It’s pretty common to see businesses operating on an international basis, both within global group structures as well as with networks of suppliers and customers. The internet and other networks allow for the rapid and convenient transmission of data across national borders. As we’ve introduced in previous articles, European data protection legislation is considerably more stringent than in other areas. It is known for building in a standard of protection of data transfers outside of Europe. This article takes a look at model clauses which facilitate international transfers of personal data.
International Data Transfers
The European Commission permits transfers from a European Union/European Economic Area member state to recipients outside the EU/EEA only if the laws of the recipient country ensure adequate levels of data protection. There are, of course exceptions to this rule, which are discussed elsewhere. The European Commission has decided that certain countries have an adequate level of protection. These countries are:
- Faroe Islands
- Isle of Man
The European Commission’s Decision 2002/87/EU determined that organizations may transfer personal data to countries outside the EU/EEA that do not ensure an adequate level of data protection, as long as they have entered into a data transfer agreement using one of the three sets of EU-approved standard contractual clauses. Two sets applied to transfers from data controllers to other data controllers (controller-to-controller), while the third set was created for transfers from data controllers to recipients who act as data processors only (controller-to-processor).
On February 5, 2010, the European Commission modified the standard contractual clauses for “controller to processor” transfers of personal data. According to the Commission, it became necessary to adjust existing standard contractual clauses in order to respond to the increasing challenges of global outsourcing. More businesses were transferring personal data to processors several sub-processors located outside of the EU/EEA, which made the original contractual clauses irrelevant. These changes were set to come into force on May 15, 2010.
One of the most important changes the European Commission made in 2010 was to include a specific sub-contracting clause, which imposes stringent requirements on businesses that intend to use sub-processors.
Essentially, all parties need to verify that they have complied with data protection standards which meet the requirements of the Data Protection Directive. Data importers are prohibited from sub-contracting without securing prior written consent of the data exporter.
Data importers must also have a written agreement which imposes the same obligations on the sub-processor as the model clauses impose on the data importer. Sub-processor agreements are required to mirror the terms of the controller-to-processor agreement. In certain situations, this requirement may be met by having the sub-processor cosign the data transfer agreement between controller and processor including the standard contractual clauses.
The new sub-contracting clause also outlines liability provisions. For instance, should the sub-processor fail to fulfill its data protection obligations, the data processor continues to be fully liable to the data controller for the performance of the sub-processor’s contractual obligations. The contract between the processor and sub-processor also needs to include a third-party beneficiary clause, should individuals be unable to bring a claim for compensation against the data controller or processor.
Finally, the sub-contracting clause opens the possibility for European data protection authorities to audit the full chain of sub-processing. Data protection authorities are also permitted to take binding decisions on the data controller, processor and sub-processor under applicable data protection law.
This article takes a look at the issue of international data transfers and model clauses within the European Union/European Economic Area (EU/EEA). The European Commission permits international data transfers only if the recipient state has data protection legislation that has been deemed adequate. Model clauses, first designed in 2002, ensure compliance with data protection laws. In February 2010, the Commission made some substantial adjustments to these model clauses, in order to keep them relevant with the realities of contracting and subcontracting internationally.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/Europe (CIPP/E) exam, a privacy professional should be comfortable with topics related to this post, including:
- International data transfers – model contracts (II.I.d.)