Virtually all businesses in the UK will be data controllers of the personal data they process. Where a data controller (or his processor) wishes to process personal data outside the European Economic Area (“EEA”), he must demonstrate that there is an adequate level of protection for personal data in that country. Since 2001, one way of doing this has been for the data controller to enter into an agreement in the form of the EU Model Clauses with its processor (for instance any supplier of services based outside of the EEA and processing data on the data controller’s behalf) whereby the processor agrees to be bound by certain obligations beneficial to the data controller and the individual whose personal data is proposed to be transferred.
On 5 February 2010, the EU Commission issued a decision notice adopting revised EU Model Clauses.
The new EU Model Clauses are largely based on an Opinion issued in March 2009 by the Article 29 Working Party, which is the body convened to harmonise laws across the EU and to advise the EU Commission on data protection topics. The new EU Model Clauses seek to address what was previously perceived as a lack of flexibility in the 2001 EU Model Clauses when dealing with complex global outsourcing projects involving onwards transfer of personal data from one supplier of services to another outside of the EEA.
These new EU Model Clauses (which are largely based on the 2001 version) may be used for transfers of personal data between a data controller based in the EEA and a data processor based outside of the EEA. They will replace the 2001 EU Model Clauses as of May 2010.
We have highlighted in this note what has changed between the 2001 and the 2010 EU Model Clauses and considered how these new clauses are likely to impact those involved in major outsourcing services involving cross border transfers of personal data.
WHAT HAS CHANGED SINCE 2001?
There are two main categories of changes:
- extension of the EU Model Clauses to cover transfers from data processors to their sub-processors; and
- additional provisions for the protection of data subjects.
TRANSFERS TO PROCESSORS BASED OUTSIDE OF THE EEA
The Decision does not affect, on the whole, the manner in which the EU Model Clauses operate. It does, however, introduce the possibility for a processor of personal data based outside of the EEA to appoint a sub-processor to process data on behalf of the data controller, provided a number of requirements set out in the new EU Model Clauses are complied with.
In particular, the data processor will need to do the following:
- inform and obtain the prior consent of the data exporter before allowing any sub-processing to take place;
- have a written agreement in place with the sub-processor:
  i. imposing the same obligations on the sub-processor as those imposed on the data importer itself under the EU Model Clauses entered into with the data exporter;
  ii. including a third party beneficiary clause allowing an individual whose data may have been lost or misused to bring a direct claim against the sub-processor; and
  iii. that is concluded under the laws of the country where the data exporter is established; and
- send a copy of any sub-processor agreement(s) to the data exporter.
The data importer will retain full liability for any acts or omissions of its sub-processors causing loss or damage to personal data. The data importer will need to ensure that it makes available, on request from the data exporter or any data subject, a copy of the sub-processing agreements (editing any commercially sensitive information these may contain). The data importer will also be required to update this list at least once a year. Such list may need to be made available to the data exporter’s national data protection authority on request.
Controllers of personal data should bear in mind that the EU Model Clauses apply exclusively to processors of data who are based outside of the EEA. The revisions to the EU Model Clauses permit such processors to sub-contract further the processing of personal data they are carrying out on behalf of a data controller based in the EEA (see the diagram below).
RIGHT OF DATA SUBJECTS
The new EU Model Clauses also introduce the right for the data subject to direct any claims they may have for the loss or misuse of their personal data:
- against the data importer where the data exporter has ceased to exist as a separate entity and no other corporate entity has taken on the data exporter’s rights and obligations; and
- against any sub-processor where the data exporter and data importer have both ceased to exist as separate entities (and no other corporate entity has taken on the data exporter’s rights and obligations), but such liability will be limited to the sub-processors’ own processing activities.
WHAT DOES THIS MEAN FOR MY BUSINESS?
From 15 May 2010, any data controller wishing to demonstrate adequacy (and therefore compliance with the Eighth Data Protection Principle) by using the EU Model Clauses will need to use the new 2010 EU Model Clauses. Agreements currently in place will remain valid after this date but only whilst they relate to the type of processing and data referred to in that agreement. If and when there are any changes to the nature or scope of the data processing operations they cover, the agreement will need to be revised to reflect the provisions contained in the new EU Model Clauses.
The new EU Model Clauses will effectively provide some operational flexibility to both controller and processor in circumstances where both parties know and agree to the sub-contracting of processing activities that involve onwards transfers of personal data. As a consequence, a direct agreement between the data exporter and the sub-processor will no longer be required. This will also mean that where a data exporter regularly uses one sub-processor, multiple agreements will not be required to cover each of the data controller’s requirements.
The main obligations imposed on both data exporters and data importers by the EU Model Clauses remain, however, onerous and cumbersome. Although the new EU Model Clauses represent a formal recognition that the 2001 clauses needed to be adapted and to evolve to match businesses’ needs in relation to sub-processing, the amendments only deal with a few of the complex issues arising in relation to transfers outside of the EEA and it is thought that the changes will only make a limited difference in practice.
A particular aspect which has not been covered by the new EU Model Clauses is the transfer from a data processor based in the EEA to a sub-processor based outside of the EEA. The Article 29 Working Party recommended that the Commission deal with this case scenario through a separate set of clauses, but for the moment the status quo has been maintained and in these circumstances a direct agreement between the data controller and sub-processor will still be the best option.
The diagram here describes the position in respect of transfers from data controllers based within the EEA wishing to outsource their activities.