In February 2010, the European Commission approved new Standard Contractual Clauses for the transfer of personal data to processors outside the European Economic Area (New Processor Clauses). At the same time, the commission repealed its 2001 decision approving a predecessor version of such clauses (Old Processor Clauses) effective May 15, 2010. As a result, multinational organizations will consider updating their group-internal and external contracts relating to data processing and service providers can expect requests from their customers to sign updated forms. Companies should start this process immediately given the amount of information that is required by the New Processor Clauses and the fact that new contracts and changes to existing arrangements usually trigger negotiations, such as those relating to risk allocation, pricing, and other commercial terms. This article is intended to provide background, a brief summary of what is new, practical guidance as to when the new clauses are required or recommended, as well as considerations as to the pros and cons and alternatives to adopting the New Processor Clauses.

I. BACKGROUND AND CONTEXT

1. Data subjects, controllers, and processors

The EC Data Protection Directive and the various national implementation laws and regulations distinguish between data subjects (i.e., the individuals to whom personal data relates), data controllers (i.e., companies and other entities that determine the purposes and means of data processing) and data processors (i.e., companies and entities that process personal data on behalf of others, namely the data controllers). The terms “personal data” and “processing” are defined very broadly: Any information relating to an identifiable individual is “personal data” and any collection, use, and transfer—even the redaction and deletion thereof—constitutes “processing.” As a result, many businesses and functions within an organization qualify as “data processor,” including software-as-a-service companies, outsourcing service businesses, payroll providers, and shared services entities within a group of affiliated companies (e.g., a U.S. parent company hosting an e-mail or voice mail server for its global subsidiaries). The exact demarcation lines between data controllers, data processors and entities that are neither are still subject to controversy, and very little case law and clear guidance are available to date. But it seems relatively clear that a service provider risks becoming a data controller if it contractually reserves or exercises too much control over the purposes or means of data processing, server locations, engagement of sub-processors and other key aspects of data processing arrangements. This typically has adverse effects for provider and customer, as filings, consent, notice, and other compliance requirements can be triggered in controller-controller transfer situations that may not apply in controller-processor scenarios. Also, companies risk becoming data processors by reserving rights or securing technical possibilities to access their customers’ personal data.
Therefore, from a data protection law perspective, it is generally in both parties’ interests—customer and service provider alike—to keep the customer in control and minimize the amount of discretion and data access service providers have. In technologically complex situations, service providers can proactively prompt their less tech-savvy customers to give certain pre-formulated instructions or approve proposals by the service provider, but the customer and data controller should retain the right to withhold consent or issue different instructions (which may have to come at a hefty price point in the context of standardized services).


2. Three hurdles

Under national laws implementing the EC Data Protection Directive, companies in the European Economic Area (EEA) that collect and use data for their own purposes (i.e., act as “data controllers”) have to cross three hurdles before they can share personal data with data processors outside the EEA. Firstly, the European data controllers must comply with formal and substantive requirements of local data protection laws, including notifications to data protection authorities and data subjects, appointment of data protection officers, minimization of data collection, usage and retention, data security, and various other data protection law principles. These laws apply regardless of whether the data controller transfers any data within or outside the EEA.


Secondly, the data controller must confirm that the selected data processor provides sufficient data protection guarantees and conclude a contract providing that the processor shall act only on behalf of and pursuant to instructions from the data controller and in compliance with all data security requirements that apply to the data controller; this requirement applies whenever a data controller transfers any data to a data processor, regardless of whether such data processor is established within or outside the EEA.


Thirdly, the European data controller has to ensure an adequate level of data protection if the data processor is established outside the EEA. With the New Processor Clauses, European companies can take this third hurdle, but only this third hurdle. Companies should not lose sight of the fact they have to address the first two hurdles separately and if they fail to do so, any subsequent data processing activities will be illegal even if the New Processor Clauses are signed.


