International transfers of personal data are heavily restricted under EU data protection rules. As a general rule, transfers from an EU/EEA Member State to recipients in countries outside the EU/EEA are only permitted if the laws of the recipient country ensure an adequate level of data protection. There are only limited exceptions to this rule. For instance, organizations may transfer personal data to countries outside the EU/EEA that do not ensure an adequate level of data protection if they have entered into a data transfer agreement using one of the sets of EU approved standard contractual clauses. Up to now, the European Commission has approved three sets of contractual clauses: two of these sets apply to transfers from data controllers to other data controllers, while the third set has been drafted for transfers from data controllers to recipients who act as data processors only. In EU privacy parlance, if organizations hold or process personal data without taking responsibility for or control over the data (e.g., payroll service providers), they are viewed as “processors”.
On February 5th, the European Commission decided to modify the standard contractual clauses for “controller to processor” transfers of personal data, repealing the original decision (Decision 2002/16/EC) that introduced these clauses back in 2002. The European Commission considered it necessary to adjust the existing standard contractual clauses to meet the growing challenges of global outsourcing. As more and more organizations are transferring personal data not only to a “processor” but also to one or more “sub-processors” (and sometimes “sub-sub-processors”) outside the EU/EEA, the original standard contractual clauses were no longer suitable to deal with these complex onward transfers.
So what’s new about the updated set of standard contractual clauses? The most important novelty is the inclusion of a specific subcontracting clause, which imposes a number of requirements on parties wishing to use sub-processors. Sub-processing will, for example, require the prior written consent of the data controller, while the data processor must put in place a written agreement with each sub-processor that mirrors the terms of the “controller to processor” agreement. In some cases it may be possible to meet this requirement by having the sub-processor co-sign the data transfer agreement between the controller and processor including the standard contractual clauses.
The subcontracting clause also includes specific liability provisions: if the sub-processor fails to fulfill its data protection obligations, the data processor remains fully liable to the data controller for the performance of the sub-processor’s contractual obligations. In addition, the contract between the processor and its sub-processor must include a third-party beneficiary clause so that individuals can bring a claim for compensation directly against the sub-processor where they are unable to bring it against the data controller or processor (e.g., because the controller or processor has become insolvent). Such third-party liability is, however, limited to the sub-processor’s own data processing operations.
The new subcontracting clause further includes the possibility for European data protection authorities to audit the full chain of sub-processing and, where appropriate, to take binding decisions on the data controller, processor and sub-processor under the applicable data protection law. The subcontracting clause therefore provides that the law of the Member State in which the data controller is established also applies to contracts entered into for subcontracting services. According to an opinion issued by the Article 29 Working Party early last year, the ability of European data protection authorities to conduct audits of sub-processors is essential to ensure compliance with the standard contractual clauses and the level of protection required of all (sub-)processors. As an additional measure to ensure this level of protection through all layers of subcontracts, the data controller is expected to keep an updated list of all sub-processing agreements notified by the data processor.
It is worth noting that the new set of standard contractual clauses only applies to subcontracting by a data processor established outside the EU/EEA of its data processing services to a sub-processor also established outside the EU/EEA. The new clauses do not apply to international sub-processing (outside the EU/EEA) by a processor established in the EU/EEA. The Article 29 Working Party already warned last year that this situation could cause a competitive disadvantage for European-based processors that would be required to bear administrative burdens greater than those of processors outside the EU/EEA in order to perform equivalent processing services. There is a possibility that in the future the European Commission may adopt a new and separate set of standard contractual clauses that controllers and processors established in the EU/EEA can use for data transfers to sub-processors outside the EU/EEA. In the meantime, the European Commission has suggested that “Member States are free whether to take account of the fact that the principles and safeguards of the standard contractual clauses have been used to subcontract”. In other words, data protection authorities should perhaps consider as adequate protection for international data transfers the fact that controllers and processors established in the EU/EEA have included the new standard contractual clauses into their agreements with sub-processors outside the EU/EEA.
The updated set of standard contractual clauses enters into force on May 15th. Data transfer agreements that include the previous set of clauses remain valid. However, organizations wishing to amend their data transfer agreements after May 15th (e.g., to introduce subcontracting arrangements) will need to make sure that these agreements are brought in line with the new standard contractual clauses.