
Alert: Electronic Commerce

FEBRUARY 26, 2001

STANDARD CONTRACT CLAUSES UNDER THE EU DATA PROTECTION DIRECTIVE

I. Background

The Commission of the European Union (“EU”) is developing standard contractual clauses (“Standard Clauses”) to be recommended for use between commercial parties conducting international transfers of personal information from the EU. These Standard Clauses[1] are designed to create a presumption of “adequacy” under the EU Data Protection Directive 95/46/EC (the “Directive”).

The data protection authorities (“DPAs”) in EU Member States are considering taking the position that the only acceptable contract-based method of ensuring “adequacy” of protection for personal information in international data transfers is through the use of the Standard Clauses. This view is being expressed even though the Directive contemplates several means for companies to demonstrate “adequacy,” including more than a single contract-based means.

This paper evaluates whether DPAs have the legal authority to deny commercial parties the flexibility afforded by the Directive. The Standard Clauses feature several provisions that are beyond the scope of the Directive; imposing them as a regulatory approach creates additional legal burdens, not contemplated by the Directive, on companies transferring data.

II. Summary Conclusions

The Directive clearly allows for contract-based compliance alternatives, other than the Standard Clauses, to be used to demonstrate “adequacy.” Although a set of Standard Clauses can be developed on the EU level, the use of those clauses is not self-executing. To be effective, the Standard Clauses must also be adopted at the Member State level. It is also possible for different sets of standard clauses to be developed by DPAs at the Member State level that would be recognized, in addition to the Standard Clauses, under particular national laws.

These circumstances present the following issue:

Under the Directive, may a national statute or DPA require that specific standard contractual clauses be used in commercial agreements, whether those clauses are the Standard Clauses or other standard clauses approved under national law?

[1] The usage “standard contractual clauses” is the usual term in EU data protection documentation. See, for example, Article 26(4) of the Directive. However, the terms “model contract clauses” and “model clauses” are also widely used.

Kirkpatrick & Lockhart LLP

We are not aware of any national data protection law adopted by an EU Member State implementing the Directive which imposes such a requirement. These national laws do not give DPAs the explicit authority to require that only standard contractual clauses may be used.

There are strong sentiments, however, that a DPA could exercise its discretionary authority, under national law, to require that only standard contractual clauses be used. We have confirmed that at least one DPA is, in fact, adopting that view. We believe any decisions in that direction would be contrary to the structure of the Directive and its specific terms, as well as the authoritative construction that has been provided by the EU Commission. Indeed, a requirement to use the Standard Clauses would have important negative consequences for many US businesses.

III. The Standard Clauses—Current Status

The current reported situation with regard to the development of the Standard Clauses is as follows:

The Directive authorizes the development, at an EU-wide level, of the Standard Clauses. The Article 31 Committee (an EU Commission body that assesses “adequacy” under the Directive) is reviewing the Standard Clauses for approval on behalf of the EU Commission.

An initial draft of the Standard Clauses was released in September 2000. The comment period allowed by the Commission was only 18 days long. A second draft of the Standard Clauses was published in January 2001, but did not become readily available until late February.

The US Department of Commerce has recently submitted comments to the EU Commission on the second draft of the Standard Clauses. As of this writing, the text of these comments is not publicly available.

The Article 31 Committee met on February 19 and 20, 2001 to review these and other comments. As of this writing, the text of the report of the Article 31 Committee is not publicly available.

After the Article 31 Committee issues its report, a 30-day period will commence, during which the EU Commission and the EU Parliament will consider any additional input regarding the Standard Clauses. This is the only remaining formal opportunity for US companies to provide comment.

Following a final drafting process, the EU Commission will submit the Standard Clauses for the approval of the EU Parliament. We are informed that this process is planned to be completed by the end of June 2001.

Currently, the process seems strongly inclined toward the EU adoption of the Standard Clauses, generally in the form in which they are currently published. Presumably, the individual DPAs will then consider whether to require use of the Standard Clauses.

IV. Discussion

A. The Availability of Alternative Contract Solutions Under the EU Directive.

1. The Terms of the Directive Itself.

Under Article 25(1), the Directive permits the transfer of personal information from a Member State in the European Economic Area (“EEA”) to any non-EEA country only if:


The transferring parties comply with the data protection laws of the Member States (which must comply with the Directive) prior to and following the transfer, or the laws of the importing country ensure an “adequate” level of data protection.