3. (Limited) effect of commission decision

The EC decision is addressed to the Member States of the EEA, but individual companies or citizens are not directly bound. Based on the decision, national data protection authorities in the EEA have to accept agreements incorporating the New Processor Clauses as sufficient to take the third of the three hurdles described in Section 2 of this article. And, after May 15, 2010, national authorities no longer have to—but could continue to—accept the Old Processor Clauses. National authorities have to accept that the New Processor Clauses provide adequate safeguards with respect to transfers of personal data to processors outside the EEA. The data protection authorities may still prohibit a particular data transfer under national law if the data controller has failed to take the first or second hurdle.


Also, the decision allows data protection authorities to take action in case of serious concerns regarding a particular data processor or destination jurisdiction. Moreover, the data protection authorities can apply and enforce national laws to the extent EC law does not apply or lacks jurisdiction. And the decision does not prohibit the national data protection authorities from establishing stricter standards for data transfers within the EEA (although this would appear to be hard to justify for the national authorities from a policy and perhaps EC law perspective, given the resulting burden for multinational enterprises that would be prevented from establishing the New Processor Clauses as a standard). Data transfers from controllers to controllers are not covered by the New Processor Clauses but are governed by two other commission decisions approving two sets of standard contractual clauses for data transfers to controllers.

II. NEW AND OLD CLAUSES

1. What is new?

Most notably, the New Processor Clauses expressly mention and restrict data transfers from one processor to another (referred to as “sub-processor”). A processor who wants or needs to transfer data to a sub-processor must:


  • obtain written consent from the data controller,

  • conclude a data transfer agreement with the sub-processor based on the New Processor Clauses under the laws of the jurisdiction where the data controller is based,

  • assume unlimited liability for any actions and inactions of any sub-processor (even those selected by the data controller or another sub-processor) vis-à-vis the data controller and the data subjects, and

  • keep a list of sub-processing agreements and make the list and copies of the agreements available to data subjects, the data controller, and the data controller's data protection supervisory authority.


This change had been proposed by the International Chamber of Commerce and various other pro-business organizations, and its adoption has been praised as an improvement. However, from a practical perspective it seems difficult to perceive a benefit to companies—either to data processors or data controllers—compared to the situation under the Old Processor Clauses: The European Commission already acknowledged in the recitals of its 2001 decision on the Old Processor Clauses that data processors may transfer data “under certain conditions.” The operative text of the Old Processor Clauses did not impose any specific additional conditions, thus, processors were permitted to transfer data to sub-processors so long as all other legal requirements were complied with. The Old Processor Clauses did not dictate any particular content or format for sub-processor agreements, which gave the parties a flexibility that has been eliminated by the New Processor Clauses. For example, under the Old Processor Clauses companies involved in payment processing may have been able to rely on a combination of bank secrecy laws and industry-standard non-disclosure agreements with respect to intermediary payment processors and clearinghouses to provide for adequate safeguards. Under Clause 11.1 of the New Processor Clauses, however, data controllers and processors now have to sign the New Processor Clauses with each and every member of the data transmission chain. Similar concerns apply in other industries, e.g., telecom providers (who have to send data via cables, routers, switches, and other equipment operated by myriad other service providers) and providers of technologically complex services that rely on subcontractors for some of their functionality.


In the more than four-year-long process of deciding on what ultimately turned out to be very few changes to the Old Processor Clauses, the Article 29 Working Group of national data protection authorities noted that onward data transfers were already permissible under the Old Processor Clauses and that onward transfer agreements could be concluded by imposing similar terms on the subcontractors (without a strict requirement to sign up sub-processors to the Old Processor Clauses). The Article 29 Working Group noted that Clause 11 in the New Processor Clauses affords better protections to data subjects (which, conversely, means more obligations on data controller and processor relating to data processing).


Another change is that in addition to the cooperation and notification duties already contained in the Old Processor Clauses (which were slightly reinforced here and there), data processors now agree to “abide by the advice of the supervisory authority” in Section 5(e) of the New Processor Clauses. Based on this clause, companies may now find that through the backdoor of contractual agreements, otherwise non-binding guidance or opinions generally published or specifically provided by data protection authorities can now receive legally binding character. This is particularly worrisome as the data protection authorities in some EEA Member States have been quite active in publishing more or less formal opinions and guidance that does not always appear to be supported by existing legislation and rarely receives reality checks in courts because the data protection authorities enforce their opinions relatively rarely.


