21:10 18.02.2010 | All news from "Top Legal News"
Outsourcing compliance eased by new 'model clauses', says expert
Companies in Europe may have to negotiate fewer contracts when they send data to foreign suppliers as a consequence of terms published by the European Commission. An expert says that the new rules, in force on 15th May, simplify commercial relationships.
OUT-LAW reported earlier this month that the European Commission had updated its 'model clauses' for overseas transfers of personal data. They have since been published. Contracts entered into from 15th May 2010 should include these clauses.
A cornerstone principle of the Data Protection Directive, which applies across the EU, limits the right to transfer personal data outside the European Economic Area. There are a few exceptions, but the only realistic one in many cases is the use of contractual clauses that were published by the European Commission in 2001. These 'model clauses' were updated for the first time this month in a formal Decision by the Commission.
Townsend, a data protection law expert with Pinsent Masons, the law firm behind OUT-LAW.COM, welcomed the update.
"The previous clauses did not reflect the increasingly complex data transfers that we see in practice, particularly in outsourcing," said Townsend. "This was because they only covered the situation where an EU data controller was transferring to a non-EU data processor, but they did not cover what happened when the data processor sub-contracted to a further data processor."
A data controller bears responsibility for compliance with the Data Protection Directive but a data processor does not. Using the model clauses, the controller will enter into a contract with the processor to pass on the controller's duties under the Directive, such as the need for security, to the processor.
If a data processor, such as an outsourcing company, wanted to sub-contract certain work, the data controller had to determine how to comply with its own duties for the transfer to the sub-contractor.
"The data controller could prohibit sub-contracting but this is often unrealistic," said Townsend. "The data controller could allow sub-contracting provided that the data processor imposed equivalent obligations on the sub-contractor – the problem with this is that even if the data processor got the sub-contractor to sign the model clauses with the data processor, this was not automatically compliant as the clauses only covered a data controller to data processor situation and not a data processor to data processor situation."
Nevertheless, this was one common route taken by UK controllers, according to Townsend.
"The argument was that if such clauses were used, the controller could argue that it had taken adequate steps to protect the data and had assessed adequacy for itself," she said. "Another route was to require the data processor to require that any sub-contractor entered into the model clauses direct with the data controller."
"That was a less risky approach but one that could be onerous if there were multiple sub-contractors, and it imposed direct liability on sub-contractors. Commercially, it's hard to get sub-contractors to agree to that, so they resist that or seek to limit it," she said.
The new clauses accommodate a non-EU processor sub-contracting to one or more non-EU sub-processors.
"The new clauses say that consent for this is required from the data controller," said Townsend.
The data processor is then required to put in place a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data processor under the model clauses.
"In practice this is often what a head contract has required anyway, but the new clauses legitimise this approach and mean that the transfer to the sub-processor is automatically adequate if this approach is followed," said Townsend.
Where the sub-processor fails to fulfil its data protection obligations under the written agreement, the data processor remains fully liable to the data controller for the performance of the sub-processor's obligations under the agreement.
According to Townsend, this was often reflected in a head contract anyway. "But the agreement must also include a third party beneficiary clause which allows data subjects to enforce it directly in the event that something happens to both the data controller and the data processor, something which commercially will be unattractive to the sub-contractor," she said.
The sub-contract must also be subject to the law of the data controller, i.e. the law of whichever EU state the data controller is established in. "That may be commercially unattractive to the overseas processor and sub-contractor," said Townsend. It could mean, for example, that a sub-contract between a US processor and an Indian sub-processor would be subject to English law, or at least the data protection parts of it would be.
Among the other requirements of the new model clauses, a data processor has to provide the data controller with a copy of the sub-contract, and the data controller has to maintain a list of sub-contracts and update this at least annually.
Townsend said that one thing was missing.
"What the clauses do not provide is the sub-contract itself – a set of model clauses to be entered into between the data processor and the sub-contractor, so this will still have to be drafted, or the obligations of the model clauses incorporated," she said.
A footnote to the new model clauses provides that the sub-contractor can co-sign the model clauses with the data controller and data processor. "That would work for one sub-contractor but would not seem to work where there are new sub-contractors added at a later date," said Townsend.
Townsend said that, overall, the new approach will be welcomed by companies.
"It is obviously helpful for data controllers that the new clauses give data controllers a way of automatically legitimising a data transfer to a sub-processor without the need for a direct contract," she said. "The clauses will perhaps cut down on the deliberations that data controllers and data processors go through as to how to achieve compliance."
"The real burden with the clauses lies with the data processors and the sub-processors because they have to find a model for incorporating the clauses into their relationship," she said. "They have to consider their liability to the data controller and potentially to data subjects."
"In reality, though, data protection provisions are already a prerequisite to doing business with anyone who themselves does business within the EU, and there will be greater visibility of this with the requirement to submit contracts to the data controller," said Townsend.
http://www.out-law.com/
