Data Exports to Processors and Sub-processors

June 29, 2009

The Article 29 Working Party has published an Opinion on a draft EU Commission decision despite the fact that the draft decision itself does not yet appear to have been published. It is to be hoped that, when it is eventually published, the decision will clarify the recommended approach to the appointment of subcontractors to process personal data transferred overseas.

The issue may seem obscure but it is not; the involvement of sub-processors is part of the commercial reality for those who outsource data processing. A realistic and clear way of dealing with that is long overdue.

Background

The Data Protection Directive (95/46/EC) impacts on the use of data processors by imposing two main requirements on the person who appoints the processor (the data controller):

  • to appoint a processor who offers appropriate levels of security for the processing, secured by contract terms; and
  • to ensure that any personal data transferred outside the EEA is afforded ‘adequate protection’.

Data controllers can meet these two requirements in various ways but the method most commonly used in the commercial environment where a controller uses a processor outside the EEA is for the two parties, controller and processor, to enter into the Commission-approved model contract for the transfer of data between a controller in the EEA and a processor situated outside it. This contract satisfies both the security and the adequacy obligation.

However, the model contract does not deal with the appointment of subcontractors to the main processor, whether these are situated within or outside the EEA. This has long been an irritant for business. It means that a contract to have personal data processed by a sub-contractor outside the EEA cannot have the protection of the model clauses unless the model contract is entered into directly between the data controller and the sub-contractor, or some device is adopted to use the model clauses as between the head processor and the sub-processor. As global outsourcing has become more complex with the appointment of subcontractors throughout the world, the pressure on the Commission to adopt a new model contract which deals with this problem has increased.

Previous Proposal

In 2006 the International Chamber of Commerce, working with other organisations, put forward a proposal for a revised version of the controller-to-processor model contract which included a specific provision to deal with the appointment of sub-processors. The new clause would provide that a head processor (the data importer) could not sub-contract its rights or obligations under the model clauses without the prior written consent of the data controller (the data exporter). However, such subcontracting would be allowed, with the consent of the data exporter, subject to a written agreement between the exporter and the subcontractor which would impose the same obligations as those in the model clauses upon the sub-contractor. If a subcontractor failed to fulfil its obligations, the main processor would remain fully liable to the data exporter for the subcontractor’s obligations.

This would mirror the structure of many current legal arrangements where a processor, whether inside or outside the EEA, uses a sub-contractor outside the EEA. The current arrangements can, however, be clumsy legal vehicles, hampered by the fact that the current model clauses are drafted so as to apply only between a controller and a processor. For example, one of the devices commonly used is for the main processor to enter into a model contract with the sub-processor subject to a recital at the start of the contract that the processor is a data controller, but for the purposes of the contract only. This is clearly less than satisfactory.

Opinion 3/2009

In March 2009 the Article 29 Working Party published Opinion 3/2009 on the Draft Commission Decision on standard contractual clauses for the transfer of personal data to processors established in third countries, under Directive 95/46/EC. The Opinion recites the problems caused by the fact that the current model contract does not deal with the position of sub-contractors and it is clear from the terms of the Opinion that the revised Draft Decision now does. Sadly we can only guess at the approach taken in the Draft Decision from the tenor of the Opinion as the Draft Decision does not appear to have been published.

The Opinion states that the Draft would allow a processor established in a third country (ie outside the EEA) to make onward transfers, for the purposes of sub-processing only, subject only to a simple authorisation granted by the controller, while processors established in the EEA who wish to use a sub-processor in a third country ‘should continue to use the current legal system’. This strongly suggests that the proposed Decision does not mirror the ICC proposed clause and differentiates between main processors which are established in the EEA and those which are outside the EEA, allowing more leeway to those which are outside the EEA to sub-contract on terms which do not necessarily mirror the requirements of the model clauses. The Opinion also states that the new provisions as drafted would require the processor to send a copy of any subcontract he enters into to the data controller which again suggests that the contract does not have to be on the model terms.

The Article 29 Working Party raises concerns about this and a number of other matters. It urges the Commission to develop an appropriate contract which would meet the following standards:

  • There should be parity between processors and sub-processors wherever they are based, whether within or outside the EEA.
  • All sub-processing should require the consent of the data controller.
  • Sub-processors should not be able to appoint further processors without the specific consent of the controller, in particular where sensitive personal data are involved.
  • Any chain of sub-processing operations should be subject to the same level of protection as required by the model clauses, with the model clauses being effectively cascaded down the chain and care being taken to ensure that the use of sub-contractors does not affect the purpose limitation principle.
  • The data controller should ensure that data subjects’ rights are safeguarded even where a chain is in effect, for example by setting up a single corporate contact for subject access.
  • The data controller should maintain a ‘register’ of all the processors in the chain.
  • All the sub-processors should be subject to the governing law of the State in which the data controller is established.
  • Rights of audit by the data protection regulator in the data controller’s home country should be part of the contract terms cascaded down the chain.

It is questionable whether all of these are realistic, particularly the choice of law clause; however, they would amount to a single coherent code for sub-processing which would at least produce a level playing field in the regulated area.

The Opinion recognises, however, that until a revised model is adopted the situation remains unsatisfactory, and it urges national regulators to accept sub-processor contracts that include adequate guarantees for the protection of personal data by analogy with the model clauses, saying:

‘... contracts made between an EU/EEA data controller and an EU/EEA data processor under which the controller authorises the transfer of data to a sub-processor outside the EU/EEA should be viewed by a national data protection authority as providing adequate protection for the rights of the data subjects whose data is being transferred if they apply by analogy the same principles and guarantees of these Standard Contractual Clauses 2002/16/EC.’

The Opinion also goes on to deal with the effect on existing contracts if the current applicable Decision 2002/16/EC is repealed and replaced by a new Decision. It recognises that the replacement of the existing contracts based on the 2002 model would create a disproportionate burden, but recommends transitional provisions under which existing agreements remain in force as long as the transfers and processing involved have not changed. However, if data controllers wished to amend the existing agreement or add new sub-processing arrangements, they would be required to adopt the new clauses.

Comments

I welcome the fact that we have at last seen some movement on this long-standing issue. However, it seems extraordinary that the draft Commission Decision has not been published and that such a simple point should be taking so long to resolve. The positive point for data controllers who are using sub-processors is that the Article 29 WP endorses the current standard practice of cascading the model clauses down to sub-processors, although it does not currently offer any more flexible mechanism for achieving this.

Rosemary Jay is a partner and Head of the Information Law team with Pinsent Masons and the author of Data Protection Law and Practice published by Sweet & Maxwell.