International : Privacy Law Blog

Home > International >

Posted on June 8, 2009 by Cecile Martin

A New Solution for Global Outsourcing? The EU Commission Considers New SCCs For Cross-Border Data Transfers

The European Commission is considering modifying the standard contractual clauses (hereafter “SCCs”) established on December 27, 2001 and used by data controllers to transfer personal data to data processors located outside the EU. The new SCCs may introduce more flexibility in processing services and better reflect new business practices.

Although the European Commission has not yet released the new SCCs, the Working Party adopted an opinion on this topic on March 5, 2009.

As our readers know, the EU Directive of 1995 prohibits the transfer of personal data outside the EU/EEA, in countries which do not offer an adequate level of protection of the data. In the judgment of the EU Commission, the United States does not have an adequate level of protection of personal data for purposes of the EU Directive.

As a consequence, controllers that want to transfer personal data to processors located outside the EU/EEA must use one or more of the following compliance mechanisms:

Safe Harbor (which only applies if the processor is located in the US);
Binding Corporate Rules;
SCCs.

Many have pointed out that SCCs may no longer be manageable for the complex onward transfers made not only from controllers to processors (as envisaged by the current SCCs) but also from processors to sub-processors or subsequent sub-sub-processors. This is the reason why the European Commission is considering a new set of SCCs.

The new SCCs are designed to:

regulate sub-processing;
allow multi-layered sub-contracting;
allow the local Data Protection Authorities to inspect the full chain of sub-processing and make binding decisions;
function as the law of the Member State in which the data exporter is established. (According to some, such a process would be against normal commercial practices as it would have for effect to apply a foreign law to a sub-processor);
repeal the current SCCs.

In its opinion about the new SCCs, the Working Party outlines three main issues:

1. First of all, it draws attention to the fact that the transfer of data between a processor established in the EU/EEA to a sub-processor outside the EU/EEA is not envisaged by the SCCs while it is, in practice, a common processing nowadays. It underlines that there is a discrepancy on the rules applicable depending on the place where the processor is located.

The Working Party urges the European Commission to develop a new set of SCCs that would allow international sub-processing by processors located in the EU/EEA. However, given the time that the development of such a new set may take, the Working Party recommends that national Data Protection Authorities consider as an adequate guarantee the fact that the controller authorizes the transfer by a processor located in the EU/EEA to a sub-processor located outside the EU/EEA as long as it applies by analogy the same guarantees and principles in the SCCs.

2. Second, the Working Party agrees that multi-layered sub-contracting must be taken into account and that a multi-layered sub-processing clause must be included in the new SCCs. However, it draws the attention of the European Commission to the fact that data transferred in such a case, especially if they contain sensitive data, must be processed in compliance with the EU Directive requirements. Indeed, the Working Party emphasizes that given the various number of sub-contractors that may be involved in the sub-contracting process, the liability of a processor that would not have complied with the controller’s instructions may be difficult to establish. This is the reason why the Working Party recommends that the data exporter keep an updated list of the various processors and sub-processors.

The Working Party also considers that applying new SCCs to all different layers of sub-processing is a good solution provided that the data exporter implements organizational solutions to facilitate the exercise of the data subjects’ rights (for instance putting in place a single corporate contact point for data subjects’ claims).

3. Third, the Working Party recommends that transitional provisions be included in the new SCCs providing that the previous transfers authorized under the “old” SCCs remain in force as long as the transfer described has not changed. It is only if a change is made to the transfer that the parties would have to comply with the new SCCs.

Tags: "Global, Cross-border data transfers, European Union, International, outsoursing"

Posted on March 13, 2009 by Clifford Davidson

U.K. Internet Publication Rule Upheld; Internet Viewings Constitute Republication

On March 10, 2009, the European Court of Human Rights held that the British Internet publication rule does not violate the right to free expression guaranteed by Article 10 of the European Convention. The case has profound implications for those bringing privacy- or disclosure-related tort claims based on materials available on the Internet – where U.K. law applies.

Tags: International, United Kingdom, defamation, litigation

Posted on February 4, 2009 by Brendon Tavelli

Google Execs Face Privacy-Related and Other Criminal Charges for Taunting Video

Several Google executives, including the Company’s global privacy counsel, Peter Fleischer, will face criminal charges in Italian court stemming from Italian authorities’ two-year investigation of a video posted on Google Video showing a disabled teen being taunted by classmates. The video, posted in 2006, depicts four high school boys in a Turin classroom taunting a classmate with Down syndrome and ultimately hitting the young man over the head with a box of tissues. Google removed the video on November 7, 2006, less than twenty-four hours after receiving multiple complaints about the video. Nonetheless, Fleischer and his Google colleagues face criminal charges of defamation and failure to exercise control over personal information that carry a maximum sentence of three (3) years.

