Europe's data protection regime erected barriers to the export of personal data from the European Economic Area – making it unlawful for, say, a company in France to e-mail a database of customer details to its US office – unless there is "adequate protection" for the personal data transferred.
Use of standard contractual clauses offers companies and other organisations one way to achieve this adequate protection; but the only Commission-approved terms available to date have been unpopular. That changes with effect from 1st April 2005.
The Commission's contract terms – published in 2001 – have faced criticism "because they are neither user-friendly nor commercially sensible," according to Shelagh Gaskill, a partner with Pinsent Masons, the law firm behind OUT-LAW.COM. "The good news for businesses," she said, "is that there is now an alternative."
A new set of standard contractual clauses for data transfers was proposed by seven international business associations: the American Chamber of Commerce to the European Union in Brussels (AmCham EU); the Confederation of British Industry (CBI); the European Information and Communications Technology Association (EICTA); the Federation of European Direct and Interactive Marketing (FEDMA); the International Chamber of Commerce (ICC); the; International Communication Round Table (ICRT); and the Japan Business Council in Europe (JBCE).
Approval of the new clauses came after four years of negotiation. According to the business groups, it marks the first time the Commission has officially approved a mechanism for data transfers proposed by the private sector.
Christopher Kuner, Chairman of ICC's Task Force on Privacy and the Protection of Personal Data, who led the negotiations with the EU, said: "Our clauses offer the same level of data protection as the Commission's clauses, but use more flexible mechanisms that are more in line with business realities."
He said the new clauses do not require the data exporter and data importer to be liable for each other's misuse of the data, as the Commission's previous clauses had done, and contain auditing provisions that are more flexible and realistic.
Pascale Gelly, representing AmCham EU, added that "these clauses are beneficial to individuals as more data transfers will be operated under an adequate level of protection."
Single Market Commissioner Charlie McCreevy said "This is a good example of regulating in cooperation with business. The business community has shown a serious commitment towards data protection and the Commission has carefully listened to business needs. That is good for EU citizens, whose privacy is better protected, and for our companies, whose competitiveness is reinforced."
Shelagh Gaskill concluded: "The terms are much more sensible than the originals and much more user-friendly for large commercial organisations."