Dear rich80,
The EU directives that bear directly on data privacy are 95/46/EC and
2002/58/EC. Since the UK is an EU member, you should already be complying
with these directives in your domestic operations.
European Union: Directive 95/46/EC: Article 1
http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&numdoc=31995L0046&model=guichett&lg=en
European Union: Directive 2002/58/EC: Article 1
http://europa.eu.int/eur-lex/lex/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:HTML
In particular, Article 8 of 95/46/EC forbids you to collect and store
certain kinds of personal data.
1. Member States shall prohibit the processing of personal
data revealing racial or ethnic origin, political opinions,
religious or philosophical beliefs, trade-union membership,
and the processing of data concerning health or sex life.
Directive 95/46/EC: Article 8
There are, however, a number of exceptions to this law. You may deal with
the above kinds of data if the subject gives consent, if the subject
makes such data public, or if it is necessary for you to do so in the
course of making a legal claim. Several other, more esoteric exceptions
are also listed.
2. Paragraph 1 shall not apply where:
(a) the data subject has given his explicit consent to the
processing of those data, except where the laws of the Member
State provide that the prohibition referred to in paragraph 1
may not be lifted by the data subject's giving his consent; or
(b) processing is necessary for the purposes of carrying out the
obligations and specific rights of the controller in the field
of employment law in so far as it is authorized by national law
providing for adequate safeguards; or
(c) processing is necessary to protect the vital interests of
the data subject or of another person where the data subject is
physically or legally incapable of giving his consent; or
(d) processing is carried out in the course of its legitimate
activities with appropriate guarantees by a foundation,
association or any other non-profit-seeking body with a political,
philosophical, religious or trade-union aim and on condition that
the processing relates solely to the members of the body or to
persons who have regular contact with it in connection with its
purposes and that the data are not disclosed to a third party
without the consent of the data subjects; or
(e) the processing relates to data which are manifestly made
public by the data subject or is necessary for the establishment,
exercise or defence of legal claims.
Directive 95/46/EC: Article 8
The more recent directive, 2002/58/EC, does not alter the terms of the
earlier one, but affirms them and spells out the ways in which companies
must safeguard their customers' data. Those types of data that are
considered to form part of a customer's private life may not be stored
without explicit permission. They may, however, be collected and used for
the purpose of conducting a transaction or effecting payment. Once the
transaction has ended, for example by the termination of a phone call,
you must immediately delete all of the private data thus collected.
(26) The data relating to subscribers processed within
electronic communications networks to establish connections
and to transmit information contain information on the private
life of natural persons and concern the right to respect for
their correspondence or concern the legitimate interests of
legal persons. Such data may only be stored to the extent that
is necessary for the provision of the service for the purpose
of billing and for interconnection payments, and for a limited
time. Any further processing of such data which the provider of
the publicly available electronic communications services may
want to perform, for the marketing of electronic communications
services or for the provision of value added services, may
only be allowed if the subscriber has agreed to this on the
basis of accurate and full information given by the provider
of the publicly available electronic communications services
about the types of further processing it intends to perform and
about the subscriber's right not to give or to withdraw his/her
consent to such processing. Traffic data used for marketing
communications services or for the provision of value added
services should also be erased or made anonymous after the
provision of the service. Service providers should always keep
subscribers informed of the types of data they are processing
and the purposes and duration for which this is done.
(27) The exact moment of the completion of the transmission
of a communication, after which traffic data should be erased
except for billing purposes, may depend on the type of electronic
communications service that is provided. For instance for a voice
telephony call the transmission will be completed as soon as
either of the users terminates the connection. For electronic mail
the transmission is completed as soon as the addressee collects
the message, typically from the server of his service provider.
Directive 2002/58/EC
As for transferring data between countries, you won't have any trouble
as long as the transfer takes place between EU member countries. Article
1 of 95/46/EC makes this clear in paragraph 2.
1. In accordance with this Directive, Member States shall protect
the fundamental rights and freedoms of natural persons, and in
particular their right to privacy with respect to the processing
of personal data.
2. Member States shall neither restrict nor prohibit the free
flow of personal data between Member States for reasons connected
with the protection afforded under paragraph 1.
EU: Directive 95/46/EC: Article 1
So there are no restrictions on the flow of personal data between member
countries, but the flow of data to non-member countries is very much
a subject of scrutiny. Such transmissions are referred to in the EU
legislation as "transfer to a third country". Article 25 of 95/46/EC
requires that the third country ensure "an adequate level of protection".
1. The Member States shall provide that the transfer to a third
country of personal data which are undergoing processing or are
intended for processing after transfer may take place only if,
without prejudice to compliance with the national provisions
adopted pursuant to the other provisions of this Directive,
the third country in question ensures an adequate level of
protection. [...]
EU: Directive 95/46/EC: Article 25
And what constitutes an adequate level of protection? There is no hard and
fast ruling on this. It is up to the European Commission to decide which
countries afford adequate protection to what kinds of personal data. So
far, Switzerland, Canada, and Argentina have won blanket approval from
the Commission. India has not been approved at all.