On the positive side, the New Processor Clauses clarify that data importers are exempt from liability unless the data exporter goes out of business and no successor-in-interest assumes its liabilities; the arbitration requirement was abolished; and the sample indemnification clause was moved to an Exhibit to clarify its optional character, which was already specified in the Old Processor Clauses.


2. What did not change?

The International Chamber of Commerce and other organizations that had requested changes to the Old Processor Clauses had proposed a number of reasonable changes that would have made life easier for businesses, for example allowing for multi-party agreements under one choice of law (so that multinational organizations can reduce the number of contracts they have to sign and maintain), eliminating bureaucratic requirements in the context of government approvals or notifications (e.g., signature notarization), striking the clause inviting enforcement actions by an “association or other body,” and clarifying that the parties have to provide only exemplary, not exhaustive descriptions of their security measures and procedures in the appendix to the clauses. However, the European Commission does not have legislative jurisdiction to regulate administrative process details in the EEA Member States, and where it had jurisdiction, it nevertheless opted against most of the changes.


As a result, the New Processor Clauses continue to (with some minor modifications):


  • require the data processor to act only on behalf of the data controller,

  • require the data processor to comply with data security obligations under the law of the jurisdiction where the data controller is based and grant audit rights to the data controller,

  • grant third-party beneficiary rights to data subjects, who can bring lawsuits under local law and in local courts convenient to them,

  • impose relatively harsh liability on the data controller (for any actions or omissions by the data processor and its agents) whereas the data processor remains liable only for its own (or its subcontractor’s) breaches, and only if the data controller has gone out of business, and

  • require the data processor to notify the data controller and in certain circumstances the data protection authorities about security breaches, changes in legislation, law enforcement actions and certain other events that could have an adverse impact on the data subjects or data controller and that may allow the data controller to terminate the agreement.



III. ALTERNATIVES

1. Safe Harbor

If a service provider in the United States is registered under the EU-U.S. Safe Harbor program, European data controllers do not have to take a third hurdle. As a matter of EC law, national data protection authorities have to accept a Safe Harbor registration as providing adequate safeguards. The EU-U.S. Safe Harbor principles in turn allow onward data transfers to sub-processors that are in the EEA, registered under the EU-U.S. Safe Harbor program or sign a written agreement requiring the sub-processor to provide at least the same level of privacy protection as is required by the relevant Safe Harbor Principles. Under the Safe Harbor Principles, data controllers and processors do not have to use the standard contractual clauses approved by the European Commission, but they are free to draft the language for the onward contracts and have relatively few specific additional requirements or obligations to cope with. Also, the Safe Harbor Principles contain less draconian commercial risk allocation mechanisms. Overall, the Safe Harbor route seems to be preferable for data controllers and processors alike. But only U.S.-based companies that are subject to FTC jurisdiction can register, and in situations where data is transferred from the EEA to processors in countries other than the United States, a Safe Harbor filing is not available. In cases where data is sent from the EEA to the U.S. and other countries, controller and processor should consider whether it is technically and operationally possible to route all data through the United States.


2. Modified, custom-made Old Processor Clauses

Companies are not prohibited from keeping data transfer agreements based on the Old Processor Clauses in place beyond May 15, 2010, or from modifying the New Processor Clauses or from conceiving and implementing entirely different data transfer agreements. Neither the Data Protection Directive, the commission decisions on the standard contractual clauses, nor national data protection laws expressly rule this out. But in EEA Member States where companies have to notify or obtain government approval for international data transfers, or in any EEA Member State in case of an audit or controversy, companies would have to persuade the authorities why and how the modified or alternate clauses are sufficient to provide adequate safeguards. This should be relatively compelling with respect to the Old Processor Clauses because these have been found to be sufficient for nearly 10 years and should not have become insufficient overnight. However, it has been and likely will remain very difficult to persuade authorities to accept modifications or entirely new agreements. In any event, it is time- and resource-consuming to seek approval or justify non-standard approaches. Authorities may accept modifications if they protect the data subjects equally or better than the New Processor Clauses, but companies that are willing to agree to increased protections might as well sign the New Processor Clauses without modifications and include the modifications in an attachment or separate agreement; so long as the additional clauses do not take precedence over the New Processor Clauses, the national data protection authorities would be bound by the commission decision and have to accept the agreement as sufficient.


