Archive for the ‘Model clauses’ Category

Article 29 Working Party issues draft model clauses for processor-to-subprocessor data transfers

Posted on April 9th, 2014 by



On 21st March 2014, the Article 29 Working Party (“WP 29”) issued a working document (WP 214) proposing new contractual clauses for cross-border transfers between an EU-based processor and a non-EU-based sub-processor (“draft model clauses”). This document addresses the situation where personal data are initially transferred by a controller to a processor within the European Union (“EU”) and are subsequently transferred by the processor to a sub-processor located outside the EU.

Back in 2010, the EU Commission adopted a revised version of its model clauses for transfers between a controller in the EU and a processor outside the EU, partly to integrate new provisions on sub-processing. However, it deliberately chose not to apply these new model clauses to situations whereby a processor established in the EU and performing the processing of personal data on behalf of a controller established in the EU subcontracts his processing operations to a sub-processor established in a third country (see recital 23 of the EU Commission’s Decision 2010/87/EU).

Absent Binding Corporate Rules, many EU data processors were left with few options for transferring the data outside the EU. This issue is particularly relevant in the context of a growing digital economy where more and more companies are transferring their data to cloud computing service providers who are often based outside the EU. Negotiating ad hoc model clauses on a case-by-case basis with the DPAs seemed to be the only solution available. This is precisely what the Spanish DPA undertook in 2012 when it adopted a specific set of standard contractual clauses for processor-to-sub-processor transfers and put in place a new procedure allowing data processors based in Spain to obtain authorizations for transferring data processed on behalf of their customers (the data controllers) to sub-processors based outside the EU.

This has inspired the WP 29 to use the Spanish model as a basis for preparing draft ad hoc model clauses for transfers from an EU data processor to a non-EU sub-processor that could be used by any processor established in the EU. However, these draft model clauses have yet to be formally adopted by the European Commission before they can be used by companies and it may take a while before the EU Commission adopts a new official set of model clauses for data processors. Meanwhile, companies cannot rely on the draft model clauses to obtain approval from their DPAs to transfer data outside the EU. While the WP 29’s document certainly paves the way in the right direction, it remains to be seen how these draft model clauses will be received by the business sector and whether they can work in practice.

Below is a list of the key provisions under the draft model clauses for data processors:

  • Structure: the overall structure and content of these draft clauses are similar to those that already exist under the controller-to-processor model clauses, but have been adapted to the context of transfers between a processor and sub-processor.
  • Framework Contract: the EU data processor must sign a Framework Contract with its controller, which contains a detailed list of obligations (16 in total) specified in the draft model clauses – including restrictions on onward sub-processing.  The practical effect of this could be to see the service terms between controllers and their EU processors expand to include a substantially greater number of data protection commitments, all with a view to facilitating future extra-EU transfers by the processor to international sub-processors under these model clauses.
  • Sub-processing: the EU processor must obtain its controller’s prior written approval in order to subcontract data processing activities to non-EU processors. It is up to the controller to decide, under the Framework Contract, whether it grants a general consent up front for all sub-processing activities, or whether a specific case-by-case approval is required each time the EU processor intends to subcontract its activities. The same applies to the sub-processing by the importing non-EU sub-processors. Any non-EU sub-processor must be contractually bound by the same obligations (including the technical and organisational security measures) as those that are imposed on the EU processor under the Framework Agreement.
  • List of sub-processing agreements: the EU processor must keep an updated list of all sub-processing agreements concluded and notified to it by its non-EU sub-processor at least once per year and must make this list available to the controller.
  • Third party beneficiary clause: depending on the situation, the data subject has three options to enforce model clause breaches against data processing parties to it – including initially against the exporting EU data processor (where the controller has factually disappeared or has ceased to exist in law), the importing non-EU data processor (where both the controller and the EU data processor have factually disappeared or have ceased to exist in law), or any subsequent sub-processor (where the controller, the exporting EU data processor and the importing non-EU data processor have all factually disappeared or have ceased to exist in law).
  • Audits: the exporting EU data processor must agree, at the request of its controller, to submit its data processing facilities for audit of the processing activities covered by the Framework Contract, which shall be carried out by the controller himself, or alternatively, an independent inspection body selected by the controller. The DPA competent for the controller has the right to conduct an audit of the exporting EU data processor, the importing non-EU data processor, and any subsequent sub-processor under the same conditions as those that would apply to an audit of the controller. The recognition of third party independent audits is especially important for cloud industry businesses who – for security and operational reasons – will often be reluctant to have clients conduct on-site audits but will typically be more comfortable holding themselves to independent third party audits.
  • Disclosure of the Framework Contract: the controller must make available to the data subjects and the competent DPA upon request a copy of the Framework Contract and any sub-processing agreement with the exception of commercially sensitive information which may be removed. In practice, it is questionable how many non-EU suppliers will be willing to sign sub-processing agreements with EU data processors on the understanding that provisions within those agreements could end up being disclosed to regulators and other third parties.
  • Termination of the Framework Contract: where the exporting EU processor, the importing non-EU data processor or any subsequent sub-processor fails to fulfil their model clauses obligations, the controller may suspend the transfer of data and/or terminate the Framework Contract.

