New approval process for Data Transfer Agreements in Belgium - Update
At the end of June, the Belgian Privacy Commission and the Ministry of Justice executed a Protocol that puts in place a new approval process for Data Transfer Agreements (“DTA”).For customized DTA, it
At the end of June, the Belgian Privacy Commission and the Ministry of Justice executed a Protocol that puts in place a new approval process for Data Transfer Agreements (“DTA”).
For customized DTA, it brings considerable improvement, but unfortunately it also adds a layer of administrative burden in relation to the use of the EU Model Clauses.
1. Use of customized data transfer agreements
Let’s start off with the good news: Until now, it was very cumbersome and time consuming for a data exporter to use a customized version of the EU Model Clauses. The Privacy Commission had to assess whether these complied with the requirements of offering an adequate level of protection, and if they did, they had to be approved by Royal Decree. All in all, this was not an ideal solution, which is probably why the procedure has almost never been used.
The Protocol now acknowledges that it is sometimes justified for data exporters to make (some) changes to the EU Model Clauses. In order to facilitate this, the approval process has therefore been streamlined. The Privacy Commission will now take the lead and will check the DTA for compliance with the principles of the Article 29 Working Party 'Transfers of personal data to third countries' Working Document (WP12). Where the DTA passes this test, the Privacy Commission will provide the Ministry of Justice with a positive advice, which will then issue a Royal Decree approving the international transfer. To speed-up this process, a template Royal Decree has been agreed on, just as it is already the case for BCR approvals.
This streamlined approval process for customized DTA is obviously a big step forward.
2. Use of EU Model Clauses
Unfortunately, at the same time, we take a big step backwards when it comes to the use of EU Model Clauses. Prior to the Protocol, no formal approval was required when the EU Model Clauses were used in an unaltered form. A data exporter simply had to submit a copy to the Privacy Commission when filing the notification.
This has now changed: After submission of a copy of the executed EU Model Clauses to the Privacy Commission, the latter will verify whether these are indeed identical to the EU Model Clauses template. If it is the case, it will issue a formal confirmation authorizing the data transfer.
It is quite surprizing and - in our opinion – unfortunate that the Protocol has added this additional layer of administration. This is even more so considering the fact that the proposed new data protection framework intends to reduce the administrative burdens on companies.
The Protocol will clearly make it easier for companies to get approval for a customized DTA. Nonetheless, even now customized DTA will likely remain the exception. This leads me to conclude that the outcome of this Protocol is mainly negative: it will take longer before a bona fide data exporter who uses the EU Model Clauses template will be able to transfer personal data to his data importer.
UPDATE - 24 July 2013
Since writing this blog, we are told that the Belgian Privacy Commission did not have the intent to increase the administrative burden for the use of EU model clauses. While the Protocol clearly uses the word 'authorizing', this should not be interpreted as introducing a formal authorization requirement, but rather as a confirmation given to the data exporter that the DTA used does indeed comply with the EU model clauses. The latter would then imply that no other formalities (e.g. approval by a Royal Decree) are required.
If this would indeed be the Privacy Commission's or the MoJ's official interpretation of the Protocol, then we can indeed say that the overal outcome is positive.
For customized DTA, it brings considerable improvement, but unfortunately it also adds a layer of administrative burden in relation to the use of the EU Model Clauses.
1. Use of customized data transfer agreements
Let’s start off with the good news: Until now, it was very cumbersome and time consuming for a data exporter to use a customized version of the EU Model Clauses. The Privacy Commission had to assess whether these complied with the requirements of offering an adequate level of protection, and if they did, they had to be approved by Royal Decree. All in all, this was not an ideal solution, which is probably why the procedure has almost never been used.
The Protocol now acknowledges that it is sometimes justified for data exporters to make (some) changes to the EU Model Clauses. In order to facilitate this, the approval process has therefore been streamlined. The Privacy Commission will now take the lead and will check the DTA for compliance with the principles of the Article 29 Working Party 'Transfers of personal data to third countries' Working Document (WP12). Where the DTA passes this test, the Privacy Commission will provide the Ministry of Justice with a positive advice, which will then issue a Royal Decree approving the international transfer. To speed-up this process, a template Royal Decree has been agreed on, just as it is already the case for BCR approvals.
This streamlined approval process for customized DTA is obviously a big step forward.
2. Use of EU Model Clauses
Unfortunately, at the same time, we take a big step backwards when it comes to the use of EU Model Clauses. Prior to the Protocol, no formal approval was required when the EU Model Clauses were used in an unaltered form. A data exporter simply had to submit a copy to the Privacy Commission when filing the notification.
This has now changed: After submission of a copy of the executed EU Model Clauses to the Privacy Commission, the latter will verify whether these are indeed identical to the EU Model Clauses template. If it is the case, it will issue a formal confirmation authorizing the data transfer.
It is quite surprizing and - in our opinion – unfortunate that the Protocol has added this additional layer of administration. This is even more so considering the fact that the proposed new data protection framework intends to reduce the administrative burdens on companies.
The Protocol will clearly make it easier for companies to get approval for a customized DTA. Nonetheless, even now customized DTA will likely remain the exception. This leads me to conclude that the outcome of this Protocol is mainly negative: it will take longer before a bona fide data exporter who uses the EU Model Clauses template will be able to transfer personal data to his data importer.
UPDATE - 24 July 2013
Since writing this blog, we are told that the Belgian Privacy Commission did not have the intent to increase the administrative burden for the use of EU model clauses. While the Protocol clearly uses the word 'authorizing', this should not be interpreted as introducing a formal authorization requirement, but rather as a confirmation given to the data exporter that the DTA used does indeed comply with the EU model clauses. The latter would then imply that no other formalities (e.g. approval by a Royal Decree) are required.
If this would indeed be the Privacy Commission's or the MoJ's official interpretation of the Protocol, then we can indeed say that the overal outcome is positive.
However, pending any official clarification by the Privacy Commission or the MoJ, the legal uncertainty around the meaning of the word 'authorize' will unfortunatley remain.