If a living individual (“data subject”) suffers damage or distress by reason of a contravention in the United Kingdom of any of the requirements of the Data Protection Act 1998, he or she can bring proceedings in the civil courts against the person holding or processing data that relates to him or her (“data controller”) for compensation under s.13 or for an order for the rectification, blocking, erasure or destruction of the data under s.14 of the Act. Similar remedies are available under the data protection laws of other EU and EFTA member states.
It is not so easy to obtain redress if the damage or distress is occasioned by a data controller in the United States as there is no comparable data protection legislation in that country. For that reason, art 25 of the Data Protection Directive (Directive 95/46/EC) requires member states to ensure an adequate level of protection before personal data are transferred to the United States. There are two ways of doing that:
- The data importing organization can contract with the data exporting organization to provide such protection. A model contract to that effect is annexed to Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC.
- Alternatively, a company or other organization in the United States that wishes to import personal data can subscribe to the “Safe Harbor” principles. These are guidelines for processing personal data that have been issued by the United States Department of Commerce together with a set of Frequently Asked Questions. By a Decision dated 26 July 2000, the Commission decided that the Safe Harbor Principles provide an adequate level of protection for personal data.
The Safe Harbor principles require:
“(a) readily available and affordable independent recourse mechanisms so that each individual’s complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide;
(b) procedures for verifying that the commitments companies make to adhere to the safe harbor principles have been implemented; and
(c) obligations to remedy problems arising out of a failure to comply with the principles.
Sanctions must be sufficiently rigorous to ensure compliance by the organization.”
This requirement is amplified by the “FAQ on Enforcement and Dispute Resolution”.
NIPC Arbitration has been invited by two US companies to provide dispute resolution services in accordance with the Safe Harbor principles and has received enquiries from several more. An overview of the service is available here and advice on how to use the service is here. The service is modelled on the Uniform Domain Name Dispute Resolution Policy and all the neutrals are members of the WIPO Arbitration and Mediation Centre’s domain name dispute resolution panel. The arbitrator’s fee of £500 will be divided equally between the parties.
For more information, call 0800 962 0055 or complete my contact form.