Feeds

Personal data export clauses now in force

EEA guidelines updated

Using blade systems to cut costs and sharpen efficiencies

New 'model clauses' governing the exporting of personal data outside of the European Economic Area (EEA) have come into force. The new documents update one of the ways in which data can leave the EEA legally.

European Union data protection law says that personal data can only be transferred outside of the EEA if it is protected as well there as it is within the EU. One way of ensuring this is by using EU Commission-provided 'model clauses' in contracts to protect information.

New clauses published in February came into force on 15th May and now govern the sending of personal data outside the EEA. OUT-LAW.COM has published a brief guide to the changes, Model clauses for transferring personal data overseas: the May 2010 changes.

Companies processing the personal data of individuals must include these model clauses in contracts with companies outside the EEA that will do data processing on their behalf. Those contracts pass some of the EU company's responsibilities on to the processor outside the EEA.

The new clauses take account of the fact that outsourcing often happens a number of times. They allow for the fact that further sub-contracting of data processing can take place once data leaves the EU.

"A definition of sub-processors has been added," said Louise Townsend, a data protection law expert at Pinsent Masons, the law firm behind OUT-LAW.COM. "This extends not just to someone acting as a sub-processor to the main processor but to sub-processors engaged by sub-processors – so the requirements flow all the way down the chain."

Townsend said that the new clauses make it clear who is responsible for the security of the data, saying that the company to which the data is first sent must ensure its security even if that company sub-contracts activities to other firms.

"A data importer must not subcontract without the prior written consent of the data exporter and then only by way of a written agreement imposing the same obligations on the sub-processor as the model clauses impose on the data importer," said Townsend. "The data importer remains fully liable for the activities of its sub-processors."

The new clauses also place a demand on the EU organisation which owns the data to keep track of all sub-contracting.

"The data importer is required to send a copy of any sub-processing contract to the data exporter," said Townsend. "The data exporter is required to keep a list of the sub-processing agreements which have been concluded and update this at least once a year. This should be available to the data exporter’s supervisory authority, which in the UK would be the Information Commissioner."

Townsend said that data controllers - meaning the companies that collected the information in the EEA in the first place - should take simple practical steps if they are using the newly published model clauses.

"Data controllers should make sure that they have a list and copies of all sub-processing agreements and keep this updated. If something changes on an existing contract with a non-EEA data processor, they should update it with the new model clauses," she said.

For companies outside the EEA that will be doing data processing, they should make sure that their responsibilities are reflected in contracts they make with their own sub-contractors. And, said Townsend, they should make sure that they are aware which law applies to the processing.

"Be aware that it is the law where the data controller is based that applies to the data protection aspects of the subcontract," she said. "In practice this could mean that there is a data controller based in England who transfers personal data to a data processor based in India who then transfers personal data to a sub-processor in Japan. English law will apply to the relationship between the data controller and the data processor and the data processor and the sub-processor, at least in relation to the data processing aspects."

Copyright © 2010, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

The Essential Guide to IT Transformation

More from The Register

next story
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
White? Male? You work in tech? Let us guess ... Twitter? We KNEW it!
Grim diversity numbers dumped alongside Facebook earnings
Bose says today is F*** With Dre Day: Beats sued in patent battle
Music gear giant seeks some of that sweet, sweet Apple pie
Amazon Reveals One Weird Trick: A Loss On Almost $20bn In Sales
Investors really hate it: Share price plunge as growth SLOWS in key AWS division
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
Too many IT conferences to cover? MICROSOFT to the RESCUE!
Yet more word of cuts emerges from Redmond
Chips are down at Broadcom: Thousands of workers laid off
Cellphone baseband device biz shuttered
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.