On February 5th 2010, the European Commission has approved a decision related to the “standard contractual clauses for the transfer of personal data to processors established in third countries” to the European Union.
The directive 95/46/EC prohibits EU member states nationals to transfer personal data outside the European Union, unless such transfer is made towards a third party country which ensures a protection level that complies with the provisions of the aforesaid directive. In practice, only a very small number of states do offer an adequate level of protection for EU standards.
However, article 26, paragraph 2, of the directive 95/46/EC provide that member states may authorize a transfer of personal data to third countries which does not ensure an appropriate level of protection, “where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses”.
In order to facilitate the implementation of this exception, the European Commission proposed, in 2001, standard contractual clauses (“SCC”) compliant with the requirements of article 26.
To benefit of the advantages attached to the Commission SCC, one shall reprise them integrally in its contractual documentation. Any alteration is likely to modify the level of protection they grant and will, therefore, release the Commission and the CNIL (French Data Protection Authority) from their obligation to consider that the transfer of personal data has been completed in accordance with the conditions of article 26 of the directive 95/46/EC.
The Commission has approved on December 27th 2001 a set of SCC for the transfer of personal data from a data controller1 established in an EU member state to a processor established in a third party country2. This transfer must be set apart from the transfer of personal data from one data controller to another which is governed by the European Commission decision dated June 15, 2001.
The drafting of the SCC adopted on December 27th 2001 triggered some criticism from the business world. Most companies considered the SCC should take into consideration the evolution of the business which tends towards a globalized treatment of information. To address such criticism, the Commission decided to propose a new set of SCC in its decision dated February 5th 2010 for the transfer of personal data from an EU data controller to a processor / sub-contractor outside the EU.
The December 27, 2001, SCC did not apply in the very frequent case of a transfer of personal data from a processor to a subprocessor 3 both established outside the EU. The new SCC expressly address this case of a transfer to a sub-processor4 and define the conditions that the sub-processor must comply with: (i) the controller who transfers the personal data must give his written consent to the transfer from the processor to the sub-processor; (ii) the sub-processor is submitted to the same obligations that the initial processor; (iii) in the case of a breach made by the sub-processor to the contract with the initial processor, the latter remains liable toward the data controller.
These SCC apply only to the case of a transfer of personal data from a processor to a subprocessor both established outside the EU and do not apply when the processor is established in the EU and the sub-processor outside.
Secondly, the data subject has the right to apply to the courts to obtain damages from the sub-processor in case where both the data controller and the processor have factually disappeared, ceased to exist in law, or have become insolvent. The liability of the different data possessors in the “chain” of transmission of said data is said to be in “cascade”. In other words, the data controller is liable first and foremost, then it is the processor and at last the sub-processor. The data subject when acting in court should respect this order.
Finally, the February 5, 2010, decision abrogates the possibility for the data subject and the processor to bring their dispute to an arbitral court. This provision has been criticised as being too burdensome.
Concerning the applicability of the decision in the time, any contract executed between a data controller and a data processor pursuant to the December 27, 2001, decision before May 15, 2010, shall remain in force. Any substantial modification to this contract, made after May 15 2010 and affecting the SCC, shall comply with the provisions of the February 5, 2010, decision.