Tags: CDA, Cajani, Communications Decency Act, European Union Data Protection Directive, Google, IAPP, International, International Association of Privacy Professionals, Invasion of Privacy, Italian court, Italy, Section 230, criminal, personal data, takedown

Posted on November 26, 2008 by Kristen J. Mathews

Privacy Issues When "Computing in the Cloud"

When a company is considering using cloud computing in its IT infrastructure, there are some privacy issues that need to be addressed.

While the value of cloud computing certainly holds much promise, companies wishing to make the leap into the cloud would be well advised to consider the potential privacy issues. Cloud computing, in its essence, is the migration or outsourcing of computing, hardware and storage functions to a third-party service provider, which hosts applications on the Internet through linked servers located worldwide. Cloud computing has captured the attention of IT professionals because it offers the appealing option of reducing a company’s computer infrastructure and placing it in the hands of a vendor who can perform a company’s computing needs more cheaply and efficiently than the company can itself.

Tags: EU Data Directive, European Union, International, cloud computing

Posted on October 31, 2008 by Clifford Davidson

UK Court Parts with US Court regarding Compelled Disclosure of Encryption Keys

On October 9, in the case R v. S and A [2008] EWCA Crim 2177, the Criminal Division of the England and Wales Court of Appeal held that requiring criminal defendants to disclose an encryption key allegedly protecting criminal materials does not violate the privilege against self-incrimination under U.K. law or Article 6 of the European Convention of Human Rights. The U.K. court’s ruling is at odds with Magistrate Judge Jerome J. Niedermeier’s ruling on a similar issue in the District of Vermont, In re Boucher, No. 06-mj-91, 2007 WL 4246473 (D. Vt. Nov. 29, 2007).

Tags: Fifth Amendment, International, encryption

Posted on October 3, 2007 by Christopher Wolf

International Privacy Issues and More Addressed in New International Practice Guide

Proskauer Rose LLP has just released "Proskauer on International Litigation and Arbitration: Managing, Resolving, and Avoiding Cross-Border Business and Regulatory Disputes." The online guide is a practical reference work for businesses and practitioners; it explores best practices and creative yet practical approaches to manage, resolve, and avoid controversies affecting multiple jurisdictions.

The 28-chapter guide is available free in e-Book format at www.proskauerguide.com. It includes a thorough chapter on international privacy law.

Tags: International, international litigation, international practice, international privacy, privacy, proskauerguide

Posted on April 19, 2007 by Jeremy Mittman

Dubai Becomes First Arab Nation to Enact Data Protection Law

Dubai recently became the first Arab nation to enact a substantial Data Protection Law (DIFC Law No. 1 of 2007) that aims to protect the personal information of its citizens. In a statement announcing the new law, Dubai called the enactment "pioneering in the region" and an examination of the law reveals that the description is rightly deserved. The new law will have immediate implications for companies operating in Dubai (and especially those companies that transfer data from one office to another), such as Halliburton, the giant energy company, which recently announced that it is moving its global headquarters from Texas to Dubai.

Tags: Dubai, European Union, International, data protection, data transfers, personal data

Privacy Law Blog

Proskauer Rose LLP
1001 Pennsylvania Avenue, NW Suite 400 South Washington, DC 20004 202.416.6800
2049 Century Park East, 32nd Floor Los Angeles, CA 90067-3206 310.557.2900
Three First National Plaza, 70 West Madison, Suite 3800 Chicago, IL 60602-4342 312.962.3550
1585 Broadway New York, NY 10036-8299 212.969.3000
One International Place Boston, MA 02110-2600 617.526.9600
2255 Glades Road, Suite 340 West Boca Raton, FL 33431-7383 561.241.7400
One Newark Center Newark, NJ 07102-5211 973.274.3200
650 Poydras Street, Suite 1800, New Orleans, LA 70130-6146 504.310.4088
36/F, Edinburgh Tower, The Landmark, 15 Queen's Road Central Suites 3605-3607, Hong Kong 852.3410.8000
374 rue Saint-Honoré 75001 Paris France 33.1.53.05.60.00
Berkeley Square House, Berkeley Square, London, UK W1J 6BD 44.20.7083.8500
Rua São Tomé, 86, 17° andar 04551-080 São Paulo, Brazil 55.11.3045.1250

Privacy Law Blog : Privacy Lawyer & Attorney : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

Published By
Proskauer Rose LLP

Short tagline goes here

A New Solution for Global Outsourcing? The EU Commission Considers New SCCs For Cross-Border Data Transfers

U.K. Internet Publication Rule Upheld; Internet Viewings Constitute Republication

Google Execs Face Privacy-Related and Other Criminal Charges for Taunting Video

Privacy Issues When "Computing in the Cloud"

UK Court Parts with US Court regarding Compelled Disclosure of Encryption Keys

International Privacy Issues and More Addressed in New International Practice Guide

Dubai Becomes First Arab Nation to Enact Data Protection Law

Editors

Contributors