Very soon, life will theoretically get easier for data controllers looking to outsource data processing jobs offshore. A new “Commission Decision” has ratified new standard contractual clauses to legitimise otherwise illegal controller to processor data exports. Stephen Groom kicks the privacy tyres.
Who: The European Commission
When: 5 February 2010
Law stated as at: February 2010
What happened: The European Commission signed off a new set of model clauses for use in contracts governing the export of personal data from within the European Economic Area (the EU plus Iceland, Liechtenstein and Norway) to a country ("Third Country") whose data protection laws are not recognised by the European Commission as "adequate".
The clauses are only for use in a contract between a "data controller" within the EEA and a "data processor" located in a Third Country, and should not be used in contracts that are signed and effective before (Saturday) 15 May 2010. This is the date from which all member states have to give effect to Commission Decision 2010/87/EU ratifying the new clauses and they will have no validity before that date.
These clauses will completely supersede the existing clauses for such data transfers. These have been in use since 2002 after being promulgated by Commission Decision 2002/16/EC.
Quick recap on EEA/"Third Country" personal data exports
To recap, the default position for all exports of personal data from within the EEA to Third Countries is that they are illegal, unless one of a small number of gateways to legal data export is used.
One such gateway is available if the importer is established in the US and has signed up to the EC-approved "safe harbor" data export scheme. Another gateway opens up if the export is absolutely necessary for the performance of the contract in question.
Another such gateway is the use of the relevant, EC-approved model clauses in the contract between the exporter and importer.
This is where these new clauses come into play, but they will not apply to personal data exports between data controllers, only exports by data controllers to data processors (anyone apart from an employee of the data controller who processes personal data on behalf of a data controller).
The new clauses are at the link below, marked up to show the differences between these and the 2002 version.
Key points to note are:
- Subprocessing: The importing data processor may now engage subprocessors provided that: (a) the data controller has given its prior consent; (b) there is a written subprocessing agreement imposing the same obligations on the subprocessor as are imposed on the data importer under the model contract; (c) the subprocessing agreement is governed by the law of the data exporter; and (d) the data importer sends the data exporter a copy of the subprocessing agreement (see clauses 11 and 5(j)). Helpfully, the clauses suggest that these requirements can be fulfilled by the subprocessor becoming a party to the model clauses between the data importer and data exporter (see footnote 3 at clause 11);
- No arbitration: Data importers can no longer seek to try to refer disputes with data subjects to arbitration. The data subject has discretion whether to refer a dispute to a local regulator, to mediation or to local courts (see clause 7).
- Regulatory audit: Local regulators' audit rights extend to subprocessors in addition to data importers (see clause 8).
- Commercial terms: The parties are expressly permitted to add commercial terms to the model contract (see clause 10) provided they do not contradict the requirements of the clauses.
- Sub-processor lists: A list of all sub-processors must be kept by the data controller, updated annually and made available to its national data protection authority (in the UK the Information Commissioner's Office).
- Liability to data subjects: if breaches of the model terms give rise to rights of action by individuals ("data subjects") whose data has been abused, they can proceed against the importing data processor if the exporting data controller has ceased to exist in law or become insolvent. If the same fate befalls the data processor, then the data subject can sue the sub processor if it is their breach that has given rise to the claim.
Why this matters:
The original data controller/data processor data export model terms were roundly criticised for lack of business friendliness. These new clauses were intended to address those concerns. However, they are already being criticised.
For instance the ability of data subjects to sue sub processors direct if both the data controller and "head" data processor are defunct has been condemned. One wonders, however, how often this will happen in practice given that in the UK at least, claims by data subjects in their own country are few and far between.
Also, many sub-processors may not be happy with their contract with the head processor having to be governed by the law of the data controller's country.
Subject to these reservations and others that will no doubt be expressed as day to day use starts, these new clauses certainly look to be a major advance on the 2002 set and are unlikely to be further revised any time soon, so data exporters will have to learn to live with them.