Click here to access the WP 29’s working document WP 214 on draft ad hoc contractual clauses “EU data processor to non-EU sub-processor”.

Click here to view the article published in the World Data Protection Report.

The conflicting realities of data globalisation

Posted on June 17th, 2013 by



The current data globalisation phenomenon is largely due to the close integration of borderless communications with our everyday comings and goings. Global communications are so embedded in the way we go about our lives that we are hardly aware of how far our data is travelling every second that goes by. But data is always on the move and we don’t even need to leave home to be contributing to this. Ordinary technology right at our fingertips is doing the job for us leaving behind an international trail of data – some more public than others.

The Internet is global by definition. Or more accurately, by design. The original idea behind the Internet was to rely on geographically dispersed computers to transmit packets of information that would be correctly assembled at destination. That concept developed very quickly into a borderless network and today we take it for granted that the Internet is unequivocally global. This effect has been maximised by our ability to communicate whilst on the move. Mobile communications have penetrated our lives at an even greater speed and in a more significant way than the Internet itself.

This trend has led visionaries like Google’s Eric Schmidt to affirm that thanks to mobile technology, the amount of digitally connected people will more than triple – going from the current 2 billion to 7 billion people – very soon. That is more than three times the amount of data generated today. Similarly, the global leader in professional networking, LinkedIn, which has just celebrated its 10th anniversary, is banking on mobile communications as one of the pillars for achieving its mission of connecting the world’s professionals.

As a result, everyone is global – every business, every consumer and every citizen. One of the realities of this situation has been exposed by the recent PRISM revelations, which highlight very clearly the global availability of digital communications data. Perversely, the news about the NSA programme is set to have a direct impact on the current and forthcoming legislative restrictions on international data flows, which is precisely one of the factors disrupting the globalisation of data. In fact, PRISM is already being referred to as a key justification for a tight EU data protection framework and strong jurisdictional limitations on data exports, no matter how non-sensical those limitations may otherwise be.

The public policy and regulatory consequences of the PRISM affair for international data flows are pretty predictable. Future ‘adequacy findings’ by the European Commission as well as Safe Harbor will be negatively affected. We can assume that if the European Commission decides to have a go at seeking a re-negotiation of Safe Harbor, this will be cited as a justification. Things will not end there. Both contractual safeguards and binding corporate rules will be expected to address possible conflicts of law involving data requests for law enforcement or national security reasons in a way that no blanket disclosures are allowed. And of course, the derogations from the prohibition on international data transfers will be narrowly interpreted, particularly when they refer to transfers that are necessary on grounds of public interest.

The conflicting realities of data globalisation could not be more striking. On the one hand, everyday practice shows that data is geographically neutral and simply flows across global networks to make itself available to those with access to it. On the other, it is going to take a fair amount of convincing to show that any restrictions on international data flows should be both measured and realistic. To address these conflicting realities we must therefore acknowledge the global nature of the web and Internet communications, the borderless fluidity of the mobile ecosystem and our human ability to embrace the most ambitious innovations and make them ordinary. So since we cannot stop the technological evolution of our time and the increasing value of data, perhaps it is time to accept that regulating data flows should not be about putting up barriers but about applying globally recognised safeguards.

