Transborder Transfers of Data Outside Europe Need New Rules

The European Commission established a Data Protection Working Party on data protection and privacy—an independent advisory body set up under the Data Protection Directive. This Working Party recently published an opinion relating to the EC’s draft standard contract terms that apply to the movement of data across national borders, notably between Member States within and outside of the EU. 

Specifically, the Working Party recommended that the Commission develop brand new model contract provisions to deal with international and multi-national data processing involving transfers of data outside the EC—a long-standing sore point among companies in countries that have historically been viewed as having "inadequate" privacy and data protections. These model or standard contract terms would establish acceptable contractual protections between entities that control data within the European Union/European Economic Area (EU/EEA) and data processors they use outside the European Community, to ensure protections are comparable.

What is notable is the call for the development of completely new model terms that, in the view of the Working Party, has arisen with the growth of international outsourcing, and the widespread use of lower cost data processing, network, and other service providers outside the EU/EEA. Clearly, if technology and international cooperation have made the previous and existing regulations and legal frameworks either out-dated, or unworkable, or both, companies in Europe often find themselves at a competitive disadvantage, being unable to outsource because of data protection and transborder data flow restrictions. The last time the European Commission promulgated approved model contract clauses that applied to transborder data flows between EU Member States and data recipients outside the EU was in 2001, and the Working Party’s recommendations were stimulated by the EC’s current initiative to update these model contracts and terms to deal with more current technology and working relationships among service providers.

As most people familiar with international business already know, the European Data Protection Directive generally requires any country outside the EU to have an "adequate" level of protection in order to allow transfers of personal data by a data controller (the entity that controls the database within the EU)—unless, of course, you have each individual’s personal consent. Another way to enable the transfer is to have an agreement between the transferor and the recipient that includes clauses that have been approved by the EC for that purpose, and that establish a legally binding contractual obligation to accord the data a level of protection the EC considers adequate. Under the currently proposed draft of the EC, data processors in the EU/EEA would be under greater restrictions and burdens when deciding to transfer the data to a service provider (referred to as a "subprocessor") outside the EU/EEA than those data processors that are already outside the EU/EEA, have already properly received data from the EC, and who now want to us another subprocessor.

If this all sounds complicated, it is. It means that if you are considering outsourcing; if you require great flexibility and the ability to dynamically shift processing to reduce costs; if you have international and multinational operations that include customers and personal data of customers inside the EU: simply put, you need to have experts help you. Legal advisors who know the current rules and also follow new developments. Contact me at or call me directly at +1 212 702 1303 if you need help. Rimon has offices in the UK, France, Germany, and Greece, as well as in the Middle East, Hong Kong and China—oh, and lots in the United States, too! How can we help you?