10 April 2014

New Draft Processor To Sub-Processor Model Clauses (Art. 29 Working Party)

Mintz

Contributor

Mintz is a general practice, full-service Am Law 100 law firm with more than 600 attorneys. We are headquartered in Boston and have additional US offices in Los Angeles, Miami, New York City, San Diego, San Francisco, and Washington, DC, as well as an office in Toronto, Canada.

(LONDON) The Art. 29 Working Party, a key advisory body to the EU Commission, recently proposed draft model clauses to cover the transfer of personal data from EEA data processors to non-EEA sub-processors.

The draft model clauses have the potential to bring greater certainty to the rules applicable to data transfers from a data processor that is located within the EEA to a sub-processor located outside of the EEA.  (The EEA, or European Economic Area, comprises the 28 EU members, plus Norway, Liechtenstein and Iceland.)  While the Art. 29 Working Party does not have authority to put the model clauses into effect, the European Commission routinely considers its advice, so the model clauses are worth a read.

The model clauses run to over fourteen pages of text. Broadly speaking, the proposed model clauses would create a high level of transparency and accountability across various levels of sub-contracting of data processing. This is particularly relevant to cloud computing arrangements.

Why might these clauses be useful?  The current Data Protection Directive (95/46/EC) limits the ability of an entity to transfer personal data outside of the EEA to countries other than those that the Commission has determined have adequate safeguards.  The list of countries with adequate safeguards is short.  The US as a whole is not on the list, although the US Safe Harbor program has been approved, so companies that participate in Safe Harbor are effectively deemed to have adequate safeguards.  But there are many countries that are not covered.  The main option for those countries is contractual protections – but there's always a possibility that an EEA data protection authority could find a contract inadequate.

The model clauses, if adopted by the Commission, would provide a pre-approved set of contractual provisions that would be deemed adequate, so companies would have a high degree of legal certainty and would need to spend minimal time negotiating with each other (model clauses being a "take it or leave it" provision if one wants to get the benefit of deemed adequacy).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
