Feeds

Personal data export clauses now in force

EEA guidelines updated

Build a business case: developing custom apps

New 'model clauses' governing the exporting of personal data outside of the European Economic Area (EEA) have come into force. The new documents update one of the ways in which data can leave the EEA legally.

European Union data protection law says that personal data can only be transferred outside of the EEA if it is protected as well there as it is within the EU. One way of ensuring this is by using EU Commission-provided 'model clauses' in contracts to protect information.

New clauses published in February came into force on 15th May and now govern the sending of personal data outside the EEA. OUT-LAW.COM has published a brief guide to the changes, Model clauses for transferring personal data overseas: the May 2010 changes.

Companies processing the personal data of individuals must include these model clauses in contracts with companies outside the EEA that will do data processing on their behalf. Those contracts pass some of the EU company's responsibilities on to the processor outside the EEA.

The new clauses take account of the fact that outsourcing often happens a number of times. They allow for the fact that further sub-contracting of data processing can take place once data leaves the EU.

"A definition of sub-processors has been added," said Louise Townsend, a data protection law expert at Pinsent Masons, the law firm behind OUT-LAW.COM. "This extends not just to someone acting as a sub-processor to the main processor but to sub-processors engaged by sub-processors – so the requirements flow all the way down the chain."

Townsend said that the new clauses make it clear who is responsible for the security of the data, saying that the company to which the data is first sent must ensure its security even if that company sub-contracts activities to other firms.

"A data importer must not subcontract without the prior written consent of the data exporter and then only by way of a written agreement imposing the same obligations on the sub-processor as the model clauses impose on the data importer," said Townsend. "The data importer remains fully liable for the activities of its sub-processors."

The new clauses also place a demand on the EU organisation which owns the data to keep track of all sub-contracting.

"The data importer is required to send a copy of any sub-processing contract to the data exporter," said Townsend. "The data exporter is required to keep a list of the sub-processing agreements which have been concluded and update this at least once a year. This should be available to the data exporter’s supervisory authority, which in the UK would be the Information Commissioner."

Townsend said that data controllers - meaning the companies that collected the information in the EEA in the first place - should take simple practical steps if they are using the newly published model clauses.

"Data controllers should make sure that they have a list and copies of all sub-processing agreements and keep this updated. If something changes on an existing contract with a non-EEA data processor, they should update it with the new model clauses," she said.

For companies outside the EEA that will be doing data processing, they should make sure that their responsibilities are reflected in contracts they make with their own sub-contractors. And, said Townsend, they should make sure that they are aware which law applies to the processing.

"Be aware that it is the law where the data controller is based that applies to the data protection aspects of the subcontract," she said. "In practice this could mean that there is a data controller based in England who transfers personal data to a data processor based in India who then transfers personal data to a sub-processor in Japan. English law will apply to the relationship between the data controller and the data processor and the data processor and the sub-processor, at least in relation to the data processing aspects."

Copyright © 2010, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

The Essential Guide to IT Transformation

More from The Register

next story
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
iPad? More like iFAD: We reveal why Apple ran off to IBM
But never fear fanbois, you're still lapping up iPhones, Macs
Nadella: Apps must run on ALL WINDOWS – PCs, slabs and mobes
Phone egg, meet desktop chicken - your mother
HP, Microsoft prove it again: Big Business doesn't create jobs
SMEs get lip service - what they need is dinner at the Club
ITC: Seagate and LSI can infringe Realtek patents because Realtek isn't in the US
Land of the (get off scot) free, when it's a foreign owner
Samsung threatens to cut ties with supplier over child labour allegations
Vows to uphold 'zero tolerance' policy on underage workers
Dude, you're getting a Dell – with BITCOIN: IT giant slurps cryptocash
1. Buy PC with Bitcoin. 2. Mine more coins. 3. Goto step 1
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.