Towards more harmonization on the EU model clauses
On November 26th, 2014, the Article 29 Working Party ("WP 29") issued a document setting forth a cooperation procedure regarding the use of the EU model clauses in the context of international data transfers. The aim of this document is to facilitate the use of the EU model clauses across multiple jurisdictions in Europe while ensuring a harmonized and consistent approach to the way these model clauses are approved by the national data protection authorities ("DPAs").
Context
General rule
As a general rule, organizations who use the standard contractual clauses that were adopted by the European Commission to frame their transfers of data outside the EEA cannot change them unless they seek the prior approval of the DPAs of the Member States from where transfers are taking place. Nonetheless, companies may include the standard contractual clauses in a wider contract and add specific clauses such as commercial clauses (as permitted under paragraph VII of the model clauses 2004/915/EC, clause 10 of the model clauses 2010/87/EC and recital 84 of the proposed Data Protection Regulation) as long as they do not contradict, directly or indirectly, the standard contractual clauses or prejudice the rights or freedoms of the data subjects. For example, it is possible to include additional guarantees or procedural safeguards for the individuals (e.g., on-line procedures or relevant provisions contained in a privacy policy).
Need for authorizations
In many EU Member States, a national authorization is required for the use of ad hoc contracts (e.g., Austria, Belgium, France, Germany (in some Länder), the Netherlands, Poland or Spain) or for transferring data outside the EEA on the basis of the EU model clauses (e.g., Austria, France or Spain). In practice, there has been a discrepancy between some DPAs who have traditionally been opposed to accepting any form of amendment to the model clauses and those who accept certain changes where they do not contradict the requirements under the model clauses.
Purpose: Obtaining an ad hoc approval from those DPAs can be challenging, thus making it complicated for international organizations to implement ad hoc model clauses or intra-group data transfer agreements in the different EEA countries where their affiliates are located. As a consequence, this has created a legal risk for organizations because DPAs in different jursidictions might adopt a different position with regard to an organization's contractual clauses.
For this reason, the WP29 has created a new cooperation procedure with a view to providing a more harmonized interpretation of the EU model clauses and adopting a common approach when reviewing the contracts used by organizations that are based on the EU model clauses.
Scope: This new cooperation procedure applies to both sets of model clauses that were adopted by the EU Commission covering controller-to-controller (2004/915/EC) and controller-to-processor (2010/87/EC) data transfers and is meant to be used where:
-
- an organization wants to use a single set of contractual clauses that are based on the EU model clauses (but with some divergences such as additional clauses);
-
- in different EEA Member States;
-
- in order to frame a same type or similar transfers from different EEA Member States; and
-
- this organisation wants to obtain a coordinated position of the competent DPAs regarding its proposed contract, and in particular, to verify whether this contract complies with the EU model clauses.
For example, this would be the case in certain corporate groups, where data systems may be centralized outside the EEA, and subsequently, the same set of contractual clauses are signed by the different EEA subsidiaries (e.g., by means of an intra-group data transfer agreement). The WP 29's document does not provide any specific examples, but one can expect that the DPAs will review a company's contractual clauses on the basis of a pre-established list of criteria with a view to approving or rejecting changes that are made to the model clauses. Where such divergences have no impact on whether the contract complies with the EU model clauses, then it is not required to follow this procedure.
It is not entirely clear whether this procedure can be used for transfers between an EEA processor and a non-EEA sub-processor. Earlier this year, the WP29 issued a draft version of its ad hoc model clauses covering such transfers, but these model clauses have yet to be formally drafted and adopted by the EU Commission, which is not yet the case (see our previous blog article).
Procedure: The cooperation procedure is largely inspired by, and based on, the actual approval procedure for Binding Corporate Rules ("BCR"). At the beginning of the procedure, the organization must send a copy of its contract clearly highlighting all the divergences and additional clauses to a lead DPA. Once the lead DPA is approved, a formal review of the organization's contract is carried out by the lead DPA to verify its conformity with the EU model clauses. For example, the lead DPA will verify whether the proposed contract is:
- based on the EU model clauses;
- diverts from, or contradicts, the EU model clauses; or
- prejudices the rights of the individuals.
