Privacy & Information Security Law Blog

On March 17, the Article 29 Working Party released its Opinion 3/2009 (dated March 5) on standard contractual clauses for the transfer of personal data from data controllers in the EU to data processors outside the EU. The Opinion deals with proposed changes to the European Commission's decision 2002/16 containing standard clauses for controller to processor transfers. The Opinion discusses proposals to update these clauses to accommodate data transfers to sub-processors, in light of increased global outsourcing. Although not mentioned in the Opinion, the March 17 Opinion is based on the proposal made in October 2006 to the European Commission by three business groups (the International Chamber of Commerce (ICC), the American Chamber of Commerce to the European Union (AmCham EU) and the Federation of European Direct and Interactive Marketing (FEDMA)). The proposal of the three business groups would amend the existing clauses from 2002 to bring them into line with business realities.

The clauses are quite important for business, as they provide a legal basis for transferring personal data from the EU to data processors in other countries, and are often used in, for example, outsourcing contexts. Among the changes proposed by the three business groups was a new clause that for the first time would provide a legal framework for data transfers from one processor to another. This situation can occur, for example, when a data controller in the EU outsources the processing of personal data to a data processing company in the US, which in turn outsources the processing to a company in India. So far, European data protection law has lacked any discussion of the conditions under which such a transfer could be made between data processors. It is a significant development that the Working Party Opinion recognized this possibility.

Some of the other clauses proposed by the Working Party seem unrealistic and unworkable, such as requiring audits by data protection authorities in countries outside the EU, or requiring that the contract between the data processor and the subprocessor, be governed by the law of the country of the data exporter in the EU. ICC and the other business groups will work with the European Commission with the goal of ensuring that the final clauses approved by the Commission are drafted in a way that makes them useable in the real world. The final Commission decision on the clauses is not expected for a few months.