United States: European Commission Approves Contract Terms For Data Transfer

The European Commission last month approved a set of standard contract terms that non-European Community companies can use in private agreements to ensure that they are in compliance with the European Union's ("EU") data privacy legislation, which (subject to certain exceptions) prohibits the transmission of personal data outside the EU unless the laws of the country to which the data is sent "ensure an adequate level of protection." Under the EU's Directive on Data Protection, the United States does not provide the same level of statutory data protection, complicating transfers of personal data from the EU to the US and many other non-EU nations. The European Commission's issuance of standard contractual terms for use between parties transferring data outside the EU, however, offers a means to comply with the Data Protection Directive regardless of the receiving nation's data privacy laws. These standard contractual clauses impose obligations on both the transmitting party and the receiving party to process the data in accordance with the EU's basic data protection rules, and create third-party beneficiary rights that permit data subjects to enforce their statutory rights under the contract between the data-transferring parties.

The U.S. Treasury Department earlier this year objected to the EU's standard contractual clauses on the grounds that they placed unfair burdens on foreign companies. Specifically, the Treasury Department complained that the clauses could expose non-EU companies to suits in the EU for violations by the data exporter of data privacy laws that take place even before the data transfer. As a result, many US companies may be reluctant to work with the standard contractual clauses and will continue to seek other exceptions -- or "derogations" as they are called under the Directive -- to the general proscription against the transmission of personal data from the EU to the US. The most significant of these other exceptions is probably the so-called "necessity" exception in the Data Protection Directive, which permits the transmission of personal data "to a third country which does not ensure an adequate level of protection" if "the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the [data exporter] and a third party . . . ."