Feeds

Personal data export clauses now in force

EEA guidelines updated

Internet Security Threat Report 2014

New 'model clauses' governing the exporting of personal data outside of the European Economic Area (EEA) have come into force. The new documents update one of the ways in which data can leave the EEA legally.

European Union data protection law says that personal data can only be transferred outside of the EEA if it is protected as well there as it is within the EU. One way of ensuring this is by using EU Commission-provided 'model clauses' in contracts to protect information.

New clauses published in February came into force on 15th May and now govern the sending of personal data outside the EEA. OUT-LAW.COM has published a brief guide to the changes, Model clauses for transferring personal data overseas: the May 2010 changes.

Companies processing the personal data of individuals must include these model clauses in contracts with companies outside the EEA that will do data processing on their behalf. Those contracts pass some of the EU company's responsibilities on to the processor outside the EEA.

The new clauses take account of the fact that outsourcing often happens a number of times. They allow for the fact that further sub-contracting of data processing can take place once data leaves the EU.

"A definition of sub-processors has been added," said Louise Townsend, a data protection law expert at Pinsent Masons, the law firm behind OUT-LAW.COM. "This extends not just to someone acting as a sub-processor to the main processor but to sub-processors engaged by sub-processors – so the requirements flow all the way down the chain."

Townsend said that the new clauses make it clear who is responsible for the security of the data, saying that the company to which the data is first sent must ensure its security even if that company sub-contracts activities to other firms.

"A data importer must not subcontract without the prior written consent of the data exporter and then only by way of a written agreement imposing the same obligations on the sub-processor as the model clauses impose on the data importer," said Townsend. "The data importer remains fully liable for the activities of its sub-processors."

The new clauses also place a demand on the EU organisation which owns the data to keep track of all sub-contracting.

"The data importer is required to send a copy of any sub-processing contract to the data exporter," said Townsend. "The data exporter is required to keep a list of the sub-processing agreements which have been concluded and update this at least once a year. This should be available to the data exporter’s supervisory authority, which in the UK would be the Information Commissioner."

Townsend said that data controllers - meaning the companies that collected the information in the EEA in the first place - should take simple practical steps if they are using the newly published model clauses.

"Data controllers should make sure that they have a list and copies of all sub-processing agreements and keep this updated. If something changes on an existing contract with a non-EEA data processor, they should update it with the new model clauses," she said.

For companies outside the EEA that will be doing data processing, they should make sure that their responsibilities are reflected in contracts they make with their own sub-contractors. And, said Townsend, they should make sure that they are aware which law applies to the processing.

"Be aware that it is the law where the data controller is based that applies to the data protection aspects of the subcontract," she said. "In practice this could mean that there is a data controller based in England who transfers personal data to a data processor based in India who then transfers personal data to a sub-processor in Japan. English law will apply to the relationship between the data controller and the data processor and the data processor and the sub-processor, at least in relation to the data processing aspects."

Copyright © 2010, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Choosing a cloud hosting partner with confidence

More from The Register

next story
Facebook pays INFINITELY MORE UK corp tax than in 2012
Thanks for the £3k, Zuck. Doh! you're IN CREDIT. Guess not
DOUBLE BONK: Testy fanbois catch Apple Pay picking pockets
Users wail as tapcash transactions are duplicated
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
Google Glassholes are UNDATEABLE – HP exec
You need an emotional connection, says touchy-feely MD... We can do that
YARR! Pirates walk the plank: DMCA magnets sink in Google results
Spaffing copyrighted stuff over the web? No search ranking for you
In the next four weeks, 100 people will decide the future of the web
While America tucks into Thanksgiving turkey, the world will be taking over the net
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.