Draft ad hoc contractual clauses for EU data processor to non-EU sub-processor — consensus at last?
Article first appeared in Privacy & Data Protection Journal, Volume 14, Issue 7
Dominika Kupczyk examines the current state of play with regard to EU Model Clauses, and comments on the process envisaged by the Working Party in its recently released Working Document on draft ad hoc contractual clauses for ‘EU data processor to non-EU sub-processor’ arrangements.
On 21st March 2014, the Article 29 Working Party adopted Working Document 01/2014 on draft ad hoc contractual clauses for ‘EU data processor to non-EU sub-processor’ arrangements (referred to in this article as ‘draft ad hoc clauses’). The Working Document represents the first instance that the European data protection regulators appear to have achieved a level of consensus about legitimising data transfers between European processors and their non-EU subcontractors — a topic that has been problematic since 2010.
Transfers of personal data to third countries (i.e. outside the European Economic Area) are regulated by Articles 25 and 26 of the EU Data Protection Directive 95/46/EC (‘the Directive’). The Directive contains a general prohibition on such transfers unless an adequate level of protection for individuals is ensured.
Under Article 25(6) of the Directive, the European Commission has the power to make determinations of adequacy of laws regulating protection of personal data that are binding on the EU (and EEA) Member States. However, the list of countries recognised as adequate remains extremely short (there have been only fourteen decisions issued to date — see www.pdpjournals.com/docs/88199).
Exceptions to the general prohibition on transfers to third countries are set out in Article 26 of the Directive, and are as follows:
- the controller can refer to one of the six derogations listed in Article 26(1);
- the controller may adduce additional safeguards with respect to the protection of privacy and fundamental rights (e.g. by using appropriate contractual clauses or binding corporate rules — see Article 26(2)); and
- the controller may adopt the Commission’s standard contractual clauses, referred to also as ‘Model Clauses’ (Article 26(4)).
The latter option, i.e. approved Model Clauses, has been treated differently in the national laws of EU Member States. Some countries require Model Clauses to be filed with their national Data Protection Authority (‘DPA’) and approved before a data transfer to a third country can be lawful.
Many jurisdictions take a more relaxed approach, whereby if a controller is basing the legitimacy of the transfer on Model Clauses, no further steps are required. This more relaxed approach explains why Model Clauses are still an attractive solution for controllers, albeit a rigid one. To be able to base legitimacy of transfers on Model Clauses, controllers are not allowed to amend the EU Commission’s approved text, but are permitted to add commercial clauses to the contract containing the Model Clauses.
Current state of play on Model Clauses
So far, the European Commission has exercised its right to recognise standard contractual clauses as offering adequate safeguards for the purposes of Article 26(2) of the Directive on only four occasions. The following sets of Model Clauses have been published to date:
- 2001 Set I EEA controller to non-EEA controller;
- 2002 Set I EEA controller to non-EEA processor (repealed by 2010 Set II);
- 2004 Set II EEA controller to non-EEA controller (alternative to the 2001 Set I); and
- 2010 Set II EEA controller to non-EEA processor.
This list of approved Model Clauses illustrates the gap that currently exists with regard to Model Clauses — namely, all of them focus on transfers from EEA based controllers.
When an EEA controller outsources data processing to an EEA processor (Part I), who then outsources onto a non-EEA sub-processor (Part II), no Model Clauses or any other adequacy mechanisms are needed for Part I of the supply chain, because it occurs within the EEA. The legal exposure arises in Part II of the transfer.
For Part II, in some limited circumstances of transfers to the US, Safe Harbor was of assistance when transferring data to an appropriately certified US company. However, that option has become less attractive since the recent criticisms of the Safe Harbor Scheme by European regulators.
Some controllers attempt to deal with the compliance challenge of Part II of the transfer by entering into data processing agreements directly with the non-EEA sub-processors, thus adding complexity to the outsourcing scenario. Such ad hoc data transfer agreements with non-EEA sub-processors often have to be negotiated and approved by national DPAs, resulting in an additional administrative burden.
When the EEA processor wants to appoint a non-EEA sub-processor to further outsource the processing, there are no Model Clauses available. This puts EEA processors at a significant disadvantage compared with non-EEA processors, who are able to use the 2010 Set II clauses, which contain provisions regarding sub-processing.
The first DPA to recognise this as a problem, and to provide a solution to it, was the Spanish DPA. Since 2012, Spanish data processors have been allowed to obtain authorisations for transferring data processed on behalf of their customers (data controllers) to sub-processors based outside the EU, on the basis of a specific set of standard contractual clauses for processor-to-sub-processor transfers and a new procedure introduced by the Spanish DPA.
The new Working Document
So Working Document 01/2014 (copy available at www.pdpjournals.com/docs/88201) is a first step on the road to eliminating the above described compliance headache, which is troubling many EEA based processors. In the Working Document, the Article 29 Working Party proposes a draft of a new set of contractual clauses dedicated to the international transfers of personal data from an EU data processor (data exporter) to a non-EU data sub-processor (data importer) and subsequent sub-processors (as applicable).
