The European Union’s independent data protection advisory body, the Article 29 Working Party (“A29WP”), has published draft model clauses for legitimising the transfer of personal data from data processors based in the European Economic Area (“EEA”) to data sub-processors based in third countries (“New Model Clauses”). If adopted by the European Commission (“Commission”), the New Model Clauses should help to promote the adoption of cloud computing and certain other cross-border services by allowing EEA-based customers to comply more easily with the obligations imposed on them as data controllers by EU data protection legislation.
Why are data transfers outside the EEA restricted?
The EU Data Protection Directive (95/46/EC) (“Directive”) prohibits the transfer of personal data from within the EEA to third countries unless adequate levels of protection have been established (“Transfer Restriction”). Certain ‘White List’ countries are recognised by the Commission as having data protection regimes that offer adequate protection for the purposes of the Transfer Restriction. However, the number of White List countries is limited and does not include many of the countries in which all or part of the infrastructure for providing cloud-based services is commonly located, such as the US, Japan, India, Malaysia and Singapore.
To provide EEA-based businesses with a legitimate way to comply with the Transfer Restriction when transferring personal data for which they are responsible as data controllers (e.g. personal data relating to their employees and customers), the Commission has also recognised and approved certain contractual ‘Model Clauses’. When adopted in a binding contractual agreement, the Model Clauses impose various obligations on both the data controller (as exporter of the data) and the data importer (which may be either a data controller or a data processor) to ensure, by contractual means, that the Transfer Restriction is satisfied.
Why are the New Model Clauses required?
The compliance issue that has arisen in practice is that the Model Clauses governing the transfer of personal data from data controllers in the EEA to data processors in third countries (“C2P Model Clauses” - see Commission Decision 2010/87/EU) are not applicable in the common scenario whereby a business customer in the EEA (the data controller) contracts with a cloud provider in the EEA (the data processor) which then sub-contracts part or all of the data processing (e.g. cloud data storage) to a third party data sub-processor (typically a group affiliate or parent company) based outside the EEA in countries such as the US or Japan.
The New Model Clauses seek to address this issue by providing a set of contractual clauses that can be used to legitimate the transfer of personal data to, and subsequent processing of personal data by, such data sub-processors based outside the EEA. It is contemplated that the New Model Clauses will be included in the ‘Framework Contract’ between the data controller and the data exporter (in this case the data processor), for example as an appendix, to ensure that they bind the data controller as well as the data exporter and data importer.
Do the New Model Clauses differ significantly?
In many respects, the New Model Clauses adopt a similar style and approach to the C2P Model Clauses by imposing extensive obligations on both the data exporter (i.e. the data processor) and the data importer (in this case the data sub-processor) and granting third party beneficiary rights to the relevant individuals to whom the personal data relates (the data subjects) to allow them to take action in certain circumstances to enforce breaches against the data exporter, data importer, and any subsequent sub-processors.
Other similarities include requiring the parties to stipulate the details of the relevant personal data and processing activities/security measures, and allowing the sub-processor to engage subsequent sub-processors to process the relevant personal data provided that they obtain consent from the data controller (or the data exporter acting on the controller’s instructions) and ensure that equivalent contractual obligations are imposed on any such subsequent sub-processors.
The New Model Clauses also include additional obligations not in the C2P Model Clauses. For example, the data exporter must warrant that the ‘Framework Contract’ between it and the data controller contains certain mandatory provisions (such as in relation to data security measures and authorisation for sub-contracting data processing), and the data exporter must agree to allow auditing of its data processing facilities at the request of the data controller (an obligation only imposed on the data importer under the C2P Model Clauses).
WAB comment
If adopted by the Commission, the New Model Clauses would most likely be welcomed by customers and providers as a practical and efficient way to ensure compliance with the Transfer Restriction not only in relation to cloud-based services but also cross-border outsourcing and other services where personal data for which the customer is responsible is stored and processed by entities within the provider’s group both inside and outside the EEA.
From a timing perspective, however, it remains unclear whether the Commission will be willing and able to devote the time and attention required to adopt the New Model Clauses in the near future while the negotiations are ongoing to agree the draft General Data Protection Regulation (“Regulation”). Once implemented, the Regulation will overhaul the existing EU data protection regime and, if adopted in its current form, then following a pre-defined ‘sunset period’ (for example, 2 years after the Regulation comes into force) all existing Commission-approved ‘Model Clauses’ will cease to have effect and will need to be replaced with new ‘Model Clauses’ that offer adequate protection for the purposes of the more onerous regulatory standard imposed by the Regulation.
That said, the Commission’s stated ambition of making the EU a leading force in cloud services means it is likely that the New Model Clauses will be adopted in some form, the main question being whether they will be adopted now under the current Directive or later under the future Regulation.
A copy of the New Model Clauses is available here