Easier agreements with new data protection model clauses

A draft document on new data protection model clauses for transfers of personal data from European Union data processors to non-EU sub-processors has been approved by the Article 29 Working Party setting an important milestone on data protection issues for projects triggering the transfer of personal data outside Europe making life easier for outsourcing agreements and cloud projects.European data protection laws in principle prohibit the transfer of personal data to countries outside the European Economic Area which are not deemed to offer an adequate level of protection.  This creates major issues in outsourcing and cloud projects where entity running the project or their subcontractors are located outside the Europe.

The prohibition above is subject to exceptions which include the possibility to put in place a data transfer agreement. The European Commission has approved three sets of model clauses that are mandatory for such data transfer agreements.  Subject to local notification and approval requirements, transfer agreements based on those model clauses will typically provide a sufficient legal basis for data transfers. 

To date, the European Commission has only approved model clauses governing “controller-to-controller” and “controller-to-processor” transfers which required that either the second controller or the processor (i.e. the contractor) had to be located outside the European Economic Area to rely on them.  However, experience shows that the transfer of personal data outside the EEA often only occurs in the processor – sub-processor relationship, and not in the controller – processor relationship i.e. usually only the subcontractor is located outside of the EEA.  In such case, companies are often forced to rely on one of the exceptions permitting data transfers (which is often a challenge as the exceptions can rarely be invoked in relation to large-scale data transfers), or to create a customised data transfer agreement (which offers less legal security and/or is subject to burdensome approval processes).

Given the above the initiative of the Article 29 Working Party (an European data protection advisory body) to take the first steps towards creating model clauses for processor-to-processor data transfers is welcomed.  Indeed, such model clauses will complement the existing model clauses framework and facilitate compliance with European data protection laws.  It should, however be noted that these draft new model clauses have not yet adopted been by the European Commission and therefore do not constitute a new official set of model clauses.  Use of these new model clauses will not yet guarantee compliance with data transfer requirements.  It can, however, be expected that using these draft new model clauses could facilitate approval from the local data protection authority in countries where customised transfer agreements are subject to such data protection authority approval.