Privacy Law Blog : Privacy Lawyer & Attorney : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

The European Commission is considering modifying the standard contractual clauses (hereafter “SCCs”) established on December 27, 2001 and used by data controllers to transfer personal data to data processors located outside the EU. The new SCCs may introduce more flexibility in processing services and better reflect new business practices.

Although the European Commission has not yet released the new SCCs, the Working Party adopted an opinion on this topic on March 5, 2009.

As our readers know, the EU Directive of 1995 prohibits the transfer of personal data outside the EU/EEA, in countries which do not offer an adequate level of protection of the data. In the judgment of the EU Commission, the United States does not have an adequate level of protection of personal data for purposes of the EU Directive.

As a consequence, controllers that want to transfer personal data to processors located outside the EU/EEA must use one or more of the following compliance mechanisms: 

• Safe Harbor (which only applies if the processor is located in the US);
• Binding Corporate Rules;
• SCCs. 

Many have pointed out that SCCs may no longer be manageable for the complex onward transfers made not only from controllers to processors (as envisaged by the current SCCs) but also from processors to sub-processors or subsequent sub-sub-processors. This is the reason why the European Commission is considering a new set of SCCs.

The new SCCs are designed to: 

• regulate sub-processing;
• allow multi-layered sub-contracting;
• allow the local Data Protection Authorities to inspect the full chain of sub-processing and make binding decisions;
• function as the law of the Member State in which the data exporter is established. (According to some, such a process would be against normal commercial practices as it would have for effect to apply a foreign law to a sub-processor);
• repeal the current SCCs.

In its opinion about the new SCCs, the Working Party outlines three main issues:

1.      First of all, it draws attention to the fact that the transfer of data between a processor established in the EU/EEA to a sub-processor outside the EU/EEA is not envisaged by the SCCs while it is, in practice, a common processing nowadays. It underlines that there is a discrepancy on the rules applicable depending on the place where the processor is located.

The Working Party urges the European Commission to develop a new set of SCCs that would allow international sub-processing by processors located in the EU/EEA. However, given the time that the development of such a new set may take, the Working Party recommends that national Data Protection Authorities consider as an adequate guarantee the fact that the controller authorizes the transfer by a processor located in the EU/EEA to a sub-processor located outside the EU/EEA as long as it applies by analogy the same guarantees and principles in the SCCs.

2.      Second, the Working Party agrees that multi-layered sub-contracting must be taken into account and that a multi-layered sub-processing clause must be included in the new SCCs. However, it draws the attention of the European Commission to the fact that data transferred in such a case, especially if they contain sensitive data, must be processed in compliance with the EU Directive requirements. Indeed, the Working Party emphasizes that given the various number of sub-contractors that may be involved in the sub-contracting process, the liability of a processor that would not have complied with the controller’s instructions may be difficult to establish. This is the reason why the Working Party recommends that the data exporter keep an updated list of the various processors and sub-processors.

The Working Party also considers that applying new SCCs to all different layers of sub-processing is a good solution provided that the data exporter implements organizational solutions to facilitate the exercise of the data subjects’ rights (for instance putting in place a single corporate contact point for data subjects’ claims).

3.      Third, the Working Party recommends that transitional provisions be included in the new SCCs providing that the previous transfers authorized under the “old” SCCs remain in force as long as the transfer described has not changed. It is only if a change is made to the transfer that the parties would have to comply with the new SCCs.

• Email This
• Print
• Comments
• Trackbacks

On May 12, 2009, the UK Information Commissioner's Office (ICO) released a much anticipated report authored by the RAND Corporation assessing the strengths and weaknesses of the 1995 EU Data Protection Directive (95/46/EC) (the "Directive), the main source of privacy legislation in Europe. While the report highlighted a number of the Directive's positive attributes, it nonetheless concluded that as society becomes more globally networked, "the Directive as it stands will not suffice in the long term."

• Email This
• Print
• Comments
• Trackbacks

• Email This
• Print
• Comments
• Trackbacks

In a landmark ruling, the European Court of Human Rights (ECHR)—Europe’s highest court to take up cases affecting the privacy rights of EU citizens—ruled that some aspects of the UK’s DNA database violated EU law.  Specifically, on December 4, the ECHR issued its decision, S. and Marper v. The United Kingdom (Applications 30562/04, 30566/04), holding that the UK DNA database violated the EU’s Convention for the Human Rights and Fundamental Freedoms (the "Convention") in retaining the DNA samples of individuals who had been acquitted of (or arrested and not charged with) any crime.    