The Council and the European Parliament have given the Commission
the power to determine, on the basis of Article 25(6) of directive
95/46/EC whether a third country ensures an adequate level of
protection by reason of its domestic law or of the international
commitments it has entered into. The adoption of a (comitology)
Commission decision based on Article 25.6 of the Directive
involves:
* A proposal from the Commission,
* an opinion of the group of the national data protection
commissioners (Article 29 working party)
* An opinion of the Article 31 Management committee delivered
by a qualified majority of Member States.
* A thirty-day right of scrutiny for the European Parliament,
to check if the Commission has used its executing powers
correctly. The EP may, if it considers it appropriate, issue
a recommendation.
* The adoption of the decision by the College of Commissioners.
The effect of such a decision is that personal data can flow from
the 25 EU member states and three EEA member countries (Norway,
Liechtenstein and Iceland) to that third country without any
further safeguard being necessary. The Commission has so far
recognized Switzerland, Canada, Argentina, Guernsey, Isle of Man,
the US Department of Commerce's Safe harbor Privacy Principles,
and the transfer of Air Passenger Name Record to the United
States' Bureau of Customs and Border Protection as providing
adequate protection.
EU: Commission decisions on the adequacy of the protection of personal
data in third countries
http://europa.eu.int/comm/internal_market/privacy/adequacy_en.htm
As with Article 8, however, the legislation spells out a number of
provisions under which you may indeed transfer personal data outside
the EU. These are similar to the exceptions laid out for the collection
of racial, religious, and political data. If the customer has given his
permission, or if the transfer is necessary to carry out a contract with
the customer or to make a legal claim, you are on safe ground.
1. By way of derogation from Article 25 and save where otherwise
provided by domestic law governing particular cases, Member
States shall provide that a transfer or a set of transfers
of personal data to a third country which does not ensure an
adequate level of protection within the meaning of Article 25
(2) may take place on condition that:
(a) the data subject has given his consent unambiguously to the
proposed transfer; or
(b) the transfer is necessary for the performance of a contract
between the data subject and the controller or the implementation
of precontractual measures taken in response to the data subject's
request; or
(c) the transfer is necessary for the conclusion or performance
of a contract concluded in the interest of the data subject
between the controller and a third party; or
(d) the transfer is necessary or legally required on important
public interest grounds, or for the establishment, exercise or
defence of legal claims; or
(e) the transfer is necessary in order to protect the vital
interests of the data subject; or
(f) the transfer is made from a register which according to
laws or regulations is intended to provide information to the
public and which is open to consultation either by the public
in general or by any person who can demonstrate legitimate
interest, to the extent that the conditions laid down in law
for consultation are fulfilled in the particular case.
EU: Directive 95/46/EC: Article 25
Unless you qualify under one of the above provisions, India is
currently not a good choice of destination for the transfer of personal
data. Although Indian government and industry are fully cognizant of
the EU directives and are taking steps to institute better controls,
they have not yet been granted EU approval or even the imprimatur of
any American agency. Legal privacy protections in the U.S. are so far
below those of the EU that India will have a great deal of work left to
do even after it has met American standards.
After rushing to shift telemarketing and back-office work to India
in recent years to tap low wages, U.S. and European companies
are under growing pressure from regulators and legislators
to guarantee the privacy of their customers' financial and
health-care data. India's $3.6 billion business-process services
industry is eager to defuse the issue. [...]
India's IT industry is addressing those vulnerabilities. Nasscom
is working with the government to bring India's data-privacy laws
more in line with the U.S. And it intends to have the security
practices of all its 860 members audited by international
accounting firms.
Business Week: Outsourcing: Fortress India?
http://www.businessweek.com/magazine/content/04_33/b3896073.htm
Finally, you ask about Eastern Europe. The trouble is that the Eastern
European countries with the most advanced business environments tend to
be EU members or EU applicants already, so the same laws will apply as
for Western Europe. Eastern countries already in the EU are as follows.
Estonia
Latvia
Lithuania
Czech Republic
Hungary
Poland
Slovakia
Slovenia
It is expected that these will eventually be joined by the following
applicant nations.
Bulgaria
Croatia
Romania
The remainder, which are neither EU members nor applicants, are the
following.
Belarus
Russia
Ukraine
Moldova
Albania
Bosnia and Herzegovina
Macedonia
Serbia and Montenegro
If you do want to set up a call center in, say, Albania or Russia,
you will have to meet the same standards in transmitting data from
the EU to those destinations as you would in the case of India. Again,
you may be able to take advantage of the exceptions enumerated above,
or to avoid such transmissions entirely by pursuing self-contained
operations outside the EU. For example, if your Indian or Russian call
center collects personal data under the loose or nonexistent data-privacy
laws of those countries, they will not fall under the purview of EU law
as long as you make no attempt to use that data inside the EU.
Regards,
leapinglizard