Where the data are transferred from more than 10 Member States, two other DPAs will be appointed as co-reviewers. In all other situations, only one reviewer will be appointed in addition to the lead DPA. Once the lead DPA is satisfied that the contract complies with the EU model clauses, it issues an opinion in a draft letter and communicates the draft letter, the proposed contract and its analysis to the co-reviewer(s) who has one month to provide its comments. Following that, the draft letter is then sent to the remaining DPAs (in the countries where data are being transferred) who are part of the mutual recognition (they simply acknowledge receipt of the documentation without reviewing in detail) and to those who are part of the cooperation procedure (they have one month to review and provide their comments).
Once all the DPAs have reviewed, the lead DPA signs the letter of opinion on behalf of all DPAs concerned and sends the letter to the organization, indicating whether the proposed contract is compliant with the EU model clauses. From that moment on, the procedure is closed and the organization may then obtain the necessary approval or permit in the different Member States for the transfer of data outside the EEA.
Limitations: A significant difference with the BCR approval procedure is that the purpose of the coordination procedure for model clauses is not for the DPAs to approve an organization's contract as a whole, but rather to assess whether the proposed contract complies with the requirements under the EU model clauses. In other words, where the proposed contract integrates the EU model clauses within a wider commercial agreement, the lead DPA will review the contractual clauses that relate to data transfers, but will not review or adopt any opinion regarding the broader commercial terms of the agreement.
This was clearly expressed by the CNIL in a press release issued on 24 April 2014 in which the CNIL stated, when referring to Microsoft's "ad hoc model clauses", that the WP 29 had considered that the documents provided by Microsoft complied with the data transfer requirements under the EU model clauses, but had not assessed whether Microsoft's contractual clauses as a whole complied with EU data protection law, nor that Microsoft complied with those rules in practice. In other words, the WP 29 simply agreed that Microsoft had taken the necessary precautions to frame its international data transfers as required by article 26 of the Data Protection Directive.
Furthermore, the lead DPA's letter of opinion does not exclude that permits or authorizations at a national level may be legally required and companies may also be required to comply with other national requirements, such as notifications or administrative formalities with the DPAs. In particular, where permits or authorizations are legally required, national DPAs may still analyse the annexes and the description of the transfer in order to assess whether these are lawful under applicable national laws. In practise, this could mean that following the issuance of a letter of opinion, the organization in question may still need to put in place specific contractual terms to address the national requirements that apply to their local affiliates (e.g., specific security provisions to comply with laws in Spain or Poland) and in any case, will need to obtain a formal approval for the transfer of data where required. Nonetheless, this cooperation procedure may facilitate the administrative formalities under national law, and in theory, the DPAs in the countries concerned should comply with the opinion given by the lead DPA when issuing their permits or authorizations under national law.
Advantages: The main advantage of this procedure is that it will provide more clarity and legal certainty for organizations who want to put in place a single set of contractual clauses based on, or incorporating, the EU model clauses and are therefore seeking a common and coordinated position of the DPAs as to whether their contract complies with the EU model clauses. In that sense, the WP 29 has introduced some degree of flexibility by enabling organizations to depart from the EU model clauses and to tailor their contracts to each organization.
It also provides more clarity and a more harmonized interpretation of the EU model clauses by the DPAs, and in particular, makes it easier for organizations to use ad hoc contracts or intragroup agreements in countries where DPAs have traditionally been reluctant to approving such contracts. Consequently, this should enable organizations to adopt a more harmonized and consistent approach when rolling out their data transfer agreements across Europe.
Disadvantages: The downside is that in creating a new review process for model clauses, which previously did not exist, the WP 29 could make it more burdensome in some cases to use the EU model clauses. Depending on the time it takes for the lead DPA to issue its letter of opinion, there is a risk that the overall time needed for an organisation to obtain the necessary premit or approval from the various DPAs before implementing its contractual clauses will be stretched.
This procedure also puts organizations under more scrutiny by the DPAs. Officially, the cooperation procedure for model clauses is not obligatory, but nonetheless organizations will be pressured to follow it if their contracts depart from the EU model clauses. In practice, this means that rolling out ad hoc contracts or intra-group agreements will become less straightforward, and on the contrary, will be more formalized.
Finally, this procedure does not change the fact that, contrary to BCR, the EU model clauses do not constitute, and do not serve the purpose of, a group's global policy. And so, organizations will inevitably need to have different sets of clauses to frame their data transfers as controller and processor, whereas BCR can be used as a single set of rules to frame all transfers both as a controller and a processor.