This article was first published in Data Protection Law & Policy in June 2013.

How PRISM will affect the EU Data Protection Regulation

Posted on June 10th, 2013 by



Politics aside, we can take it for granted that the recent revelations about the PRISM programme are likely to have a direct effect on the EU data protection legislative reform. Details of the programme are still pouring in but according to the reports already in the public domain, under PRISM the US intelligence services have direct access to the content and traffic data available in the servers of all of the leading Internet communications companies. Whether those reports are entirely accurate will now hardly matter from an EU public policy perspective. You can count on the PRISM story being used as a strong argument in favour of a tough stand on the future EU privacy framework.

Apart from the obvious ‘I told you so’ justifications for a strict and wide reaching data protection regime in Europe that will populate much of the political rhetoric from now on, there are specific provisions in the draft Data Protection Regulation that may end up being the perfect recipe for a conflict of international laws. In particular, the PRISM revelations will increase the reluctance of the EU Parliament to allow disclosures of personal data in response to a legal obligation or public interest duties which do not specifically emanate from EU law. Therefore, any hopes of widening the current references in the draft Regulation to “European Union law or the law of the EU Member State to which a controller is subject” as a basis for either justifying data processing operations which are necessary for compliance with a legal obligation or the performance of a task carried out in the public interest are now substantially smaller. What this means in practice is that global organisations operating in the European Union may be left facing a conflict between complying with legally binding non-EU duties or avoiding a breach of EU data protection law.

The other aspect of EU data protection law directly affected by the PRISM story is the restriction on international data transfers. This is indisputably one of the greatest compliance challenges for EU organisations and one that many of us were hoping would be more pragmatically addressed in the new law. What are the chances of that now?? My guess is that this sort of story is the perfect ammunition for those who seek to maintain the pureness of ‘adequacy findings’ and therefore, it will make it more difficult for any country – not least the USA – that wishes to be regarded as providing an adequate level of data protection. In addition to that, all of the other mechanisms and exemptions to overcome the restrictions on international data transfers – Safe Harbor, contractual arrangements, BCR, transfers made on the grounds of public interest – will be much more closely scrutinised, so global data flows will remain a focus of regulatory attention.

At times like this, it becomes more essential than ever to keep a clear head and get the facts right, because achieving a realistic and balanced legislative outcome with the appropriate safeguards and a degree of pragmatism is as important as respecting our privacy.

Do BCR now, not later.

Posted on February 23rd, 2013 by



BCR are a big feature of the Commission’s proposed General Data Protection Regulation.  Previously a regulatory invention (the Article 29 Working Party first established a structure for BCR back in its 2003 paper WP74), the Commission has sought to put BCR on a solid legal footing by expressly recognising them as a solution for data exports under Articles 39 and 40 of the proposed Regulation.  The intent being that, by doing so, all EU Member States will uniformly have to recognise and permit global data transfers using BCR, solving the issue presented today where the national legal or regulatory regimes of one or two Member States inhibit their adoption. 

As if further proof were needed of the Commission’s support for BCR, Commissioner Viviane Reding has even gone so far as to say: “Indeed, I encourage companies of all size to start working on their own binding corporate rules! Binding corporate rules are an open instrument: They are open to international interoperability. They are open to your innovations. They are open to improve data protection on a global scale, to foster citizens’ trust in the digital economy and unleash the full potential of our Single Market. And more: they are open to go beyond the geographical borders of Europe.”

High praise indeed, and certainly Ms. Reding’s description of BCR matches with our own experience helping clients design and implement them. Clients who implement BCR substantially simplify their global data movements and embed a culture of respect for privacy that enhances compliance and drives down risk.

What the Regulation will really mean for BCR adoption

But here’s the thing: far from supporting BCR adoption, the Regulation will make authorisation of BCR harder to achieve, and this flies in the face of the Commission’s very express support for BCR.  

Historically, the main barrier to BCR adoption has been the bureaucracy, effort and cost entailed in doing so – early BCR adopters tell war stories about their BCR approval process taking years and having to address conflicting requirements of multiple data protection authorities all over Europe. This burdensome process arose out of a requirement that the BCR applicant needed to have its BCR individually authorised by every data protection authority from whose territory it exported data.

