely personal or household activity.
This scope does not explicitly limit the personal data to the EU country citizens, either. Item 2 may be a point that lawyers could debate.
Then consider that transfer to other countries can only occur if the other country 1) is considered to have appropriate safeguards in place (the U.S. and India are not considered as such); or if 2) the organization has made arrangements and provided acceptable assurances (e.g., contractual, Safe Harbor, BRC, etc.) that the personal data will be protected.
I also could not find anything within the Directive that limited the protection to only citizens of EU countries.
With these key points in mind, I would say that, yes, the EU Data Protection Directive applies to any personal data when it flows over any EU country borders. However, I’ve never heard of any situations where this particular scenario was challenged or made into a formal case by the EU. Perhaps if a privacy breach occurs involving this type of data the Directive would come into play.
Also, it is important to keep in mind that there may be some specific restrictions within some of the 27 EU country laws related to this question and impacting the answer depending upon the country you are considering.
This is a great question for all organizations who do PII sharing around the world to consider! If you believe otherwise, or if you hear differently from anyone, please let me know!
Tags: awareness and training, cross border data flow, EU Data Protection Directive, Information Security, IT compliance, IT training, personal information, personally identifiable information, PII, policies and procedures, privacy training, risk management, security training