[Things don’t stand still in the world of data privacy. Check out our updates: https://www.techcontracts.com/2023/07/21/personal-data-transfers-schrems/, Spring Cleaning: Fix Contract Terms for Data Transfers From The UK; The Clock is Ticking: Are Your Contract Terms Out-of-Date for Transfers of Personal Data Subject to the GDPR?; Third Time Lucky? Personal Data Transfers between the U.S., EU, UK; Draft EU “Adequacy Decision” for Data Transfers to U.S. Now What?]
By Jennifer L. Sheridan, Esq.
Use Model Clauses (or EU’s standard contractual clauses) for data exporter-data importer transactions, which have been amended to be GDPR compliant
As discussed in the last blog post, EU personal data may not be exported to any non-EU country (any non-European Economic Area or “EEA” countries) unless that country provides adequate protections for personal data. Some non-EU countries have obtained such certification, but the U.S. has not.
There are three mechanisms for U.S. companies to meet the adequacy test:
- Self-certify under the U.S. Privacy Shield;
- Adopt the EU Model Clauses for all contracts with EU data exporters; and/or
- Adopt Binding Corporate Rules for your enterprise.
This post discusses how to Adopt the EU Model Clauses for all contracts with EU data exporters. So for BizConnect — the hypothetical company discussed in our earlier posts — the customers are data controllers. They decided how their employees’ personal data will be used on the BizConnect platform. BizConnect acts as a data processor under the GDPR. Under this scenario, BizConnect’s EU customers are data exporters and BizConnect is the data importer.
A bit of history
The EU personal data laws date back to 1995, when the EU adopted the EU Data Protection Directive (often referred to as the “95 Directive”). It regulated protection of all personal data for EU citizens.
This 95 Directive also stipulated that personal data could not be exported outside the EU (EEA) countries unless the receiving country provided an adequate level of protection.
The EU adopted certain “standard contractual clauses” (a.k.a. “model clauses”) If a U.S. company used these clauses (without modification) in contracts with EU companie,s then those personal data transfers outside the EU would be deemed valid and legitimate.
Some of the significant obligations imposed by the model clauses include:
- data processor agrees to obtain the data controller’s prior written consent to any subprocessors handling personal data;
- the parties agree that the data subject (the EU user) has third party beneficiary rights; in other words, they are subject to lawsuits under contract law for violating their obligations; and
- the law of the data exporter (the EU data controller in the BizConnect scenario) governs the the model clauses.
These are not the terms U.S. commercial attorneys usually agree to in commercial contracts. Pre-GDPR, some US companies tried to avoid the model clauses; however, under GDPR these requirements are applying to the import of EU personal data no matter the method of demonstrating adequacy.
The GDPR replaced the 95 Directive effective May 25, 2018.
The GDPR requires additional obligations and restrictions not covered by the current “standard contractual clauses.” So in other words, relying solely on the pre-GDPR model clauses risks non-compliance under the GDPR.
What to do?
As most experts have advised, use the model clauses but add some additional clauses to cover the GDPR’s additional requirements. You might ask, did the EU promulgate some GDPR model clauses? Unfortunately, no, at least not yet. So in the meantime you need this workaround.
What are the major gaps?
They cover these main areas:
- Duration of processing
- Responding to data subjects requests
- Data breach notifications
- Requirement that the data processor assists the data controller with creation of a data protection impact assessment
- Additional audit rights
- Additional obligations to disclose information regarding onward transfers to additional countries outside EEA
IRSG, a business consultancy group, along with attorneys at global law firms DLAPiper and Clifford Chance, have crafted an “Example Data Protection Addendum.” It attempts to address the gaps between the GDPR requirements for processor contracts and the 95 Directive’s Model Clauses. This draft DPA was created July 14, 2017, and you can download a Word version at this site.
Back to our Hypothetical
BizConnect is self-certifying under the Privacy Shield to meet the adequacy test.
If an EU customer insists on the model clauses, then it will ensure that the model clauses include an addendum to cover the gaps as discussed above.
Subprocessors: Whether or not BizConnect relies on the Model Clauses, it needs the prior approval of its EU customers (acting as data controllers) to engage any subprocessors under Article 29 of the GDPR. For example, BizConnect will need to ensure that its EU customer commercial contracts include a list (and approval process for additions) of third party subprocessors, such as the web analytics provider(s) used by BizConnect. Many companies have a ten-day notification mechanism for the EU data controller/customer to object to the addition of the subprocessor. And many also authorize the EU data controller/customer to terminate the contract if it does not agree. (For instance, see Salesforce’s DPA.)
You can find all 9 best practices here.
This is TechContracts.com’s final republication from this series, by Jenny Sheridan. But you can find the rest at Jenny’s own site.
Jennifer L. Sheridan is an attorney specializing in technology contracts and privacy.
This post was originally published here and has been republished with permission.
© 2019 by Tech Contracts Academy, LLC. All rights reserved.
Thank you to Pixabay.com for great, free stock images!