E-commerce: Does the Data Protection Act 1998 apply

August 31, 2000

The Data Protection Act 1998 imposes myriad obligations on allbusinesses that process personal data. To what extent can a business choose tolocate itself offshore so that the Act, and data protection legislation ingeneral, does not apply? This article considers the extent to which ane-business located outside the UK can ignore potentially burdensome dataprotection legislation. The starting point should be to consider some of theobligations imposed on e-businesses by data protection law. It should beremembered that data protection law applies only to the processing of‘personal data’. Personal data are those data that identify a livingindividual (eg name, address, e-mail address, date of birth, geneticinformation, etc) and processing is virtually anything that can be done withdata, including storing it on a hard drive, displaying it on a web site andprinting it to paper. All personal data must be processed in accordance with theEight Data Protection Principles – essentially a code of good conduct andpractice for all personal data processing operations. The Principles require,amongst other things, that the data be processed fairly and lawfully, be kept‘secure’, be made available to data subjects who request its access, andusually not be exported outside the European Economic Area without the consentof the relevant data subject.

The possible advantage for an e-business inoperating outside the reach of the Act is that it will not have to undertake allthose measures which are essential for its domestic rivals, including:

  • incorporating data protection notices on a Web-site data capture page (eg user registration area)

  • having to set up procedures to ensure appropriate compliance with subject access requests

  • having to be concerned about applying appropriate security measures (such as encryption) to the processing of data

  • ensuring compliance with the personal data export ban.

However, there are a number of factors to be considered whichcomplicate the seemingly straightforward analysis. These factors lead to theinescapable conclusion that merely locating an e-business offshore will not, ofitself, obviate the need for that e-business to comply with data protectionlegislation.

The EU Data Protection Directive
The Member States of the European Union were required to implement Directive95/46/EC by 24 October 1998. The Directive imposes substantially the sameobligations on data controllers in respect of personal data processing as doesthe UK Act. This, of course, is no coincidence as the UK Act is theDirective’s implementing legislation. But in practical terms what this meansis that moving one’s e-commerce business from the UK to, for example, Irelanddoes not get around the need to comply with data protection legislation. Themere fact that the data controller is established in an EU Member State willlead to the application of the legislation.

It is, of course,true that some Member States have not yet passed domestic legislation to enact95/46/EC but the Directive will nevertheless have direct effect due to the datefor implementation (24 October 1998) having passed. In any event the laggardsare currently being forced to comply – the EU Commission has issued legalproceedings against Denmark, Germany, France, Ireland, Luxembourg and theNetherlands – and are all are commencing the necessary steps towardsimplementation.

Extra-territorial Application of the UK Act
So what is the position of an e-business which establishes itself bothoffshore and outside the EU? The answer is that even this strategy may notremove the e-business (‘data controller’ under data protection law speak)from the reach of the 1998 Act. By virtue of s5(1) of the 1998 Act, thelegislation applies to a data controller in respect of any data if:

a. the data controller is established in the United Kingdom and the data are processed in the context of that establishment, or

b. the data controller is established neither in the United Kingdom nor in any other EEA State but uses equipment in the United Kingdom for processing the data otherwise than for the purposes of transit through the United Kingdom.

Here we areobviously concerned with subsection (b) which describes those circumstanceswhere the 1998 Act will apply to businesses located in third countries. Therehas, as yet, been no judicial interpretation of s5(1)(b). On one construction,the UK Act would apply to e-commerce businesses throughout the world by virtueof the fact that all online dealings with UK customers would necessarily involvethe use of equipment in the UK. This literal interpretation of s5(1)(b) is basedon the fact that in a transaction involving an online purchase of goods by a UKconsumer there will necessarily be use of equipment (the PC of the purchaser andthe server of his domestic ISP) that is based in the UK.

But, as a matter ofcommon sense, a UK Act should not have global application; this leads us to an alternative construction, and one that is favoured by theUK Data Protection Commissioner, Elisabeth France. It is that, for s5(1)(b) toapply, the equipment mentioned in that sub-section must be owned by the relevante-business. Such a view derives from a strained interpretation of the Act buthas the virtue of leading to a sensible and logical result which, interestingly,is strongly favoured by the German Data Protection Commissioner, Dr HansjurgenGarstka. This interpretation would mean that foreign companies such as AOL thatoperate servers in the UK which they own would be bound to comply with the Act.But foreign companies that do not own equipment in the UK would not be directlysubject to the Act’s provisions.

