Many outsourcing projects run into difficulties because data protection is not addressed early enough or fully enough. Projects with an international dimension such as offshorings suffer in this area particularly. This article looks at the key legal and practical issues in data protection necessary to ensure an outsourcing project is planned to succeed.
Background to Data Protection Issues in Outsourcing Projects
A client organisation outsourcing functions to a supplier will often transfer information about living individuals (whether the client’s customers or employees) to the supplier to allow the outsourced services to be provided. Outsourcing, in data protection terms, will usually involve the appointment by a data controller (the client) of a data processor (the supplier) and the transfer of personal data (the information) about data subjects (the individuals affected).
The relevant United Kingdom legislation governing the transfer and processing of personal data is the Data Protection Act 1998 (the DPA), which is derived from the Data Protection Directive (EC/95/46).
Data Protection Principles
Under the DPA, the processing of personal data must be in accordance with the data protection principles listed in Schedule 1 (the Principles). These state that a data controller (the client) must process personal data:
- fairly and lawfully and in accordance with statutory pre-conditions;
- only for purposes specified to the individual and the Information Commissioner;
- that are adequate, relevant and not excessive;
- that are accurate and, where necessary, up-to-date;
- for no longer than is necessary;
- in accordance with individuals’ rights;
- securely; and
- without exporting it outside the EEA, unless there is adequate protection.
The 7th and 8th Principles are particularly relevant in outsourcing projects and these are discussed below.
Breach of a Principle is not in itself a criminal offence. However, the Information Commissioner (the Commissioner), who enforces the DPA, has the power to issue an enforcement notice, which will require the data controller to comply with the relevant Principle, or cease the offending processing, within a specified period. Failure to comply with this notice is a criminal offence (section 47 of the DPA).
A data controller may also face civil proceedings: any data subject suffering damage, or damage and distress (but not distress alone), as a result of a data controller’s failure to comply with the Principles has a right to sue for damages (section 13 of the DPA).
In practice the client will face the enforcement proceedings and/or claims for compensation as it is the controller and has the relevant obligations under the DPA. It will therefore be essential that the client has chosen a suitable supplier and has in place a contract with the supplier to ensure that it does not cause the client to breach the DPA.
The 7th data protection Principle requires organisations to take:
“appropriate technical and organisational measures…against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
In effect, this provides a statutory basis for good security and information handling practices. “Security measures” is defined by the law of the E.U. Member State in which the data controller is established. The differing interpretations of the 7th Principle can cause problems in implementing multi-jurisdictional outsourcing projects. Some E.U. countries (e.g., Spain) have very specific and comprehensive security measures in force. In the United Kingdom, guidance states that one must consider the state of technological development and the cost of implementing any security measures. In effect this means that the security measures must ensure a level of security which is appropriate to both the nature of the data to be protected and the likely harm that would result from a breach of this principle.
Therefore, security measures need to be addressed fully and early on in the due diligence phase of an outsourcing project and their adequacy should be determined against the background of the applicable law, being the data controller’s law.
Contractual and Due Diligence Requirements
The 7th Principle also affects relations between a data controller and a data processor: it places an onus on the controller to ensure that any processor whom it appoints puts in place adequate data protection arrangements.
In particular, a data controller must choose a data processor which provides sufficient guarantees in respect of the security which will be in place and must take reasonable steps to ensure compliance with these measures. This may mean carrying out due diligence on the supplier and auditing (or having a contractual right to audit) the data processor’s activities.
In addition, a data controller must ensure it has a contract evidenced in writing with any data processor (this in itself will not be an onerous obligation). The contract must require the processor to act on the instructions of the controller (in effect the processor must act as an agent and leave the controller to make all the decisions on why and how the personal information is processed). Also, the contract must place on the processor similar obligations in relation to security as those set out above, from the 7th Principle.
