Privacy & Security Matters Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

New Draft Processor to Sub-processor Model Clauses (Art. 29 Working Party)

Posted in Cloud Computing, European Union, Privacy Regulation

Written by Susan Foster, Solicitor England & Wales/Admitted in California

 (LONDON) The Art. 29 Working Party, a key advisory body to the EU Commission, recently proposed draft model clauses to cover the transfer of personal data from EEA data processors to non-EEA sub-processors.

The draft model clauses have the potential to bring greater certainty to the rules applicable to data transfers from a data processor that is located within the EEA to a sub-processor located outside of the EEA.  (The EEA, or European Economic Area, comprises the 28 EU members, plus Norway, Liechtenstein and Iceland.)  While the Art. 29 Working Party does not have authority to put the model clauses into effect, the European Commission routinely considers its advice, so the model clauses are worth a read.

The model clauses run to over fourteen pages of text.   Broadly speaking, the proposed model clauses would create a high level of transparency and accountability across various levels of sub-contracting of data processing.  This is particularly relevant to cloud computing arrangements

Why might these clauses be useful?  The current Data Protection Directive (95/46/EC) limits the ability of an entity to transfer personal data outside of the EEA to countries other than those that the Commission has determined have adequate safeguards.  The list of countries with adequate safeguards is short.  The US as a whole is not on the list, although the US Safe Harbor program has been approved, so companies that participate in Safe Harbor are effectively deemed to have adequate safeguards.  But there are many countries that are not covered.  The main option for those countries is contractual protections – but there’s always a possibility that an EEA data protection authority could find a contract inadequate.

The model clauses, if adopted by the Commission, would provide a pre-approved set of contractual provisions that would be deemed adequate, so companies would have a high degree of legal certainty and would need to spend minimal time negotiating with each other (model clauses being a “take it or leave it” provision if one wants to get the benefit of deemed adequacy).