Privacy Laws and Business International Report

Model contracts for transborder data flows: a way forward [2000] PLBIRp 47; (2000) 56 Privacy Laws and Business International Report 4

Model contracts for transborder flows: a way forward

A report by Dr Waltraut Kotschy

CONTRACTS ARE NOT THE ONLY MEANS of achieving adequate protection for personal data where legislation is missing. A unilateral civil commitment, which would guarantee certain rights to data subjects, could be used instead.

Although it has already been widely realised that data protection is an important factor in human rights protection, the vast majority of states do not yet have data protection legislation. As a consequence, there is a considerable gap in data protection resulting from data export to countries without adequate data protection in place. The need to look for a legal instrument suitable for closing this gap is apparent since transborder data flow cannot, in many instances, be forbidden without causing serious harm to other lawful interests either of third persons or even of data subjects themselves.

Today's European data protection standard demands that national legislation should try to solve the problem of adequate protection in transborder data flow situations. This aim is expressly stated in the European Data Protection Directive, and has lately been introduced into the Council of Europe's data protection rules as part of the Additional Protocol to Convention 108 (which will be open for signature soon).

The provisions in international or national legal instruments dealing with the protection of data in the context of transborder data flows usually require the involvement of the independent Data Protection Authorities - whether in the form of a notification or even a licensing system. They also often mention contracts between the data exporter and the data importer as a means of ensuring data protection in transborder data flow situations.

INTERNATIONAL WORK ONGOING

For many years, there has been discussion on whether and how contractual provisions between the data exporter in a country with a high level of data protection and the importer in a country with a low level (or no) data protection could be used as a substitute for data protection legislation in the importing country.

An extensive report about the overall situation was recently released by the OECD (Draft Report on Transborder Data Flow Contracts, DSTI/ICCP/REG(99)15/REV2).

Models have been developed by several of the national Data Protection Authorities, and proposals have been made by different industry representatives. Also, a joint study by the Council of Europe, the Commission of the European Communities and the International Chamber of Commerce was undertaken on model contracts.

However, so far none of these model contracts have gained general acceptance, although the existence of such a model would help ease transborder data flow considerably. A new effort was launched recently by the European Commission in the context of a possible decision based on Art. 26 (4) of the EU Data Protection Directive about model contractual provisions guaranteeing adequate protection (see p.3 and p. 15).

If such a decision came to pass it would have a binding effect on all EU Member States. It does not seem completely unfounded to assume that this model would then become widely accepted, and might sooner or later even become a global standard for contractual clauses on transborder data flow. Any outcome of discussions on this topic in international fora is therefore particularly interesting as it might have an influence on the EU work on new model contractual clauses.

The following remarks will concentrate on the conditions which would create the effect that contracts could substitute for the lack of legislation in the importer's country, and will also deal with the question of whether contracts are the only means for achieving effective data protection where legislation is missing.

ARE CONTRACTS SUITABLE?

The main aim of a transborder data flow contract would be to extend the protection which is guaranteed in the exporting country for personal data to the importing country. The question is how far this is legally possible. The protection of data in the exporter's country with adequate data protection legislation is guaranteed by:

o the existence of legal rules for the processing of data and

o the possibility for the data subject (especially with the help of a specific Control Authority) to enforce adherence to these rules.

A contract dealing with the data protection aspects of transborder data flow would therefore have to:

o establish certain rules which the importer would have to follow when using the transferred data, and

o enable the data subject to force the importer to adhere to these rules in spite of the fact that there are no such legally binding rules in the importer's country.

A contract between the exporter and the importer can undoubtedly create the effect of establishing legally binding rules for the importer for the use of personal data. This effect can, however, be triggered only by the exporter, it being the only other contracting party, unless the contract contains a "third-party beneficiary clause", granting to the data subject (who is not a party to the contract) the right to enforce all or certain of the contractual obligations. Such a third-party clause in favour of the data subject would put data subjects into a legal situation vis-à-vis data importers which is, at least in principle, comparable with the legal situation under domestic law, where they have certain rights against anyone who processes their personal data.

