Feeds

Personal data export clauses now in force

EEA guidelines updated

Beginner's guide to SSL certificates

New 'model clauses' governing the exporting of personal data outside of the European Economic Area (EEA) have come into force. The new documents update one of the ways in which data can leave the EEA legally.

European Union data protection law says that personal data can only be transferred outside of the EEA if it is protected as well there as it is within the EU. One way of ensuring this is by using EU Commission-provided 'model clauses' in contracts to protect information.

New clauses published in February came into force on 15th May and now govern the sending of personal data outside the EEA. OUT-LAW.COM has published a brief guide to the changes, Model clauses for transferring personal data overseas: the May 2010 changes.

Companies processing the personal data of individuals must include these model clauses in contracts with companies outside the EEA that will do data processing on their behalf. Those contracts pass some of the EU company's responsibilities on to the processor outside the EEA.

The new clauses take account of the fact that outsourcing often happens a number of times. They allow for the fact that further sub-contracting of data processing can take place once data leaves the EU.

"A definition of sub-processors has been added," said Louise Townsend, a data protection law expert at Pinsent Masons, the law firm behind OUT-LAW.COM. "This extends not just to someone acting as a sub-processor to the main processor but to sub-processors engaged by sub-processors – so the requirements flow all the way down the chain."

Townsend said that the new clauses make it clear who is responsible for the security of the data, saying that the company to which the data is first sent must ensure its security even if that company sub-contracts activities to other firms.

"A data importer must not subcontract without the prior written consent of the data exporter and then only by way of a written agreement imposing the same obligations on the sub-processor as the model clauses impose on the data importer," said Townsend. "The data importer remains fully liable for the activities of its sub-processors."

The new clauses also place a demand on the EU organisation which owns the data to keep track of all sub-contracting.

"The data importer is required to send a copy of any sub-processing contract to the data exporter," said Townsend. "The data exporter is required to keep a list of the sub-processing agreements which have been concluded and update this at least once a year. This should be available to the data exporter’s supervisory authority, which in the UK would be the Information Commissioner."

Townsend said that data controllers - meaning the companies that collected the information in the EEA in the first place - should take simple practical steps if they are using the newly published model clauses.

"Data controllers should make sure that they have a list and copies of all sub-processing agreements and keep this updated. If something changes on an existing contract with a non-EEA data processor, they should update it with the new model clauses," she said.

For companies outside the EEA that will be doing data processing, they should make sure that their responsibilities are reflected in contracts they make with their own sub-contractors. And, said Townsend, they should make sure that they are aware which law applies to the processing.

"Be aware that it is the law where the data controller is based that applies to the data protection aspects of the subcontract," she said. "In practice this could mean that there is a data controller based in England who transfers personal data to a data processor based in India who then transfers personal data to a sub-processor in Japan. English law will apply to the relationship between the data controller and the data processor and the data processor and the sub-processor, at least in relation to the data processing aspects."

Copyright © 2010, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Providing a secure and efficient Helpdesk

More from The Register

next story
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
'Cowardly, venomous trolls' threatened with TWO-YEAR sentences for menacing posts
UK government: 'Taking a stand against a baying cyber-mob'
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
Arab States make play for greater government control of the internet
Nerds told to get lost in last-minute power grab bid at UN meeting
Zippy one-liners, broken promises: Doctor Who on the Orient Express
Series finally hits stride, but Clara's U-turn is baffling
Don't bother telling people if you lose their data, say Euro bods
You read that right – with the proviso that it's encrypted
Apple SILENCES Bose, YANKS headphones from stores
The, er, Beats go on after noise-cancelling spat
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.