The European Commission has approved a new set of model contract clauses ("Clauses") [fn1] for the transfer of personal data from the European Union [fn2] to other countries. By incorporating the Clauses into a contract between the organization exporting the data and the data
importer, the parties can ensure adequate safeguards for data transfers as required under Directive 95/46/EC of the European
Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal
data and on the free movement of such data ("Directive"). [fn3]
The Clauses, submitted by a business coalition in 2000, [fn4] will be available for use as of April 1, 2005. They are intended to provide businesses with a wider choice of compliance
options, in addition to the contract clauses already available under the Commission's June 2001 decision ("Commission Decision").
[fn5] A comparison of the provisions of the Clauses to those of the Commission Decision, provided below, suggests that these two
sets of contract clauses are more similar than they are different.
Background
Rules For Data Transfers to Third Countries
Before reviewing the Clauses, it is important to understand the rules governing data transfers to third countries under the
Directive. The Directive limits cross-border transfers to those third countries that have been found to ensure an "adequate"
level of protection (Article 25). To date, the European Commission has deemed adequate the laws of Argentina, Canada, Guernsey,
Hungary, and Switzerland. In addition, companies that certify to the U.S. Safe Harbor principles, and the Passenger Name Record
of air passengers transferred to the United States' Bureau of Customs and Border Protection, have also been deemed to be adequate.
The Directive provides several exceptions that allow for international transfers of personal information where there is no
"adequacy" determination in place for the relevant jurisdiction, including where: (i) the data subject has given his or her
unambiguous consent; (ii) the transfer is necessary for the performance of the contract with the individual; or (iii) the
controller has entered into an appropriate contract, which, if individually negotiated, requires approval of the Member State
Data Protection Authority, or which incorporates the clauses in the 2001 Commission Decision. In addition, privacy experts,
the EU data protection commissioners and the European Commission are working on the use of codes of conduct or "Binding Corporate
Rules" as an alternative for ensuring adequate data protection without the need to establish and maintain contracts.
Comparison of the Clauses and the Commission Decision
Below, we briefly summarize the salient points and highlight the main differences between the Clauses and the Commission
Decision.
Liability
While the Commission Decision provides for joint and several liability (Clause 6), the Clauses (Clause III) only require each
party to be liable for the damages it causes. To compensate for lack of joint and several liability, however, the Clauses
(Clause Ib) contain a due diligence clause that requires the exporter to guarantee that it "used reasonable efforts to determine
that the importer is able to satisfy the requirements established by the Clauses." This provision, therefore, could create
similar liability for the data exporter for damages caused by the importer where the exporter was found to be in breach of
its due diligence obligations (culpa in eligendo).
Audits
The Commission Decision (Clause 5d) mandates that the importer submit the data processing facilities, upon the exporter's
request, for an audit executed by either the exporter or any independent third party. The exporter may select the members,
where applicable in agreement with the supervisory authority.
In comparison, the Clauses are more in line with standard industry practice audit provisions. The Clauses (Clause IIg) also
afford the choice of the auditors to the exporter and require the necessary consent or approval from the EU regulator, but they allow the audit to be done by the exporter or an independent third party. In addition, the
Clauses require reasonable notice and allow the audit only during regular business hours. It is unclear, however, how the
data protection authorities in practice will interpret this provision.
Jurisdiction
The Commission Decision (Clauses 8 and 5c) requires that the importer cooperate with the competent supervisory authorities
and abide by their advice while the Clauses (Clause V) only require the parties to warrant that they will cooperate with the
supervisory authority. The Commission Decision (Clause 7) requires the data importer to agree to accept the decision of the
data subject to refer the matter to arbitration or mediation or the relevant court. Under the Clauses (Clause V), the parties
also agree to respond to any non-binding mediation procedure initiated by the data subject, but need only consider participating
in arbitration and other data protection dispute resolution mechanisms. The data importer, however, must agree to abide by
the decision of a competent court, which is final.
