


The Use of Contracts and BCRs
to Transfer Personal Data
The European Union – United States Safe Harbor framework:
bringing differences in approaches to data protection
Washington, 7 December 2005
Agustín Puente Escobar – Head of the Legal Department
Agencia Española de Protección de Datos

1. Introductory

How to transfer data from the EU to the US
Options
• Safe Harbor
• Cases under art. 26 (1) EU Directive
• Contracts with model clauses
• Binding Corporate Rules

“In order to facilitate data flows from the Community, it is desirable for data controllers to be able to perform data transfers globally under a single set of data protection rules. In the absence of global data protection standards, standard contractual clauses provide an important tool allowing the transfer of personal data from all Member States under a common set of rules.”
Commission Decision 2004/915/EC, Preamble

Requirements under Spanish Data Protection Act
• Importer included in the SH list, or a case under art. 26 (1) EU Directive:
– Notification of the proposed TDF to the AEPD’s Register
– Inscription of the TDF in the AEPD’s Register
• If not: provide adequate safeguards (contractual clauses or binding corporate rules):
– Authorisation of the Director of the AEPD

2. Contractual clauses

Possible options for contractual clauses
• TDF from controller to controller
– Commission Decision 2001/497/EC
– Commission Decision 2004/915/EC
• TDF from controller to processor
– Commission Decision 2002/16/EC
• Moreover
– Other contracts that provide adequate safeguards according to internal law

“Since the use of standard contractual clauses for international data transfers is voluntary, as standard contractual clauses are only one of several possibilities under Directive 95/46/EC for lawfully transferring personal data to a third country, data exporters in the Community and data importers in third countries should be free to choose any of the sets of standard contractual clauses, or to choose some other legal basis for data transfer.”
“As each set as a whole forms a model, data exporters should not, however, be allowed to amend these sets or totally or partially merge them in any manner.”
Commission Decision 2004/915/EC, Preamble

Applicable law to data processing by the importer
• Purpose: to provide adequate safeguards within the personal data flows between both parties.
• Therefore: contractual clauses must provide an “adequacy area” within these flows, equivalent to, for instance, the Safe Harbor.
• Consequence: the applicable law should be “adequate”
– Law of the country where the exporter is located
– Core principles
– Safe Harbor principles (if the importer is established in the US)

Core principles
WP12 and Decisions on standard clauses
• Purpose limitation.
• Data quality and proportionality.
• Transparency.
• Security and confidentiality.
• Rights of access, rectification, erasure and blocking of data.
• Special categories of data (consent, specific security measures).
• “Opt-out principle” when using the data for direct marketing purposes.
• Automated individual decisions.

Basic content of contractual clauses
Under Decisions 2001/497 and 2004/915
• Third party beneficiary clause
– The data subject must be able to enforce the contract against both parties
• Liability
– Joint and several, or
– Based on “culpa in eligendo” or “in vigilando”
• Restrictions to onward transfers
– Unless adequacy or consent is found
• Security and audit
– To ascertain compliance with the warranties and undertakings provided by the clauses
• Non-variation of the clauses

3. Binding Corporate Rules

Legal Components of BCR’s
WP 74, 03 June 2003
• Pre-approved as compliant with the law governing protection of personal data in participating EU jurisdictions
– Subject to procedural requirements of participating member states; BCRs do not replace notification requirements (WP 74, p. 15).
• Internally binding and enforceable on all business units
– Binding between all business units
– Binding between employer and employees
– Binding on sub-contractors
• Externally binding and enforceable on all business units
– Consent to jurisdiction of the DPA and courts in the country of headquarters or place of alleged infraction
– Consent to the burden of proof of compliance
– Guarantee of corporate responsibility for damages

Legal components of the BCRs.
WP 74, 03 June 1998
• Data processing regulation should respect EU data protection principles
– “Compliance with national law is of course a condition sine qua non for any authorisation to be granted.”
• Limitation to onward transfers outside the group
– “Transfers from members of the corporate group outside of the Community to companies outside the corporate group would be possible by subscribing the standard contractual clauses adopted by the European Commission.”
• Third party beneficiary rights
– “The scope of the third party beneficiary rights should match at least the one granted by the Commission Decision 2001/497 in respect of both the data importer and the data exporter.”

Practical Components of BCR’s
WP 74, 03 June 1998 and WP 108, 14 April 2005
• Binding Corporate Rules must include (not exhaustive):
– Process flows of information compliant with data protection safeguards
– Internal enforcement process, including: transparency of rules, means for data subjects to verify compliance, a complaints handling process, and sanctions
– Mechanism for reporting changes
– Evidence of effective incorporation of both internal and external binding liability (such as contracts)

Coordinated Procedure for Establishing BCR’s
WP 107, 14 April 2005
[Flow diagram, reconstructed as a list of its steps]
1. Corporate representative proposes a Lead DPA (national data protection authority).
2. Corporate representative submits draft Binding Corporate Rules; the Lead DPA distributes them to the implicated DPAs with a recommendation; review and comment by all implicated DPAs; consensus.
3. Corporate representative submits final Binding Corporate Rules; the Lead DPA distributes them to the participating DPAs with a recommendation; review and comment by the remaining DPAs; consensus (with opt-out).
4. Fulfilling internal requirements; distribution to the participating DPAs with a recommendation; review and comment by the remaining DPAs; adoption by the remaining DPAs (with opt-out).

Determination of “Lead Authority”
• Factors in DPA country selection:
– Group headquarters
– Relative significance of presence (number of employees) vis-à-vis affiliates in other countries
– Where responsibility for data processing is situated, or where decisions regarding processing are taken
– Where most data processing occurs
– Country from which most data transfers occur
• The determination is the prerogative of the implicated DPAs, by consensus, to deter forum shopping.
[Figure: relative factor weight]

Caveats to “Pre-Approval”
“However, additional requirements that may exist in each country, such as notification or administrative formalities, may also have to be complied with.”
Working Paper 107, p. 4, point 6.

Obstacle to BCR’s in Civil Code Systems
• In civil code systems, unilateral declarations are not legally binding.
– Spain, Italy
– I.e. the Spanish Civil Code only considers the law and the contract as sources of legal liability
• Without a legal recourse for citizens on the basis of a binding contract, the concept of Binding Corporate Rules will not satisfy constitutional requirements protecting the rights regarding personal data.
• Possible solutions:
– Include Binding Corporate Rules in a negotiated agreement with the Works Council. Result: a contract with the workers’ representatives.
– Expressly provide in legislation for Binding Corporate Rules as a ground for civil action.

Impact of forthcoming regulation pursuant to LOPD
• Proposed solution in Spain:
– The Spanish Draft Royal Decree which develops the provisions of the LOPD 99 accepts the use of BCRs for international data transfers on the basis that they are adopted as a code of conduct and are legally binding for all of the company’s international subsidiaries.

Additional Considerations
from Spanish Perspective on BCR’s
• Component: a high level of cooperation between the company and the DPA.
– The AEPD considers an application for approval of BCRs as a commitment to work with the Agency in good faith to ensure protection of personal data.
• Approval of BCRs can be revoked given reasonable indication of failure to comply (LOPD Art. 37(f)).

International Data Transfers – Binding Corporate Rules
• The AEPD is working with the Commission and other DPAs via the Article 29 Working Group to develop a regime that facilitates multinational compliance that is efficient and effective through Binding Corporate Rules.