Citation and commencement

1.  This Order may be cited as the Data Protection (International Co-operation) Order 2000 and shall come into force on 1st March 2000.

Interpretation

2.  In this Order:

“the Act” means the Data Protection Act 1998;

“supervisory authority” means a supervisory authority in an EEA State other than the United Kingdom for the purposes of the Data Protection Directive;

“transfer” means a transfer of personal data to a country or territory outside the European Economic Area.

Information relating to adequacy

3.—(1) Subject to paragraph (2), this article applies in any case where the Commissioner is satisfied that any transfer or proposed transfer by a data controller has involved or would involve a contravention of the eighth principle.

(2) In cases where an enforcement notice has been served in respect of a contravention of the eighth principle, this article shall not apply unless—

(a)the period within which an appeal can be brought under section 48(1) of the Act has expired without an appeal being brought; or

(b)where an appeal has been brought under section 48(1), either—

(i)the decision of the Tribunal is to the effect that there has been a breach of that eighth principle, or

(ii)where any decision of the Tribunal is to the effect that there has not been a breach of that eighth principle, the Commissioner has appealed successfully against that finding.

(3) In cases to which this article applies, the Commissioner shall inform the European Commission and the supervisory authorities of the reasons why he is satisfied that any transfer or proposed transfer has involved or would involve a contravention of the eighth principle.

(4) In this article, “the eighth principle” means the eighth principle set out in paragraph 8 of Part I of Schedule 1 to the Act, having regard to paragraphs 13, 14 and 15 of Part II of that Schedule.

Objections to authorisations

4.—(1) This article applies where—

(a)a transfer has been authorised by another Member State in purported compliance with Article 26(2) of the Data Protection Directive, and

(b)the Commissioner is satisfied that such authorisation is not in compliance with that Article.

(2) The Commissioner may inform the European Commission of the particulars of the authorisation together with the reasons for his view that the authorisation is not in compliance with Article 26(2) of the Directive.

Requests from supervisory authorities in relation to certain data controllers

5.—(1) This article applies in any case where a data controller is processing data in the United Kingdom—

(a)in circumstances other than those described in section 5(1) of the Act, and

(b)within the scope of the functions of a supervisory authority in another EEA State.

(2) The Commissioner may, at the request of a supervisory authority referred to in paragraph (1)(b), exercise his functions under Part V of the Act in relation to the processing referred to in paragraph (1) as if the data controller were processing those data in the circumstances described in section 5(1)(a) of the Act.

(3) Where the Commissioner has received a request from a supervisory authority under paragraph (2), he shall—

(a)in any case where he decides to exercise his functions under Part V of the Act, send to the supervisory authority as soon as reasonably practicable after exercising those functions such statement of the extent of the action that he has taken as he thinks fit; and

(b)in any case where he decides not to exercise those functions, send to the supervisory authority as soon as reasonably practicable after making the decision the reasons for that decision.

Requests by Commissioner in relation to certain data controllers

6.—(1) This article applies in any case where a data controller is processing data in another EEA State in circumstances described in section 5(1) of the Act.

(2) The Commissioner may request the supervisory authority of the EEA State referred to in paragraph (1) to exercise the functions conferred on it by that EEA State pursuant to Article 28(3) of the Data Protection Directive in relation to the processing in question.

(3) Any request made under paragraph (2) must specify—

(a)the name and address in the EEA State, in so far as they are known by the Commissioner, of the data controller; and

(b)such details of the circumstances of the case as the Commissioner thinks fit to enable the supervisory authority to exercise those functions.

General exchange of information

7.  The Commissioner may supply to the European Commission or any supervisory authority information to the extent to which, in the opinion of the Commissioner, the supply of that information is necessary for the performance of the data protection functions of the recipient.

Explanatory Note

(This note is not part of the Order)

Section 54(3) of the Data Protection Act 1998 provides that the Secretary of State may by Order make provision as to co-operation between the Data Protection Commissioner, the European Commission and other supervisory authorities in EEA States.

Article 3(3) of this Order obliges the Commissioner to give to the European Commission and supervisory authorities his reasons for being satisfied that a transfer or proposed transfer has involved or would involve a transfer to a country or territory outside the EEA which has inadequate protection for the rights and freedoms of data subjects in relation to the processing of personal data. Such a transfer would be a breach of the eighth data protection principle in Part I of Schedule 1 to the 1998 Act. Where another Member State or its supervisory authority has authorised a transfer to such a third country or territory, article 4 allows the Commissioner to inform the European Commission.

Article 5 of the Order extends the enforcement powers of the Commissioner under Part V of the Act so that they can be exercised in relation to certain data controllers who are processing data in the United Kingdom but to whom the Act does not apply by virtue of section 5 of the Act (which relates to jurisdiction). The powers can only be exercised by the Commissioner following a request from the supervisory authority of the EEA State the laws of which apply to the data controller. Article 6 allows the Commissioner to make similar requests for assistance where a data controller within the scope of the Commissioner’s functions is processing data in another EEA State.

Article 7 permits the Commissioner to supply other information to the European Commission or supervisory authorities where that information is necessary for the discharge of their data protection functions.

This Order contributes to the implementation of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

A Regulatory Impact Assessment was prepared for the Data Protection Bill as it was then and the statutory instruments to be made under it, and was placed in the libraries of both Houses of Parliament. The Regulatory Impact Assessment is now available on the internet at www.homeoffice.gov.uk. Alternatively, copies can be obtained by post from the Home Office, LGDP Unit, 50 Queen Anne’s Gate, London SW1H 9AT.