The regulatory limitations affecting international transfers of personal data have been a controversial issue since the early nineties. Even before the deadline for implementation of the 1995 Data Protection Directive kicked in, businesses across the European Union struggled to find a way to accommodate their normal data sharing and communication practices to the impending legislation. In response to these concerns, the International Chamber of Commerce and the Confederation of British Industry took the lead and started working on some kind of contractual solution to the problem.
Despite the hard work, it took almost six years for the European Commission to make use of Article 26(4) of the Data Protection Directive and adopt an official Decision setting out standard contractual clauses ensuring adequate safeguards for transfers of personal data to unsafe jurisdictions[1] (the original clauses). However, the uncompromisingly legalistic content of the clauses and their non-negotiable nature did not satisfy the commercial imperatives of many relationships. As a result, the ICC and six other partners[2] continued to work on an alternative set of standard contractual clauses.
The ICC coalition suffered a setback in December 2003, when the Article 29 Working Party issued its Opinion 8/2003[3] on the draft alternative clauses and stated that it had doubts that the proposed alternative clauses satisfied the following requirements:
· a comparable level of protection to the clauses approved by the Commission in 2001
· an added value beyond the mere fact that they were more business-friendly, such as being more citizen-friendly.
The Article 29 Working Party identified three fundamental areas of concern which had to be overcome before the European Commission could grant its approval in accordance with Article 26(4) of the Data Protection Directive, namely:
· the duty of cooperation with data protection authorities
· the limitations to the right of access
· the system of liability.
Therefore, from the beginning of 2004, the coalition focused its efforts on addressing these issues in a way that met the Commission’s requirements. The Commission was also keen to get the alternative clauses approved, as it had pledged in its report of
Obligations of the data exporter
In the original clauses, the exporter of the data has to warrant very difficult things, such as the fact that the processing will always be carried out in accordance with the law of the country where the exporter is based and that individuals will be informed if the transfer involves sensitive personal data. In the alternative clauses, these obligations are replaced by more practical and achievable tasks, such as:
· ensuring that the collection, processing and transfer is in accordance with the laws applicable to the exporter
· using reasonable efforts to determine that the data importer is able to satisfy its legal obligations under the clauses
· providing the importer, upon request, with copies of relevant data protection laws and references to them (not including legal advice).
In addition, some of the obligations under the original clauses have been softened, as the exporter will be required to respond to enquiries from individuals and data protection authorities only if the importer has not agreed to do so, and confidential information may be excluded from the copy of the clauses that must be made available to individuals who request them.
Obligations of the data importer
As in the case of the original clauses, the most important aspect of the new model clauses in terms of safeguarding the data protection rights of individuals is how to control the uses of the data made by the importer. Accordingly, the alternative clauses dealing with the importer’s obligations are very detailed and precise. However, they are also more realistic than the original clauses.
For example, unlike under the original clauses, a data importer that enters into an agreement containing the alternative model clauses will have to warrant and undertake that:
· it has appropriate technical and organisational security measures in place
· it has procedures in place to ensure that any third party with access to the data (including data processors) will respect and maintain the confidentiality and security of the data
· it will identify to the data exporter a contact point within its organisation authorised to respond to enquiries concerning the processing of the personal data, and will cooperate in good faith with the data exporter and the relevant individuals and data protection authorities within a reasonable time
· it will provide the data exporter with evidence of financial resources sufficient to fulfill its responsibilities upon request
· it will submit its data processing facilities, data files and relevant documentation for reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings under the agreement, with reasonable notice and during regular business hours, if reasonably requested by the data exporter
· it will not disclose or transfer the personal data to a third-party data controller located outside the European Economic Area, except in some specific cases.
A clause that has been softened is the one dealing with the impact of local laws on the ability of the data importer to comply with its data protection obligations. Under the alternative clauses, the data importer must warrant and undertake that, at the time of entering into the agreement with the data exporter, it has no reason to believe in the existence of any local laws that would have a substantial adverse effect on the guarantees provided, and that it will inform the data exporter (which will pass such notification on to the relevant data protection authority where required) if it becomes aware of any such laws. However, even in this case, there is no provision that allows the exporter to suspend the transfer of data or terminate the contract, as in the original clauses.
Further, the alternative clauses place a practical limitation on the right of access by allowing data importers to deny such access in cases where requests are manifestly abusive, based on unreasonable intervals or their number or repetitive or systematic nature, or for which access need not be granted under the law of the country of the data exporter. In addition, provided that a competent data protection authority has given its prior approval, access need not be granted when doing so would be likely seriously to harm the interests of the data importer or other organisations dealing with the data importer and such interests are not overridden by the interests for fundamental rights and freedoms of the individuals.
Liability and third-party rights
The “joint and several liability” obligations under the original clauses have always been regarded as a real deal-breaker because, in practice, they meant that a data exporter was more likely to be at the receiving end of a claim by individuals for misuse of the data by the importer than was the importer itself. This approach has disappeared from the alternative clauses and instead they introduce the following four-step system:
· an individual is entitled to enforce his or her rights against the data importer or the data exporter for their respective breach
· however, in cases involving allegations of breach by the data importer, an individual must first request the data exporter to take appropriate action to enforce his or her rights against the data importer
· if the data exporter does not take such action within a reasonable period (ie one month), the individual may then enforce his or her rights against the data importer directly
· in any event, an individual is entitled to proceed directly against a data exporter that has failed to use reasonable efforts to determine that the data importer is able to satisfy its legal obligations under the contract.
The practical consequence of the last point is that data exporters need to satisfy themselves that they can effectively enforce their right to carry out data protection audits of the data importers’ operations and to request evidence of the importers’ financial resources to fulfill their data protection obligations. The bottom line is that under the alternative clauses, exporters must take an active interest in the data processing operations of the importer, rather than simply rely on the undertakings received.
Authorities and termination
Apart from the provisions dealing with the obligations and liability of the parties, the alternative clauses also pay attention to issues such as the duty to cooperate with the relevant authorities and termination. With regard to the former, the parties must abide by a decision of a competent court of the data exporter’s country of establishment or of the data protection authority of that country which is final and against which no further appeal is possible.
The data protection authorities can more easily prohibit or suspend data transfers based on the alternative clauses in those cases where the data exporter refuses to take appropriate steps to enforce contractual obligations against the data importer or the importer refuses to cooperate in good faith with competent supervisory authorities.
As far as termination is concerned, it is quite revealing that the two-line sentence of the original clauses has been replaced by a nine-paragraph clause which sets out in very specific terms the circumstances that trigger termination rights for the parties – in particular, for the data exporter.
Summary
The alternative clauses should be seen as a very positive development in the area of international transfers of personal data. Their pragmatism and their careful drafting will be welcomed by all parties involved in a transaction concerning data transfers and it will not be long before the original clauses become an obsolete piece of data protection history.
Eduardo Ustaran is a solicitor in the Technology Law Group of Field Fisher Waterhouse (www.privacyandinformation.com). He can be contacted at eduardo.ustaran@ffw.com
[1] Commission Decision of
[2] The American Chamber of Commerce to the European Union in Brussels (AmCham EU), the Confederation of British Industry (CBI), the European Information, Communications and Consumer Electronics Technology Industry Association (EICTA), the Federation of European Direct and Interactive Marketing (FEDMA), the International Communication Round Table (ICRT) and the Japan Business Council in Europe (JBCE).