Data Privacy - International Transfers
The European Data Privacy Directive (Directive 95/46/EC) imposes a controversial requirement on EU Member States: personal data may not be transferred to any country outside the European Economic Area (the 27 EU Member States plus Norway, Iceland and Liechtenstein) unless the importing country ensures an ‘adequate’ level of data protection.
This raises important compliance requirements for any organisation which transfers personal data outside the EEA, even where the transfer is intra-company. In particular it applies to EU-based companies transferring data to other group companies outside Europe (for example under a global whistle-blowing scheme), and it will catch organisations which offshore parts of their operations. It even covers EU-based data processors who want to subcontract services to sub-processors outside Europe.
The prohibition is not absolute. Transfers are deemed lawful under various derogations, and also where the parties themselves put adequate safeguards in place by means of a formal data transfer agreement or ‘DTA’. There are two types of DTA: standard contractual clauses approved by the European Commission (known as the ‘Model Clauses’), or alternatively a bespoke DTA which organisations can choose to write themselves.
The Model Clauses were first published back in 2001. They addressed the requirement for ‘adequate’ protection using a legally enforceable declaration whereby the data exporter and importer both undertook to process data in accordance with basic data protection rules, and agreed that data subjects could enforce their rights directly under the contract. These Model Clauses were intended to offer a straightforward means of legitimising transfers.
Unfortunately they were inflexible (even minor amendments risked invalidating them) and regulators across the EU took very different approaches to authorisation. In some countries (notably the UK) the requirements were relatively simple, whilst in others works council consultation and formal filing of the clauses were required, making the process time-consuming, bureaucratic and uncertain. Worse still, they did not allow for sub-processing arrangements extending beyond the prime contractor, which have now become commonplace in offshoring transactions.
The Commission has attempted to address these issues with a new set of Model Clauses which were approved in 2010. Regrettably, while the new Model Clauses specifically allow the use of sub-processors, they set out very cumbersome rules about the subcontracting process itself. It also remains a requirement in many countries to ‘file’ Model Clauses for approval by local regulators. This can be an administrative nightmare involving months of liaison with faceless bureaucrats.
In the context of complex data processing arrangements involving chains of service providers, the new Model Clauses still seem at odds with modern market practice. Fortunately, their use is voluntary and sophisticated organisations are starting to explore alternatives.
An increasingly popular approach is a tailored DTA. In essence, the parties negotiate their own data protection provisions for international processing and rely on their own judgment to ensure an ‘adequate’ level of protection. The Article 29 Working Party (an influential advisory body set up to contribute to uniform application of the Directive) has sanctioned this approach in certain cases. See its ‘FAQs’ (WP 176) which were published in response to concerns raised after publication of the updated Model Clauses.
A tailored DTA should contain the principles and safeguards embodied in the updated Model Clauses and the parties should be bound by the same duties and rules of liability. In addition, a non-EEA-based supplier must respect the controller's national law.
This approach is well suited to jurisdictions like the UK where there is no obligation to evidence the arrangement by filing a copy with the regulator. In other EU countries, however, a tailored DTA may be subject to strict regulator scrutiny (and even formal authorisation) before transfers of data will be permitted.
In recent years the EU data protection authorities have encouraged multinationals to adopt internal ‘Binding Corporate Rules’ or BCRs based on European standards as a more flexible way of legitimising their global data processing operations. The current BCR model has only been applied to companies who are controllers but this will soon be extended.
The Article 29 Working Party is planning to extend the BCR concept to processors through ‘Binding Safe Processor Rules’ or BSPRs: legally binding internal data protection rules that apply to clients’ data processed by service providers. Unlike the Model Clauses the BSPRs can be tailored to the data protection practices of the service provider and, as long as they include the appropriate adequacy standards, are likely to be a very useful tool for the benefit of international data processing and the outsourcing industry.
Having said that, BCRs and BSPRs should be undertaken by organisations as part of their corporate-level data privacy compliance strategy. Both take considerable time to implement and would not be appropriate solely as part of a stand-alone transaction.
30/08/2010