Consequently, a transborder data flow contract between exporter and importer, which contains a third party beneficiary clause (so that data subjects can enforce their rights against the importer) is, in principle, a suitable instrument for ensuring data protection in transborder data flow situations.

ARE CONTRACTS THE ONLY SUITABLE MEANS?

Until now, only model contracts have been discussed as a means for substituting legislation in the context of transborder data flow. The transfer of data has always been seen as a situation which touches mainly the interests of exporter and importer, so that it would be necessary for them to conclude a contract. Such an approach is certainly adequate concerning the civil or commercial law aspects of a transborder data flow.

Whether this is true also concerning the data protection aspect of a transborder data flow situation is open to doubt: data protection rights and obligations exist between the data subject and the user of his data. To ensure compliance by the importer via stipulations between third parties is actually a far-fetched solution, which works only if the data subject is artificially made a party to the contract by means of a third-party beneficiary clause.

POSSIBILITY OF A UNILATERAL CIVIL COMMITMENT

The creation of obligations on the importer vis-à-vis the data subject can be achieved much more easily by a unilateral civil law commitment (in Austrian civil law it would be called "Auslobung"), whereby the importer promises certain rights to the data subject, which could in consequence be enforced by the data subject before the competent courts.

This solution would establish a direct link of rights and obligations between the data subject and the importer, and would therefore seem to be a more natural and logical way of extending data protection to the importer. Additional contractual data protection obligations of the exporter should not be necessary since the relationship between data subject and exporter is already taken care of by domestic law.

Discussions between business representatives and the Austrian Data Protection Commission have shown that, in the context of transborder data flows within international groups of firms, unilateral commitments might be a rather practical solution. If there were a common set of data protection rules drawn up by headquarters of the group of firms and binding for the whole group, it seems reasonable that a unilateral commitment of a member of the group to respect these rules would be acceptable to a Control Authority, if it has to deal with data transfer to this member abroad, and is satisfied by the quality of the rules. This system would be much easier to handle than having to conclude (and to check) contracts between all the different members of such a group of firms.

If contractual solutions should, nevertheless, be favoured over unilateral commitment solutions, one should be aware of the fact that such contract models are usually not strictly limited to data protection aspects, and tend to introduce new additional data protection obligations for the exporter which are not contained in domestic law.

Whether this is justified is open to discussion. The answer may perhaps depend on the special circumstances of the type of transfer in question.

The following remarks will, nevertheless, concentrate on contracts. However, most of them can also apply to unilateral commitment solutions.

WHAT SHOULD BE THE SCOPE OF A MODEL CONTRACT?

When comparing the known proposals for model contracts in this area, there are wide differences concerning the proposed scope of these models. Several proposals for model contracts show a "fractionist" approach, for example:

o different contracts for multinational companies and for other business (several industry proposals), or

o different contracts for "Business to Business" transfers as against "Customer to Business" transfers (OECD report), or

o different contract models for different purposes or sectors of business (CNIL, France's Data Protection Commission), one contract model with different appendices (EU draft model), and so on.

Others (such as the Council of Europe's proposal or the approach of the Austrian Data Protection Commission) have been in favour of one contract model for all "controller to controller" transfers, and possibly one other model for "controller to processor" transfers.

Looking into the differences of substance in these proposed models, it seems however that a "one for all" approach should be possible if:

o the model contract contains alternatives on certain items and

o the description of the content of the transfer is not prefabricated but can be done by means of an open list.

The following remarks on the necessary content of a model contract shall, therefore, be based on the assumption that the model could serve all types of data transfer.

NECESSARY CONTENT OF A CONTRACT

1. Any model contract would have to include, first of all, a detailed description of the purpose and the content of the transfer:

o name, address and field of activity of the exporter and importer

o purpose of the data transfer

o purpose of the domestic data processing (this should be the purpose for which the data have been collected)

o the (categories of) data which are to be transferred

o the (categories of) data subjects concerned

o likely (categories of) recipients apart from the importer.

This information is necessary in order to be able to decide whether the intended transfer would be lawful as such, regardless of whether it were made to a domestic or a foreign recipient, and in order to assess the special risk which transfer to a country without adequate data protection would pose.

Additional information would be needed if joint liability were foreseen for specific situations of transborder data flow. As there is no certainty yet on which situations would trigger joint liability, it is not possible to elaborate on the necessary additional information.

