European Union Adopts Standard Contract Clauses for Transfers of Personal Data
In 1998, the European Union (EU) put into effect a directive that prohibited the transfer of personal data to nations outside of the 15-member EU, unless the nation to which the data was transferred "ensures an adequate level of protection." The directive does not specify what measures are "adequate," but provides only general guidance about the factors to be considered in assessing the "adequacy" of non-member states' privacy protections. Consequently, this directive has caused considerable uncertainty and debate; it was widely believed that EU companies could not export personal data - such as human resources information or information gathered on customers - without violating EU data privacy laws.
In an effort to provide some clarity, this past summer the European Commission adopted certain standard contractual clauses by which organizations can transfer personal data. These clauses include:
- making those whose data is transferred third-party beneficiaries under the contract and allowing associations and "other bodies" to bring actions against the actual contracting parties for violations of the agreement that adversely affect persons whose data is transferred
- a warranty that the use of the personal data does not violate applicable EU laws and regulations
- a warranty that persons whose data is to be transmitted outside of the EU have been advised of that possibility
- a guarantee that the exporter of the data will, upon request, provide a copy of the standard clauses to person whose data is exported from the EU
- an undertaking that the data exporter will abide by certain "Mandatory Data Protection Principles" that must be attached to the agreement
- mandatory audit provisions applicable to the importer of data (who is located outside of the EU)
- admission of possible joint and several liability by the data exporter and data importer to the person whose data is transmitted outside of the EU for a number of potential breaches of the standard clauses
- mandatory indemnification for costs to enforce the agreement
- mandatory mediation and submission to jurisdiction in the courts of the EU Member State where the data exporter is located
- a reservation of rights by the person whose data is transferred, permitting that person to rely upon the substantive and procedural rights available under national and international laws that may apply to the agreement
- a provision requiring that the parties to the contract will deposit a copy of the standard clauses with an EU Supervisory Authority upon request of that body (supposedly, other provisions of agreements may be kept confidential, but this may depend upon the law of each Member State of the EU)
- These standard clauses are not mandatory, but they do provide a lawful means of transferring data outside of the EU. In addition, companies in the United States that adhere to the Safe Harbor Privacy Principles issued by the U.S. Department of Commerce as a result of an arrangement negotiated with the EU need not use these clauses, as they are already presumed to be in compliance with the EU data privacy directive.
- The standard clauses also may be unnecessary where:
- a person has already given unambiguous consent to the export of personal data
- the transfer is made under a contract with the person providing the data at that person's request
- the transfer is necessary for the performance of a contract made for the benefit of the person providing the data
- the transfer is otherwise made to protect the vital interests of the person providing the data or for a legitimate public information purpose
Certain specific requirements for contracts under the laws of EU Member States also may apply and are not necessarily eliminated by the so-called standard provisions adopted by the EU for data transfers outside of the EU.
Because many U.S. companies do not adhere to the safe harbor privacy principles of the U.S. Department of Commerce, organizations should exercise caution to ensure that they comply with EU when they are transferring any data out of the EU. Using the new EU standard data transfer clauses is one way to avoid being haled into a European court for data privacy violations.