European Union Adopts Standard Contract Clauses for Transfers of Personal Data

Author:Mr Paul Kilmer
Profession:Holland & Knight LLP
 
FREE EXCERPT

In 1998, the European Union (EU) put into effect a directive that prohibited

the transfer of personal data to nations outside of the 15-member EU, unless the

nation to which the data was transferred "ensures an adequate level of

protection." The directive does not specify what measures are

"adequate," but provides only general guidance about the factors to be

considered in assessing the "adequacy" of non-member states' privacy

protections. Consequently, this directive has caused considerable uncertainty

and debate; it was widely believed that EU companies could not export personal

data - such as human resources information or information gathered on customers

- without violating EU data privacy laws.

In an effort to provide some clarity, this past summer the European

Commission adopted certain standard contractual clauses by which organizations

can transfer personal data. These clauses include:

making those whose data is transferred third-party beneficiaries under the

contract and allowing associations and "other bodies" to bring

actions against the actual contracting parties for violations of the

agreement that adversely affect persons whose data is transferred

a warranty that the use of the personal data does not violate applicable

EU laws and regulations

a warranty that persons whose data is to be transmitted outside of the EU

have been advised of that possibility

a guarantee that the exporter of the data will, upon request, provide a

copy of the standard clauses to person whose data is exported from the EU

an undertaking that the data exporter will abide by certain

"Mandatory Data Protection Principles" that must be attached to

the agreement

mandatory audit provisions applicable to the importer of data (who is

located outside of the EU)

admission of possible joint and several liability by the data exporter and

data importer to the person whose data is transmitted outside of the EU for

a number of potential breaches of the standard clauses

mandatory indemnification for costs to enforce the agreement

mandatory mediation and submission to jurisdiction in the courts of the EU

Member State where the data exporter is located

a reservation of rights by the person whose data is transferred,

permitting that person to rely upon the substantive and procedural rights

available under national and international laws that may apply to the

agreement

a provision requiring that the parties to the contract will deposit a copy

of the standard clauses with an EU Supervisory Authority upon request...

To continue reading

REQUEST YOUR FREE TRIAL