In our previous post, where we outlined the progress of the draft EU Data Protection Regulation, we noted that the current draft includes a clause to the effect that transfers to authorities outside the EU will not be permitted except on the basis of EU law, and that data subjects have a right to know when their data has been revealed. This clause was included in the initial draft of the Regulation in January 2012, removed following lobbying, in particular from the US, and is now back in as a result of the revelations surrounding the PRISM program, where international organisations passed personal data of their users to the NSA.
This development could place conflicting obligations on such organisations. On the one hand, failure to comply with an instruction from the NSA to transfer personal data, without the knowledge of the data subject, can be treated as contempt of court in the USA. On the other hand, organisations may decide that compliance is an expensive choice, as carrying out those instructions could lead to a fine of €100,000,000 or 5% of global turnover in the EU under the draft Regulation. No doubt this will be a central point of debate as the draft Regulation winds its way through the EU legislative process.