“Model Clauses”; “Model Contracts”; “Standard Contractual Clauses”… Whatever you call them, rumours of their demise may be exaggerated:
(i) For transfers to the USA
For the USA, there is a little doubt, as EU regulators have announced (more or less enthusiastically) “enforcement actions” if no substitute for the Safe Harbour scheme is agreed by 31 January 2016; and German state regulators in particular have indicated that they do not want to automatically approve transfers to the USA based on them. However, in many cases, for now they are the most acceptable method of ensuring approval for exports of data from the EU to the USA, assuming that we don’t have specific consent to the transfer from all data subjects or the transfer is otherwise justified, e.g. because it is necessary for performance of a contract with the data subject. (Even if your company has in place Binding Corporate Rules for intra-group transfers – though Eden Legal is not generally recommending those as a business-friendly solution – then for EU-US transfers outside the group, the model clauses can still be used.)
(ii) For transfers elsewhere
In any event, for transfers from the EU/EEA to any other place in the world that has not been formally recognised by the European Commission as having a legal framework providing adequate protections, nothing has changed: the EU Court of Justice’s decision invalidating the Safe Harbour scheme was limited to the USA. In the absence of any binding decision, the model clauses should still be accepted for transfers elsewhere.
A few tips:
1. Use the correct ones!
The only officially endorsed sets of model clauses are: (i) controller to controller (two sets to choose from); and (ii) controller to processor. The correct set should be used for the situation at hand. But Eden Legal has also seen these draft model clauses proposed for “processor to sub-processor” transfers. In fact the EU’s Article 29 Working Party of representatives of the national regulatory authorities has produced a processor to sub-processor set of model clauses, but they were never adopted by the European Commission. Contractually, there is no particular reason why they shouldn’t be used; however, unlike with the formally adopted sets, Member State authorities are not obliged to recognise that they provide adequate protections. Also, they do refer to certain matters arising under the Framework Contract between the data controller and the data processor (and to the need for prior consent to sub-processing from the data controller), so there is a possibility of conflict with that. Given that national data protection authorities aren’t obliged to accept them, the benefits of using them “as is” are debatable. Interestingly, the 2010 controller to processor clauses do allow non-EU processors to subcontract processing to other EU sub-processors. So there is a legal gap here which potentially leaves EU processors at a disadvantage compared to non-EU processors – except in Spain, where this situation has been officially recognised by the Spanish DPA and a set of clauses has been approved for such use (though the transfers and supporting documents still need to pass through a process of approval).
2. Use for exports from the EU only
Eden Legal has seen the clauses used for transfers from a list of data exporting entities – including entities in Australia, China, India and Japan. Contractually, there is probably no real reason why not, although there is potential for conflict with the data exporter’s home laws. However, this is not the purpose of the clauses, which are intended to be governed by the laws of the country of a particular data controller/exporter, which needs to be an EU national law.
3. Read them and actually make sure that you can comply with everything said…
The clauses generally require the data importer to have in place security measures equivalent to those applicable in the data exporter’s home state. Especially for countries with prescriptive regulations regarding security measures (e.g. Spain or Poland) it is of course important to ensure that the data importer really can and does comply.
4. Annex II…
The standard contractual clauses include annexes to be completed by the parties. These are intended for details of the parties, the transferred data, the data processing and the technical and organizational security measures to be implemented by the data importer. This last requirement can sometimes cause puzzlement. However, depending on precise national practices, there is some flexibility here and a more prescriptive (data exporter friendly) or more relaxed (data importer friendly) approach can be acceptable. Separate technical security documents (which many data processing entities publish) or possibly local laws and regulations (even if not formally recognized by the European Commission as providing adequate safeguards) may also be annexed. Clearly, the security measures indicated need to be: (i) achievable in practice; and (ii) not significantly less protective than those applicable to the data exporter. Depending on the Member State of the data exporter, including more detail may be helpful in avoiding issues later.
5. Don’t amend them…
Model Clauses can be appended to another contract (in fact they should be – the processing activity itself needs to be agreed and regulated by a written agreement and of course the model clauses don’t go into key terms such as the scope of the services, payment, duration, etc.). However, in order to benefit from automatic approval where available, any additional terms (logically) cannot contradict the terms of the model clauses. Amendments may be acceptable but risk losing such automatic approval or approval in general for the international transfer, so Eden Legal would usually recommend (i) not making any substantial amendments; and (ii) appending the clauses in a separate annex for clarity rather than working them into a wider data processing agreement.
It’s possible that for EU-US transfers a new system may emerge in 2016. However, for now, Eden Legal still generally favours using the model clauses for exports to the USA. And for all other places that have not been recognised as having an adequate level of protection, but are not subject to a European court judgment casting doubt on the protectiveness of the legal system, there is no legal indication that anything has changed. Although there is much debate, rather than second-guessing what will come, and certainly rather than doing nothing, this seems to be a case of “play to the whistle”.