Data Protection and Offshore Outsourcing: Did he or didn’t he?

April 30, 2005

In most cases the Data Protection Act 1998 (and the data protection directive, 95/46/EC) demands that any ‘data controller’ responsible for processing ‘personal data’ (ie data that relates to an individual) must obtain that person’s prior consent before processing begins. So, does the Act define ‘consent’? Not a word.

In the special case of ‘sensitive personal data’ (ie particularly private and/or sensitive information) the law requires that consent be ‘explicit’. So does this mean that inexplicit consent – ie the type that is required, one presumes, for the processing of non-sensitive personal data – requires only a nod and a wink? The law is again silent.

Did he mean this? Or that?

The problems caused by this selective silence are many and varied. For a start, and importantly in the context of outsourcing arrangements, it is fair to ask what this undefined concept of ‘consent’ covers? Does an individual give consent only to the processing of his/her personal data for certain purposes? Or does the consent also extend to the manner in which the data are processed?

If, for example, a prospective insurance customer ticks the data protection box on his application form, and thereby consents to the processing of his or her personal data for the purpose of taking out an insurance policy, the law is pretty clear that the insurance company cannot use that personal data to sell him a car (unless, of course, the insurance company had specified this additional purpose next to the ticked box).

But has the customer also consented to the specific manner in which the insurance company processes data at the time the consent is given?

If the insurance company then closes an office, or launches a new internet service, or perhaps changes its IT systems, does it then have to go back to the customer and seek a fresh consent?

And what if the insurance company decides, as many have, to outsource call centre functions to a service provider based in India? Then things get doubly tricky because there is a second consent-related issue to contend with when an organisation wants to transfer personal data outside of the European Economic Area (EEA).

A far away place

The law says that a data controller cannot transfer personal data outside the EEA unless: (a) the recipient country offers adequate protection for personal data; or, (b) one (but not all) of a number of specified conditions are met, the most important of which is, of course, that the individual has consented to the transfer (either in addition to, or as part of, the general processing consent).

So where does this leave us in practical terms? As to whether there is adequate protection; this can be provided either by the recipient country’s existing laws (some countries have adopted a data protection regime similar to the EU’s for this very purpose), or by ensuring that the transfer is made under conditions that ensure an adequate level of protection. In layman’s terms, the latter route typically requires that the data controller and the recipient enter into a ‘data transfer contract’ under which the recipient agrees to be contractually bound by European-compliant data protection requirements.

Where the transfer is made under an outsourcing arrangement, this contract is between the UK organisation and the offshore service provider. In the particular case of India (which does not yet have a data protection regime), a UK company seeking to overcome the cross-border transfer prohibition would typically seek to acquire either fresh data subject consents or a data transfer contract.

Whether or not to seek new customer consents (either for the outsourcing alone or for the cross-border data transfer as well) is an issue that faces many UK companies wanting to send services offshore to lower-cost jurisdictions such as India. In our experience of Indian offshore deals this is particularly true of large institutions with lots of customer data. Indeed, for some the consent question amounts to a significant commercial issue.

As you might imagine the business case for going offshore could be demolished entirely if an organisation had to carry the additional cost of a time-consuming and inherently inefficient process to refresh hundreds of thousands – if not millions – of individual consents before call centre operatives in India could be allowed access to customers’ personal data. And then there is the very real associated risk of customer attrition during the consent-gathering process, which could be an even larger deterrent to offshoring.

No surprise then to see the press speculating about whether or not this aspect of data protection law might provide a basis for challenging the offshoring trend. The idea that a UK organisation might need to refresh its customer consents before going offshore is further bolstered by the fact that sensitive personal data will, in many cases, be involved in the transfer and, therefore, explicit (rather than implied) consent will be required. Even in the case of, say, a bank’s current account data, it is likely that sensitive personal data could be involved.

Nor is this the end of the problem. There is a supplementary argument that, in relation to customer data, an offshore service provider is not a data processor (ie, someone who does not determine the purposes for which personal data are processed) but is, instead, a data controller. There is no dispute that where an organization wants to disclose personal data to another data controller, consent is probably required.

A way through

By now you probably have your head in your hands. Weep no more.

In most cases the law provides a solution to these problems that enables UK organisations to avoid much of the cost and confusion, though not without recourse to intensive interpretative guidance from UK and European regulatory authorities and a heavily technical interpretation of the legislative provisions.

First the consents: the Data Protection Act is clearly focused on the purposes for which personal data are to be processed, not the method used. However, to avoid misleading data subjects who have already provided a consent, and to ensure that the processing is fair, the Data Protection Act does require data controllers to provide information concerning “the specific circumstances” in which personal data are processed.

For this reason we advise that even where an organisation is otherwise compliant in its offshoring activities it should nevertheless provide its customers with notification of (as opposed to obtaining consent for) the cross-border data transfers and, of course, if you choose to put a compliant data transfer contract in place, then you remove any need for a secondary, specific consent for the purposes of the cross-border data transfer prohibition under the Data Protection Act.

With regard to the argument that the service provider is a ‘data controller’ rather than a ‘data processor’: care needs to be taken to ensure that the service provider’s role is correctly interpreted in the light of these definitions because (again) the law is far from black and white on the difference between them. However, in our experience an outsource provider’s activities, generally speaking, fall within the ‘data processor’ definition. Hence no consent is required.

Finally, a note of caution: the specific facts of an offshore data transfer can change the analysis. For example, what if an organisation which has publicly declared that, as a matter of policy, it will not outsource offshore subsequently changes its mind? In our view, any customers that had chosen the organisation partly because of its original no offshoring policy could have a genuine complaint under the Data Protection Act if prior consent for the change of heart had not subsequently been sought.

Tim Pullan is a partner in the IT and Outsourcing Group at Lawrence Graham LLP. He can be contacted on 020 7759 6987 or at