Transferring Data Outside the EEA
The Prohibition on Transfer
The 8th Principle states that:
“personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data” (Schedule 1 Part 1 para 8).
The EEA comprises the Member States of the European Union, together with Norway, Iceland and Liechtenstein. Given that, on a typical outsourcing, personal information will be transferred outside the EEA (perhaps to a supplier in India or South Africa), the 8th Principle is potentially very problematic indeed.
The Commissioner has issued both a lengthy but provisional legal guidance on the 8th Principle, “The Eighth Data Protection Principle and Transborder Dataflows” (referred to here as the 8th Principle Legal Guidance) and a shortened guidance note, “International transfers of Personal Data: Advice on compliance with the eighth data protection Principle” (referred to here as the 8th Principle, Short Guidance).
There are a number of possible solutions (for outsourcing projects) to the 8th Principle prohibition:
- transfers to countries with adequate protection (white-listed countries);
- transfers to data processors;
- contractual necessity;
- data subject’s consent;
- contracts – approved and unapproved; and
- binding corporate rules.
Transfers to Countries with Adequate Protection (White-listed Countries)
Notwithstanding the 8th Principle, transfers of personal data to:
- Isle of Man;
- organisations in the United States that participate in the U.S. Department of Commerce’s Safe Harbor programme; and
- certain Canadian organisations in respect of which Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) legislation is in force,
may still take place. This is because the European Commission has stated that they offer appropriate protection for personal data. Although these countries have been approved by the EC, in practice there will be few outsourcings to these locations and therefore this list is unlikely to help in most cases.
Transfers to Data Processors
Where an organisation transfers personal data outside the EEA to a data processor then, in almost all situations, the Commissioner holds that the 8th Principle will not prevent such a transfer. So, for example, a U.K. financial services provider would be able to appoint a data processor in India to run a call centre for it and to transfer customer account details to this data processor.
The reason that transfers of this kind are, in normal circumstances, not prevented by the 8th Principle is that (as explained in the Commissioner’s 8th Principle, Short Guidance (para 12)) the U.K.-based data controller remains responsible for the acts of the non-U.K. processor. Accordingly, individuals can still enforce their rights against the U.K. organisation, and, in the event of any breach of the DPA, the Commissioner can take enforcement proceedings against the U.K. organisation. The U.K. data controller would then, in turn, need to take appropriate steps against its data processor, no doubt relying on its contract.
This is a very practical solution that will apply to many transfers of personal data. However, organisations that operate across the EEA should note that not all E.U. Member States accept that personal data can lawfully be transferred to data processors outside the EEA in this way. Some Member States either require the European Commission standard contractual clauses for data processors to be used as the basis for the transfer (as to which see below) or require the arrangements to be submitted for approval to the appropriate supervisory authority.
The 8th Principle does not apply where the transfer of personal data is necessary for specified contractual reasons (Schedule 4). These are that the transfer is necessary in order to conclude or fulfil a contract entered into with the individual or with a third party, at the individual’s request.
Organisations should, however, note that the exemption applies only where the transfer is “necessary”, and that this does not equate to administrative convenience. The 8th Principle, Short Guidance (para 8.3) makes clear that:
“a transfer is not “necessary” if the only reason it is needed is because of the way a data controller has chosen to structure its business”.
The example given by the Commissioner’s Office is that if a U.K. organisation chooses to locate its accounts department outside the United Kingdom, it will not be able to argue that the transfer of personal data to the accounts department for billing purposes is necessary for the conclusion of a contract with an individual. As the 8th Principle, Short Guidance says:
“it may be a necessary consequence of the decision to relocate the accounts department but the contract could be performed just as well if the accounts department were in the UK”.
In practice, therefore, this exemption is unlikely to be useful in permitting the transfer of personal information in offshoring projects.
Data Subject’s Consent
The 8th Principle does not apply where the data subject gives his consent to the transfer (Schedule 4, paragraph 1). Organisations should, however, remember that the Commissioner’s Office applies a high standard to determine whether or not consent is valid.
