Tools for International Data Transfers – The Perspective of Multinationals

The European Union – United States Safe Harbor Framework:

Bridging Differences in Approaches to Data Protection

Art. 29 Working Party and U.S. Department of Commerce

Washington, 7 December 2005

Henriette Tielemans

Partner

Covington & Burling

Brussels

htielemans@cov.com

Safe Harbor Agreement

By far the most efficient instrument to date to legalize international transfers to a country without adequate protection

Main advantages:

– no prior approval required, unlike for BCRs and even SCCs

– flexible onward transfer rule

– pragmatic provisions (i.e., FAQ 14)

– positive for the brand (“Safe Harbor certified”, independent dispute resolution logos, etc.)

Main disadvantages:

– few participants: “nobody wants to be the first” syndrome

– jurisdiction in the U.S.

– only covers transfers to the U.S.

– some sectors excluded (i.e., financial sector)

Concept should be expanded to other countries: Japan, India, etc.

Standard Contract Clauses: Controller to Controller (2001 and 2004)

Often the only available tool for transfers to countries other than the U.S.

Advantages:

– legal certainty

– initially very cost efficient (just print them off the Internet and sign them!)

Disadvantages:

– take it or leave it approach: no changes possible

– very cumbersome for large multinationals with hundreds of entities = patchwork of contracts

– some clauses are problematic for exporters and importers (third party beneficiary rights, joint and several liability, due diligence and audit rules)

– still subject in some Member States to prior approval procedures, which can take several weeks, if not months (i.e., Austria, France, Netherlands)

Standard Contract Clauses: Controller to Processor (2001)

Similar advantages and disadvantages

Legal impasse with sub-processing:

– not covered in SCC

– altering SCC to allow for sub-processing not allowed

– quid?

Hopefully addressed in upcoming Commission Working Paper evaluating SCC

Derogations of Art. 26

Derogations were included in the Directive after many long discussions (deliberate choice of EU Legislator)

Policy concerns may be understandable, but limitations on the use of derogations have no basis in the Directive:

– limiting use of derogations to transfer cases where SCC are “genuinely inappropriate, maybe even impossible”, has no basis in Directive

– transfer on basis of “unambiguous consent” instead of “explicit consent” was deliberate choice of EU Legislator at the time (see very clear legislative history)

DPAs want to limit the use of derogations under the theory of restrictive interpretation – questionable legal reasoning – would require amending the Directive

Binding Corporate Rules

Concept in itself is very tempting, but it is still in its infancy

Very useful guidance document (checklist) from Art. 29 WP

Main advantages:

– allows for transfers worldwide

– generates a high level of privacy awareness in the company = especially useful given that privacy laws are proliferating

Main disadvantages:

– excruciating negotiation procedure (several years)

    – recently proposed BCRs to the Dutch DPA

    – expects approval by 22 other DPAs in a matter of months

    – but, preparation time: 3 years

    – 18 months for approval by German DPA

Main disadvantages (continued):

– continued uncertainty on key issues

    – approval for transfers still required? (contract approach)

    – for DPAs to opt-out at last minute?

Expectations:

– process will become easier as more DPAs and companies go through the process

– BCRs will standardize over time, even though a level of customization will always be required

Future:

– EU Directive to be amended to better enshrine BCRs

– role for EU Commission?

– quid BCRs for data processors?