It is unclear if the Clauses are any less likely than the Commission Decision to create jurisdiction for the importer. Under
the Commission Decision, agreeing to accept the decision of the data subject to refer the matter to the relevant court appears
to amount to submitting to jurisdiction. Agreeing to an audit, to cooperate with the authorities, to respond to a non-binding
procedure, and to abide by a decision of a competent court, however, may also be tantamount to the importer submitting to
jurisdiction in Europe.
Another and perhaps more significant difference between the Commission Decision and the Clauses is that under the Clauses
the data protection authorities have greatly increased enforcement powers and can more easily prohibit or suspend data transfers.
In particular, transfers based on the Clauses may be prohibited where the data exporter refuses to take appropriate steps
to enforce contractual obligations against the data importer or the latter refuses to co-operate in good faith with the competent
(EU) authorities (Article 1.2, recital 7).
Third Party Beneficiary Rights
The Commission Decision (Clause 3) creates third party beneficiary rights in data subjects, allowing them to enforce certain
provisions of the agreement, presumably against both parties. The Clauses, in contrast, permit the data subject to take enforcement
actions against the importer but only if the exporter does not take an enforcement action against the importer within a reasonable time. The Clauses indicate that, under normal circumstances, the exporter must take action and resolve any complaint within one
month. Although it is not clear how this provision would operate, it appears that the data subject could put the exporter
on notice of an enforcement problem and if the exporter does not act, proceed directly against the importer. In cases involving
exporters and importers that are not affiliated, it is not clear how much insulation from third party beneficiary suits the
Clauses would provide to the importer. Non-affiliated exporters would appear to have little incentive to proceed against the
importer.
Onward Transfer
The onward transfer requirements in the Clauses and the Commission Decision are essentially equivalent. The Commission Decision
(Annexes 2 and 3) generally prohibits onward transfers to non-EU entities unless the third party recipient is subject to an
adequacy decision (e.g., by joining the Safe Harbor) and the additional requirements annexed to the Commission Decision are fulfilled; the third
party recipient contractually assumes the same obligations as the importer; or the data subject's consent is obtained. The
Clauses (Clause IIi) provide for the same restrictions. In particular, compliance with either Member State law or the provisions
of an adequacy determination (e.g., Safe Harbor) is insufficient; additional restrictions must be fulfilled.
Technical and Organizational Measures
With respect to technical and organizational measures, the Commission Decision requires that these measures be implemented
prior to the transfer and that the measures correspond to Member State law applicable to contractual clauses. The Clauses
(Clause IIa) state that the importer will have in place measures to protect the data against accidental loss, alteration, disclosure, etc. No reference to Member State legislation is made.
Summary
There are few significant differences between the newly adopted Clauses and the Commission Decision. This conclusion is shared
by the Commission. In its "Frequently Asked Questions" ("FAQs") published together with the Clauses, the Commission stated
that "Both Clauses provide for a similar level of data protection, in other words, individuals are similarly protected by
both sets on the bases of the same (adequate) data protection standards and principles. Differences between both sets are
mainly of a technical nature." In addition, the Clauses do not advance the issues raised by organizations regarding the complexities
and administrative difficulties associated with relying on contracts as an adequacy mechanism. Those problems remain as acute.
Footnotes:
1: Commission Decision (December 2004) amending Decision 2001/497/EC as regards the introduction of an alternative set of
standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46, C(2004)5271.
2: Any reference to Europe or the European Union (EU) should be understood as referring to the territory of its Member States,
i.e., Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, and the United
Kingdom. The three European Economic Area (EEA) member states Iceland, Liechtenstein, and Norway have also enacted the EU
regulatory privacy regime.
3: Published in the Official Journal on November 23, 1995, L 281/31.
4: The International Chamber of Commerce, Federation of European Direct Marketing Associations, EU Committee of the American
Chamber of Commerce in Belgium, Confederation of British Industry, European Information and Communications Technology Association,
Japan Business Council in Europe, and the International Communication Round Table.
5: The Commission Decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries,
under Directive 95/46/EC (2001/497/EC), published in the Official Journal of the European Communities on July 4, 2001, L 181/19,
incorporates the standard terms suggested by the European Commission for transfers to so-called controllers ("Standard clauses
for Controllers").