The United States has not been determined by the EU Commission to have adequate protections for personal data.

Article 26(4) provides the authority for the development of the Standard Clauses: “[International transfers of personal information may occur] where the Commission decides . . . that certain standard contractual clauses offer sufficient guarantees . . ..” Once the EU Commission approves such standard contractual clauses, Member States are thus obligated to accept any commercial use of such clauses as creating a presumption of “adequacy.”

But, Article 26(2) of the Directive also provides:

A Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection . . . where the controller adduces sufficient guarantees with respect to the protection of privacy . . . such guarantees may in particular result from appropriate contractual clauses.

Article 26(2) allows companies to create their own contract-based solutions for providing adequacy, through the use of internal policies and business processes, and through the use of independently developed contracts. No provision of the Directive suggests that any standard contractual clauses adopted by the Commission (viz., the Standard Clauses) are the only “appropriate contractual clauses” for “adducing sufficient guarantees.”

Indeed, Article 26(3) provides that, whenever the DPA of a particular Member State authorizes international transfers of personal data under Article 26(2), the DPA must notify the Commission and the other DPAs. Paragraph 3 then sets forth a procedure whereby a different Member State’s DPA may object and challenge the earlier determination of adequacy. Thus, the Directive expressly contemplates that different solutions may be approved and that the DPAs may disagree as to their adequacy. The procedures set out in Article 26(3) would have no relevance if the only contractual clauses that were acceptable were those approved by the Commission.

Finally, if the importing country does not ensure an adequate level of protection, the Directive contemplates even further means by which personal data may still be transferred. These means include the exceptions (called “derogations”) in Article 26(1):

a. the data subject has given his consent unambiguously to the proposed transfer;

b. the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject’s request;

c. the transfer is necessary for the conclusion or for the performance of a contract concluded in the interest of the data subject between the controller and a third party;

d. the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims;

e. the transfer is necessary in order to protect the vital interests of the data subject;[2] or

[2] Our understanding is that this exception will apply only rarely, in life-threatening circumstances.


f. the transfer is made from a register which by law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.

The most important point about Article 26(1) is that these exceptions are mandatory. The Directive states that the laws of Member States “shall” provide for these exceptions. At a minimum, the laws of Member States cannot require that only Standard Clauses be used to the exclusion of the exceptions in Article 26(1).[3] It is critical to understand that some of the Article 26(1) exceptions anticipate the use of contracts.

2. EU’s Commentary on the Directive.

Currently, the EU has under consideration a Commission Decision (“Decision”) that would approve the set of Standard Clauses. A draft of that Decision, dated January 19, 2001, was publicly released February 15, 2001 on the EU’s website.[4] That draft clearly indicates that the EU Commission anticipates seeing contractual provisions other than the Standard Clauses:

The European Commission will also consider in the future whether the standard contractual clauses submitted by business organisations or other interested parties offer adequate safeguards in accordance with Article 26(2) of Directive 95/46/EC;

Article 26(2) which provides flexibility for a company wishing to transfer data to third countries and Article 26(4) which provides for the standard contractual clauses are essential for maintaining the necessary flow of personal data between the European Community and third countries without unnecessary burden for economic operators; these articles are particularly important in view of the fact that the Commission is unlikely to adopt adequacy findings under Article 25(6) for more than a limited number of countries in the short or even medium term;

3. The Standard Clauses May Be Used Only for Controller-to-Controller Transfers.

The Standard Clauses apply only to transfers from one controller to another controller.[5] They do not apply to transfers from a controller to a processor. The draft Decision states:

This decision does not cover the transfer of personal data by controllers established in the Community to recipients established outside the territory of the Community who act only as processors; these transfers do not require the same safeguards because the processor acts exclusively on behalf of the controller and all the relevant provisions of the Directive would remain applicable under the responsibility of the controller; the Commission sees a need to address this type of transfer in a subsequent decision;[6]

[3] Article 26(1) provides: “By way of derogation from Article 25 and save where otherwise provided by domestic law governing particular cases, Member States shall provide that a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2) may take place on condition that: …” (Emphasis supplied.)

[4] http://europa.eu.int/comm/internal_market/en/media/dataprot/news/clauses_en.pdf

[5] In the terms of the Directive, a “controller” is a party that makes or directs uses of personal data on its own initiative. A “processor,” by contrast, is a party that uses personal data only at the direction of another party.

