Approval has been given to a new set of standard contractual clauses which businesses can use to ensure adequate safeguards when personal data is transferred from the EU to non-EU countries. The new clauses, submitted by a business coalition, will be added to those already available under the Commission’s June 2001 decision. The use of standard contractual clauses offers companies and other organisations a straightforward means of complying with their obligation under the 1995 EU Data Protection Directive to ensure 'adequate protection' for personal data transferred outside the EU.
Over the past three years, a coalition of business associations led by the International Chamber of Commerce has negotiated these new standard contractual clauses with the EU Commission and with the committee of EU data protection authorities (the “Article 29 Working Party”).
Companies believe that some of the new clauses, such as those on litigation, allocation of responsibilities or auditing requirements, are more business-friendly. Yet they provide a similar level of data protection as those of 2001, and to prevent abuses, the data protection authorities are given more powers to intervene and impose sanctions where necessary. The implementation of this new set of clauses will be reviewed in 2008.
'Adequate protection' regimes
Contractual clauses are not necessary, however, to transfer data to Switzerland, Canada, Argentina and the UK territories of Guernsey and the Isle of Man, whose own regimes are recognised by the Commission as offering adequate data protection. Neither are they needed for transfers to U.S. companies adhering to the ‘Safe Harbor’ Privacy Principles issued by the U.S. Department of Commerce.
For transfers to other countries, standard contractual clauses are one of a range of means under the 1995 Directive to ensure appropriate data protection.
More clauses possible
This is the third set of standard contractual clauses made available to operators since the Directive entered into force in 1998. Should other interested parties submit other set of clauses in the future, the Commission may consider them if they contribute to further simplification and ensure adequate safeguards.
The Commission is also working with the data protection authorities on other possible alternatives, such as “Binding Corporate Rules”, that is, the use of codes of conduct instead of model contracts for the transfer of personal data to third countries. All these efforts are part of the Commission’s work programme for a better implementation of the Data Protection Directive, the results of which will be assessed by the Commission in 2005.
Single Market Commissioner Charlie McCreevy, said: ”The business community has shown a serious commitment towards data protection and the Commission has carefully listened to business needs. This is a good example of regulating in cooperation with business.”
For further information