Citation and commencement

1. This Order may be cited as the Data Protection (International Co-operation) Order 2000 and shall come into force on 1st March 2000.

Interpretation

2. In this Order:

“the Act” means the Data Protection Act 1998;

“supervisory authority” means a supervisory authority in an EEA State other than the United Kingdom for the purposes of the Data Protection Directive;

“transfer” means a transfer of personal data to a country or territory outside the European Economic Area.

Information relating to adequacy

3. —(1) Subject to paragraph (2), this article applies in any case where the Commissioner is satisfied that any transfer or proposed transfer by a data controller has involved or would involve a contravention of the eighth principle.

(2) In cases where an enforcement notice has been served in respect of a contravention of the eighth principle, this article shall not apply unless—

(a) the period within which an appeal can be brought under section 48(1) of the Act has expired without an appeal being brought; or

(b) where an appeal has been brought under section 48(1), either—

(i) the decision of the Tribunal is to the effect that there has been a breach of that eighth principle, or

(ii) where any decision of the Tribunal is to the effect that there has not been a breach of that eighth principle, the Commissioner has appealed successfully against that finding.

(3) In cases to which this article applies, the Commissioner shall inform the European Commission and the supervisory authorities of the reasons why he is satisfied that any transfer or proposed transfer has involved or would involve a contravention of the eighth principle.

(4) In this article, “the eighth principle” means the eighth principle set out in paragraph 8 of Part I of Schedule 1 to the Act, having regard to paragraphs 13, 14 and 15 of Part II of that Schedule.

Objections to authorisations

4. —(1) This article applies where—

(a) a transfer has been authorised by another Member State in purported compliance with Article 26(2) of the Data Protection Directive, and

(b) the Commissioner is satisfied that such authorisation is not in compliance with that Article.

(2) The Commissioner may inform the European Commission of the particulars of the authorisation together with the reasons for his view that the authorisation is not in compliance with Article 26(2) of the Directive.

Requests from supervisory authorities in relation to certain data controllers

5. —(1) This article applies in any case where a data controller is processing data in the United Kingdom—

(a) in circumstances other than those described in section 5(1) of the Act, and

(b) within the scope of the functions of a supervisory authority in another EEA State.

(2) The Commissioner may, at the request of a supervisory authority referred to in paragraph (1)(b), exercise his functions under Part V of the Act in relation to the processing referred to in paragraph (1) as if the data controller were processing those data in the circumstances described in section 5(1)(a) of the Act.

(3) Where the Commissioner has received a request from a supervisory authority under paragraph (2), he shall—

(a) in any case where he decides to exercise his functions under Part V of the Act, send to the supervisory authority as soon as reasonably practicable after exercising those functions such statement of the extent of the action that he has taken as he thinks fit; and

(b) in any case where he decides not to exercise those functions, send to the supervisory authority as soon as reasonably practicable after making the decision the reasons for that decision.

Requests by Commissioner in relation to certain data controllers

6. —(1) This article applies in any case where a data controller is processing data in another EEA State in circumstances described in section 5(1) of the Act.

(2) The Commissioner may request the supervisory authority of the EEA State referred to in paragraph (1) to exercise the functions conferred on it by that EEA State pursuant to Article 28(3) of the Data Protection Directive in relation to the processing in question.

(3) Any request made under paragraph (2) must specify—

(a) the name and address in the EEA State, in so far as they are known by the Commissioner, of the data controller; and

(b) such details of the circumstances of the case as the Commissioner thinks fit to enable the supervisory authority to exercise those functions.

General exchange of information

7. The Commissioner may supply to the European Commission or any supervisory authority information to the extent to which, in the opinion of the Commissioner, the supply of that information is necessary for the performance of the data protection functions of the recipient.