< Back

Share |

Using Model transfer terms and private contracts

January 2013

Model transfer terms

Another method that could be used to reach the level of adequacy required by the Directive is the adoption of the European Commission-approved model clauses.

These model clauses are currently contained in three forms of contract that have been published by the EU Commission:

  • Data Controller to Data Controller contract (2001) — this governs international transfers from a data controller to another data controller. This can be used where it is likely that both parties will make decisions in relation to the personal data that is being transferred, e.g. exports to head office.
  • Data Controller to Data Processor contract (2010) — this governs the international transfers from a data controller to its data processor. This could be used where there is Diskoutsourcing to a data processor based outside the EEA.
  • Data Controller to Data Controller contract (2004) — this is a more business-friendly version of the 2001 Data Controller to Data Controller contract, and is often referred to as the "ICC Clauses".

The model clause solution. Whichever contract chosen contains a number of different advantages’ and disadvantages:

Advantages

  • Speed — this is a relatively speedy option to adopt.
  • It represents a cost efficient approach that does not require extensive individual interpretation in every jurisdiction.
  • Individual clearance in each and every country is not always required although some jurisdictions may require further approval (sometimes pre-approval) and certain registration/filing obligations.
  • Level of certainty — the model clauses are internationally understood to provide a level of compliance.
  • Details of privacy policies and practices that may (or may not) underpin the contracts need not be disclosed or made public.

Disadvantages

  • Contracts can be directly enforced by data subjects.
  • Model clauses exceed the obligations set out under the Directive in some respects.
  • Model clauses are often criticised as being poorly drafted and not business friendly.
  • Attempts to vary the standard form of the model clauses can cause further compliance difficulties and result in a loss of the automatic adequacy (but remain a possibility if undertaken with care).
  • Local EU law is forced on the data importer entity/recipient.

ICC Clauses

The approved model clauses have been around for a few years now and, in our experience, they have been used by multinational organisations, albeit with reservations. As outlined above, there are two fundamental categories of these model clauses, namely a separate version for controller-to-controller transfers and controller-to-processor transfers.

MalletThe model clauses have, over time, attracted much criticism, which has led to the International Chamber of Commerce (ICC) working party on data protection developing an alternative set of model clauses for controller-to-controller transfers, which were eventually approved by the EU. The final version of the alternative ICC clauses are far removed from the original proposal made by the ICC, but inevitably concessions had to be made before any EU approval could be granted. The ICC clauses do, however, offer a more flexible approach to model agreements but only cover controller-to-controller data transfers.

It is understood that the ICC has an initiative under way to prepare its own version of the controller-to-processor clauses, but this may take some time to reach the required stage of approval.

The ICC clauses are deemed to be a preferable solution for many organisations to use for such transfers when it is acting as a data controller, rather than using the earlier model clauses based on the Commission Decision of June 15, 2001. Even for the data controller acting as a data importer, the ICC model clauses would still be preferable, as the clauses are more reasonable for the data importer.

The key practical and legal reasons are outlined below:

