Although we cannot understand why we have to wait until then, in Spring 2005 life should get easier for those shifting personal data out of the European Economic Area. We look at the new EC-approved model clauses for transferor/transferee contracts.
The European Commission and the International Chamber of Commerce and Others
The European Commission has approved a set of model clauses for a contract by which personal data can be compliantly transferred out of the European Economic Area (the EU plus Iceland, Liechtenstein and Switzerland) to a country that is not recognised by the European Commission as having "adequate" data protection laws.
Under EU Member State data protection laws, transfers of personal data out of the European Economic Area are problematic. In essence, there are only a limited number of ways in which transfers can compliantly take place.
There is no special exemption for transfers within corporate groups, but one way in which data transfers can be done legally is if they are done with the "unambiguous" consent of the data subject, bearing in mind that such consent must also be specific, informed and freely given.
Another way in which transfers can compliantly occur is if the transferee country is recognised by the European Commission as having "adequate" data protection laws. To date the relevant countries are Argentina, Canada, Guernsey, the Isle of Man and Switzerland.
Another compliant transfer "gateway" is if the transfer is "necessary" for the purposes of performing a contract to which the data subject is a party. However, simply because the transfer has to occur because this is the way in which an international corporate grouping is structured is not sufficient to render the transfer "necessary" so far as the UK's Information Commission is concerned.
Assuming none of these routes are available, then there is always the possibility of the transfer occurring pursuant to a bilateral contract which imposes suitable obligations on the parties transferring and receiving the data.
For transfers between data controllers. Commission decision of 15/6/01 (2001/497/EC) contains model clauses for a governing contract. For transfers between a data controller within the EEA and a data processor outside, Commission decision of 27/12/01 (2002/16/EC) contains approved clauses.
Separately, there is an initiative to facilitate intra-group data transfers by way of what have been called "binding corporate rules", though currently this does not look terribly attractive based on the UK Information Commission Office's take on what is involved.
Most recently, the European Commission has approved a set up model clauses for transfers between data controllers which have been submitted for EC approval by a consortium of seven business associations including the CBI, FEDMA and the International Chamber of Commerce. These are regarded as being more flexible and in line with business realities than the Commission approved model clauses of 2001.
ICC Date Transfer Agreement
The approved "data transfer agreement" includes in Annex B a set of "data processing principles" and in Annex B a description of the transfer of data involved, identifying the categories of data subjects, the purposes of the transfer, the categories of data being transferred, the recipients to whom the data is to be disclosed, and details of any sensitive data being transferred.
Unlike the EU approved clauses of 2001, these alternative provisions do not contain a joint and several liability clause. Instead, they place due diligence requirements on both importer and exporter and make each party liable only for the damages it causes itself.
Other clauses allow access to be denied for requests which are obviously abusive, based on unreasonable intervals or their number or repetitive or systematic nature, or for which access need not be granted under the law of the country of the data exporter. The clauses also allow the exporter and the importer to "outsource" to the importer the task of responding to enquiries from national data protection authorities.
Also, the Commission's 2001 clause requiring the importer to abide by "the advice" of the local data protection authority has come out. The ICC clause requires compliance with a decision of the competent court of the data protection enforcement authority "which is final and against which no further dispute is possible".
As regards termination, whereas the old European Commission clauses contained just a single sentence, the alternative ICC clauses contain much more detailed provisions.
Disclosures to data subjects
On the notice to be given to data subject about what is to happen to that data, the new clauses allow the importer to tell the data subject that the countries to which data will be transferred "may have different data protection standards" rather than saying that "there is not an adequate level of protection of the privacy of individuals" in such countries as required by the Commission's clauses.
Why this matters:
These new approved clauses are shorter and more commercial than the 2001 European Commission model provisions. They open the way to much lower-maintenance ex EEA data transfers and early reference to them is recommended.
Strangely, the clauses will only be legally valid for transfers as of 1st April 2005, but there will be no harm in getting the agreements signed and procedures in place well in advance.