Data Protection: European Commission Approves Model Clauses for the Transfer of Data
The European Data Protection Directive grants right to individuals about whom data are processed (data subjects) and imposes obligations on organisations which use such data. In the UK, the Directive has been implemented by the Data Protection Act 1998, which comes fully into force on 24th October 2001. Although the Directive has not yet been fully transposed into the laws of all other EEA States (that is, the European Union, Norway, Iceland and Liechtenstein) the Directive already has effect under the terms of the European Treaty.
The Directive requires Member States to implement data protection legislation which:
- Grants individuals rights (including a right to access information about them);
- Establishes a registration scheme for organisations processing personal data; and
- Sets out data quality obligations relating to and restrictions on the use of personal data.
One of these restrictions relates to the transfer of personal data to "third countries" - that is to countries outside the EEA. Organisations may not transfer personal data to third countries unless those countries offer "adequate" protection for personal data - including a legislative regime that is similar to Europe's. Breach of this requirement may lead to the prohibition of further transfers by an organisation in default.
The Model Clauses
On 18th June 2001 the European Commission approved Standard Contractual Clauses for the Transfer of Personal Data to Third Countries (the model clauses). Data exporters and data importers who contract on the basis of the model clauses and comply with their terms will have provided "adequate" protection for personal data, in accordance with the Data Protection Directive. The model clauses are effective as from 3rd September 2001 and are available at www.europa.eu.int/comm/internal_market and from Bird & Bird.
The model clauses:
- Set out obligations on the data exporter:
- To confirm that it has complied with national data protection legislation until transfer; and
- To assist with compliance queries;
- Set out obligations on the data importer:
- To comply with European-style data quality obligations and restrictions;
- To confirm that it is not subject to any local laws which would prevent it from meeting this obligation;
- To assist with compliance queries; and
- To submit to audits by the data exporter;
- Allow individuals themselves to enforce certain provisions of the model clauses;
- Provide for the contract to be governed by the law of the Member State in which the data exporter is established; and
- Contain an appendix that must be completed with details of the transfer.
There are some disadvantages with the model clauses:
- The data exporter may have to compensate data subjects for breaches by the data importer;
- If sensitive personal data (information relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual life) are transferred, the data exporter must inform the data subjects concerned before transfer;
- There is no easy way for the data subjects to enforce their rights; and
- Although they are binding on Member States, they only address the minimum privacy standards set out in the Data Protection Directive. Member States are free to impose additional restrictions on transfers of data overseas, to require organisations to deposit their contracts with supervisory authorities and to increase the detailed descriptions required by the appendix.
The Data Protection Directive allows data to be transferred in a number of other ways, in addition to the model clauses:
- To countries which the Commission considers offer adequate data protection (to date, the Commission has only approved Switzerland and Hungary);
- By model contracts approved by individual Member States;
- By other contracts approved by the Commission (the Commission is considering contracts submitted by the CBI and ICC);
- Where the data are being processed by a third party on the instructions and under the continuing control of a European organisation;
- To the US only, where a US established company has registered under the safe harbor scheme (a guidance note on this is available);
- Where data subjects have given consent, or where this is in their vital interests;
- Where the transfer is necessary to fulfil a contract with, or in the interests of, the data subject;
- Where the transfer is legally required; or
- Where the data are from a public register and where the importer complies with any conditions of use applicable to the register.