New EC model clauses: Do you process data overseas?

If the answer is yes, then the recent decision by the European Commission ("EC") updating the controller-to-processor model clauses for the transfer of personal data outside the European Economic Area ("EEA") may be very relevant for your organisation.  The main change implemented by these new model clauses is that they now address the complex expansion of global processing activities by containing specific provisions to allow for sub-processors to be appointed.

24 March 2010

As stated by the EC, "This updated version of the standard contractual clauses takes account of new business models and the growing trends to global processing and outsourcing."

The EU Data Protection Directive ("Directive") provides that the transfer of personal data to a data processor in a country outside the EEA may only take place if that country ensures an adequate level of protection. Such level of protection can be achieved in a number of ways, one of which is by entering into appropriate model contractual clauses approved by the EC. The EC has recently adopted a decision, which replaces the previous version of the model clauses (issued in 2002) on the transfer of personal data to processors in non-EEA countries with a new set of model clauses. The other sets of model clauses for the transfer of personal data to data controllers outside the EEA remain unchanged.

The practical advantage of the new clauses is that a direct contract between the data controller and a sub-processor will no longer be required, thus reducing the contractual complexity of outsourcing arrangements. The new clauses also contain additional provisions for the protection of data subjects.

The new clauses come into effect on 15 May 2010, on which date they will replace the old 2002 clauses. Contracts concluded under the old clauses will remain in force and effect until the parties to the contract wish to make any changes to the nature of the transfer and data processing operations that are the subject matter of existing contracts. For example, this might arise if the processor wishes to use a sub-processor. Moreover, on a strict interpretation, just amending the details of the data transferred in any appendices to a contract would require the parties to revise their contract to include the provisions of the new clauses.

However, a limitation of the new clauses is that they don't cover the situation where the data processor is based within the EEA but wishes to use a sub-processor based outside the EEA. Therefore a data controller dealing with such contractual arrangements will still have to enter into model clauses directly with any non-EEA sub-processors.

Organisations should be aware of circumstances when the new clauses may apply.

On a similar topic, the Article 29 Working Party has recently adopted an opinion on the interpretation of the concepts of data "controller" and "processor". This is because the distinction between controllers and processors has become increasingly blurred given the increase in complex outsourcing structures. The opinion stresses that the definitions play a crucial role in the application of the Directive in order to determine who is responsible for compliance with data protection rules.