On 27 December 2004, the EU Commission approved model terms for data transfer developed by a number of business organisations. The approval is effective as from 1 April 2005, although it seems likely that many supervisory authorities will allow use of the terms before then.
Under the EU Data Protection Directive, it is unlawful to transfer personal data to most countries outside the EU. There are a limited number of exemptions from this, one of which is to use standard contract terms approved by the European Commission. The Commission approved two sets of standard contractual clauses in 2001. However, these clauses are onerous and have not been widely used to date.
The alternative model contract follows a similar structure to the standard contractual clauses. It sets out:
obligations on the data exporter
obligations on the data importer
provisions dealing with liability and third party rights
provisions dealing with applicable law
dispute resolution provisions
no variation provisions
an annex setting out details of the transfer
Although the structure of the two sets of clauses is similar, there are important differences.
The most significant difference between the standard contractual clauses and the alternative model contract is the method by which individuals can pursue remedies against the importer and exporter. In the standard contractual clauses for controller-controller transfers, the exporter is jointly and severally liable with the importer for the importer’s use of exported personal data. Although there is an indemnity from the importer to the exporter, this liability has made companies reluctant to use the clauses in arm’s length contracts.
The standard contractual clauses also allow individuals whose rights have been breached to take action directly against the data importer. This has made US importers, in particular, reluctant to use the clauses.
The alternative model contract is better on both of these points. Under the alternative model contract, the data subject must first take action against the data exporter. The data subject is only able to enforce rights against the data importer if the data exporter does not take action within a reasonable period (which the alternative model contract suggests, in normal circumstances, would be one month).
A data exporter is not jointly and severally liable with the data importer for the importer’s acts. However, the data exporter is incentivised to carry out appropriate due diligence on the parties to whom it transfers personal data. Under Clause III(b), a data subject can proceed against a data exporter if the data exporter has failed to use reasonable efforts to determine that the importer is able to satisfy its obligations under the alternative model contract, and the onus is on the exporter to show that it did take reasonable efforts.
The alternative model contract is more pragmatic and business friendly than the standard contractual clauses in a number of other areas.
Like the standard contractual clauses, the alternative model contract has a set of data protection principles set out in an annex. However, these are less rigid than the principles set out in the annex to the standard contractual clauses. They recognise more of the exceptions with which we are familiar under the Data Protection Act 1998. For example, the principle dealing with rights of access, rectification, deletion and objection notes that there is no need to comply with subject access requests which are manifestly abusive (based on unreasonable intervals, their number, or their repetitive or systematic nature) or where there is an exemption under the local law of the data exporter. In addition, importers are exempt from the need to comply with access requirements if this would seriously harm the interests of the data importer. In this case, the exporter’s supervisory data protection authority must give approval. The principles also provide for an exemption from subject access where necessary to protect third party information.
The alternative model contract gives contractual recognition to the due diligence that a data exporter should undertake on a data importer. Clause I(b) obliges the data exporter to warrant that it has used reasonable efforts to determine that the importer is able to satisfy its legal obligations under the clauses. Conversely, at Clause II(f) the data importer must, on request, provide the exporter with evidence of financial resources to meet its responsibilities (which may include insurance). However, the data importer is protected against unreasonable requests by the exporter to carry out audits. Reasonable notice must be given of an audit, which must be carried out during regular business hours.
Unlike the standard contractual clauses, there is no obligation on the importer to comply with “advice” issued by supervisory authorities. Instead, the obligation (at Clause V(c)) is to abide by decisions of competent courts in the exporter’s country or other supervisory authority, in each case where the decision is final and where no further appeal is possible.
The alternative model contract attempts to avoid some of the duplications in the standard contractual clauses, whereby both the importer and the exporter are obliged to respond to requests from individuals and supervisory authorities. In the alternative model contract, the parties can agree that the importer should, in the first place, handle these enquiries.
Finally, the alternative model contract also plugs the termination gap in the standard contractual clauses. There is provision for the alternative model contract to be terminated if:
(because of the importer’s breach) the transfer of data has been suspended for more than one month
the data importer is not able to comply with the alternative model contract because of local laws
the data importer is in substantial or persistent breach of the alternative model contract
there is a final decision by the courts or the data protection authority in the exporter’s country to the effect that the importer has breached the clauses
an insolvency event occurs relating to the data importer
In addition, the clauses provide for the right to terminate if a Commission adequacy decision supersedes the clauses, i.e. if the country in which the importer is based is cleared by the Commission as offering adequate protection for personal data.
The Data Protection Directive held out the possibility of standard contracts as a pragmatic way in which the prohibition on data export could be resolved. The standard contractual clauses approved to date by the European Commission have failed to live up to this expectation. The requirement for joint and several liability means they are unsuitable for use in most arm’s length commercial transactions. Similarly, the need (in some countries) for there to be direct contracts between all contracting parties and to replace the contracts as group structure and data flows change has meant they are too unwieldy to be taken up by many large corporate groups.
The alternative model contract submitted by the business organisations is a real step forward. It proposes a more equitable split of responsibility between data exporter and data importer. It also includes practical steps to improve the position of data subjects – principally by incentivising data exporters to carry out appropriate due diligence before data is ever transferred.
There are areas where the alternative model contract doesn’t help. The alternative model contract is designed for use between two data controllers; it cannot be used where a data controller appoints a data processor outside the EU (for example when it outsources the processing of HR data to a data processor). Further, for organisations transferring personal data between group companies, there will still be many of the same practical problems that apply to use of the 2001 standard contractual clauses (although the contract does allow the parties to amend details of the data being transferred). For large multi-nationals, binding corporate rules are still the solution most likely to be suitable.