Transfers of personal data outside of the UK can be made without additional restrictions to data importers in the European Economic Area or EEA. However, transfers by UK data controllers to data importers based outside the EEA have to comply with the eighth data protection principle (“Eighth Principle”) in Schedule 1 to the Data Protection Act 1998.
The Eighth Principle requires EU member states to provide that the transfer to a non-EEA country (“Third Country”) of personal data which is undergoing processing, or is intended for processing after transfer, may take place only if the Third Country in question ensures an adequate level of protection for the rights of the data subjects in connection with the transfer/processing of their personal data. The onus is on the data controller to ensure that it complies with the Eighth Principle in relation to any cross-border transfer of personal data.
If a data controller needs to transfer personal data outside the EEA and the recipient country has not been subject to a positive finding of adequacy by the European Commission (details of those who have can be found here), nor are protected by what is known as the Privacy Shield (see further below), it will need to:
- consider whether the proposed transfer will provide an adequate level of protection for the rights of the data subjects; or
- if (1) is not satisfied, put in place adequate safeguards. These include using model contract clauses (“MCCs”), Binding Corporate Rules (“BCRs") or other contractual arrangements; or
- consider using one of the other statutory exceptions to the Eighth Principle restriction on international transfers of personal data. These include but are not limited to: transfers necessary for the purpose of any legal proceedings and transfers made, or authorised, by the Commissioner on terms which are of a kind approved by the Commissioner as ensuring adequate safeguards for the rights and freedoms of data subjects.
This article will focus on the MCCs in the second option.
Model Contract Clauses
The European Council and the European Parliament have given the European Commission the power to decide, on the basis of Article 26 (4) of the EU Data Protection Directive 95/46/EC (“the Directive”) that certain standard contractual clauses offer sufficient safeguards as required by Article 26 (2) of the Directive.
In the context of the Directive, a “data controller” is a company that “determines the purposes and means of the processing of personal data”. A “data processor” is a company that acts only on “behalf of the controller” and does not, by itself, have a right to determine the means or purpose of processing.
Two of the sets of MCCs relate to transferring personal data from one company to another company and where the second is located outside the EEA, which will then use it for its own purposes (“controller to controller clauses”). Either set of clauses may be chosen depending on which are most suitable (see further below).
The remaining two sets of MCCs are for transferring personal data to a processor acting under your instructions e.g. a company providing you with IT services (“controller to processor clauses”). Whilst the first set of controller to processor clauses may still be in use for data transfer arrangements commencing pre-2010, only the new set of controller to processor clauses may be used for new data transfer arrangements.
Controller to Controller Clauses
The Set I controller to controller clauses provide that the data exporter and the data importer are jointly and severally liable to the data subject for any damage he/she may suffer as a result of a breach by either party of the MCCs. The data subject has a direct right of action under these model clauses by virtue of a third party beneficiary clause.
The Set II controller to controller clauses differ as they provide that the data subject can only enforce his/her rights against the party who is responsible for the relevant breach. Where the data importer is at fault, if the data subject is having trouble taking action against the data importer, he/she may nonetheless be able to take action against the data exporter for failing to use reasonable efforts to ensure that the data importer is able to satisfy its obligations under the clauses.
Controller to Processor Clauses
The Set I controller to processor clauses, which are not available for new data transfer arrangements, provided that the data exporter was primarily liable to the data subject for damage arising from a breach by either party of the controller to processor clauses.
The Set II controller to processor clauses allow for liability to follow fault; namely, the party causing the breach will be held liable for the breach rather than liability being attributed to the data controller. In addition, the Set II controller to processor clauses envisage circumstances involving the onward transfer of personal data by the processor who is outside the EEA to a sub-processor (who likewise may be anywhere in the world). Any such sub-processing arrangements must contractually extend the protection for the rights of data subjects to the sub-processing and any sub-processing must be authorised by the data controller. The data subject may, by virtue of the third party beneficiary clause, take action in relation to any breach of the clauses primarily against the party at fault. However, the controller will always retain responsibility for any harm arising from its initial transfer of the data.
Amending the Clauses, Incorporating the Clauses in Other Contracts and Inserting Additional Clauses
If you are relying on any of the MCCs as “stand-alone contracts”, you must not change the clauses in any way. However, the MCCs may be incorporated into other contracts or additional provisions may be added, provided nothing in the other contract or the additional clauses alters the effect of any of the MCCs.
Use of any of the MCCs, where the wording is changed, will not amount to use of the MCCs that are authorised by the Information Commissioner as providing adequate safeguards.
If you choose to amend the MCCs, you may take the view that your amended clauses are sufficient to provide adequate safeguards for the protection of the rights of the data subjects whose personal data you propose to transfer. Your amended clauses will not be MCCs but may operate as contractual arrangements which in the reasonable view of the data controller provide adequate safeguards for data subjects’ rights.
Providing adequate safeguards by using your own clauses is an equally valid basis on which to proceed with a transfer as is the use of MCCs. The fundamental difference is that you need to be prepared to offer evidence that your clauses provide adequate safeguards if it is challenged. If you use MCCs, there can be no challenge as to the effectiveness of the safeguards they offer.
On the 12 July 2016 the European Commission adopted the EU-U.S. Privacy Shield (“Privacy Shield”). The new framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States, as well as bringing legal clarity for businesses relying on transatlantic data transfers.
For further information, please see our article on Privacy Shield here.
Binding Corporate Rules (BCRs)
Where a transfer is carried out by a UK-established company to other members of its group in different jurisdictions, the transfer will comply with the eighth principle if it is governed by a set of legally enforceable corporate rules that have been approved by the Information Commissioner. As with the MCCs, the BCRs will ensure that the data subject's rights will not be prejudiced as a result of transfers made to countries outside the EEA that do not have an adequate level of protection.
Consent of the Data Subject
With the exception of the use of standard MCCs, the international transfer of personal data will most commonly be justified by means of consent. Such consent should be given clearly and freely and may later be withdrawn by the individual. Wherever possible, transferors of data who have contact with the individuals whose data is to be transferred outside the EEA should take the opportunity to secure consent to the transfer while obtaining consent to their other processing activities.
Model clauses only deal with the transfer of data. The data exporter must still comply with all other local data protection requirements.
The above is not intended to be a comprehensive review of the MCCs but hopefully gives a helpful introduction and highlights the areas on which businesses should be focusing their thoughts. Using the MCCs is only one method of ensuring a transfer of personal data outside the EEA complies with the Directive and we would be happy to help with any queries in relation to the topics covered (including drafting model clauses) in this article.
For further information or advice please contact