The European Commission is considering modifying the standard contractual clauses (hereafter “SCCs”) established on December 27, 2001 and used by data controllers to transfer personal data to data processors located outside the EU. The new SCCs may introduce more flexibility in processing services and better reflect new business practices.
Although the European Commission has not yet released the new SCCs, the Working Party adopted an opinion on this topic on March 5, 2009.
As our readers know, the EU Directive of 1995 prohibits the transfer of personal data outside the EU/EEA, in countries which do not offer an adequate level of protection of the data. In the judgment of the EU Commission, the United States does not have an adequate level of protection of personal data for purposes of the EU Directive.
As a consequence, controllers that want to transfer personal data to processors located outside the EU/EEA must use one or more of the following compliance mechanisms:
- Safe Harbor (which only applies if the processor is located in the US);
- Binding Corporate Rules;
Many have pointed out that SCCs may no longer be manageable for the complex onward transfers made not only from controllers to processors (as envisaged by the current SCCs) but also from processors to sub-processors or subsequent sub-sub-processors. This is the reason why the European Commission is considering a new set of SCCs.
The new SCCs are designed to:
- regulate sub-processing;
- allow multi-layered sub-contracting;
- allow the local Data Protection Authorities to inspect the full chain of sub-processing and make binding decisions;
- function as the law of the Member State in which the data exporter is established. (According to some, such a process would be against normal commercial practices as it would have for effect to apply a foreign law to a sub-processor);
- repeal the current SCCs.
In its opinion about the new SCCs, the Working Party outlines three main issues:
1. First of all, it draws attention to the fact that the transfer of data between a processor established in the EU/EEA to a sub-processor outside the EU/EEA is not envisaged by the SCCs while it is, in practice, a common processing nowadays. It underlines that there is a discrepancy on the rules applicable depending on the place where the processor is located.
The Working Party urges the European Commission to develop a new set of SCCs that would allow international sub-processing by processors located in the EU/EEA. However, given the time that the development of such a new set may take, the Working Party recommends that national Data Protection Authorities consider as an adequate guarantee the fact that the controller authorizes the transfer by a processor located in the EU/EEA to a sub-processor located outside the EU/EEA as long as it applies by analogy the same guarantees and principles in the SCCs.
2. Second, the Working Party agrees that multi-layered sub-contracting must be taken into account and that a multi-layered sub-processing clause must be included in the new SCCs. However, it draws the attention of the European Commission to the fact that data transferred in such a case, especially if they contain sensitive data, must be processed in compliance with the EU Directive requirements. Indeed, the Working Party emphasizes that given the various number of sub-contractors that may be involved in the sub-contracting process, the liability of a processor that would not have complied with the controller’s instructions may be difficult to establish. This is the reason why the Working Party recommends that the data exporter keep an updated list of the various processors and sub-processors.
The Working Party also considers that applying new SCCs to all different layers of sub-processing is a good solution provided that the data exporter implements organizational solutions to facilitate the exercise of the data subjects’ rights (for instance putting in place a single corporate contact point for data subjects’ claims).
3. Third, the Working Party recommends that transitional provisions be included in the new SCCs providing that the previous transfers authorized under the “old” SCCs remain in force as long as the transfer described has not changed. It is only if a change is made to the transfer that the parties would have to comply with the new SCCs.