3. Binding Corporate Rules

Companies cannot rely on Binding Corporate Rules (BCRs) for any data processing arrangements with unaffiliated service providers because BCRs can only legitimize data transfers between entities that subscribe to the same set of terms. For group-internal transfers of human resources data, companies could rely on BCRs, but they would still have to sign group-internal agreements to satisfy the second of the three hurdles described in Section 2 of this article. Despite some recent improvements, most companies shy away from pursuing the BCR route given the costs and delays following from the need to obtain government approval for the BCRs and the fact that the data protection authorities tend to insist on the same types of protections in the BCRs that are contained in the standard contractual clauses.

IV. OUTLOOK AND PRACTICAL RECOMMENDATIONS

It remains to be seen whether, in practice, the stricter requirements in the New Processor Clauses will actually translate into additional liabilities for companies and protections for data subjects, and whether the majority of companies will accept and implement the proposed multilayered structure of bilateral agreements incorporating the New Processor Clauses, or whether companies will try to pursue alternatives or fall further behind on compliance because of a perceived unreasonableness and impossibility of compliance requirements. The author is not aware of any publicized cases in which any of the standard contractual clauses approved by the European Commission or the Safe Harbor Principles have been asserted or enforced by authorities, individuals, or in courts in the nearly 10-year history of their respective existence.


Data processing service providers outside the EEA are or will very soon be confronted with customer requests to sign contracts based on the New Processor Clauses. Smaller providers will likely bow to pressure and sign the forms, whether they like it or not. To prepare for such requests and secure a competitive advantage, providers will try to pass on the New Processor Clauses (and/or Safe Harbor registration requirements, where possible) to their subcontractors, or reduce the number of subcontractors that qualify as “data processors” under the European rules. As a consequence, the New Processor Clauses can be expected to spread “virally” like the Old Processor Clauses and Safe Harbor registrations.


Providers that do not subcontract or that are able to secure their subcontractors’ agreement to the New Processor Clauses should consider preparing standard contracts adopting the New Processor Clauses, ideally along with clauses addressing similar requirements arising under other jurisdictions’ laws, e.g., under the California Civil Code, the Massachusetts regulations, and HIPAA.


Providers that believe they do not qualify as “data processors” because they are only tangentially involved in the processing of personal data, or have no access to it at all, can either insist on this position vis-à-vis their customers (and possibly suffer consequences of lost business or delayed sales cycles where customers prove hard to persuade), or they can accept the clauses conditionally (i.e., based on a contractual agreement that the New Processor Clauses apply only in case the provider qualifies as a data processor).


In the contract terms incorporating the New Processor Clauses by reference, and without derogating from the New Processor Clauses, customers and service providers should consider including details on processes and additional safeguards to protect their respective interests; for example, service providers should insist that customers cannot approve additional sub-processors without the service provider’s consent, given that the service provider will automatically become liable vis-à-vis data subjects for actions and omissions of all sub-processors. Moreover, the parties should consider including transition and payment obligations in case the data controller issues (costly) instructions to the data processor or terminates the agreement early because the controller does not want to pay for costs caused by its instructions, or because the data controller can no longer transfer data to the jurisdiction where the processor is located, e.g., because of changes in law or law enforcement practices. Also, the parties should address commercial risk allocation as between themselves, e.g., who foots the bill and to what amounts in case one party is sued or sanctioned for violations or breaches by the other party. Further, it might be helpful to establish a procedural roadmap and substantive rules on how to address and cooperate in case of data security breaches, notifications, and compensation of data subjects.


Customers should consider the relative benefits of transferring data based on a Safe Harbor filing by U.S.-based service providers. Conversely, providers should consider a Safe Harbor registration and point out to their customers the relative benefits of relying on the Safe Harbor mechanism for both data controllers and processors.


Companies and business associations should think twice before asking for changes to data protection laws or seeking guidance: As a general trend, the legal and procedural requirements tend to get stricter and more burdensome for businesses in this area. And under the New Processor Clauses, service providers now have to “abide by advice” by the authorities.