The 8th Principle, Short Guidance at para 8.2 gives some useful examples of approaches that are likely, and unlikely, to produce valid consent. The Commissioner’s Office suggests that the following wording is unlikely to produce valid consent:
“by signing below you accept that we can transfer any of the information we keep about you to any country when a business need arises”.
By contrast, this wording is likely to produce valid consent:
“by signing below you accept that we may pass details of your mortgage application to XYZ Limited in Singapore whom we have chosen to arrange mortgages on our behalf. You should be aware that Singapore does not have any data protection law”.
The suggestion that organisations should alert individuals to the fact that the receiving countries do not have data protection laws will put many organisations off following the Commissioner’s advice. Furthermore, the need to specify the receiving country whenever possible is also problematic.
Recently, the Article 29 Working Party (an E.U. think tank on data protection matters) has again emphasised the E.U.-wide concern over the use of consent to permit transfers outside the EEA (“Working Document on the common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995”, adopted on November 25, 2005, WP114). The Article 29 Working Party made clear its preference for providing adequate protection for the personal information once it had been sent outside the EEA, rather than relying on exemptions such as consent to permit a transfer. Therefore the Working Party commended to data controllers the use of contracts and binding corporate rules, as described below.
Contracts: Approved and Unapproved
Article 26(4) of the Data Protection Directive allows the European Commission to decide that certain standard contractual clauses offer adequate protection for the transfer of information relating to individuals. The Commission has produced two sets of standard contractual clauses: the first set is for use when data is transferred from one data controller to another and the second is intended for use when a data controller transfers personal data to a data processor located outside the EEA. When working on an outsourcing project the second set (the controller-processor clauses) will normally be used.
There are drawbacks with the standard contractual clauses. Firstly, they are non-negotiable. Secondly, if sensitive personal data (e.g., health related information) is to be transferred, the data controller is required to contact all individuals before the transfer to advise them that the transfer will take place. Thirdly, the data controller must accept joint and several liability with the processor for the way in which the processor uses the personal data. Fourthly, the clauses do not address transfers between processors (see below on this issue). Finally, organisations that have establishments in several EEA Member States should note that, whilst one of the main benefits of the standard contractual clauses is that every Member State must accept that they are effective, some Member States do have additional registration requirements for organisations that wish to transfer personal data outside the EEA, even on the basis of the standard contractual clauses. (The United Kingdom has no registration requirement). Accordingly, use of the standard clauses may not be bureaucracy-free.
The standard contractual clauses have not been widely used because of the difficulties outlined above. However, the International Chamber of Commerce, CBI and other business organisations have developed their own form of standard contractual clauses (which are referred to as the alternative model contract), which became effective on April 1, 2005. The alternative model contract is designed for use between two data controllers; however, the ICC are in the process of drafting and obtaining E.U. approval of clauses for the transfer from a controller to processor, which will therefore be available for outsourcing. There are several advantages in the present ICC clauses over the standard contractual clauses and hopefully these will be seen in the ICC controller-processor clauses. The key advantages are:
- Liability: the alternative model contract does not require the two parties to be jointly and severally liable. Instead, the exporting controller is only liable if action against the importing controller is unsuccessful.
- Flexibility: the data protection principles set out are more flexible and recognise more of the exceptions under the DPA.
- Relations with supervisory authorities: there is no obligation on the importer to comply with advice issued by supervisory authorities.
Instead of using the Commission’s standard contractual clauses it is, at least in the United Kingdom, possible to use non-standard contractual arrangements relating to the processing of personal data. The Commissioner’s Office accepts (e.g., 8th Principle, Short Guidance, para 9) that it is open to data controllers independently to draw up contracts that, as a matter of practice, put in place adequate protection for personal data. However, not all supervisory authorities take this view and some would require unapproved contracts to be submitted to them for approval. Where it is necessary to do this in a number of Member States, each supervisory authority may make different – and possibly inconsistent – comments on the contracts. This would clearly be a lengthy and difficult process for the organisation to administer.
