The Model Clauses are dead! Long live the Model Clauses!

“Model Clauses”; “Model Contracts”; “Standard Contractual Clauses”… For international transfers generally they remain entirely useable and legally valid. For transfers to the USA, now that Safe Harbor can’t be relied upon, they may still [December 2015] be the best option while awaiting a decision on what any successor arrangements may look like.

“Model Clauses”; “Model Contracts”; “Standard Contractual Clauses”… Whatever you call them, rumours of their demise may be exaggerated:

(i) For transfers to the USA

For the USA, there is a little doubt as EU regulators have announced (more or less enthusiastically) “enforcement actions” if no substitute for the Safe Harbour scheme is agreed by 31 January 2016; and German state regulators in particular have indicated that they do not want to automatically approve transfers to the USA based on them. However, in many cases, for now they are the most acceptable method of ensuring approval for exports of data from the EU to the USA, assuming that we don’t have specific consent to the transfer from all data subjects or the transfer is otherwise justified, e.g. because it is necessary for performance of a contract with the data subject. (Even if your company has in place Binding Corporate Rules for intra-group transfers – though Eden Legal is not generally recommending those as a business-friendly solution – then for EU-US transfers outside the group, the model clauses can still be used.)

(ii) For transfers elsewhere

In any event, for transfers from the EU/EEA to any other place in the world that has not been formally recognised by the European Commission as having a legal framework providing adequate protections, nothing has changed: the EU Court of Justice’s decision invalidating the Safe Harbour scheme was limited to the USA. In the absence of any binding decision, they should still be accepted for transfers elsewhere.

A few tips:

1. Use the correct ones!

The only officially endorsed sets of model clauses are: (i) controller to controller (two sets to choose from); and (ii) controller to processor. The correct set should be used for the situation at hand. But Eden Legal has also seen these draft model clauses proposed for “processor to sub-processor” transfers. In fact the EU’s Article 29 Working Party of representatives of the national regulatory authorities has produced a processor to sub-processor set of model clauses, but they were never adopted by the European Commission. Contractually, there is no particular reason why they shouldn’t be used; however, unlike the formally adopted sets, Member State authorities are not obliged to recognise that they provide adequate protections. Also, they do refer to certain matters arising under the Framework Contract between the data controller and the data processor (and to the need for prior consent to sub-processing from the data controller), so there is a possibility of conflict with that. Given that national data protection authorities aren’t obliged to accept them, the benefits of using them “as is” are debatable. Interestingly, the 2010 controller to processor clauses do allow non-EU processors to subcontract processing to other EU sub-processors. So there is a legal gap here which potentially leaves EU processors at a disadvantage compared to non-EU processors – except in Spain, where this situation has been officially recognised by the Spanish DPA and a set of clauses has been approved for such use (though the transfers and supporting documents still need to pass through a process of approval).

2. Use for exports from the EU only

Eden Legal has seen the clauses used for transfers from a list of data exporting entities – including entities in Australia, China, India and Japan. Contractually, there is probably no real reason why not, although there is potential for conflict with the data exporter’s home laws. However, this is not the purpose of the clauses, which are intended to be governed by the laws of the country of a particular data controller/exporter, which needs to be an EU national law.

3. Read them and actually make sure that you can comply with everything said…

The clauses generally require the data importer to have in place security measures equivalent to those applicable in the data exporter’s home state. Especially for countries with prescriptive regulations regarding security measures (e.g. Spain or Poland) it is of course important to ensure that the data importer really can and does comply.

4. Annex II…

The standard contractual clauses include annexes to be completed by the parties. These are intended for details of the parties, the transferred data, the data processing and the technical and organizational security measures to be implemented by the data importer. This last requirement can sometimes cause puzzlement. However, depending on precise national practices, there is some flexibility here and a more prescriptive (data exporter friendly) or more relaxed (data importer friendly) approach can be acceptable. Separate technical security documents (which many data processing entities publish) or possibly local laws and regulations (even if not formally recognized by the European Commission as providing adequate safeguards) may also be annexed. Clearly, the security measures indicated need to be: (i) achievable in practice; and (ii) not significantly less protective than those applicable to the data exporter. Depending on the Member State of the data exporter, including more detail may be helpful in avoiding issues later.

5. Don’t amend them…

Model Clauses can be appended to another contract (in fact they should be – the processing activity itself needs to be agreed and regulated by a written agreement and of course the model clauses don’t go into key terms such as the scope of the services, payment, duration, etc.). However, in order to benefit from automatic approval where available, any additional terms (logically) cannot contradict the terms of the model clauses. Amendments may be acceptable but risk losing such automatic approval or approval in general for the international transfer, so Eden Legal would usually recommend (i) not making any substantial amendments; and (ii) appending the clauses in a separate annex for clarity rather than working them into a wider data processing agreement.


It’s possible that for EU-US transfers a new system may emerge in 2016. However, for now, Eden Legal still generally favours using the model clauses for exports to the USA. And for all other places that have not been recognised as having an adequate level of protection, but are not subject to a European court judgment shedding doubt on the protectiveness of the legal system, there is no legal indication that anything has changed. Although there is much debate, rather than second-guessing what will come, and certainly rather than doing nothing, this seems to be a case of “play to the whistle”.
