(LONDON) The Art. 29 Working Party, a key advisory body to the EU Commission, recently proposed draft model clauses to cover the transfer of personal data from EEA data processors to non-EEA sub-processors.
The draft model clauses have the potential to bring greater certainty to the rules applicable to data transfers from a data processor that is located within the EEA to a sub-processor located outside of the EEA. (The EEA, or European Economic Area, comprises the 28 EU members, plus Norway, Liechtenstein and Iceland.) While the Art. 29 Working Party does not have authority to put the model clauses into effect, the European Commission routinely considers its advice, so the model clauses are worth a read.
The model clauses run to over fourteen pages of text. Broadly speaking, the proposed model clauses would create a high level of transparency and accountability across various levels of sub-contracting of data processing. This is particularly relevant to cloud computing arrangements
Why might these clauses be useful? The current Data Protection Directive (95/46/EC) limits the ability of an entity to transfer personal data outside of the EEA to countries other than those that the Commission has determined have adequate safeguards. The list of countries with adequate safeguards is short. The US as a whole is not on the list, although the US Safe Harbor program has been approved, so companies that participate in Safe Harbor are effectively deemed to have adequate safeguards. But there are many countries that are not covered. The main option for those countries is contractual protections – but there's always a possibility that an EEA data protection authority could find a contract inadequate.
The model clauses, if adopted by the Commission, would provide a pre-approved set of contractual provisions that would be deemed adequate, so companies would have a high degree of legal certainty and would need to spend minimal time negotiating with each other (model clauses being a "take it or leave it" provision if one wants to get the benefit of deemed adequacy).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.