After years of negotiations, on February 5, 2010, the European Commission (EC) updated its Standard Contractual Clauses (SCCs), which set forth contract terms that govern the protection of personal data transferred from data exporters within the European Union (EU) to data processors outside the EU. On June 8, 2009, we wrote that the EC was considering implementing new SCCs. On May 15, 2010, the new SCCs, promulgated under 2010/87/EU, will go into effect, replacing the old SCCs, promulgated under 2002/16/EC.
Under Directive 95/46/EC, personal data may only be transferred by EC Member States to a third country if that country ensures an adequate level of data protection. EC Member States may circumvent this relatively high standard by incorporating SCCs covering data protection into their agreements with personal data processors in countries that lack adequate data protections. The SCCs are intended to ensure that personal data is appropriately safe guarded when transferred to a data processor in a third country that does not otherwise provide an adequate level of data protection.
Unlike the old SCCs that did not consider sub-processors of personal data, the new SCCs permit a data processor in a country outside the EU to transfer data to a data sub-processor so long as the data exporter provides its prior written consent. Additionally, the sub-processor must agree to the same terms agreed to by the data processor, including the SCCs governing personal data. One interesting effect of the new SCCs relates to liability in the event of an information security breach; even if a data sub-processor is solely responsible for a breach, the original data-processor remains fully liable to the data exporter for such breach.
The new SCCs, like the old SCCs, are enforceable not only by the entities which are parties to the agreements incorporating them, but also by data subjects who are third-party beneficiaries of these agreements. While both the old and new SCCs allow for recovery by data subjects from data processors, the new SCCs, in specific instances, allow for recovery by data subjects from data sub-processors.
One other change worth noting is that the new SCCs have no arbitration clause. In the old SCCs, a data processor had to agree that certain disputes with data subjects were permitted to be resolved by arbitration. The new SCCs eliminate this option, offering mediation or litigation as a means to resolve disputes between a data processor and data subjects.
With the new SCCs, the EC has attempted to balance the need to protect sensitive personal information and the need for efficient and increasingly global business operations. It remains to be seen whether the new SCCs will provide a medium where both needs are adequately addressed.