Binding Corporate Rules
The Article 29 Working Party has accepted that group data privacy policies (referred to by the Working Party as “binding corporate rules”) may be used to make international transfers of data lawful (“Working Document: Transfers of personal data to third countries: Applying Article 26(2) of the E.U. Data Protection Directive to binding corporate rules for International Data Transfers”, 1/639/02/EN WP74, available at www.europa.eu.int/comm/privacy). Policy is at a relatively early stage and binding corporate rules need to fit the relevant organisation; therefore there are no ready-made documents for organisations to use. Instead the Working Document discussed certain minimum requirements.
Binding corporate rules were originally conceived as a method for controllers to protect transfers within their group. In an outsourcing context, the supplier (a processor) would put in place binding corporate rules to protect the clients’ information. Although, in principle, there is no prohibition on use of binding corporate rules by processors, early applications and approvals all relate to controllers. As a result, it remains to be seen if this method can be used by processors in an outsourcing context.
Often a supplier based inside the EEA will have a sister/associated company based outside the EEA to enable parts of the service to be provided more cheaply. This may permit a U.K.-based supplier to have software development and maintenance carried out in India, saving costs on labour and enabling faster turnaround overnight. In this case there may be onward transfers of personal information from the supplier (processor) inside the EEA to another supplier (the sub-processor) outside the EEA. This has been a particularly difficult issue in data protection terms and has not yet been satisfactorily dealt with.
In approving the controller-controller clauses the EC set certain minimum conditions for onward transfers to other controllers. However, most outsourcings will involve transfers from a controller to a processor and then on to the sub-processor; therefore the controller-controller clauses will not be relevant.
When approving the standard clauses for controller-processor transfers, the EC only mentioned onward transfers briefly in passing, to the effect that onward transfers are possible only if certain conditions are met. These conditions are that the importer processes the transferred data on behalf of the exporter in accordance with his instructions, the obligations contained in the standard clauses and the applicable data protection law. As an interim solution, clients are using side letters, whereby the controller authorises the appointment of the sub-processor, and so fulfils these conditions.
In the Commission Staff Working Document SEC (2006) 95, the Commission staff hoped for clarification in the area of onward transfers and it requested an Article 29 Working Party assessment of the question of onward transfers. In particular, the Working Party could assess whether it should be permissible for a processor to outsource the processing to other sub-processors, if the controller has specifically instructed the processor to do so and assuming that the sub-processor is bound to observe the same protections as those to which the original processor is bound.
Organisations have unexpectedly come across data protection issues in outsourcings and this has caused concern, delay and costs. Unfortunately, data protection legislation does not provide a clear path for compliance in outsourcings; however, much of what is required should be standard good practice (e.g., carrying out due diligence on security measures, documenting obligations in the contract and ensuring compliance through audits where necessary).
On the issue of transfers, if the transfer is from a number of EEA countries, at present most organisations will use the E.U. standard contractual clauses. Hopefully the ICC controller-processor clauses will be available soon and will offer a more commercially suitable alternative. Where the transfer is from the U.K. only it will be possible to follow the Commissioner’s advice above and use a written contract which complies with the requirements of the 7th Principle (as above).
The data protection risks can be mitigated by ensuring that project managers are aware of the need to comply with data protection legislation and put in place adequate protection or safeguards for exporting data. As there is no standard formula for implementing an outsourcing, advice should be sought from data protection experts on a case-by-case basis.
This article was published in the April 2006 issue of BNAI's World Data Protection Report. It was based on a seminar held by Bird & Bird in London on 23 March 2006. The speakers at the event included Francis Aldhouse, Javier Fernández-Samaniego and Hazel Grant of Bird & Bird, and Mark Keddie of BP.