Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

International data contracts [1998] PLBIRp 18; (1998) 45 Privacy Laws and Business International Report 6

Work on International Contracts makes progress

MODEL CONTRACTS for transborder data flows are beginning to take shape, but will not be adequate on their own. In addition, different countries and sectors may use different models.

The 11th Privacy Laws and Business Annual Conference in July included a session looking at the issues sur- rounding the use of contractual clauses as a means of regulating trans- border flows of personal data. The question is an increasingly important one for international companies given the requirements of the EU Directive would be useable by business in any country with privacy legislation. The work began in early 1997 and is due for completion in September 1998. It is hoped that the standard format developed will be accepted by data pro- tection authorities as a viable basis on which data can be transferred without an undue administrative burden. conference at the end of September will seek to refine the approach further.

“WE CAN’T AFFORD TO WAIT FOR CASE LAW”

In the United Kingdom, the Confederation of British Industry Data Protection Group has also been actively developing an approach, and

that data may be transferred outside the EU only if protection is adequate Vivian Bowern, the Chairman of the Group, was able to give a detailed

or if specific contractual solutions are in place.

Nick Platten, data protection con- sultant and advisor to DG XV of the European Commission, set the agenda by explaining the key ques- tions raised by the EU Data Protection Commissioners in their document of ‘preliminary views’ adopted in April 1998. The group has now issued a working document which expands the themes discussed in the first paper (p.15).

There then followed three presen- tations which demonstrated how three different groups were in the pro- cess of working on model contractual clauses which sought to find a practi- cal way to resolve the difficult issues highlighted by the Commissioners.

“LET THE PARTIES NEGOTIATE” Charles Prescott, US Council for International Business, gave an account of the work of the International Chamber of Commerce

(PL&B Feb ‘98 p.28). The ICC work, while naturally keeping the EU direc- tive very much in mind, is taking an even broader approach by seeking to develop contractual clauses which Mr Prescott was of the view that good compliance can be achieved by letting the parties of the contract negotiate. In case of a dispute, the exporter would recover damages.

“SELF-REGULATION IS HERE TO STAY”

Robert Belair, Mullenholz, Brimsek and Belair, reported on the efforts of the Privacy and American Business

‘Global Business Project’ to develop model contractual clauses in co- operation with leading US multi- nationals. The approach here is to develop different models for different sectors. A meeting on 31st August and a Privacy and American Business

account of this work. Here the focus is on providing clauses which would be operational in the context of the new UK legislation implementing the EU directive, although the drafting avoids UK-specific terms with the intention of making the end product more widely usable. The CBI model is based around a relatively small number of clauses supported by a set of schedules providing greater detail. It is envisaged that such a model will be adaptable to all the main situations in which data is transferred outside the EU:

• transfers within multi-national groups or consortia,

• to third party processors,

• when data are sold or licensed to third parties,

• or transfers as part of the provision of professional services.

“PRIMARY RESPONSIBILITY ON DATA CONTROLLERS”

Francis Aldhouse, UK Deputy Data Protection Registrar, discussed the role of contracts in the wider debate about ‘adequacy’ and transfers of per- sonal data to third countries, and the possibilities envisaged by the UK’s

the Data Protection Act 1998, for the Data Protection Commissioner to authorise particular transfers or to approve standard terms on the basis of which transfers could take place. He also expressed the view that the Commissioner might choose to consider contracts, not on their own, but as part of the overall package of protection provided for data trans- ferred to third countries, and thus refrain from using her powers to authorise and prove specific clauses in the way envisaged by the new law and the directive.

SUBJECT RIGHTS IMPORTANT

A number of important points emerged from the session. First, there seems to be a broad consensus that a contractual solution should seek to maintain liability for compliance in the data exporting country, so that data subjects have the means to obtain a remedy without recourse to assis- tance in a foreign jurisdiction. While this is a shared goal, there is equally,

however, a general acknowledgement that this is easier said than done, par- ticularly in a country such as the UK which does not permit the creation of rights for third parties to a contract, such as data subjects.

A second key issue concerns the degree of standardisation of contrac- tual terms that can be achieved. While the ICC is ambitiously aiming for a single set of clauses for use in all situ- ations in all countries, Privacy and American Business is working on a sector by sector basis.

WILL EU COMMISSION MAKE DECISIONS?

Finally there is an issue regarding the degree to which each EU Member State will be able to develop its own approach to model contract clauses. The directive will require all data transfers authorised on the basis of contractual guarantees to be notified to the European Commission so that a decision can be made at Community level. However, if con-

tracts are considered in some Member States as part of the general level of protection afforded in a third country, this national approach might be used as a means of bypassing the procedure of notifying the European Commission.

This is an edited report of a session on international contracts at the Privacy Laws & Business Annual Conference 1998 by Nick Platten, data protection consultant and

advisor to DG XV.