Section 5(1)(b)must of course be interpreted in light of the Directive which it implements.Does the Directive steer us more towards one of the above two interpretations?Article 4 of the Directive provides that:

1. Each Member State shall apply the national provisions itadopts pursuant to this Directive to the processing of personal data where:

a. the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same data controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;

b. the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law;

c. the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.

2. In the circumstances referred to in paragraph 1(c), thecontroller must designate a representative established in the territory of thatMember State, without prejudice to legal actions which could be initiatedagainst the controller himself.

The wording of theDirective is thus substantially similar to that of the Act and takes us nofurther. It is clear that the reference to ‘transit’ (which appears in boththe Directive and the Act) refers to that situation where an e-commercetransaction is merely routed via a particular country and does not thereforeapply to a regular e-commerce contract as envisaged by this contract.

There is a thirdpossible interpretation that could conceivably adopted by a court. It derivesfrom the perceived need to apply laws to those persons who have taken specificsteps to deliberately circumnavigate a particular legislative provision. Thiswould lead to the Act applying in any of the following three scenarios:

a. the e-business is established in the UK (s5(1)(a));

b. the e-business is not established in the UK but operates equipment in the UK which it owns (s5(1)(b) incorporating the ‘ownership interpretation’); or

c. the e-business is neither established in the UK nor owns equipment in the UK but has deliberately established itself offshore for the reason of removal from the sphere of European data protection legislation.

This lastpossibility comes neither from the Act nor the Directive but is an example ofthe application of the ‘mischief rule’ of statutory interpretation.Practical advice for e-businesses for the time being should be that Europeandata protection legislation will not directly apply to those e-commercebusinesses that are physically located outside the European Union and do not ownequipment within the UK. However, the possibility of the third point aboveshould not be ignored and should be incorporated into any relevant advice givento e-commerce start-ups.

Third Country Adherence to the Legislation
It should be remembered that compliance with many aspects of European dataprotection legislation will, in any event, be necessary as a result of the newprohibition on exports of personal data outside of the European Economic Area.The Eighth Data Protection Principle provides that personal data must not betransferred outside the EEA unless the ‘third country’ concerned (the placeof the transferee) ensures an adequate level of protection for the rights andfreedoms of data subjects. Locating an e-business in a country that does nothave data protection legislation thus effectively prohibits the free flow ofpersonal data between any EEA-based individual and that e-business. There are,of course, exemptions to the application of the Eighth Principle which could beused in appropriate circumstances. Examples include the obtaining of the consentof the data subjects to the processing and contractual necessity.

One attempt tocircumvent the draconian effect of the Eighth Principle is a set of rules whichhas been drawn up under consultations between the US Department of Commerce andthe EU Commission. Known as the ‘Safe Harbor Principles’, adherence to thisset of rules would effectively allow personal data to flow across the Atlanticby obliging a US company importer to be able to receive personal data. The SafeHarbor principles effectively bind US companies to comply with all the mainrequirements of Directive 95/46/EC. However, although the Safe Harbor Principleswere agreed by the US and EU Commission (and by each Member State) in June 2000,the EU Parliament rejected them as a satisfactory means of ensuring a datasubject’s rights and freedoms in early July 2000. The latest estimate is thatthe Principles will come into effect in November 2000.

Most UK e-businesses will be engaged in the processing of personal dataonline. Merely locating a business offshore will not of itself circumvent theneed to comply with data protection legislation. The EU Data ProtectionDirective is pervasive in its application, not least due to the ban on personaldata exports contained in the Eight Data Protection Principle. An e-businesswhich is established outside the EU and which does not own ‘equipment’within the EU will technically escape application of both the Act and theDirective. But such a business must be aware of the implications of thelegislation and, in any event, may be ‘forced’ to comply with similarprinciples due to the existence of ‘safe harbor’ or other self-regulatorycodes of conduct.

In any event othercountries (even the US) are eyeing the EU Directive with interest and have begunthe process of enacting their own data protection measures.

Peter Carey is a solicitor specialising in data protectionand e-commerce law at Charles Russell, London. He is the author of DataProtection UK(Blackstone Press) and can be contacted at peterwc@cr-law.co.uk oron 020 7203 5000.