Archive for June, 2011

Moving away from model clauses

Posted on June 27th, 2011 by



Anyone caught up in the murky world of international data transfers tends to regard the standard contractual clauses approved by the European Commission as the most popular solution to legitimise those transfers. For starters, they are freely available and have the blessing of the Commission and the regulators. Surely, those two factors alone must provide considerable comfort to finance directors and general counsels who will think that one cannot go too wrong with them. Also, from a resources perspective, drafting and entering into a set of model clauses should not be very time-consuming as it is just a matter of signing on the dotted line. So, are we wasting our time looking for alternatives? Or aren’t we…?

The problems with the model clauses start with the bureaucracy that surrounds them. Despite the fact that the use of the clauses to legitimise data transfers has the seal of approval of the European Commission, more than half of the EU Member States still require organisations to submit their data transfer agreements for review and authorisation by the relevant data protection authorities. The whole ex ante regulatory scrutiny of international data transfers is in itself a highly questionable aspect of European data protection, but the fact that so many countries apply that level of scrutiny to an officially sanctioned mechanism is simply absurd. In the meantime, both data exporters and regulators spend valuable time and resources going through the motions of rather pointless administrative requirements.

Then, the fact that approvals are restricted to a single contractual document covering a defined set of transfers makes the concept completely unworkable for multiple and evolving transfers. In the real world, information simply flows across borders and data processing services are provided globally at the speed of light. Today’s data transfers are different from yesterday’s and from tomorrow’s. A static contractual agreement is likely to become out of date between the time it is signed and the time it is filed with the authorities – not least because the parties involved in any global data flows are normally as fluid as the transfers themselves. As Professor Schwartz of the University of California, Berkeley School of Law put it in his thorough study of cross-border information flows for The Privacy Projects, data transmissions occur as part of a networked series of processes made to deliver a business result. Pinning down the parties involved in those processes and the intended business results, and reflecting all that in a single document is just like eating soup with a fork.

An added difficulty of the model clauses is the fact that their onerous obligations are set in stone. A non-negotiable agreement is an oxymoron – non-negotiable means take it or leave it, and that is the essence of the model clauses. The fact that so many data transfer contracts incorporating the model clauses are signed does not mean that the parties have reached an agreement. It normally means that one party is imposing them onto the other. The problem with that is that not only are the clauses being entered into without due regard for their content, but they turn global data protection into an empty box-ticking exercise.

The international data transfers regime is one of the centrepieces of the ongoing reform of the EU data protection framework. And rightly so. But even before a revised framework is devised, decisive action is needed to transform the inadequate game of signing up to model clauses into an effective way of securing information and guaranteeing privacy rights irrespective of geographical boundaries. A constraining set of unrealistic obligations cannot deliver that, but other approaches will. Contractual protections can be extremely effective when they are realistically agreed and allow for flexibility in their practical application. The key is to ensure that whatever the approach – a contract or a set of policies – it reflects what is viable in the real world.

In fact, the saddest thing of all would be to turn real world solutions – like BCR and Binding Safe Processor Rules – into model clauses-like exercises where applicants are simply signing up to an artificially imposed standard. Data protection should be as fluid as dataflows themselves. The truth is that many organisations are looking for ways of moving away from model clauses. Not because they don’t think that information should be protected, but because they prefer to devote efforts and resources to achieve genuine protection.

This article was first published in Data Protection Law & Policy in June 2011

Misdirected e-mails and miscreant employees beware: ICO flexes its enforcement muscle!

Posted on June 13th, 2011 by



Last week was a busy week in the world of UK data protection enforcement, with reports of not one, but two significant data protection enforcement acts by the Information Commissioner’s Office (“ICO”).

£120,000 Monetary Penalty Notice for Surrey County Council

First, there was the news that the ICO had imposed a fine of £120,000 on Surrey County Council for a serious breach of the Data Protection Act 1998 (“DPA”). The fine related to misdirected e-mails sent by Council staff on three separate occasions, with each e-mail resulting in confidential and sensitive personal information falling into the hands of unintended recipients. The most serious of the three incidents saw sensitive personal information about 241 individuals’ physical and mental health being inadvertently sent to various transportation companies, including taxi firms and coach and mini bus hire services. The other incidents concerned sensitive personal information being inadvertently circulated to newsletter registrants and to an incorrect group mailing list.

Following the fine, Information Commissioner Christopher Graham said: “Any organisation handling sensitive information must have appropriate levels of security in place. Surrey County Council has paid the price for their failings and this case should act as a warning to others that lax data protection practices will not be tolerated.”

s.55 prosecution against former T-Mobile employees

In a separate development, two former employees of T-Mobile were prosecuted and fined a total of £73,700 for having stolen and sold customer data from the company in 2008. The former employees, David Turley and Darren Hames, pleaded guilty to the section 55 DPA offence of unlawful obtaining of personal data. The prosecution was the culmination of a joint investigation by the ICO and T-Mobile into how customers’ names, addresses, telephone numbers and customer contract and end dates were being unlawfully supplied to third parties.

What this means

These reports highlight that the ICO’s data protection enforcement capabilities, having been criticised for so long by privacy commentators, are really beginning to ramp up.  Since the introduction of its fining powers in April 2010, the ICO has now issued no fewer than 6 fines (one every two months or so) with an aggregate total of £431,000, including two against private businesses.  The ICO has also demonstrated that it is not a ‘one trick pony’, showing that it will resort to criminal prosecutions (as in the case of the former T-Mobile employees) and other means of enforcement where these are warranted.

More tellingly, we are also starting to learn what makes the ICO tick. The subjects of the fines issued so far have included:

  • misdirected communications of sensitive personal information (on e-mail and by fax);
  • unencrypted laptop theft;
  • failure to exercise proper due diligence over data processors; and
  • unlawful publication of individuals’ sensitive personal information online.

The message for data controllers is clear – lead by example, don’t risk becoming the example!

Cookies – In search of an intrusiveness grading

Posted on June 10th, 2011 by



The UK Information Commissioner’s Office is working hard trying to find the right balance between being realistic in its interpretation of the new cookie consent requirement whilst ensuring a decent degree of compliance across UK websites.  

The ICO’s position seems to be that whilst they do not intend to get aggressive for the lack of compliance with the consent requirement, they will be getting in touch with organisations in the event of a complaint about cookies, and they will expect websites (at least large websites) to have carried out an assessment of what cookies they have and started to work towards their cookie consent strategy.

Linked to this approach is the idea of having an “intrusiveness grading” of cookies.  This means that the form of consent required will be different depending on the level of intrusiveness.  For example, for a first party session cookie (which is not strictly necessary), it would not be unreasonable to assume consent by simply using the website.  At the other end of the scale, the regulator would expect a much more carefully thought out consent process.

So here is the homework for UK website operators:

1.  Make sure you know what cookies are being served from your website, who is serving them and how they are used. To find this out, you can rely on the technology provided by Sitemorse, a leading supplier of web content governance solutions.

2.  Grade the level of intrusiveness by considering factors such as 1st party v 3rd party, session v persistent, life and density.  This is a key assessment that will determine the right approach to ensure compliance.

3.  Figure out what level of notice and consent is appropriate for your cookies.

Simple!  And by the way, the value of this exercise is not limited to the UK, as most other EU countries are likely to follow a similar approach.
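An added example (not from the original post or from the ICO) of steps 1 and 2: it inventories cookies from captured Set-Cookie response headers and grades each by party, persistence and lifetime. The hosts, header values and the scoring scale are constructed assumptions; the post names the factors but defines no scale, and "density" is not modelled.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SITE = "shop.example"                              # constructed site under audit
NOW = datetime(2011, 6, 10, tzinfo=timezone.utc)   # fixed audit time, so results repeat
YEAR = 365 * 24 * 3600
# Constructed sample: (host that sent the response, Set-Cookie header value)
SAMPLE = [
    ("shop.example", "basket=abc123; Path=/; HttpOnly"),
    ("shop.example", "prefs=lang-en; Max-Age=2592000; Path=/"),
    ("cdn.shop.example", "ab=1; Expires=Fri, 10 Jun 2011 12:00:00 GMT"),
    ("ads.tracker.example", "uid=9f8e7d; Max-Age=63072000; Domain=tracker.example"),
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lower-cased attribute: value})."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in filter(None, rest):
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return first.partition("=")[0], attrs

def lifetime_seconds(attrs, now=NOW):
    """0 for a session cookie; Max-Age takes precedence over Expires."""
    if "max-age" in attrs:
        return max(int(attrs["max-age"]), 0)
    if "expires" in attrs:
        delta = parsedate_to_datetime(attrs["expires"]) - now
        return max(int(delta.total_seconds()), 0)
    return 0

def grade(site, host, header, now=NOW):
    """Assumed scale: third party +2, persistent +1, life over a year +1."""
    name, attrs = parse_set_cookie(header)
    life = lifetime_seconds(attrs, now)
    # Simplification: same host or a subdomain counts as first party (no public suffix list).
    third_party = not (host == site or host.endswith("." + site))
    score = 2 * third_party + (life > 0) + (life > YEAR)
    level = "low" if score == 0 else "medium" if score <= 2 else "high"
    return {"name": name, "third_party": third_party, "life_s": life, "level": level}

def audit(site, observed, now=NOW):
    """Grade every observed cookie; the result feeds the notice/consent decision in step 3."""
    return [grade(site, host, header, now) for host, header in observed]

if __name__ == "__main__":
    for row in audit(SITE, SAMPLE):
        print(row)
```
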

Poland and Switzerland give thumbs up to BCR

Posted on June 8th, 2011 by



In order to promote and enhance awareness of the use of BCR in Poland, the Polish DPA is organising a seminar in Warsaw on 14 June for representatives of the Polish subsidiaries of those multinational corporations that are involved or interested in BCR applications and who will need to seek authorisation from the Polish DPA. The intention is that this seminar will go some way to filling any gaps in knowledge or awareness of the requirements of the Polish DPA for authorisation of such transfers.

The invitation to attend the seminar is extended to those organisations which have already completed the process and may not yet have sought national authorisation from the Polish DPA. If you are interested, please contact the GIODO directly or let us know.

In a separate development, the Swiss DPA has confirmed that the BCR of an EU-based company ensures an adequate level of protection from a Swiss law perspective. In this particular case, the terms of the BCR, based on the requirements of the Article 29 Working Party, were deemed to be acceptable. Furthermore, there are no additional formalities to observe before transfers may be effected out of Switzerland on the basis of the BCR.