
Privacy Laws and Business International Report


EU drafts a model contract to facilitate data flows from 2001 [2000] PLBIRp 46; (2000) 56 Privacy Laws and Business International Report 3

EU drafts a model contract to facilitate data flows from 2001

THE EUROPEAN UNION'S MODEL CONTRACT, due to be published by mid-2001, should provide a reliable tool for businesses transferring personal data from the EU to countries without adequate data protection laws.

The September 2000 version has been redrafted several times in the light of comments and is now a much shorter document concentrating on essential elements. The European Commission submitted a new version to the Art. 29 and Art. 31 committees in November. The Art. 31 committee was due to reach an opinion at its 19th December meeting, while the Art. 29 committee is expected to follow by February 2001. By March, the draft is expected to go to the European Parliament, which has four weeks to begin its study of the draft and a further six weeks to prepare its opinion. By May, the draft should return to the European Commission for final approval.

WHEN TO USE MODEL CONTRACT

The EU's draft model contract, prepared with the assistance of the EU Data Protection Working Party (Article 29 Group), provides a framework for various types of business-to-business data transfers to third countries. It states clearly the privacy obligations of both parties. The draft contract could be used in the following situations:

1. A transfer within an international or multi-national group of companies

2. A transfer within a consortium of independent organisations set up to process international transactions

3. A transfer between the providers of professional services whose clients' affairs are international in scope (for example lawyers, accountants, financial advisers, stockbrokers, surveyors)

4. A transfer which amounts to a license for use and/or a rental payment in respect of personal data used (for example, direct marketing)

5. A transfer which amounts to a sale of data to a third party with no continuing relationship either with the data subject or the purchaser (for example direct marketing or insolvency/bankruptcy cases resulting in a change of ownership of a customer database).

DATA EXPORTER'S RESPONSIBILITIES

The draft contract spells out certain responsibilities for the data exporter and the importer. Both will have to agree to abide by the requests and orders of the Data Protection Authority of the country where the data exporter is established.

The organisations transferring data must, in the case of sensitive data, inform data subjects of the fact that their personal details are being sent to a country that does not provide an adequate level of data protection. If applicable, they must also register with the country's Data Protection Authority (note that European legislation differs on notification, and in some cases organisations will require a license). In addition, they will have to promise to respond to any enquiries by the Data Protection Authority about their data processing, and to some extent, also about the use of data by the recipient organisation. The organisations will also have to respond to subject access requests and disclose the name of the recipient organisation, and inform the recipient organisation about the data protection laws in the country where the exporter is established, and of any changes to that legislation.

DATA IMPORTER'S RESPONSIBILITIES

From the recipient organisations' point of view, using the model contract may turn into a heavy administrative task. In the case of multi-nationals that deal with all fifteen EU Member States, they will have to gain detailed knowledge about every EU data protection law.

The draft model contract states that the data importer undertakes to "process the personal data in accordance with the laws applicable to a data controller in the country in which the data exporter is established." As there are differences in the implementation of the EU Data Protection Directive, familiarity with just one or two European data protection laws will not be enough for these companies.

Data importers have to agree not to disclose personal data to any third parties unless they have received the prior written consent of the data exporter. Importers also have to nominate an individual within the organisation to deal with data protection. All documentation concerning data processing has to be delivered to the data exporter, or to independent auditors chosen by the exporter.

DISPUTE RESOLUTION

The model contract allows data subjects to enforce the terms of the contract as third party beneficiaries. This means that data subjects may pursue their rights against the importer. In cases of joint liability between the data exporter and importer, the parties would either agree to accept the decision of the EU court in which the data exporter is established, or the decision of an arbitration body in the exporter's country. The latter would require that the arbitration body allows for the "third party beneficiary clause" to be applied.

In cases of separate liability, the parties would agree to have the matter resolved in the national court of the importer's country, the national court of the exporter's country, or under the jurisdiction of an arbitration body.

GOVERNING LAW AND TERMINATION

The parties to the contract may choose whether they prefer the contract to be governed by the laws of the country where the exporter is established, a set of common rules, or the laws of a third country that provides for adequate protection of personal data. A set of common rules may be defined in a separate appendix at a later stage.

The parties to the contract will have to agree to submit a copy of the contract to the Data Protection Authority. The length of validity will be determined in the contract, and the termination of the contract requires three months' written notice. The data importer would return all personal data to the exporter, destroy all copies of personal records, and allow the data exporter access to its premises to ensure that this has been done.

Although now superseded, the September 2000 version of the preliminary draft for an EU model contract for transborder data flows can be found at the website of the Internal Market Directorate, http://europa.eu.int/comm/internal_market/en. Other model contracts are also being prepared, for example by the Confederation of British Industries (http://www.cbi.org.uk) and the International Chamber of Commerce (http://www.iccwbo.org).


URL: http://www.worldlii.org/int/journals/PLBIRp/2000/46.html