The European Commission has finally issued its long-awaited revision of the controller-processor model clauses. The main change is to allow sub-processing. This has been implemented in a sensible manner and provides welcome flexibility when structuring outsourcings and other processing arrangements.
Background
Model clauses are one of the most flexible methods for businesses to export personal information from the European Union to countries outside the EU without falling foul of the prohibition on export set out in the EU Data Protection Directive 95/46/EC. Model clauses come in two flavours: one used for export to data controllers located outside the EU, and the other for export to data processors. The latter category is widely used in the outsourcing and IT services industries, but to date only one set of controller-processor model clauses has been approved for use by the European Commission.
Lengthy consultations with industry bodies such as the International Chamber of Commerce (ICC), the American Chamber of Commerce to the European Union (AmCham EU), the Japan Business Council in Europe (JBCE) and the Federation of European Direct and Interactive Marketing (FEDMA) have produced this revised set of controller-processor model clauses. They are a marked improvement on the previous version, although they do not address all the perceived shortcomings of their predecessors, such as the onerous filing requirements imposed by some national regulatory authorities and the problems raised when the clauses are used by multiple parties. However, the arbitration provisions, which were unpopular with some data controllers, have been removed.
Sub-Processors
The most significant alteration is that the new model clauses expressly allow a processor located outside the EU to appoint a sub-processor. This situation is extremely common in practice, for example where Indian IT service providers sub-contract some of their work intra-group or to third parties. Appointment of sub-processors under the new model clauses is conditional upon:
- the non-EU based processor obtaining the controller’s prior consent in writing;
- the non-EU based processor providing the EU based controller with a copy of the contract under which any sub-processing takes place. This contract in turn has to be made available to data subjects. Commercially sensitive terms may be redacted when providing the contract to data subjects, but not when providing copies of the sub-processing arrangements to EU based data controllers. In practice, therefore, service providers will want to ensure that their sub-processing arrangements do not contain any commercially sensitive terms, in order to avoid having to disclose them to their ultimate EU based controller customers;
- the sub-processing being carried out under a written contract which imposes the same obligations on the sub-processor as are imposed on the non-EU based processor;
- the non-EU based processor remaining liable for the sub-processor; and
- data subjects being granted third party rights against the sub-processor which can be exercised should both the EU based controller and non-EU based processor cease to exist or become insolvent.
This largely reflects the arrangements which many data controllers have been implementing for some time. Importantly, the new model clauses do not draw the line at sub-processors: deeper supply chains are permitted (i.e. sub-sub-processing). This follows from the definition of sub-processor as "any processor engaged by the data importer or by any other sub-processor of the data importer".
The new model clauses also apply only to processors based in third countries not providing adequate protection. This means the clauses are not authorised for use with a processor in the EU who uses sub-processors outside the EU. Although this appears to put EU based IT service providers, or similar, at a disadvantage to their non-EU competitors, the practical answer may be for the controller to enter into the new model clauses directly with the non-EU sub-processors.
Use in practice
The new model clauses will help to simplify the contractual framework for outsourcing arrangements. A data controller customer in such arrangements no longer needs direct contracts with all processors and sub-processors and can rely on the non-EU based "head" processor supplier to put a "chain of contracts" in place with sub-processors. It seems logical to conclude that this approach can also be used for processors and sub-processors within the EU and that such an arrangement would satisfy the requirements of Article 17 of the Directive.
Finally, it is worth remembering that the model clauses are not a "cure all". Many data protection authorities, such as the UK Information Commissioner, will be more interested in the steps a data controller has taken in practice to confirm that offshore processors will keep the information secure. Depending on the nature of the data, this may include on-site visits and audits. In the event of a serious data loss, model clauses alone will provide very little comfort.
Expiry of Old Model Clauses
The new model clauses come into effect on 15 May 2010. On this date the old model clauses, approved under Decision 2002/16/EC, will cease to be recognised. This is in marked contrast to the controller-controller model clauses, where the two different forms approved to date continue to benefit from approved status in parallel. Contracts already concluded under the old clauses will continue to be valid, but only so long as the "transfers and data processing operations that are the subject matter of the contract remain unchanged". It is not entirely clear what this means but, potentially, even an amendment to the Appendices to the clauses (i.e. to the details of the data transferred and the security measures) could trigger the need for new model clauses.
The Future for Data Processors
The new clauses are very welcome. However, they come at a time when the very concept of "data processors" is being questioned. A number of the responses to the Commission's consultation on the Data Protection Directive pointed out that it is increasingly difficult to draw a clear distinction between data controllers and data processors, given the increasing sophistication of vendor services and outsourcing relationships, and called for the distinction to be abolished. The Article 29 Working Party has been reviewing these definitions for some time, and their interpretation will be on the agenda of its 74th meeting on 15-16 February 2010.
A blackline showing the amendments made by the new model contracts is available here ...
By Tanguy Van Overstraeten, Brussels, and Richard Cumbley, London, Linklaters LLP. Tanguy and his team in Brussels contribute actively to the work of the Digital Economy Committee of the American Chamber of Commerce to the European Union (AmCham EU), which participated in the review of the model clauses.