[6] Opinion 1/2001 of the Article 29 Working Party is equally clear, although it appears to have a different sense of urgency: “The Working Party wishes to draw the attention to the fact that the scope of the Decision is limited to

(footnote 6 continues below)


Although the Commission may be correct as to the relative importance of controller-to-controller transfers, the volume of controller-to-processor transfers is likely to be quite substantial, if not greater than controller-to-controller transfers. It is also highly doubtful that the Commission will be able to deal with Standard Clauses for controller-to-processor transfers any time soon. Hence, in order for business to continue (which is another policy objective of the Directive), the DPAs must be prepared to consider and approve data transfer contracts other than the Standard Clauses.

4. Summary.

The Directive, by both its terms and its structure, contemplates flexibility in the development of contract-based controls for transfers of personal data. This flexibility also reflects practical business necessities. There are clear problems with any attempt to enforce a one-size-fits-all approach to the international transfer of personal information.

All these considerations suggest that it would not be permissible under the Directive for the DPA of a Member State to take the position that only the Standard Clauses (or other standard clauses approved under national law) may be used as a matter of discretionary authority that the DPA may possess under national law.

B. The Counter-Argument.

Notwithstanding the arguments above, an argument can be made that it is permissible under the Directive for a DPA to assert that only the Standard Clauses (or other standard clauses approved under national law) may be used, through the exercise of that DPA’s discretionary authority.

As noted above, Article 26(1) requires Member States to recognize certain exceptions to the transfer prohibition of Article 25(1). However, Article 26(2), the primary source of authority allowing companies to create their own contract-based solutions, is permissive only.[7] Member States are arguably not required to permit the use of independently developed contract regimes and the DPAs could, therefore, require the adoption of standard contractual clauses. On certain points, the implementing laws of the Member States can be stricter than the requirements of the Directive.

But it is not easy to reconcile the permissive nature of Article 26(2) with the mandatory exceptions of Article 26(1). Any independently developed contract regime (the authority for which is arguably optional) will normally be based on transfers that have been consented to by data subjects (the authority for which is mandatory). Similarly, many transfers performed pursuant to independently developed contracts will be conducted in order to honor contractual obligations owed to, or consented to by, the data subject, another of the mandatory exceptions. A requirement by the DPAs to use the Standard Clauses would appear to diminish the availability of options required by the Directive.

[6] (continued from above) transfers where both parties act as a controller. The Working Party supports this approach, but invites the Commission to address urgently in a future decision contractual clauses for those transfers not covered by the present Decision, that is, where the recipient of the data outside the Community is a processor acting on behalf of a data controller established in the Community.”

[7] “Without prejudice to paragraph 1, a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2), where the controller adduces sufficient guarantees with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such guarantees may in particular result from appropriate contractual clauses.” (Emphasis supplied.)


V. The Adverse Consequences of the Standard Clauses

In evaluating the appropriate course of action with respect to the Standard Clauses, US businesses should consider the types of negative legal and operational consequences that would result if the use of Standard Clauses became mandatory.

A. Mandatory Integration.

The Standard Clauses are drafted to be integrated with another agreement. They do not contemplate the data transfer contract being separated from some underlying commercial agreement.

There is nothing in the Directive that requires, or even suggests, this integrated structure. The apparent thought behind this structure is that the DPA in a Member State might need to review the agreements in combination in order to assess the “adequacy” of the protection in particular cases, either routinely or on an audit basis.

But the difficulty with this structure is that the underlying agreement may be confidential or otherwise business sensitive. Thus, under the authority of protecting personal data, the Standard Clauses empower DPAs to require inspection of virtually any commercial agreement requiring the transmission of personal information in connection with its performance.

B. Third-Party Beneficiary Liability.

The Standard Clauses are a three-party agreement in which the data subject is expressly provided the right to enforce its terms as a third-party beneficiary against both the data exporter and the data importer. Indeed, the Standard Clauses require the data exporter and the data importer to agree that they will never seek a waiver of the data subject’s third-party beneficiary status.

Article 23(1) of the Directive specifies that data subjects have a private right of action against “the controller for the damage suffered.” Article 23(2), however, exempts any controller from liability where it proves that it is not responsible for the event resulting in the damage. The Standard Clauses overcome the risk that a data subject could not proceed against a data importer who has misused the data and violated the terms of the Directive, where the data exporter proves that it was not responsible for the event resulting in the damage. Although the Standard Clauses arguably expand beyond the scope of the Directive in this regard, the developing practice in Europe is to include such third-party rights in all data transfer agreements.

