EU-approved “model clauses” are often used by companies to comply with their obligation to protect personal data transferring out of the European Economic Area (EEA) to suppliers. Beginning 15th May 2010, organisations will be required to use an updated set of controllerto- processor model clauses for new transfers of personal data or for any existing transfers where the purpose of the transfer or nature of the processing activities changes. The new clauses are intended to simplify the contracting processes by allowing for onward transfers of personal data from a non-EEA importer to subcontractors also located outside the EEA. However, the new clauses still lead to considerable administrative burdens on both parties.

The key changes seek to address one of the major criticisms of the previous (2001) model clauses, specifically that they did not reflect the reality of complex outsourcing and similar arrangements, which often involve multiple suppliers and subcontractors. As a result, organisations resorted to a variety of contracting structures to ensure that transfers of data were legitimate. Often the most prudent approach was for the exporting organisation to enter into model clause agreements with the lead supplier and each of its subcontractors (see Figures 1 and 2), leading to an unwieldy number of agreements even in seemingly simple deals.

As a result of these criticisms, in 2006, the International Chamber of Commerce (ICC), along with other business associations, submitted proposed amendments to the controller-to-processor model clauses in a move to “standardize and speed up transfers of international data”. The key recommendations included new provisions dealing with transfers from one supplier to its subcontractors, and many of these were adopted in the new version.

The new model clauses reduce the number of data transfer agreements to be entered into as part of an outsourcing arrangement. However, the new provisions still include a number of requirements which many organisations may find burdensome. For example, customers must maintain a list of agreed subcontractors and make the list available to its data protection supervisory authority, and all subcontracts must be governed by the law of the customer’s EEA Member State. If the customer is not one legal entity but a whole group of companies located in different EEA Member States, or if the service provider subcontracts to its affiliates through a global cloud computing model, such requirements may result in a significant administrative burden.

Exporting organisations should note that neither of the 2001 or 2010 model clauses deal with the common scenario whereby an EEA-based customer engages an EEA-based supplier, which then subcontracts processing activities outside the EEA. In this case, customers often enter into model clauses with the EEA-based supplier, but the model clauses were not intended to cover this scenario. Another solution might be to provide a power of attorney for the EEA-based supplier to enter into model clauses in the name of the customer, but many customers do not feel comfortable with this solution either. Therefore many customers will still opt to enter into model clauses directly with each of the relevant EEA-based sub-processors.

Key Considerations When Using the New Model Clauses

Prior Written Consent to Sub-Processing Suppliers must obtain the prior written consent of the controller to any subcontracting which will result in subcontractors having access to the controller’s personal data.

Written Agreement Between Data Importer and Sub-Processors The supplier must put in place a written agreement with each subcontractor, which imposes the same obligations on the subcontractor as are imposed on the supplier under the model clauses (see Figure 3). From a supplier perspective, this may be a key advantage to using the new model clauses, since it would enable the supplier to have a contract in place with a subcontractor which covers services provided to a number of the supplier’s customers. However, there are two potential problems with this approach. First, the new model clauses require the relevant data processing provisions to be governed by the law of the EEA Member State in which the customer is established. In addition, the appendices to the model clauses require the parties to specify the types of data being transferred along with the processing operations being carried out and the security measures to be taken by the supplier. As a result, suppliers may still be required to put into place separate subcontracts on a customer-by-customer basis.

Copy of Sub-Processing Agreement Must be Disclosed to Data Exporter The supplier is required to promptly send a copy of any subcontractor agreement it concludes to the controller. Suppliers should note that there is no carve out for commercial terms (as there is where a copy is requested by an individual whose data is being processed by the supplier or subcontractors). This, along with the requirement that the subcontractor agreement is concluded under the law of the Member State of the controller, may result in suppliers requiring subcontractors to put in place customer-specific agreements with their subcontractors.

Governing Law of Sub-Processing Agreement Must be that of the Data Exporter’s Member State The new model clauses require that any data protection provision within a subcontract between the supplier and a subcontractor must be governed by the law of the Member State in which the customer is established. This means that suppliers may not be able to use their existing contracts with subcontractors if they are not governed by the law of the Member State in which the customer is established.

Key Considerations During the Life of the Deal

Responsibility for the Sub-Processing Remains with the Data Controller The key point for customers to remember is that they remain liable under the relevant EEA Member State’s data protection law for all processing of personal data on their behalf, including processing carried out by a third party subcontractor. This is the case even if the subcontracting takes place under a separate agreement between the supplier and the subcontractor. In addition, the customer is required to warrant (to data subjects, who are third-party beneficiaries under the model clauses) that any subcontractor will provide at least the same level of protection for the data as the supplier.

List of Sub-Processors Customers are required to maintain a list of agreed suppliers and subcontractors and to make the list available once a year to their data protection supervisory authority (in the UK, this would be the Information Commissioner’s Office).

Audits The model clauses require both the supplier and the subcontractor to allow the customer or relevant supervisory authority to audit their processing facilities.

Implementation by 15 May 2010 If companies have already used the 2001 model clauses in existing deals, they will need to put a process in place now to identify whether the purposes for any existing transfers or nature of the processing activities change. If they do change, companies will need to put in place the new model clauses, even if the overarching deal has not ended. In many cases it may be easier to proactively change the contracts instead of trying to monitor the requirements for a mandatory change.

Impact Although the model clauses are not the only solution to exporting personal data out of the EEA (for example, exports to the US are sometimes carried out under the Safe Harbor framework), they will continue to be one of the preferred approaches in future contracts.

Click here to view table.