What is a data transfer?
Transfers of personal data by any business in the European Economic Area (“EEA”) to outside the EEA, e.g. where data is to be held on servers abroad, or where emails or attachments containing personal data are sent to recipients abroad, are unlawful unless one of a narrow set of exceptions applies. “Transfers” in this context also include remote screen access from the US to data held on servers in the EEA. Personal data is interpreted broadly in Europe and is wider than Personally Identifiable Information (“PII”).
When is a data transfer lawful?
The recipient country must “ensure an adequate level of protection” for personal data and the rights of individuals in respect of their personal details. One method of making such data transfers lawful is to ensure the data is offered “adequate safeguards”. Safe harbor used to provide an adequate safeguard but other solutions are now needed in its place.
Current European data protection laws based on Directive 95/46/EC allow the European Commission to make decisions about the adequacy of protection for personal data in respect of transfers, and those decisions are binding on EU member states. These laws recognise that if a data exporter adopts the “standard contractual clauses” adopted by the European Commission, this will provide an adequate safeguard as required by law. Standard contractual clauses are also known as model clauses, European model clauses or EMCs, and are sometimes called data transfer agreements or DTAs.
There are three forms of model clauses, so it is important to understand the role of the recipient importing the personal data to make sure that the correct version is used. If the importer only uses the details on behalf of and as instructed by the “client” data exporter (e.g. a hosting service), the importer is a data processor and the data controller to data processor form of model clauses (2010) must be used. This scenario may arise where one group company acts as an internal service provider to other affiliates within a group of companies, as well as where an external vendor acts in that way. By contrast, if the importer acts as a data controller (e.g. a parent company receiving affiliate personal data for independent parental decision making and functions), a data controller to data controller form of model clauses must be used. This can be the original form (2001) or later form (2004). The 2004 version is recommended as it is more business friendly.
Can I amend the model clauses?
The model clauses must not be amended. The intended protection of the clauses must also not be changed by separate or additional clauses varying the effect or scope of the model clauses.
What details are needed to complete model clauses?
The model clauses must be completed by inserting details of the exporting data controller (the exporter cannot be acting as a data processor) and of the importer recipient. The appendices must also be completed. This will always include a suitable description of the data flow, including:
- What personal data and sensitive personal data is involved, about what sorts of individuals, and for what purposes will it be used?
- You should also consider with which other entities the details may be shared (e.g. other US affiliates), why and where they are based.
In the case of vendor processor recipients, a summary of their data security arrangements will also be required.
Data protection authorities, filings and approvals
Currently details of and a copy of the signed and completed model clauses may need to be filed with the local data protection authority in the country of the data exporter. In some countries, like Spain, a data transfer based on model clauses cannot proceed until approved by the data protection authority. It should also be noted that in some countries data transfers to data controller importers, even when based on model clauses, need local data protection authority approval e.g. Norway. In other countries, the need for filing and/or approval is driven by sensitive personal data involved. Transfers based on model clauses which do not meet local filing and approval requirements will still be unlawful.
Where model clauses are amended, the risk of assessing whether the safeguard is adequate is taken on by the exporting data controller. In the vast majority of countries, if permitted at all, such “designer” solutions normally trigger the need for individual approval by the relevant data protection authority, which can take months to obtain.
Why do I need to consider model clauses?
Following the European court’s decision striking down safe harbor, the European data protection authorities have confirmed that data exporters who were relying on safe harbor must put in place alternative arrangements.
These regulators have indicated that they won’t take coordinated enforcement action until the end of January 2016, so as to allow exporters to put new safeguards in place. However, after this “enforcement holiday” they are likely to investigate some of those who relied on safe harbor, to check that suitable new arrangements are in place; a complaint could also force such an investigation. This will also probably mean ensuring that required filings/approvals are in place or that applications have been made.
What risks are involved?
Unlawful transfers may lead to enforcement action by the data protection authorities. Although enforcement is normally based on civil law, occasionally there may be criminal implications and, in rare cases, personal liability. Fines for non-compliance may result; they vary from country to country but may be as high as a few hundred thousand euros. Enforcement may well now increase.
The biggest practical risk would be a regulator issuing an order to block and prevent any further data exports. They also have limited rights to block model clause transfers, such as where the clauses are not being complied with, or in some cases where the laws of the recipient’s country mean that the intended safeguard provided by the clauses could be disregarded.
Regulators are currently re-assessing model clauses in relation to the adequate protection they provide, following the decision on safe harbor. However, model clauses remain valid in the meantime.
What else do I need to do?
It is strongly recommended that if model clauses are used, data flows are carefully considered before the appendices to any model clause agreement are completed. You must ensure appropriate details are inserted. Don’t forget the filings.
Model clauses only deal with the transfer of data. The data exporter must still comply with all other local data protection requirements. Where exporting data to a data processor, the “processor” wording in model clauses will normally be insufficient to meet legal and regulatory requirements for written data processor contract terms. Additional contractual safeguards will be required. Where exporting data to a data controller, the data exporter must be confident the proposed disclosure is fair, lawful, meets any necessary lawful use ground(s) and is proportionate to need, or it will be an unlawful disclosure.