• Email This
• Print
• Comments
• Trackbacks

When a company is considering using cloud computing in its IT infrastructure, there are some privacy issues that need to be addressed.

While the value of cloud computing certainly holds much promise, companies wishing to make the leap into the cloud would be well advised to consider the potential privacy issues.  Cloud computing, in its essence, is the migration or outsourcing of computing, hardware and storage functions to a third-party service provider, which hosts applications on the Internet through linked servers located worldwide.  Cloud computing has captured the attention of IT professionals because it offers the appealing option of reducing a company’s computer infrastructure and placing it in the hands of a vendor who can perform a company’s computing needs more cheaply and efficiently than the company can itself.

• Email This
• Print
• Comments
• Trackbacks (1)

A German court (Case No. 133 C 5677/08) recently issued a decision that Internet Protocol (IP) addresses stored on a company's server do not constitute "personal data" under the German data protection law. An IP address is a unique number that every computer connected to the internet is assigned. Under German data protection law (and EU law generally), "personal data" is any data that identifies a natural person. Usually, whether or not a particular category of data constitutes "personal data" is fairly noncontroversial. However, the issue of whether IP addresses constitute personal data is a particularly thorny issue, as an IP address usually consists of a string of numbers, making it difficult to identify a natural person behind a given numerical combination. In fact, last year the EU article 29 Working Party (the EU Committee charged with clarifying the EU Data Protection Directive) has previously opined in 2007, and again in 2008 in more detail as reported here that there is "no doubt" IP addresses do in fact constitute "data relating to an identifiable person" under the EU Data Protection Directive.

• Email This
• Print
• Comments
• Trackbacks

Binding corporate rules (“BCRs”) may now be easier to implement due to much needed guidance issued last month by the European Union’s Article 29 Working Party, the group responsible for the oversight of the EU’s data protection regime. The guidance consists of three documents, which clarify the requirements for establishing BCRs. These documents are: (1) a checklist outlining the required elements of the BCRs; (2) a framework for the structure of BCRs; and (3) a list of frequently asked questions regarding BCRs.

• Email This
• Print
• Comments
• Trackbacks

A new Act of Parliament gives the United Kingdom’s Information Commissioner’s Office (ICO) the authority to impose monetary penalties for misuse of personal data in violation of section 55 of the Data Protection Act of 1998 (DPA).

• Email This
• Print
• Comments
• Trackbacks

The European Data Protection Supervisor (EDPS) has come out in favor of the EU enacting data security breach notification laws.

The EDPS is an independent supervisory authority devoted to protecting personal data and privacy and promoting good data protection practices within the EU, both by monitoring the EU administration’s own data processing, as well as by commenting on pending legislation.

• Email This
• Print
• Comments
• Trackbacks

• Email This
• Print
• Comments
• Trackbacks (1)

Last month the French subsidiary of the U.S. based company, Tyco Healthcare, became the first local branch of a U.S. company to be fined for data protection violations. France’s data protection agency, La Commission Nationale de L'informatique et des Libertes (CNIL) levied a fine of 30,000 euro (or about $40,350) against the company after it both ignored CNIL’s requests for clarification about one of its human resource databases and then made misrepresentations concerning the database to the regulatory agency.

• Email This
• Print
• Comments
• Trackbacks

Dubai recently became the first Arab nation to enact a substantial Data Protection Law (DIFC Law No. 1 of 2007) that aims to protect the personal information of its citizens.  In a statement announcing the new law, Dubai called the enactment "pioneering in the region" and an examination of the law reveals that the description is rightly deserved.   The new law will have immediate implications for companies operating in Dubai (and especially those companies that transfer data from one office to another), such as Halliburton, the giant energy company, which recently announced that it is moving its global headquarters from Texas to Dubai.    

• Email This
• Print
• Comments
• Trackbacks

On January 10, 2007 the Article 29 Data Protection Working Party announced the adoption of a new Model Application for the submission of a company’s Binding Corporate Rules to any European Union Data Protection Authority (DPA). The EU’s approval of the Model Application is long-awaited and a welcome addition to help make Binding Corporate Rules a truly viable alternative to the two other current approved methods of international data protection transfers, safe harbor and model contractual clauses.   

• Email This
• Print
• Comments
• Trackbacks