Undoubtedly, this demonstrates European data regulators’ awareness of the gap in the scope of the existing Model Clauses. The draft ad hoc clauses, if approved, will be published by the European Commission exercising its right under Article 26(4) of the Directive. It is important to note that, as they are still in draft form and have not yet reached the stage at which they become legally binding, they cannot currently be used to adduce adequacy of protection.
Approval of Microsoft cloud terms
Shortly after the publication of the draft ad hoc clauses, in April 2014, Microsoft publicised a letter that the company received from the Article 29 Working Party (accessible at www.pdpjournals.com/docs/88200) which, in essence, stated that the new version of the ‘Enterprise Enrolment Addendum Microsoft Online Services Data Processing Agreement’ (‘the MS Agreement’) and its Annex 1 will be in line with the 2010 Set II EEA controller to non-EEA processor Model Clauses. The letter stated that the effect of this determination was that the MS Agreement should not be considered as ‘ad hoc’ clauses. This means that, according to the Article 29 Working Party, the MS Agreement has effect equivalent to the EU Commission’s approved clauses.
The MS Agreement has not as yet been made public, so it is difficult to assess how different it is from the existing 2010 Set II clauses. It is worth remembering that the EU Commission’s Model Clauses cannot be modified, but can have commercial clauses added or be part of a larger contract. Taking into account that Microsoft’s clientele includes large organisations which are likely to want to negotiate the provisions of the MS Agreement, it remains unclear to what extent the national DPAs will tolerate any amendments.
The letter constituted an unprecedented step by the Working Party. Although the actual letter does not have legal effect per se, it is an expression of the collective thinking of the European data protection regulators. It can be expected that Microsoft and its clients will need to jump through fewer hoops in getting their transfers authorised. Indeed, the letter stated verbatim that ‘in practice, this will reduce the number of national authorisations required to allow the international transfer of data (depending on the national legislation).’
Commentators varied in their opinions as to the significance of this development. It is worth pointing out that Microsoft and its clients will be still required to complete Appendices which set out the description of the transfers of data and of the technical and organisational security measures implemented by Microsoft, as the letter does not address the issue of appropriateness of Microsoft’s security measures. These Appendices may be analysed separately by the national DPAs before which the MS Agreement is filed in the future.
This is an area that might prove a real sticking point in some jurisdictions where the local DPAs do not look favourably on sensitive personal data transfers, as well as countries which have national laws specifying the minimum security measures (e.g. Spain or Poland). It will be interesting to see how the national DPAs approach the first filings and/or requests for transfer authorisations of the MS Agreement.
Draft ad hoc clauses — key provisions
Categorised under the headings below are the key provisions under the draft ad hoc clauses.
Article 17 of the Directive requires controllers to enter into an agreement with any data processor that is acting on their behalf. In line with this provision, the prerequisite to use of the draft ad hoc clauses is that the contract between the data controller and the data processor (the ‘Framework Contract’) contains a provision permitting sub-contracting of data processing.
The draft ad hoc clauses clarify that the data controller must give the permission for sub-processing in writing, and that it can be either general or specific. The latter means that an individual authorisation for each new sub-processor will be required. On the one hand, the specific authorisation option is more burdensome for the controller and the processor alike, as each time a new sub-processor is to be appointed, the Framework Contract would need either modification or an addendum. As a minimum, a standalone authorisation document would need to be created, setting out that permission is granted for the appointment.
On the other hand, specific authorisation might be preferred when the processing is commercially (or otherwise) sensitive, and the controller wants to maintain absolute control over the parties involved in the supply chain. In any case, even when the controller gives a general authorisation, the processor will still need to inform the controller whenever a new sub-processor is appointed, and give the controller time to object or to terminate the contract. Termination is an extremely harsh option in this case.
Clause 4 of the draft ad hoc clauses sets out the obligatory contents of the Framework Contract. These, among others, include:
- a statement of compliance with applicable laws — in terms of lawfulness of processing, technical and organisational measures, depositing of the contract with the local DPA and obtaining necessary permits (if required). This is not an unusual provision, and many ad hoc clauses currently used by outsourcers already contain such provisions;
- that processing is to happen exclusively on data controllers’ behalf;
- a statement that if sensitive personal data are transferred, data subjects will be informed;
- sharing of information with the relevant DPA (i.e. the DPA of the country of the controller’s main establishment), and disclosure by the processor to the controller of requests from law enforcement authorities and of changes of law which might have a substantial adverse effect on the warranties and obligations in the ad hoc clauses;
- making copies of the Framework Contract and ad hoc clauses available to individuals and DPAs on request. Security measures can be described in a shortened format and commercially secret information can be redacted;
- provisions as to what happens to the data post-termination of the contract; and
- a statement that the controller will be liable for compensation for damage suffered by the data subject.
