Transborder Data Flows & Privacy
Contractual clauses in the practice
Tanguy Van Overstraeten
Washington DC
October 16, 2007
Strategies for Transborder Data Flows
Contractual
necessity + others
Consent
Approved
destination
US Safe
Harbor
Options for
Transborder
Data Flows
Binding
Corporate
Rules
Standard
clauses
Bespoke
contract
1
Standard Contractual Clauses
– Article 26 (4) of Directive 95/46/EC
– Member States required to authorize transfers based on
EU Commission standard contractual clauses
– 3 sets of clauses so far:
– http://ec.europa.eu/justice_home/fsj/privacy/modelcontracts/
index_en.htm
– Transfers between Data Controllers
(Commission Decision 2001/497/EC of June 15, 2001)
– Transfers between a Data Controller and a Data Processor
(Commission Decision 2002/16/EC of December 27, 2001)
– Transfers between Data Controllers - ICC version
(Commission Decision C2004/5271 of December 27, 2004)
2
Standard Data Controller Clauses
– Initial version June 2001
– Data Exporter agrees to:
– warrant DP compliance in home country
– provide access to the standard clauses to data subjects
– respond to DPA’s enquiries
– Data Importer agrees to:
– abide by DP mandatory principles (in Appendix 2)
– Third party rights for data subjects
– Joint and several liability
3
Standard Data Processor Clauses
– Similar obligations for Data Exporter
– Reduced obligations for Data Importer
– process only upon instructions
– implement specific security measures
– No joint and several liability
– Data Importer liable only if Data Exporter disappears
factually or ceases to exist legally
4
ICC Standard Clauses
– New version December 2004
– Some improvements over previous controller clauses
– no joint and several liability
– more pragmatic principles
(e.g. exceptions to subject access rights)
– more business friendly language
BUT…
– still designed for point to point use
– only cover controller to controller transfers (though work at
an advanced stage on controller to processor clauses to
address e.g. sub-contracting issues)
5
Practical issues of application
– Variety of application throughout the EU
–
–
–
–
Procedure required: none - filing – approval
Level of details required in the schedules
Language issue (translation requirement)
Additional clauses: allowed or not in practice (“bespoke
contracts”)
– Challenge for multi-party situations
– E.g. multinational structure
– Issue of subcontracting by Importer: (i) need for direct
agreement between the Exporter and the Importer’s
processor or (ii) three-party agreement
– Multiple governing law(s)
6
Conclusion – Room for improvements
– Need for consistency and harmonization of
procedural requirements
– Extension of use for multi-party transfers
– Allowance for onward transfer to data processors
– Possibility to include additional clauses
– Other sets of clauses required in specific areas
– e.g. HR transfers
7
Questions?
Tanguy Van Overstraeten
Linklaters LLP
Rue Brederode 13
1000 Brussels
Tel: +32 2 501 94 05
Fax: +32 2 501 91 14
[email protected]
8
Descargar

Document