Since the fall of Safe Harbor, there's been a wave of data export conservatism that's spread across Europe - ranging from EU data protection authorities casting doubt on the longevity of other data export solutions, through to EU customers delaying (or, in some cases, even cancelling) deals with US counter-parties over data export concerns.
Reports that Safe Harbor 2.0 may be on its way have done little to allay these woes because, whatever the optimism of the political parties involved in these discussions, the fact remains that any new framework adopted will face significant adoption challenges. For a start, existing Safe Harbor companies will almost certainly need to re-certify under the new framework (possibly with greater checks and balances by way of third party audit), certain DPAs around the EU will remain highly skeptical of - and so likely inclined to investigate - any transfers made under revised US-EU Safe Harbor arrangements, and many EU customers who have been 'once bitten, twice shy' due to the current Safe Harbor's collapse will be reluctant to move away from solutions they see as being more 'tried and trusted', i.e. model clauses.
So, rightly or wrongly, that means for the short- to mid-term model clauses are likely to remain the solution of choice for many companies engaging in global data exports, whether intra-group or to US (or wider international) suppliers. Certainly, this has been my personal experience to date - virtually every EU-US deal I've been engaged on in recent weeks has been dominated by discussions concerning the need for model clauses.
The problem with model clauses
While they are probably the only immediately viable legal solution for data exports right now, it's no secret that model clauses - especially the 2010 controller-to-processor model clauses - suffer from significant problems - namely, the potential for on-premise audits, consent and contractual flow down requirements when appointing sub processors, and an absence of liability limitation provisions. In a one-off arrangement between just two parties, these obstacles might be surmountable and a commercially-acceptable risk; in a cloud-based environment where the supplier hosts its solution on third party infrastructure with vendors who won't negotiate their terms and where it provides a multi-tenanted, uniform offering across all customers, it's a very significant problem. The accrued risk is potentially huge.
Simple example: imagine a US supplier has 5,000 EU customers, and at any one time 1% of those decide to exercise on-premise audit rights under the 2010 model clauses (e.g. in the wake of a data incident). Suddenly, the supplier finds itself managing 50 simultaneous on-premise audits, a significant business disruption and threat to the security of the data it hosts. Or, imagine instead, that 10% of its EU customers insist on case-by-case consents every time the supplier wishes to appoint a new sub processor (which may be something as simple as another group company providing technical support to EU customers) - this means approaching 500 customers for consent. What if one (or more) refuse?
So can you amend the model clauses?
Bearing the above in mind, it should be no surprise that suppliers, when asked to sign model clauses, will often seek to amend their more onerous provisions, either by way of a side agreement or directly within the model clauses themselves. But, when they do, they're often met with a very blunt response: "You can't amend the model clauses!"
Having encountered this argument many times when negotiating on behalf of internationally-based suppliers, I want to set the record straight on this point. You absolutely can amend the model clauses, provided your terms are purely commercial in nature and do not impact the protection of the data, nor the rights of data subjects or supervisory authorities.
If you're not convinced you can amend the model clauses, then see Clause 10 of the 2010 Controller-to-Processor Model Clauses: "The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause." (emphasis added). In fact, as if to emphasize the point, the 2010 Model Clause even include an "illustrative" and "optional" indemnification clause.
Similar language exists in the 2004 Controller-to-Controller Model Clauses too at Clause VII: "The parties may not modify these clauses except to update any information in Annex B, in which case they will inform the authority where required. This does not preclude the parties from adding additional commercial clauses where required." (emphasis added). (In the interests of completeness, the original 2001 Controller-To-Controller Model Clauses do not expressly permit the addition of commercial clauses, which is as good a reason as any to avoid using them.)
And, if that weren't enough, even the Article 29 Working Party has weighed in on this issue with its FAQs on the 2010 Model Clauses: "7) Is it possible to add commercial clauses to the Model Clauses? As clearly stated in clause 10, parties must not vary or modify the Model Clauses, but this shall not prevent the parties from adding clauses on business-related issues where required, as long as they do not contradict the Model Clauses."
Should you amend the model clauses?
First things first, if you want to amend the model clauses, it's very important you do so in a considered way that is respectful of the rights the model clauses aim to protect. Don't go doing things like removing third party beneficiary rights owed to data subjects or flat out refusing audit rights - that cuts right to the heart of the protections that the model clauses are intended to provide and will never ever be acceptable, either to counter-parties or to supervisory authorities.
Any amendments you make should be purely commercial in nature, or intended to explain how some of the model clause rights should work in practice. For example, you might choose to limit the liability between the two parties to the model clauses (but not the data subjects!) by reference to liability caps agreed within a master services agreement between the parties. Alternatively, you might seek a general, upfront consent from the EU data exporter to the data importer's appointment of sub processors, provided the appointed sub processors fulfill the requirements of the model clauses. Or you might seek to explain how the EU data exporter can exercise its model clause audit rights against the data importer in practice - for example, through reliance on the data importer's independent third party audit certifications or written responses to audit questionnaires etc.
As a final consideration, if you do amend model clauses, be aware that this may trigger regulatory notification or authorization requirements in some Member States. This doesn't mean that you can't amend the model clauses, but is a consideration that should be investigated and borne in mind if amending the model clauses.
When doing so, ask yourself this question: Is it better to sign model clauses that you know you (or your supplier) will be unable to comply with for legitimate practical reasons, simply to ease any regulatory notification requirements? Or is contractual honesty between two parties, knowing that they will comply in full with the terms they agree, the better approach, even if this may carry some additional regulatory requirements?
Since the fall of Safe Harbor, there's been a wave of data export conservatism that's spread across Europe - ranging from EU data protection authorities casting doubt on the longevity of other data