Regulators push for fairer, easier data protection compliance in outsourcing deals

OUT-LAW News, 01/07/2009

The European Commission should make sure that outsourcing providers who process personal data are bound by consistent rules irrespective of whether they are based inside or outside the EU, data protection watchdogs have said.

The European Union's Article 29 Working Party, which consists of the privacy regulators from the 27 EU nations, have published an opinion on an as-yet unpublished European Commission policy change on the transfer of personal data outside the European Economic Area (EEA).

It said that the Commission needs to adopt a more consistent approach in its policy governing processors.

Companies that handle personal data are required by the EU's Data Protection Directive to make sure that any outsourcing providers they use give adequate protection and security for that data, even if those providers are outside the EU and so not directly bound by the Directive.

Organisations commonly use European Commission-produced model contracts to pass those obligations on, but these only cover the signatories of the contract; they do not pass liability on to sub-contractors used by the outsourcing provider.

This has caused complications for businesses and the Commission has produced an unpublished proposal to change the rules to make the process more attractive to businesses. The Working Party has published its opinion on those proposals, though, and it has some criticisms of them.

The Working Party opinion suggests that the Commission has proposed allowing outsourcing providers to pass on data to subcontractors with only an authorisation from the organisation that owns the data for that transfer and sub-processing.

It said, though, that the Commission plans to make those outsourcing providers that are established in the EEA and which want to sub-contract to firms outside the EEA use full model contracts, meaning that their obligations are more onerous than those of non-EEA suppliers.

"The Working Party is aware that the adoption of this Draft Commission Decision would introduce a remarkable flexibility in processing services," said its opinion. "However, this flexibility would not apply equally to the different players in an increasingly global market."

"The Draft Commission Decision would allow a processor established in a third country to carry out onward transfers for the purposes of sub-processing only with an authorization granted by the controller, while those processors established in the EU/EEA and which would like to subcontract part of their processing activities to a sub processor in a third country should continue to use the current legal system," it said. "This situation could cause a competitive disadvantage for European companies that would be required to bear an administrative burden greater than that of their equivalents in third countries, in order to perform equivalent processing as service providers."

The Working Party said that a solution exists which would create a level playing field between those outsourcing providers in the EEA and those outside it.

"The Working Party urges the Commission to develop promptly a new separate and specific legal instrument that allows international sub-processing by processors established in the Union to sub-processors in a third country," it said. "Such an instrument could for instance take the form of a new set of Standard Contractual Clauses, through which the controller and the processor established in the EU/EEA could provide for trans border sub-processing, in accordance with the necessary and adequate guarantees for such transfers."

The Working Party also recommends that Commission rules include a provision forcing outsourcing suppliers to get the explicit permission of a company before using sub-processors, and that all sub-processors should be bound by the same terms as a model contract, 'cascading' those controls through the processing chain.

"Applying contractual clauses to all different layers of sub-processing operations will introduce greater uniformity in business as all subcontracts of processing operations covered by the standard contractual clauses shall be subject to the same clauses and stipulations. In addition this will simplify current situation by increasing legal certainty," it said.

To ensure that the use of personal data is appropriate, the Working Party also said that the data protection regulator of the country in which the originating company is based should have the right to audit all the processing, that that right should be a part of the contract which is 'cascaded' down the chain.

Data protection law expert Rosemary Jay said that the proposals should be welcomed, even if they are not all likely to be adopted.

"Some of these are not entirely realistic, but the Working Party has produced a single, coherent code to govern sub-processing, and that should be welcomed by businesses because it would produce a level playing field in the competitive outsourcing sector," she said.

"It is good that there is at least some action being taken in an area that businesses have long seen as a problem," said Jay. "It is good that the Working Party have backed the cascading approach, but they have not come up with a way to make that approach any more flexible."

See: The Article 29 Working Party's opinion (7-page / 43KB PDF)

Feedback | Printer-friendly page | Latest news | | All news feeds | Ask a lawyer