C. Joint and Several Liability.

The Standard Clauses provide for joint liability between the data exporter and the data importer for damages resulting from the unlawful processing of personal data. However, the Directive is silent on the issue of joint liability. In this regard, the Standard Clauses arguably constitute “bootstrapping”— imposing new legal requirements beyond the scope of the Directive—with potentially serious monetary consequences.

D. Providing Copies Upon Request.

The Standard Clauses specifically provide that a copy of the data transfer agreement will be made available to a data subject upon request. Since data transfer agreements would be integrated with commercial agreements (see above), this presents the extraordinary result of requiring sophisticated commercial agreements between controllers to be made available to data subjects.


E. Audit Requirements.

Under the Standard Clauses, the data importer must agree:

“to submit at the request of the Data Exporter its data processing facilities for audit. The audit may be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications, selected by the Data Exporter and, where applicable, in agreement with the Supervisory Authority;”

The “Supervisory Authority” referred to may be one or more DPAs. The Standard Clauses constitute consent to the investigatory jurisdiction of European DPAs, even when personal information is processed in the United States. This could have the result of allowing European government authorities to conduct inspections of data processing facilities within the United States.

VI. Case Study: the UK

The UK Information Commissioner’s Act of 1998 implementation guidance handbook relating to international transfers of personal data illustrates the Commissioner’s interpretation of the UK law (which is in compliance with the Directive). The handbook makes clear that the Commissioner’s Office intends to strongly discourage the use of non-standard agreements (i.e., independently developed contracts or one-off contracts):

… such applications should only be made as a last resort or in very special circumstances.

This language suggests a strong bias will exist against the use of independently developed contracts and for the use of the Standard Clauses. On February 26, 2001, Iain Bourne, the Commissioner’s Director of Strategic Policy Management, confirmed that the Commissioner intends not to approve the use of any privately developed contract. While acknowledging that the Directive allows for the development of such contracts, Mr. Bourne indicated that the Commissioner’s understanding is that she is not legally required to approve the use of such contracts.

VII. The Practical Realities

On a very practical level, the reality is that the DPAs are informally expressing concern with a serious resources problem. Although they know that both the Directive and their national laws provide for the use of non-standard private contracts as a means of demonstrating adequacy, they also lack the resources to review a large number of contracts. Accordingly, they have two choices:

• They can reduce their workload by insisting upon the use of the Standard Clauses.

• They can reduce their workload by relying upon private contractual compliance with guidelines issued by their office. This option operates by basically shifting the workload to the private sector and its advisers.

The latter is strongly preferable, both legally and practically, for the DPAs, affected businesses, and data subjects alike. Data subjects should prefer a system in which they will obtain protections that are calibrated to their individual circumstances, rather than a one-size-fits-all regime. Businesses will prefer a system which maximizes freedom in contracting and preserves the confidentiality of business contracts.

In the absence of a vigorous and effective dialogue on these issues, the implementation of the Standard Clauses in their current form could be enormously disruptive.


The situation is particularly critical for certain US industries, primarily financial services companies, which do not currently qualify for Safe Harbor participation under the plan negotiated by the US Department of Commerce in 2000. If the use of the Standard Clauses becomes the only alternative to the Safe Harbor, financial services companies will have no other alternative for demonstrating “adequacy” in connection with their international transfers of personal information. This is particularly troubling because the EU is still involved in discussions with the US Treasury Department as to whether or not the current legal regime governing financial services in the United States (under the Gramm-Leach-Bliley Act) is, by itself, “adequate.” Any other business that does not consider Safe Harbor membership a desirable option should also be gravely concerned by the possibility of being mandated to use the Standard Clauses. A strong, multi-industry coordinated response to disallowing the use of privately developed contracts to provide “adequacy” is essential.

Jeffrey B. Ritter, (202) 778-9396, jritter@kl.com

For further information, please feel free to contact:

Henry L. Judy, (202) 778-9032, hjudy@kl.com

Benjamin S. Hayes, (202) 778-9884, bhayes@kl.com

Kirkpatrick & Lockhart LLP

Challenge us.

BOSTON • DALLAS • HARRISBURG • LOS ANGELES • MIAMI • NEWARK • NEW YORK

This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting with a lawyer.

© 2001 KIRKPATRICK & LOCKHART LLP. ALL RIGHTS RESERVED.
