John will be blogging separately on the draft data protection regulation published by Commissioner Reding earlier today, but I thought I’d share some thoughts in relation to its impact on outsourcing in the UK.
To date, data controllers in the UK have had a degree of flexibility when entering into outsourcing agreements that involve the processing of personal data outside the EEA. Broadly, such a transfer has been permissible in four situations:
- Where the European Commission has made a finding of adequacy in relation to the level of protection offered to personal data in the country or territory in question (including, for example, the US Safe Harbor scheme);
- Where the transfer is made pursuant to contract on terms approved by the European Commission (AKA the EU model clauses for data transfers);
- Where the organisation has put in place binding corporate rules that have been approved by the relevant data protection regulators; and
- Where the data controller has made a finding of adequacy in respect of the proposed transfer.
Findings of adequacy
The ability to make a finding of adequacy is particularly useful for data controllers, as it allows the data controller to make a reasoned decision based upon its diligence on the proposed data processor and the actual contractual terms that are put in place.
In particular, it allows the data controller to deviate from the approved model clauses without needing to go through the administrative burden of having those clauses approved by the Information Commissioner. For example, the data controller may wish to outsource a service through a single contracting entity on behalf of various group data controllers, rather than enter into multiple model clause agreements between each data controller and the end data processor.
The ability to make a finding of adequacy is not carte blanche to do anything – the data controller still needs to be able to justify its actions to the Information Commissioner, but it does provide some significant commercial flexibility.
The position outside the UK
But that permissive and flexible approach under the fourth route above (the data controller's own finding of adequacy) does not apply everywhere in the EU. In a number of EU member states, any deviation from the model clause agreements needs to be notified to, and approved by, the national data protection regulator. In some member states even the use of the unamended model clause agreements needs to be notified to the regulator.
So what will happen under the new law?
If passed as it stands, the regulation would have direct effect. Unlike a directive, there would be no need for local implementation by individual member states. The intention of the regulation is to have a uniform data protection law across the whole of the EU – a law that is not subject to local variations and differing interpretations by different parliaments, regulators and courts.
The consequence of this is that the rules on cross-border data transfers will be unified.
Under the draft regulation there is no ability for the data controller to make a finding of adequacy. If the data controller wishes to vary from the terms of the model clauses, the data controller will need to obtain the consent of the relevant data protection regulator.
Whilst not unexpected, confirmation of this restriction is disappointing and will substantially increase the red tape involved in entering into outsourcing agreements – particularly where there are complex inter-group arrangements and multiple data controllers.
The UK Information Commissioner has already issued a press release questioning this requirement, presumably with half an eye to the increased (and unnecessary) administrative burden that it will incur, when its resources are already stretched.
Of course the irony here is that, as all seasoned data protection lawyers will tell you, the data processor has no direct obligations under data protection laws – it is the data controller that is responsible for ensuring, through its contract with the processor, that data is securely processed. Where the processor happens to be located, and what its national legislation says, is irrelevant to that allocation of responsibility. Approved-form processing contracts are not required within the EEA, so why should transfers outside the EEA be treated differently?
Why not simply leave it to the data controller to ensure that it has carried out its diligence and has an appropriate contract, as the law requires for outsourcing within the EEA? I’m not aware of major problems having arisen from data controllers deviating from the model clauses, so why try to fix something that isn’t broken?
It must be hoped that this change does not make it into the final text. Those involved in outsourcing may wish to support the UK Information Commissioner in ensuring that a workable mechanism is in place for cross-border outsourcing.
On January 25, 2012