Out-Law News 2 min. read
19 Jun 2001, 12:00 am
Currently, the EU's Data Protection Directive requires all personal data transferred to countries outside the Union to benefit from "adequate protection". Use of these standard contractual clauses will be voluntary but will offer companies and organisations a straightforward means of complying with their obligation to ensure "adequate protection" for personal data transferred to countries outside the EU which have not been recognised by the Commission as providing adequate protection for such data.
Internal Market Commissioner Frits Bolkestein said:
"This new practical measure will make it easier for companies and organisations to comply with their obligation to ensure "adequate protection" for personal data transferred from the Community to the rest of the world while safeguarding individuals' right to privacy."
The standard contractual clauses contain a legally enforceable declaration whereby both the "data exporter" and the "data importer" undertake to process the data in accordance with basic data protection rules and agree that individuals may enforce their rights under the contract.
The Commission Decision obliges Member States to recognise the contractual clauses annexed to the Decision as providing adequate safeguards and fulfilling the requirements of the Directive for data transfers to non-EU countries that do not provide for an adequate level of protection for personal data.
However, the standard contractual clauses are neither compulsory for businesses, nor are they the only way of lawfully transferring data to third countries. They add a new possibility to those already existing under the Data Protection Directive, which establishes several cases where data may still be transferred to countries where the data protection regime is not adequate.
These include cases where individuals have given their unambiguous consent for data to be transferred outside the EU and where the transfer is necessary for the conclusion or performance of a contract in the interest of the data subjects. In addition, Member States' data protection authorities may authorise such transfers on a case by case basis when they are satisfied the data enjoys "adequate protection".
Contractual clauses are not necessary for the transfer of data to Switzerland or Hungary, whose own data protection regimes have been recognised by the Commission as offering adequate protection, or to US companies adhering to the Safe Harbor Privacy Principles issued by the US Department of Commerce.
Data Protection Authorities in the Member States retain powers to prohibit or suspend data flows in exceptional circumstances, but the effect of this Decision is that they cannot refuse data transfers made under contracts that incorporate the standard contractual clauses approved by the Commission.
The Decision also does not prevent national Data Protection Authorities authorising other contractual arrangements for the export of data out of the EU based on national law, as long as these authorities are satisfied that the contracts in question provide adequate protection for data privacy.
This Decision is only a first step in developing contractual solutions as a tailor-made tool for the transfer of personal data world-wide. The Commission intends to adopt separate Decisions referring to specific types of transfers and situations. The Commission is consulting Member States and Data Protection Authorities on a new draft Decision concerning standard contractual clauses for the transfer of personal data from data controllers (i.e. any person or body determining “the purposes and the means of the processing”) established in the Community to data processors (i.e. a subcontractor processing the data on behalf of a data controller) established in non-EU countries.
Further information about this Decision and the standard contractual clauses, including exchanges of letters with business associations and the US Departments of Commerce and Treasury, are available on the Europa web site