2. The rules mandatory for the importer when using the transferred data:

Given that there are no binding data protection rules in the importer's country, it is necessary to establish such rules to set out the conditions of lawful use of the personal data transferred to that country. Such rules would have to focus on:

o for which purpose(s) and under which specifications the data may be used

o whether and under what conditions further use (onward transfer) is allowed

o which security measures would have to be in place and

o what are the rights of the data subjects, especially concerning access and damages.

It is often proposed that the relevant rules contained in the law of the exporter's country should be made mandatory for the importer. This is, from a theoretical point of view, certainly the best way to guarantee adequate protection for the data subject. From a practical point of view, it seems, however, quite difficult for an importer to know and correctly interpret foreign legislation, especially since he might have to follow several foreign laws.

Adherence to data protection rules would certainly be considerably easier - and therefore more often to be found - if the essence of European data protection standards could be formulated in a set of rules which are comprehensive and easy to understand. It would seem a worthwhile undertaking to develop such a set of rules. The "quality of data" principles of Art. 5 of Convention 108 and respectively of Art. 6 of the EU Directive would certainly be a valuable foundation on which to build such core principles.

The model contract could also allow for other alternatives to be chosen by the contractual parties as binding rules for the importer, such as the OECD Guidelines or Nos. 1-6 of the Safe Harbour Principles. However, the rules should always guarantee adequate protection. Whether this is the case will, according to many legislative regimes, be decided by the Data Protection Authority of the exporter's country (see Art. 26/2 of the EU Directive). Otherwise it will be the responsibility (and the risk) of the exporter to make a correct evaluation of the rules in question.

Any set of rules used for a transborder data flow contract will have to address the question of whether and how onward transfer of the transferred data is allowed. The Safe Harbour Principles, for example, deal expressly with this question in one of the principles. Looking at this question from an EU perspective, it would seem that onward transfer to a further recipient would need a renewed procedure according to Art. 26 (2) of the Directive in all cases which do not fall under Art. 26 (1). If, for example, the data subject has given his/her unambiguous consent, onward transfer would be lawful according to Art. 26 (1) without further need to approach the Control Authority.

There is, however, no coordinated final view yet between the EU Member States on this question. This is only one example for rules on onward transfer. The question of whether onward transfer would not actually always need a new licence or notification (unless there are special provisions comparable to Art. 26/1) is, however, a general problem, which should be looked into in order to find a coordinated view among countries with data protection legislation in place.

Any chosen set of rules would moreover have to contain provisions on how the data subject may obtain the right of access to his/her data from the importer, including the right of correction of inaccurate data and deletion of unlawfully processed data, and what are the conditions for claiming damages as a result of the fact that data were used in a way contrary to the obligations of the contract.

3. Enforcement of the contract:

a) Civil law obligations are usually enforced by suing the contractual party before the competent court. As a transborder data flow contract would have to contain a third-party beneficiary clause according to the model contract, the obligations of the importer could be enforced not only by the exporter but also - which is much more important from a data protection point of view - by the data subject.

In this respect, certain additional points would have to be addressed in the contract, such as:

o the place of jurisdiction, i.e. where the parties to the contract can respectively be taken to court, and

o which law will govern (be applicable to) the decision of the court complementary to the special rules laid down in the contract for the use of data. (The applicable law would govern the validity of the contract, the rules for the interpretation of the provisions in the contract, etc).

Among the many options for contractual stipulations concerning these questions, the most suitable options will be those which enable data subjects effectively to enforce their rights. A model contract should therefore either leave the choice of (the place of) jurisdiction to the data subject or - if this should not be acceptable - state that the jurisdiction of the exporter's country is mandatory if the importer should be taken to court by the data subject.

Concerning the applicable law (which is relevant only when complementary to the special data protection rules in the contract) it would seem practical if this question were solved in accordance with the question of jurisdiction.

b) In the context of effective enforcement of the data protection rules established by the contract, the idea of joint liability between the exporter and the importer is often introduced on grounds of making enforcement easier for the data subject. As this means, on the other hand, increasing the burden on the exporter, it seems necessary to look for a balanced solution limiting joint responsibility to the necessary and justified cases.