Thankfully, this is an area where huge strides forward have been achieved in recent years, through the implementation of the so-called “mutual recognition” procedure that allows BCR applicants to submit their BCR to a single lead authority;  once the lead authority approves the applicant’s BCR, it then becomes binding across all mutual recognition territories (currently 21 of the 27 EU Member States).  No more trekking around Europe visiting data protection authorities individually then.

Mutual recognition has really lifted BCR out of the dark ages into an age of BCR enlightenment, and has been vital to the upswing in BCR applications all over Europe.  Now, though, the proposed Regulation – despite its intended support for BCR – threatens to actually inhibit their adoption, pushing controllers back to using “check box” solutions like model clauses that provide little in the way of real protection.

Why? Because under the draft Regulation, any authority wishing to approve BCR must first refer the matter to the European Data Protection Board under the Regulation’s proposed “consistency mechanism” (designed to ensure consistency of decision making by authorities across Europe). The European Data Protection Board can be thought of as the “Article 29 Working Party Plus”, and comprises the head of each data protection authority across Europe and the Data Protection Supervisor. In effect, the consistency mechanism necessitates that an applicant’s BCR must once again be tabled before every data protection authority before authorisation can be granted – a step backwards, not forwards. As the ICO noted in its initial analysis of the Regulation: “It is not entirely clear what would happen if, for example, the UK supervisory authority were to approve a set of binding corporate rules but, once informed of the approval, the EDPB takes issue with it.”

To make things worse, it’s not clear how the consistency mechanism will sit with the mutual recognition procedure we have today.  Maybe it will supersede the mutual recognition procedure.  Maybe it will apply in addition.  Or maybe some kind of hybrid process will evolve.  We just don’t know and uncertainty is never a good thing. 

The time for BCR is now

What this means is that while BCR will remain the only realistic solution for multinationals exporting data on a global basis, the process for achieving them once the Regulation comes into effect will become much tougher. Add to this the fact that, as a whole, the Regulation will impose stricter data protection standards than exist under the Directive, and BCR applications will attract an even greater level of scrutiny once the Regulation comes into effect than they do today.

So given that there is strong regulatory support for BCR, but that the Regulation will create barriers to adoption, what strategy should multinational controllers adopt?

The answer is simple: do BCR now, not later. 

The process for achieving BCR today is more streamlined than it’s ever been and BCR authorised now will remain in effect once the new Regulation becomes law. When you look at it like that, why not do BCR now?

New model clauses for data processors on their way?

Posted on April 25th, 2012 by



We all know that the times when data processors could  try to shield themselves from data protection compliance by arguing that the law did not apply to them are long gone.

In recent years the role of data processors has become so sophisticated as to test the boundaries of the definition of data controllers to the limit. In addition, the new draft  General Data Protection Regulation of the European Commission (“draft Regulation”) establishes obligations directly applicable to data processors. Therefore data processors will soon be directly liable and subject to monetary penalties. 

However, is this really bad news?  Leaving aside the additional red tape that some of the obligations may generate, it seems that data processors have finally been given a voice. So, for those data processors wanting to get it right and already working on organisational data protection compliance programs, this is actually good news.

At last,  data processors will get deserved recognition for the measures they have adopted to ensure compliance with fundamental data protection obligations, such as those related to the international transfers of personal data outside the EEA.  As Binding Corporate Rules (“BCRs”) continue to establish themselves as the preferred way to legitimise international transfers of personal data  within multinational data controllers, Binding Safe Processor Rules (“BSPRs”)  are the obvious next step  for global data processors. The draft Regulation recognises  this – expressly instructing data processors to take the necessary steps to legitimise international transfers of data by putting in place BSPRs or appropriate contractual arrangements.

However, some European data processors will not have to wait until the approval and implementation of the Regulation in order to take the  bull by the horns. The Spanish data protection authority (“Spanish DPA”) has recently announced that it has drafted a  new set of proposed model clauses  (based on the 2010 controller to processor clauses) that will allow data processors in Spain to engage sub-processors outside the EEA.