The Framework Contract must set out the obligation on the data controller to maintain a list of sub-processors. This will be a significant administrative burden, and one that will not be easy to comply with given the intricacies of modern outsourcing scenarios, e.g. in the context of cloud computing. Connected with this obligation will be a right to suspend transfers or terminate the Framework Contract if the processor does not enter into sub-processing agreements with its contractors. Also, the processor is to be liable for non-performance by any of the sub-processors.
The draft ad hoc clauses will require that the obligations set out in the Framework Contract are transmitted by the processor, via sub-processing agreements, to parties down the supply/service chain. This means that non-EU sub-processors will be required to comply with exactly the same obligations (including security measures) as those set out in the Framework Contract for the EU processor. Although the world is becoming a global village in terms of the negotiation of such contracts, EU processors are likely to meet with a level of resistance from non-EEA based sub-processors, which do not otherwise have to comply with the Directive.
Applicable law and security measures
The draft ad hoc clauses shall be governed by the law of the Member State in which the data controller is established. With regard to the security measures applicable to the data processing, however, it will be the law of the country in which the data exporter (i.e. the data processor) is established that applies. The law of the data exporter shall also prevail over any conflicting provisions in the law applicable to the data controller.
Third-party beneficiary and liability
According to the draft ad hoc clauses, it will be the data controller who is responsible and accountable for data protection compliance vis-à-vis the data subjects. However, if the data controller has ceased to exist, the liability may pass to the data processor, and ultimately to the sub-processor if the processor has also ceased to exist. This would mean that a non-EEA sub-processor could find itself liable for the EEA data controller’s lack of compliance with even the most basic data protection obligations. It remains to be seen whether this provision makes it into the finalised version of the draft ad hoc clauses. Although the possibility of being sued by an EU citizen might be remote, it will certainly be a factor that the risk and compliance teams of non-EEA based sub-processors take into account when assisting their sales teams in pricing outsourcing services and negotiating contracts with EU based processors.
Data breaches and audits
The Framework Contract will impose an obligation on the data processor to inform the data controller about any accidental or unauthorised access to the data. This obligation, in turn, is also imposed on sub-processors. Such data breach notification is nothing new, and is already considered best practice.
The audit rights which the draft ad hoc clauses prescribe are more stringent. Processors and sub-processors are to agree to submit to an audit of their data processing facilities by the controller, by any professional auditors appointed by the controller and, most importantly, by the DPA of the country of establishment of the controller. Third party independent audits are a growing trend within the outsourcing industry, sought out both by controllers and processors as a means of providing reassurance as to the quality of organisational and technical security measures.
Outsourcing companies tend to resist controllers’ access to their processing facilities, as such access can be difficult to reconcile with confidentiality obligations when the outsourcer provides services to many clients from the same facility. A solution usually acceptable to both sides of the outsourcing relationship is to have a third party audit the provider. One could speculate how likely it is that the often under-resourced national DPAs could afford to send auditors to a country outside the EEA (e.g. India or the Philippines, which are big outsourcing hubs) to carry out inspections of data processing facilities.
Would EU DPAs try to resort to some kind of mutual assistance schemes with national DPAs in the non-EEA countries? There is certainly some precedent for transnational cooperation between DPAs — e.g. the Global Privacy Enforcement Network (‘GPEN’). However, GPEN’s activities may be distinguished in that they comprise many national DPAs inspecting various areas of compliance within their own jurisdictions.
The Article 29 Working Party’s letter to Microsoft and the ongoing negotiations of the draft EU General Data Protection Regulation prove that the regulators finally seem to be listening to EU processors’ concerns. That said, it is important to note that — in their current form at least — the draft ad hoc clauses contain many provisions that are going to be simply unpalatable to many companies.
At this stage, the main purpose of the document is promotion of a more harmonised approach to the question of such contracts. The draft ad hoc clauses clearly show the preference that European regulators seem to have for framework contractual setups between controllers, processors and sub-processors and for ensuring that all obligations applicable on data controllers are passed on down the supply chain.
Until they are formally adopted by the European Commission, the draft ad hoc clauses cannot be used to adduce adequacy of transfers. The question is what organisations should do with this development. Should they, for instance, be adjusting their contracts to take account of these draft ad hoc clauses? The answer is: ‘it depends, but probably not’. The draft ad hoc clauses appear highly uncommercial in their approach, and the long catalogue of provisions that the respective contracts are to contain seems virtually impossible to achieve.
However, the development should not be dismissed altogether. It allows us to learn about the thinking of regulators with regard to these types of transfers, and gives an insight into the ‘wish list’ of provisions that regulators would like to see in the contracts. EU processors would be well advised to compare their existing precedents against the draft ad hoc clauses, and to consider whether their own templates can be improved by taking into account even only some of the solutions proposed by the European regulators.