Feeds

Personal data export clauses now in force

EEA guidelines updated

The Essential Guide to IT Transformation

New 'model clauses' governing the exporting of personal data outside of the European Economic Area (EEA) have come into force. The new documents update one of the ways in which data can leave the EEA legally.

European Union data protection law says that personal data can only be transferred outside of the EEA if it is protected as well there as it is within the EU. One way of ensuring this is by using EU Commission-provided 'model clauses' in contracts to protect information.

New clauses published in February came into force on 15th May and now govern the sending of personal data outside the EEA. OUT-LAW.COM has published a brief guide to the changes, Model clauses for transferring personal data overseas: the May 2010 changes.

Companies processing the personal data of individuals must include these model clauses in contracts with companies outside the EEA that will do data processing on their behalf. Those contracts pass some of the EU company's responsibilities on to the processor outside the EEA.

The new clauses take account of the fact that outsourcing often happens a number of times. They allow for the fact that further sub-contracting of data processing can take place once data leaves the EU.

"A definition of sub-processors has been added," said Louise Townsend, a data protection law expert at Pinsent Masons, the law firm behind OUT-LAW.COM. "This extends not just to someone acting as a sub-processor to the main processor but to sub-processors engaged by sub-processors – so the requirements flow all the way down the chain."

Townsend said that the new clauses make it clear who is responsible for the security of the data, saying that the company to which the data is first sent must ensure its security even if that company sub-contracts activities to other firms.

"A data importer must not subcontract without the prior written consent of the data exporter and then only by way of a written agreement imposing the same obligations on the sub-processor as the model clauses impose on the data importer," said Townsend. "The data importer remains fully liable for the activities of its sub-processors."

The new clauses also place a demand on the EU organisation which owns the data to keep track of all sub-contracting.

"The data importer is required to send a copy of any sub-processing contract to the data exporter," said Townsend. "The data exporter is required to keep a list of the sub-processing agreements which have been concluded and update this at least once a year. This should be available to the data exporter’s supervisory authority, which in the UK would be the Information Commissioner."

Townsend said that data controllers - meaning the companies that collected the information in the EEA in the first place - should take simple practical steps if they are using the newly published model clauses.

"Data controllers should make sure that they have a list and copies of all sub-processing agreements and keep this updated. If something changes on an existing contract with a non-EEA data processor, they should update it with the new model clauses," she said.

For companies outside the EEA that will be doing data processing, they should make sure that their responsibilities are reflected in contracts they make with their own sub-contractors. And, said Townsend, they should make sure that they are aware which law applies to the processing.

"Be aware that it is the law where the data controller is based that applies to the data protection aspects of the subcontract," she said. "In practice this could mean that there is a data controller based in England who transfers personal data to a data processor based in India who then transfers personal data to a sub-processor in Japan. English law will apply to the relationship between the data controller and the data processor and the data processor and the sub-processor, at least in relation to the data processing aspects."

Copyright © 2010, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Build a business case: developing custom apps

More from The Register

next story
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
Amazon says Hachette should lower ebook prices, pay authors more
Oh yeah ... and a 30% cut for Amazon to seal the deal
Philip K Dick 'Nazi alternate reality' story to be made into TV series
Amazon Studios, Ridley Scott firm to produce The Man in the High Castle
Nintend-OH NO! Sorry, Mario – your profits are in another castle
Red-hatted mascot, red-colored logo, red-stained finance books
Sonos AXES support for Apple's iOS4 and 5
Want to use your iThing? You can't - it's too old
Joe Average isn't worth $10 a year to Mark Zuckerberg
The Social Network deflates the PC resurgence with mobile-only usage prediction
Chips are down at Broadcom: Thousands of workers laid off
Cellphone baseband device biz shuttered
Feel free to BONK on the TUBE, says Transport for London
Plus: Almost NOBODY uses pay-by-bonk on buses - Visa
Twitch rich as Google flicks $1bn hitch switch, claims snitch
Gameplay streaming biz and search king refuse to deny fresh gobble rumors
Stick a 4K in them: Super high-res TVs are DONE
4,000 pixels is niche now... Don't say we didn't warn you
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.