Of particular interest is the proposal that data processors can enter these new model clauses directly with sub-processors outside the EEA (i.e. not simply on behalf of the data controller) and seek their own data transfer authorisation from the Spanish DPA.   

By drafting these model clauses the Spanish DPA has responded to the demands of the outsourcing industry to provide a more flexible instrument that covers processor-to-processor exports and, by doing so, eliminate  some of the regulatory barriers that place EU processors at a competitive disadvantage with their non-EEA competitors.

For those familiar with the existing data transfer authorisation process in Spain, there is no doubt that the new processor authorisation process will be similarly burdensome. However, an express recognition that data processors should be entitled to request data transfer authorisation and directly manage their own sub-processors is, in itself, a breath of fresh air.

Moving away from model clauses

Posted on June 27th, 2011 by



Anyone caught up in the murky world of international data transfers tends to regard the standard contractual clauses approved by the European Commission as the most popular solution to legitimise those transfers. For starters, they are freely available and have the blessing of the Commission and the regulators. Surely, those two factors alone must provide considerable comfort to finance directors and general counsels who will think that one cannot go too wrong with them. Also, from a resources perspective, drafting and entering into a set of model clauses should not be very time-consuming as it is just a matter of signing on the dotted line. So, are we wasting our time looking for alternatives? Or aren’t we…?

The problems with the model clauses start with the bureaucracy that surrounds them. Despite the fact that the use of the clauses to legitimise data transfers has the seal of approval of the European Commission, more than half of the EU Member States still require organisations to submit their data transfer agreements for review and authorisation by the relevant data protection authorities. The whole ex ante regulatory scrutiny of international data transfers is in itself a highly questionable aspect of European data protection, but the fact that so many countries apply that level of scrutiny to an officially sanctioned mechanism is simply absurd. In the meantime, both data exporters and regulators spend valuable time and resources going through the motions of rather pointless administrative requirements.

Then, the fact that approvals are restricted to a single contractual document covering a defined set of transfers makes the concept completely unworkable for multiple and evolving transfers. In the real world, information simply flows across borders and data processing services are provided globally at the speed of light. Today’s data transfers are different from yesterday’s and from tomorrow’s. A static contractual agreement is likely to become out of date between the time it is signed and the time it is filed with the authorities – not least because the parties involved in any global data flows are normally as fluid as the transfers themselves. As Professor Schwartz of the University of California, Berkeley School of Law put it in his thorough study of cross-border information flows for The Privacy Projects, data transmissions occur as part of a networked series of processes made to deliver a business result. Pinning down the parties involved in those processes and the intended business results, and reflecting all that in a single document is just like eating soup with a fork.

An added difficulty of the model clauses is the fact that their onerous obligations are set in stone. A non-negotiable agreement is an oxymoron – non-negotiable means take it or leave it, and that is the essence of the model clauses. The fact that so many data transfer contracts incorporating the model clauses are signed does not mean that the parties have reached an agreement. It normally means that one party is imposing them onto the other. The problem with that is that not only are the clauses being entered into without due regard for their content, but they turn global data protection into an empty box-ticking exercise.

The international data transfers regime is one of the centrepieces of the ongoing reform of the EU data protection framework. And rightly so. But even before a revised framework is devised, decisive action is needed to transform the inadequate game of signing up to model clauses into an effective way of securing information and guaranteeing privacy rights irrespective of geographical boundaries. A constraining set of unrealistic obligations cannot deliver that, but other approaches will. Contractual protections can be extremely effective when they are realistically agreed and allow for flexibility in their practical application. The key is to ensure that whatever the approach – a contract or a set of policies – it reflects what is viable in the real world.

In fact, the saddest thing of all would be to turn real world solutions – like BCR and Binding Safe Processor Rules – into model clauses-like exercises where applicants are simply signing up to an artificially imposed standard. Data protection should be as fluid as dataflows themselves. The truth is that many organisations are looking for ways of moving away from model clauses. Not because they don’t think that information should be protected, but because they prefer to devote efforts and resources to achieve genuine protection.

This article was first published in Data Protection Law & Policy in June 2011