The European Commission recently reviewed EU use of approved standard clauses for compliant export of personal data from the EEA to countries without ‘adequate’ data laws. The ensuing EC ‘Staff Working Document’ did not present an optimal picture by any means.
Who: The European Commission
When: January 2006
The European Commission ("EC") published a "Staff Working Document" on standard data transfer contract clauses for the transfer of personal data to third countries ("Clauses").
Data Protection Principle Eight of the EC Data Protection Directive 95/46/EC and the UK's Data Protection Act 1998 imposes restrictions on the transfer of personal data from within the European Economic Area to countries outside the EEA that are not recognized as having "adequate" data protection laws.
To date only the data protection laws of Argentina, Canada, Guernsey and Switzerland have been so recognized, so transfers of personal data from, for example, the UK to the USA will be in breach of data protection law unless one of a limited number of what we will call "gateways" is used.
One of those gateways is to effect the personal data transfer under a written contract between the transferor and the transferee, on terms that EU data protection authorities will accept as conferring, by contractual means, protection on personal data similar to that which the Directive provides within the EU.
In 2001 and 2004 the EC published decisions setting out the Clauses that would be acceptable for these purposes. The January 2006 "Staff Working Document" focuses on these Clauses and their use by businesses since their introduction.
The document reprises the various sets of Clauses for such transfers published by the Commission since 2001. Under all the relevant decisions the Commission was required to evaluate the operation of the Clauses and submit a report of its findings to the relevant EC Committee. This was thought necessary because otherwise member states were not obliged to notify the Commission as to the extent of use of the Clauses in their country.
State obligations to monitor transfers
However Member States are obliged to monitor the transfer of personal data to third countries and Member States' practices in this regard differ. Some states for example impose on data controllers an obligation to notify the data transfer to the regulatory authority and file a copy of the contract. Others rely on ex post facto audits of companies' data transfers.
Evaluation reveals limited use of Clauses
The evaluation on which this document reports is based on the results of questionnaires distributed among Member States, data protection authorities and concerned business associations. The evaluation revealed the following:
(a) member states have very little information on the use of Clauses as well as poor information on data transfers in general, which seems to result from insufficient controls in place. For instance, no notifications in respect of transfers have been received since October 1998 (the coming into force of the Directive) from the UK, France, Italy, Ireland, Greece, Sweden or Luxembourg;
(b) there are no major reported problems or incidents related to the use of Clauses in the EU, but some adjustments may facilitate the use of Clauses by data controllers;
(c) the vast majority of notified transfers (66 out of 78) related to EU-US transfers;
(d) data controller to data controller Clauses have been used more commonly than data controller to data processor Clauses;
(e) it was very common for intra-corporate group transfers to be governed by Clauses without adapting them to specific needs;
(f) the limited information received by the EC about relevant data transfers made it difficult to extract definitive conclusions on the operation of the Clauses. In future Member States should improve their monitoring of transfers;
(g) the lack of data suggested poor implementation of the member state obligation to monitor transfers and raised the question of whether systematic non-compliant data transfers were occurring; and
(h) there was no clear evidence of widespread use of the Clauses, which indicated there was a need for greater promotion amongst businesses of the existence and usefulness of the Clauses.
Arising out of these findings, the Commission decided on the following going forward:
(a) to monitor use of the latest, 2004 Clauses and consider consolidating all Clauses in one instrument plus uniform rules for the deposit of transfer contracts with regulatory authorities;
(b) a number of reported constraints related to the logistics of using the Clauses suggested that a more flexible approach to some of the issues raised might remove the perceived constraints. Three examples cited were:
(i) execution of a single master agreement including the Clauses by numbers of companies. This seemed unobjectionable to the Commission provided each executing company gave the same level of clarity and specificity to the additional information required by Appendix 1;
(ii) clearer rules and Clauses for onward transfers of personal data from transferee data controllers to data processors. The Commission was to ask the Article 29 Working Party (the EU data protection "star chamber" with representatives of each EU member state's data protection authority) to consider this issue further; and
(iii) member state transfer licensing systems were found by the International Chamber of Commerce to be cumbersome but the Commission was comfortable with them provided that they did not introduce deterring delays.
The overall assessment is that the operation of the Clauses shows a "mixed situation." There are no major reported problems related to the Clauses but little information on the use of Clauses.
Coming out of this exercise, therefore, the Commission is committed to improving member state monitoring of transfers, encouraging greater use of the Clauses and promoting more awareness that they are there for businesses to use.
Why this matters
As this EC report suggests, there is clearly much exporting of personal data going on in the EU that is outwith the Directive and non-compliant. The contractual solution to ensuring compliance with data protection principle eight when exporting personal data remains the least onerous "gateway".
Evidently, however, much still needs to be done to engender greater awareness of the EC standard Clauses and perhaps to develop further versions that are more business-friendly. So far as obligations to register data transfers are concerned, UK data controllers would certainly find such a requirement deeply unattractive. Other EU states have introduced such a system, however, and if the next review demonstrates continuing ignorance and non-compliance it may only be a matter of time before the EC proposes compulsory EU-wide registration of all ex-EEA personal data transfers.