A press release last week from the European Commission, descriptively entitled “Decision updating the standard contractual clauses for the transfer of personal data to processors established in non-EU countries”, announces last Friday’s adoption by the Commission of its Decision, which addresses transfers to jurisdictions that are not recognised as offering an adequate level of data protection. The clauses in question are known as “controller to processor” clauses. According to the press release,
The “controller to processor” standard contractual clauses were approved by Commission Decision 2002/16/EC in order to provide companies with a tool which help them to comply with the obligation to ensure “adequate protection” for personal data when they transfer personal data to processors outside the EU/EEA.
Directive 95/46/EC lays down the legal framework for the processing of personal data in the European Union. With regard to international transfers of personal data to non EU/EEA countries, Directive 95/46/EC provides that transfer of personal data to a third country may take place only if the third country ensures an adequate level of protection, unless one of a limited number of specific exemptions applies. Where a third country does not ensure an adequate level of protection, Member States may authorize a transfer or a set of transfers of personal data to that third country where the controller adduces adequate safeguards with respect to the protection of privacy and data protection standards; such safeguards may in particular result from appropriate contractual clauses. Directive 95/46/EC provides that the European Commission may decide that certain standard contractual clauses offer sufficient safeguards for transfers of personal data to a third country that does not offer an adequate level of protection.
The standard contractual clauses are only one of several possibilities under the EU data protection Directive (95/46/EC) for lawfully transferring personal data outside the EU. They are not compulsory for businesses. However the advantage of using these standard clauses when transferring personal data to processors in countries outside the EU is that, on one hand, companies are obliged to comply with data protection standards and, on the other hand, Member States’ data protection authorities are obliged to recognise that these transfers enjoy adequate protection.
In addition to these standard contractual clauses, the European Commission has also adopted two Decisions which lay down standard clauses for the transfer of personal data to controllers outside the EU/EEA (Decisions 2001/497/EC and 2004/915//EC) – “controller to controller”.
The Decision … modifies current ” controller to processor” standard contractual clauses to take account of the expansion of processing activities and new business models of companies for international processing of personal data. Specific provisions allow under certain conditions the outsourcing by the processor of its processing activities (sub-processing) to other sub-processor or sub-processors so as to continue to ensure the protection of data subjects. Under these standard contractual clauses, an EU company exporting data (controller) should instruct its processor established in a third country to treat the data with full respect to the EU data protection requirements and should guarantee that appropriate technical and security measures are in place in the destination country. The data subjects are granted a third party beneficiary right against the EU data exporter and, under some circumstances, against the data importer (processor) to enforce several of the contractual obligations entered into the exporter and the data importer in order to ensure the protection of their rights, in particular where the data subjects suffer damage as a consequence of a breach of the contract.
The report on the implementation of Decisions on standard contractual clauses for the transfers of personal data to third countries of 2006 has recommended the insertion of appropriate contractual clauses on subsequent onwards transfers from a data processor established in a third country to another data processor (sub-processing), In addition stakeholders such as The International Chamber of Commerce (ICC), Japan Business Council in Europe (JBCE), EU Committee of the American Chamber of Commerce in Belgium (Amcham), and the Federation of European Direct Marketing Associations (FEDMA), have submitted proposals with a view to updating the contractual clauses of Decision 2002/16/EC in order to take account of both the rapidly expanding scope of data processing activities in the world and to address some issues that have not been covered by that Decision”.
Further information about this Decision and the standard contractual clauses is available here. Frequently Asked Questions relating to transfers of personal data from the EU/EEA to third countries can be found here.