EU Adopts New Standard Contract Clauses for Foreign Processors

Last Friday, the European Commission adopted new "controller-processor" standard contractual clauses ("SCCs" or "model contract") to protect personal data transferred from Europe to a data processor located outside the EU/EEA.  Existing contractual arrangements are grandfathered, but any new contracts with data processors must include the new version of the SCCs. 

The principal change from the 2002 controller-processor SCCs is that processing contractors are now obliged to obtain prior written consent from the customer before subcontracting any of the processing, and the subcontractor must be contractually bound to the same obligations that apply to the contractor.

Article 25 of the EU Data Protection Directive directs member states to prohibit the transfer of personal data to countries lacking similar legal protections, unless one of several limited exceptions applies or approved safeguards are in place.   EU-approved standard contract clauses between the data "exporter" and data "importer" are a common means of legitimizing data transfers to locations outside the European Economic Area -- the European Union plus Iceland, Liechtenstein, and Norway.  (SCCs are not used where the transfers are to a US company that participates in the international Safe Harbor program, or to a company relying on informed consent, nationally approved Binding Corporate Rules, or one of the other "derogations" under Article 26 of the Directive.)

The European Commission has approved two alternative sets of SCCs for use in transferring personal data to a data "controller" outside the EEA, and in 2002 the Commission approved a set of SCCs to be used when transferring data to a "processor."  The distinction between controllers and processors is not always clear in practice, but the basic concept is that a controller makes decisions about what data to collect and how to use it, while a processor performs operations on data only on behalf of the controller and according to its instructions.  Business process outsourcing in a non-EEA country such as the United States or India is a common context for using SCCs to protect employee and customer information or other personal data furnished by a European company. 

The concern addressed in the new controller-processor SCCs is that processors today often subcontract some processing, storage, and technical support functions to third parties.  This is particularly common in cloud computing, where several entities might be involved in handling and storing the data.  The new SCCs are designed to ensure that the company that remains responsible as the data controller in Europe is informed about any proposed subcontracting, and that all parties handling the data are subject to the same obligations of confidentiality and security.

The full text of the decision and the new SCCs are not yet posted on the Commission's website.  (They will ultimately appear on the "Model Contracts" page.)  A Commission spokesman described the decision on Friday, however, as follows:

"According to the newly adopted Decision, where a data importer (processor) intends to subcontract any of its processing operations performed on behalf of the EU data exporter (controller), it must first obtain the prior written consent of the data exporter. The written contract will impose the same obligations on the sub-processor as those imposed on the data importer under the standard contractual clauses."

The Commission reportedly will not require companies with existing controller-processor SCCs to replace those agreements with the new SCCs.  New processing agreements, however, must use the new set of controller-processor SCCs if they are to serve as a legal basis for data transfers outside the EEA.

Legal Implications of Cloud Computing -- Part Two (Privacy and the Cloud)

Last month we posted some basics on cloud computing designed to provide some context and identify the legal issues.  What is the cloud?  Why is everyone in the tech community talking about it?  Why do we as lawyers even care?  Dave provided a few things for our readers to think about -- privacy, security, e-discovery. 

Now, let's dig a little deeper. 

I am going to start with privacy and cross-border data transfers.  Is there privacy in the cloud?  What are the privacy laws to keep in mind?  What are an organization's compliance obligations?   As with so many issues in the privacy space, the answer begins with one key principle -- location, location, location.  For those of you who prefer to listen, check out my recent webinar on International Regulatory Issues in the Cloud, or you can download the slides (PPTX). For everyone else, read on after the jump.

In the world of the cloud, location appears to be irrelevant.  In the cloud, data effortlessly flows around the globe, ignoring boundaries and time zones, and magically appears on demand.  Not surprisingly, the existing legal structure is far from prepared for the reality of existing technology.  Every jurisdiction has its own laws, and its own compliance requirements.  As that data instantaneously circumnavigates the globe, it may already be too late to comply with privacy laws in every jurisdiction.

You have undoubtedly heard that the laws of this country are like a patchwork quilt.  They have popped up in certain sectors (financial, health) and with respect to certain types of sensitive information (e.g., kids' data).  There are federal laws like Gramm-Leach-Bliley (applicable to financial institutions), HIPAA (applicable to health care providers and others dealing with health information and related entities), COPPA (applicable to data of children under 13 collected online), and the USA Patriot Act (may be applicable to foreign companies that work with cloud providers that allow data to reside in or flow through the US).  In addition, we have a panoply of state laws requiring notification in the event of a breach of sensitive information and, in some cases, requiring the implementation of safeguards to protect sensitive information and/or secure disposal of such information.

By contrast, the European Union has a comprehensive privacy framework, the EU Data Protection Directive.  Each member state has its own unique law implementing the Directive.  The most notable thing about the EU Directive and member state laws for purposes of cloud computing is this -- in the absence of specific compliance mechanisms, the EU prohibits (yes, you read correctly, prohibits) the transfer of personal information of EU residents out of the EU to the US and the vast majority of countries around the world.

What does this mean for cloud computing?  If you want to put data in the cloud that includes personal information of EU residents (and that might be something as simple as an email address or employment information), and the data will flow from the EU to almost anywhere in the world, you cannot simply throw the data in the cloud and hope for the best.  You need to have, at a minimum, one or more of the following:

  • International Safe Harbor Certification (which allows data transfer from the EU to the US, but not from the EU to other countries);
  • model contracts (which allow data transfer from the EU to non-US countries, but do not always work well with multi-tiered vendor relationships); or
  • Binding Corporate Rules (which are designed for a multinational company and therefore may not function well for cloud provider relationships).

So, what does this tell us?  All of the stakeholders within an organization should be part of the cloud discussion and due diligence -- IT, legal, information security, and all of the relevant business groups.  And those stakeholders, in investigating a potential cloud relationship and in negotiating the terms of a relationship with a cloud provider, should consider and pose the following questions internally and to the vendor long before any contract is signed: 

  • What kind of data will be in the cloud?
  • Where do the data subjects reside?
  • Where will the data be stored? 
  • Where are the servers? 
  • Will the data be transferred to other locations and, if so, when and where?
  • Can certain types of data be restricted to particular geographic areas?
  • What is our compliance plan for cross-border data transfers?

Is that the end of the inquiry?  No, it is just the tip of the iceberg, but it is a good start.