Can I transfer personal data out of Europe if I have the person’s consent?

Written on 4 Feb 2016

Businesses that collect personal data about their European customers (and to which the European data protection regime applies) tend to be aware that certain legal hurdles must be overcome before they can transfer that data outside the European Economic Area (“EEA”). That might, for example, include US businesses that wish to store the data on their own local IT systems, or organizations wishing to transfer data to a third party service provider whose servers are located outside the EEA.

Transferring data outside the EU

In the EU, there’s a general prohibition on transferring personal data outside the EEA unless the recipient country ensures an “adequate level of protection” for the data. No such adequacy exists in relation to the US, and much has already been written about the recent declaration of invalidity of the Safe Harbor framework, although it looks as though this will soon be replaced with the EU-US Privacy Shield. However, there are several exemptions from this principle, which allow data to be transferred even though there is no adequate protection. 

The consent exemption

One such exemption allows businesses to transfer personal data overseas if the data subject (i.e. the individual(s) that the personal data is about) consents. Many organizations seek consent by providing a clear notice to customers setting out their intentions with regard to personal data, typically in the form of a privacy policy. Customers are then asked to agree to the terms of that notice, e.g. via an opt-in tick box. 

Sounds like a great get-out, right? Maybe, but just how easy is it to rely on? 

Relying on the consent exemption

  • Best practice suggests that businesses should always try to establish adequate protection in relation to personal data, even where relying on the “consent” exemption. 
  • Consent needs to be freely given, specific and informed. That means you should be able to provide evidence of the consent, and evidence that the data subject was fully informed of the circumstances surrounding the data transfer (including the countries to which their data will be sent). It is not always clear whether consent has been “freely” given and, unless it is certain that individuals have read the applicable privacy policy, consent may not be “informed”. 
  • Data subjects must be able to object to the data transfer without penalty and must be able to withdraw consent if they subsequently change their mind. 
  • There are other specific legal principles that apply to the transfer of personal data, e.g. in relation to the retention of data and the purposes for which it is used, and these will still need to be taken into account. 
  • The rules on obtaining consent are different across the various European jurisdictions. Germany has stricter requirements than the UK, for example, so local laws must be taken into account. 
  • For many businesses, particularly those with a large customer base or those that process huge data sets, obtaining individual consent from every data subject is simply not practicable. 

For these reasons, obtaining individual consent might not be quite such a good solution as it first appears. The European data protection working party itself says that “relying on consent may…prove to be a ‘false good solution’, simple at first glance but in reality complex and cumbersome”. That’s not to say that it can’t be done, but it will typically be easier to use one of the other existing data transfer solutions, such as EC-approved Model Clauses. 

Impact of the European General Data Protection Regulation on the consent exemption

It’s worth mentioning that the new European General Data Protection Regulation, expected to be adopted in early 2016 and to become effective two years later, will provide a strengthened and harmonized approach to consent. The position may not change a great deal where an organization relies on consent as the basis for processing data, but businesses will need to be aware of the higher standard of consent, and the additional obligations relating to consent, that will apply once the new legislation is implemented.