The cross-border transfer of personal data is a reality within most corporate groups, which constantly exchange data using shared service centres, databases, etc.
However, when the data controller (i.e. the entity that determines the purposes and means of the processing) that transfers the data is established in Belgium, the transfer must comply with the Data Protection Act of 8 December 1992, as amended (the "DPA"). The DPA transposes into Belgian law Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data.
- Cross-border transfers of personal data
For transfers of personal data within the European Economic Area ("EEA"), no particular formalities need be fulfilled since all EEA Member States have implemented Directive 95/46/EC and thus offer a similar (and adequate) level of protection.
The same cannot be said, however, for transfers to recipients outside the EEA. Such transfers are, in principle, only allowed if the country in question is deemed to offer an adequate level of protection. Based on the European Commission's decisions, only Switzerland, Andorra, Argentina, Jersey, Guernsey, the Isle of Man, Canada (for certain processing activities), the Faeroe islands, Israel, Uruguay and New Zealand are deemed to do so. The United States is generally not considered to offer an adequate level of protection, unless the US data recipient (the importer) has adhered to the Safe Harbor Privacy Principles (i.e. data protection principles agreed between the European Commission and the US Department of Commerce).
Transfers to other countries are, as a general rule, prohibited unless certain measures are taken. One of such measures is the entering into by the transferor and the transferee of contractual clauses which provide for adequate safeguards in relation to the transfer and protection of personal data.
To this end, the European Commission has issued standard contractual clauses for the transfer of personal data ("Model Clauses") which, if not amended, are presumed to offer adequate safeguards.
Until recently, when the Model Clauses were used in un-amended form, the prior authorization of the Belgian data protection authority (the Privacy Commission) or any other authority was not required to transfer personal data abroad. If the Model Clauses were modified or derogated from, however, approval by royal decree was required before the transfer could take place. In practice, however, in the absence of appropriate procedures to handle approval requests, such approval was seldom (if ever) granted.
- New procedure
Following discussions between the Ministry of Justice and the Privacy Commission, a protocol agreement was entered into on 25 June 2013 (the "Protocol"), revisiting the procedure to be adhered to when using contractual clauses (including the un-amended Model Clauses) for the transfer of personal data.
Pursuant to the Protocol, all contractual clauses used to transfer personal data outside the EEA, to countries which do not offer an adequate level of protection, must now be submitted to the Privacy Commission for prior approval.
Use of the Model Clauses
The Protocol - unfortunately in our opinion - expressly states that no transfer abroad of personal data can take place based on contractual clauses until confirmation has been received from the Privacy Commission. In practice, this means that the Privacy Commission's prior consent is effectively required to transfer personal data outside the EEA, to countries which do not offer an adequate level of protection, even when the Model Clauses are used.
When the Model Clauses are used, the Privacy Commission will verify that the clauses effectively entered into do not derogate from those issued by the European Commission. If no derogations are found, the Privacy Commission will issue written confirmation to the applicant, thereby allowing the data transfer.
Use of other contractual clauses
If the Privacy Commission finds that the contractual clauses used by the parties are not based on (or derogate from) the Model Clauses, it will make an assessment of the guarantees provided by the clauses within 60 days from submission of the complete application. If this assessment reveals that the clauses are sufficient, the Privacy Commission will refer the matter to the Ministry of Justice, which will issue a royal decree approving the transfer.
When derogating clauses are used, the new procedure most certainly constitutes an improvement. Indeed, there is now a clear approval procedure for such clauses.
It is unfortunate that the Protocol requires formal approval even when the Model Clauses are used. This obligation is likely to delay data transfers and constitutes an additional administrative burden on companies. However, use of the Model Clauses is likely to remain the most straightforward solution to transfer personal data outside the EEA, to countries which do not offer an adequate level of protection.
On the other hand, the approval procedure for derogating contractual clauses is clearly an improvement, although timing will most likely remain an issue for companies that wish to use such clauses. Based on the procedure laid down in the Protocol, we estimate that, in the best case scenario, it will take three to four months to obtain a royal decree approving the transfer, as from the filing date of a request for approval. Therefore, it is still advisable to use the Model Clauses, unless derogations are strictly necessary.