First of all, it should be clarified whether it is really intended to introduce "joint liability" in the usual civil law sense, which is mutual responsibility working both ways. It seems that it is rather an additional liability on the exporter for activities of the importer which is called for, and not vice versa.

Joint liability is usually envisaged in cases where several persons jointly render a service, and where it is typical that it would be difficult to attribute responsibilities correctly. If such special situations could be found and defined in a transborder data flow context, it might seem justified to envisage (something like) joint liability for these cases. However, if the advantages derived from a specific case of transborder data flow are not entirely and exclusively on the exporter's side, but also on the data subject's side - which is quite often the case - joint liability as a general solution might seem disproportionate and therefore unjustified.

c) It has been mentioned earlier that effective enforcement of the data subject's rights in the EU Member States includes the possibility for data subjects to ask for the help of the Data Protection Authority of their country. A contract between the data exporter and the data importer, providing for voluntary submission of the foreign importer under the jurisdiction of the Data Protection Authority, cannot, however, extend the law enforcement competence of a public authority like a Data Protection Authority to have jurisdiction over the foreign importer. This could only be achieved by an international bilateral agreement between the exporter's state and the importer's state.

The Data Protection Authority could only interfere by conducting an investigation into whether an existing notification or licence for transborder data flow should be revoked because of failure to comply with a contract which was a condition for granting the licence (accepting the notification). This would, however, most likely require persistent failure to comply, and would only affect future transfers; it would not help data subjects to enforce their rights concerning past infringements.

ESTABLISHING AN ARBITRATION BODY

In order to facilitate enforcement for data subjects, a private arbitration body, established at (or near to) the Control Authority could be called upon if the contract contained a suitable arbitration clause. This would probably need special provisions by law enabling the Data Protection Authority to act through this intermediary instrument of an arbitration body under private law. It could, however, provide for all the advantages of first rate expertise in data protection questions and - hopefully - a low cost procedure for the data subject.

A model contract should therefore contain an arbitration clause. However, if possible, it should not refer to some costly international institution with complicated procedures in a language foreign to the data subject, but rather to an institution, as similar as legally possible to the Data Protection Authority of the exporter's country.

d) A special problem of effective enforcement would be execution of the court decision. As the assets of the importer which could be drawn into execution of the court's decision would most likely not be situated in the exporter's country but in the importer's country, execution could be realised only if an international agreement on execution existed between the importer's and the exporter's country.

This is a question which would have to be considered when deciding about an application for granting a license for a specific transborder data flow. If, for example, sensitive data were included in a transborder data flow, special attention should be given to the question of whether data subjects have a realistic chance to enforce their rights against the importer. In the absence of an international agreement on court decisions, consideration could be given to demanding a deposit by the importer in case damages should be granted to a data subject by a court.

CONCLUSIONS

1. Contracts are a suitable means to extend data protection to a foreign importer residing in a country without adequate data protection, if they contain a third-party beneficiary clause.

2. Contracts are not the only instrument of civil law capable of achieving this result: unilateral commitments under civil law should be included into the discussion in future.

3. The necessary content of a model contract seems fairly clear; the contract should concentrate on data protection aspects and, as far as possible, not merely questions of civil or commercial law.

4. It could be favourable to global data protection if a set of rules were developed, describing the European data protection standard in comprehensive and easily understandable language.

5. Although the Data Protection Authorities cannot usually be called upon to enforce transborder data flow contracts, legal possibilities for the involvement of these authorities in private arbitration bodies should be created in order to facilitate enforcement by the data subject.

This report, presented at the Data Protection Commissioners' International Conference in Venice, Italy on 28-30th September, was written by Dr Waltraut Kotschy, Executive Member of the Austrian Data Protection Commission and the Data Protection Commissioner of the Council of Europe. She can be contacted at Büro der Datenschutzkommission und des Datenschutzrates, Bundeskanzleramt, Ballhausplatz, Vienna, A-1014 Austria. Tel: +43 1 53115 2528 Fax: +43 1 53115 2690.

URL: http://www.worldlii.org/int/journals/PLBIRp/2000/47.html