Privacy officers at multinational organizations can face challenges lawfully transferring personal data across multiple jurisdictions within their corporate group, as many jurisdictions have implemented — or are planning to implement — rules prohibiting such international transfers.

Implementing contractual clauses that govern the processing and security of personal data between a data exporter and importer, like the EU's standard contractual clauses or the Association of Southeast Asian Nations' model contractual clauses, is one solution.

While privacy officers can attempt to set up these model data protection clauses or engage a law firm to assist, many decisions will need to be made and supporting mechanisms put in place that external legal counsel might not be able to help with, or that those from nonlegal or noncorporate backgrounds may find especially challenging.

Think about the long term

Implementing model data protection clauses can be a costly and time-consuming endeavor. They are also unlikely to be one-off capital investments when accounting for changes in the clauses themselves, an organization's expansion into a new jurisdiction or a jurisdiction’s adoption of its own prohibitions on international transfers unless its model data protection clauses are followed.

To future-proof and minimize unnecessary subsequent costs, think about how to configure the contract through which the model data protection clauses are executed. It is possible to create a contract so that each jurisdiction's model data protection clauses sit in an appendix.

This means:

  • Supporting mechanisms are shared across model data protection clauses and are consistent. Then, there is only one contract with the same entities, instead of multiple contracts for different model data protection clauses with different entities, which creates a mapping nightmare of who can transfer what to where and when.
  • Different jurisdictions' model data protection clauses can be added or removed without affecting others within the contract.
  • Signatories only need to sign one contract instead of several for each jurisdiction's model data protection clauses.
  • Length and complexity can be minimized. For example, things like the description of the personal data processing only need to be defined once in the contract.

Map out international transfers and identify relevant model data protection clauses

The proliferation of privacy laws around the world introducing model data protection clauses means they can be relied on to facilitate international transfers in more jurisdictions than ever before.

The first step is to identify jurisdictions where the organization's international transfers originate. Those compliant with the EU General Data Protection Regulation likely already know this information as part of satisfying records of processing activities obligations. If not, it's a good idea to embark upon a data processing inventory journey.

Next, identify which jurisdictions have model data protection clauses and their current version.

Get cozy with key stakeholders

Implementing model data protection clauses isn't something done in isolation; buy-in and input are needed from a variety of stakeholders within organizations. Start planning and speaking to relevant stakeholders early.

Administrative office and finance. Multinational organizations likely have a complex corporate structure with multiple entities. The administrative office or finance function, in addition to information gathered from a data processing inventory, can help identify and understand the roles different entities play in importing, exporting and processing personal data. This information is critical to ensure all relevant entities that process personal data are party to the contract. It will also help identify an appropriate entity as the administrator to facilitate changes and other processes under the contract.

The administrative office can likely help identify the right signatories and get them to execute the contract.

Cybersecurity. Most model data protection clauses contain clauses that require parties to implement technical and operational measures to protect personal data. For some, like the EU SCCs, it's not enough to simply state such measures are in place. The safeguards in place must be specified. This can be achieved by speaking to the cybersecurity team, which often has policies and standards in place.

Information technology and contracting and procurement. Facilitating entities' ability to use subprocessors is a tricky area to navigate because it requires understanding what subprocessors are used, by whom and in what circumstances, as well as whether any contractual agreements are in place governing the processing of personal data. Unless an organization has a sophisticated data processing inventory that can help answer some of those questions, the next best option is to speak to the information technology and contracting and procurement functions, which will have a list of vendors that can be used to identify subprocessors and contractual agreements.

Although there are many considerations when setting up model data protection clauses, these are among the more effective alternatives to other exceptions on the prohibition of international transfers and are widely recognized by many jurisdictions.

Piotr Debowski, CIPM, is a manager and Mark Byrne, CIPP/A, CIPP/E, CIPM, FIP, is a principal at elevenM.