  • A data subject claim can only be made for actual damage suffered and only against the party/entity that has actually caused damage, rather than joint and several responsibility for damage suffered under the EC 2001 model clauses.
  • Under the ICC model clauses, the data controller/data exporter would not be bound by a binding mediation procedure, as the only obligation is to respond to any generally available non-binding mediation.
  • The data controller/data exporter does not have to respond to the data subject and authority enquiries if the parties have agreed that the data importer will respond, which would involve less time and cost.
  • BookThe data controller/data exporter can remove confidential information from its contract with the data controller/data importer when providing a copy to the data subject.
  • The ICC model clauses contain more flexible provisions regarding data subjects' access rights, such as denying requests which are frivolous or repeated, or where not required under the data exporter's laws.
  • The ICC model clauses do not specifically require the parties to waive objections to consumer organisations bringing challenges on data subjects' behalves, whereas the EC model clauses do. The ICC model clauses allow direct challenges by data subjects against the importer only where the exporter has not taken action to enforce the clauses within a reasonable period (normally one month), whereas this limitation is not in the EC model clauses.
  • The EC model clauses require the exporter to respond to inquiries from data protection authorities in all cases, whereas the ICC model clauses effectively allow the exporter and importer to agree for such responses to be dealt with by the importer (with a default position that the exporter will respond where the importer is unwilling or unable to do so within a reasonable period).
  • The EC model clauses require the importer to warrant that local law does not prevent it "from fulfilling its obligations under the contract", whereas the ICC model clauses limits this to knowledge that the importer has at the time it enters into the clauses, and to legal obligations "which would have a substantial adverse effect" on its compliance with the clauses. The ICC model clauses require the importer to notify only the exporter if it becomes aware of a conflicting legal obligation, and not also the data protection authority as with the EC model clauses.
  • The ICC model clauses provision on auditing gives the data importer considerably more rights than the Commission clause, for example, there is a reasonableness test regarding the exporter's request for audit and the auditor need not be approved by the exporter's data protection authority, as is the case in the EC model clauses.
  • The EC model clauses require the importer to follow advice from the data protection authority, which is a wide term and could include informal guidance. The ICC model clauses only require compliance if a competent court or data protection authority issues a final decision where no further appeal is available.Cables
  • The ICC model clauses contain more detailed and specific termination provisions than the EC model clauses.
  • The EC model clauses may not be varied or modified, whereas the ICC model clauses permit updating of certain factual information, and additional commercial provisions. The ICC model clauses also provide a more flexible administration of the clauses by enabling execution of annexes to cover additional transfers, and for a single annex to cover multiple transfers.
  • The ICC model clauses improve the voluntary and mandatory data processing principles in the EC clauses, for example, less onerous information obligations for onward transfers by allowing the importer to tell the data subject that recipient countries may have different levels of data protection rather than saying inadequate levels of protection.

Private contracts

Private contracts can be concluded between a data exporter in the EEA and the data importer located outside the EEA. These are contracts for data transfers not in the form(s) approved by the EU Commission. Approval will usually need to be obtained for the private contract from the Buildingdata protection authority of the country from which the data exporter is exporting the personal data.

Private contracts would typically need to provide that personal data must be processed in accordance with the requirements imposed by the Directive, and also with any additional requirements in the member state from which it is exported. Some of the advantages and disadvantages include:

Advantages

  • They can be tailored to individual circumstances.
  • They potentially offer companies a greater level of comfort as a result.
  • They have the potential to be more practical and business friendly.

Disadvantages

  • Each data protection authority has a different way of dealing with these and has differing requirements, raising local, and therefore pan-European, uncertainty over whether "adequacy" has been achieved.
  • For a large group of companies the approval of a number of EEA data protection authorities will be required — this could be time consuming and potentially costly.
  • If there are changes to the way in which personal data is transferred or processed, additional clearances may be required.

Self-assessment of adequacy

In certain instances the data exporter can consider whether, given the particular circumstances of a transfer, the transfer is being made to a country that can ensure an adequate level of protection.

Certain EEA member countries have taken the approach of allowing a data controller to discharge the obligation of ensuring that the country to which data is being exported provides an adequate level of protection. Some of the data protection authorities in those countries have provided further guidance in this area.

However, this option is not available in all countries, due to lack of recognition, and is not recognised as a viable solution to achieve adequacy. Some of the key advantages and disadvantages are:

Advantages

  • A company can itself determine whether to make the transfer without the need to involve external data protection authorities (at least initially).
  • The assessment can be made quickly and, if satisfied, can mean minimum disruption to the activities of the company.

Disadvantages

  • FlagNot all countries have adopted the Directive in such away as to allow self-assessment. For a group scenario, with many companies across Europe, this may not therefore be an attractive option.
  • Even where it is available, not all countries have guidance as to how to utilise this method, which creates a very uncertain risk profile with little comfort on mitigation of that risk.
  • Self-assessment means the data exporter bears the compliance risk. The data controller may wrongly assess the requirement of adequacy issue. This would mean a breach of the Directive or local laws.

See our summary of adequacy solutions table.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Contract
Vinod Bange

      

Sally Annereau

Sally Annereau

Lucy Lyons

Lucy Lyons





Vinod, Sally and Lucy analyse how different model terms and contracts can be used to permit personal data transfer.

"The model clauses have, over time, attracted much criticism, which has led to the International Chamber of Commerce (ICC) working party on data protection developing an alternative set of model clauses for controller-to-controller transfers, which were eventually approved by the EU."