Currently, the EU's Data Protection Directive requires all
personal data transferred to countries outside the Union to benefit
from "adequate protection". Use of these standard contractual
clauses will be voluntary but will offer companies and
organisations a straightforward means of complying with their
obligation to ensure "adequate protection" for personal data
transferred to countries outside the EU which have not been
recognised by the Commission as providing adequate protection for
such data.
Internal Market Commissioner Frits Bolkestein said:
"This new practical measure will make it
easier for companies and organisations to comply with their
obligation to ensure "adequate protection" for personal data
transferred from the Community to the rest of the world while
safeguarding individuals' right to privacy."
The standard contractual clauses contain a legally enforceable
declaration whereby both the "data exporter" and the "data
importer" undertake to process the data in accordance with basic
data protection rules and agree that individuals may enforce their
rights under the contract.
The Commission Decision obliges Member States to recognise the
contractual clauses annexed to the Decision as providing adequate
safeguards and fulfilling the requirements of the Directive for
data transfers to non-EU countries that do not provide for an
adequate level of protection for personal data.
However, the standard contractual clauses are neither compulsory
for businesses, nor are they the only way of lawfully transferring
data to third countries. They add a new possibility to those
already existing under the Data Protection Directive, which
establishes several cases where data may still be transferred to
countries where the data protection regime is not adequate.
These include cases where individuals have given their
unambiguous consent for data to be transferred outside the EU and
where the transfer is necessary for the conclusion or performance
of a contract in the interest of the data subjects. In addition,
Member States' data protection authorities may authorise such
transfers on a case by case basis when they are satisfied the data
enjoys "adequate protection".
Contractual clauses are not necessary for the transfer of data
to Switzerland or Hungary, whose own data protection regimes have
been recognised by the Commission as offering adequate protection,
or to US companies adhering to the Safe Harbor Privacy Principles
issued by the US Department of Commerce.
Data Protection Authorities in the Member States retain powers
to prohibit or suspend data flows in exceptional circumstances, but
the effect of this Decision is that they cannot refuse data
transfers made under contracts that incorporate the standard
contractual clauses approved by the Commission.
The Decision also does not prevent national Data Protection
Authorities authorising other contractual arrangements for the
export of data out of the EU based on national law, as long as
these authorities are satisfied that the contracts in question
provide adequate protection for data privacy.
This Decision is only a first step in developing contractual
solutions as a tailor-made tool for the transfer of personal data
world-wide. The Commission intends to adopt separate Decisions
referring to specific types of transfers and situations. The
Commission is consulting Member States and Data Protection
Authorities on a new draft Decision concerning standard contractual
clauses for the transfer of personal data from data controllers
(i.e. any person or body determining “the purposes and the means of
the processing”) established in the Community to data processors
(i.e. a subcontractor processing the data on behalf of a data
controller) established in non-EU countries.
Further information about this Decision and the standard
contractual clauses, including exchanges of letters with business
associations and the US Departments of Commerce and Treasury, are
available on the
Europa web site
