In this global economy it is important for you to know, understand and follow the data protection laws in all the countries where you have offices, have customers, store personally identifiable information (PII) and from where PII is accessed. Each country has nuances within their laws that could create quite a big obstacle if you are doing business there and find you must suddenly stop because you are out of compliance with their data protection laws.
Do you have offices, employees, customers, business partners, or are otherwise associated via PII, in Spain? If so you need to know about a new report issued July 18 from the Spanish Data Protection Agency (AEPD), “Report on International Data Transfers.”
I find these type of reports very interesting and revealing. You should too, particularly as they relate to data transfer activities that your organization is doing.
Most organizations have not really considered or addressed international PII data transfer issues. However, it is important to know, understand and take actions to be in compliance with applicable laws and regulations.
The report describes the regulatory framework organizations must follow for making international transfers of PII. The report also explains the process for requesting AEPD authorization of data transfers to countries whose data protection practices are considered as being inadequate.
Yes, the U.S. is on that inadequate list.
This regulatory framework process supports Article 33 and Articl 34 of Spain’s data protection law, Organic Law 15/1999.
Article 33 generally allows data transfers of PII only to countries with levels of protection considered to be comparable to those provided in Spain.
Article 34 lists 11 exceptions to the general rule, meaning data transfers may be able to be approved despite of the receiving country being considered as having inadequate data protection. These exceptions fall under the following high-level topics:
* Transfers resulting from treaties or agreements
* Judicial requests
* Medical necessity
* Data subject authorization
* Transfers made in the public interest
It is interesting to note that the report provides statistics about data transfer requests that were approved by the agency through July 1, 2007. The AEPD had knowledge of:
* 8,483 data transfers in 2007
* 8,311 data transfers in 2006.
* 2,614 data transfers in 2002
Yes, the trend is upward.
PII data transfers were overwhelmingly made to countries in the European Economic Area, as well as to countries and territories labeled as having adequate data protection laws, such as Switzerland, Argentina, Guernsey and the Isle of Man.
Some data transfers were also approved to specific organizations that were determined by the AEPD to be following Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), as well as to some U.S. organizations within the U.S. Commerce Department’s Safe Harbor program.
Some other interesting statistics…
The AEPD received special requests to authorize 236 data transfers under the exceptions outlined in Article 34 from 2000 – 2007.
* 87 of these exceptional transfers were made to the United States
* 15 exceptional transfers were to Chile
* 7 exceptional transfers to Morocco
* 7 exceptional transfers to India
* 7 exceptional transfers to Colombia
* 7 exceptional transfers to Peru
* The rest basically 1 or 2 transfers to other countries
What were some of the reasons for the PII data transfers?
* Management, maintenance and technical support of computer systems
* Management of human resources, customers and suppliers PII
* Administrative help involving PII
* Telecommunications companies for their customer service call centers (22% of the data transfers where to Latin America)
The report indicated the AEPD had a concern particularly for the customer service PII data transfers.
58% of data transfer authorizations were made for multinational organizations with headquarters outside Spain.
Discuss Law 15/1999 with your legal counsel to determine how this impacts your company.
Tags: AEPD, awareness and training, data protection, government, Information Security, international data transfer, IT compliance, Organic Law 15/1999, personal privacy, PII, policies and procedures, privacy, Report on International Data Transfers, Spain