OUT-LAW reported earlier this month that the European Commission had updated its 'model clauses' for overseas transfers of personal data. The new model clauses have since been published. Contracts entered into from 15th May 2010 should include these clauses.
A cornerstone principle of the Data Protection Directive, which applies across the EU, limits the right to transfer personal data outside the European Economic Area. There are a few options for complying with the principle but the only realistic one in many cases is use of contractual clauses that were published by the European Commission in 2001. These 'model clauses' were updated for the first time this month in a formal Decision by the Commission.
Louise Townsend, a data protection law expert with Pinsent Masons, the law firm behind OUT-LAW.COM, welcomed the update.
"The previous clauses did not reflect the increasingly complex data transfers that we see in practice, particularly in outsourcing," said Townsend. "This was because they only covered the situation where an EU data controller was transferring to a non-EU data processor, but they did not cover what happened when the data processor sub-contracted to a further data processor."
A data controller bears responsibility for compliance with the Data Protection Directive but a data processor does not. Using the model clauses, the controller will enter into a contract with the processor to pass on the controller's duties under the Directive, such as the need for security, to the processor.
If a data processor, such as an outsourcing company, wanted to sub-contract certain work, the data controller had to determine how to comply with its own duties for the transfer to the sub-contractor.
"The data controller could prohibit sub-contracting but this is often unrealistic," said Townsend. "The data controller could allow sub-contracting provided that the data processor imposed equivalent obligations on the sub-contractor – the problem with this is that even if the data processor got the sub-contractor to sign the model clauses with the data processor, this was not automatically compliant as the clauses only covered a data controller to data processor situation and not a data processor to data processor situation."
Nevertheless, this was one common route taken by UK controllers, according to Townsend.
"The argument was that if such clauses were used, the controller could argue that it had taken adequate steps to protect the data and had assessed adequacy for itself," she said. "Another route was to require the data processor to require that any sub-contractor entered into the model clauses direct with the data controller."
"That was a less risky approach but one that could be onerous if there were multiple sub-contractors, and it imposed direct liability on sub-contractors. Commercially, it's hard to get sub-contractors to agree to that, so they resist that or seek to limit it," she said.
The new clauses accommodate a non-EU processor sub-contracting to one or more non-EU sub-processors.
"The new clauses say that consent for this is required from the data controller," said Townsend.
The data processor is then required to put in place a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data processor under the model clauses.
"In practice this is often what a head contract has required anyway, but the new clauses legitimise this approach and mean that the transfer to the sub-processor is automatically adequate if this approach is followed," said Townsend.
Where the sub-processor fails to fulfil its data protection obligations under the written agreement, the data processor remains fully liable to the data controller for the performance of the sub-processor’s obligations under the agreement.
According to Townsend, this was often reflected in a head contract anyway. "But the agreement must also include a third party beneficiary clause which allows data subjects to enforce it directly in the event that something happens to both the data controller and the data processor, something which commercially will be unattractive to the sub-contractor," she said.
The sub-contract must also be subject to the law of the data controller, i.e. the law of whichever EU state the data controller is established in. "That may be commercially unattractive to the overseas processor and sub-contractor," said Townsend. It could mean, for example, that a sub-contract between a US processor and an Indian sub-processor would be subject to English law or at least the data protection parts of it would be.
Among the other requirements of the new model clauses, a data processor has to provide the data controller with a copy of the sub-contract and the data controller has to maintain a list of sub-contracts and update this at least annually.
Townsend said that one thing was missing.
"What the clauses do not provide is the sub-contract itself – a set of model clauses to be entered into between the data processor and the sub-contractor, so this will still have to be drafted, or the obligations of the model clauses incorporated," she said.
A footnote to the new model clauses provides that the sub-contractor can co-sign the model clauses with the data controller and data processor. "That would work for one sub-contractor but would not seem to work where there are new sub-contractors added at a later date," said Townsend.
Townsend said that, overall, the new approach will be welcomed by companies.
"It is obviously helpful for data controllers that the new clauses give data controllers a way of automatically legitimising a data transfer to a sub-processor without the need for a direct contract," she said. "The clauses will perhaps cut down on the deliberations that data controllers and data processors go through as to how to achieve compliance."
"The real burden with the clauses lies with the data processors and the sub-processors because they have to find a model for incorporating the clauses into their relationship," she said. "They have to consider their liability to the data controller and potentially to data subjects."
"In reality, though, data protection provisions are already a prerequisite to doing business with anyone who themselves does business within the EU, and there will be greater visibility of this with the requirement to submit contracts to the data controller," said Townsend.