New EU data transfer rules bear ICC imprint

  • 17 February 2010

The European Commission has substantially revised the Standard Contractual Clauses (SCC) for global data transfers from data controllers in the European Union (EU) to data processors outside the 27-member union.

“Although the Commission unfortunately did not adopt many of the suggestions made by the business associations, the new SCCs do have some important advantages over the existing controller-to-processor clauses,” said Christopher Kuner, the Chair of the ICC Task Force on Privacy and Data Protection. “I see this as an improvement but not as a breakthrough in making model clauses easier to use.”

Since the EU published its set of controller-to-processor clauses in 2001, the business community has recognized the need for a more pragmatic set of clauses that takes into account the rapidly-evolving climate for data processing. As global sourcing progresses and more businesses transfer data processing to companies that process data subject to an agreement with and under the control of the original data controller, the need for more pragmatic clauses has increased.

The EU Commission update represents the latest attempt to design data protection measures that safeguard personal data while meeting the day-to-day realities of business operations, based on practical business experience and aimed at closer cooperation between business and government authorities.

In October 2006, ICC, in conjunction with the American Chamber of Commerce to the EU, the Federation of European Direct Marketing, and the Japan Business Council in Europe, presented a draft covering the flows of personal data from data controllers to data processors.

Mr Kuner, a partner with Hunton & Williams in Brussels, who took the lead on negotiation on the clauses, said one important advantage of the new clauses is that for the first time they contemplate the possibility that a data processor outside the EU may need to transfer personal data to another data processor, something that happens frequently in daily business practice.

Under the clauses, such transfers may be carried out when the original data controller consents in writing and when the same data protection obligations that are imposed on the original data processor are also imposed on the sub processor. Another important change is that the new clauses must be used for new or changed transfers to data processors, meaning that the existing SCC’s for controller-to-processor transfers may no longer be used for such transfers from 15 May 2010.

While other mechanisms that provide a legal basis for complying with the EU restrictions for transferring personal data outside the EU exist and are increasingly popular, the use of SCCs remains indispensable. In many cases they are the only readily available data transfer solution that can be used and implemented on short notice.

The approval of these model clauses is the latest example of tools ICC has promoted with the European Commission to improve international data transfers for global business. Previous efforts culminated in the EU adopting ICC’s recommended changes to the standard clauses for international transfers from data controllers to other data controllers and its binding corporate rules checklist to streamline the process for companies applying to different data protection authorities around the EU.