Wednesday, February 24, 2010

Outsourcing and Data Protection in the European Union: EU Standard Contract Clauses Must Be Changed Regarding Overseas Transfers of Personal Data

Out-law.com alerts us that a recent formal Decision of the European Commission requires the model clauses for overseas transfers of personal data to be updated, writing:
"Outsourcing companies outside the EU will now have to get written permission to subcontract the processing of personal data after the European Commission changed arrangements permitting the export of such information.

The EU's data protection regime limits the export of personal data outside the European Economic Area (EEA) which comprises the EU, Iceland, Norway and Liechtenstein.

A small handful of countries have proved their data protection regimes the equivalent of the EU's and so are permitted to receive personal data without further steps (Switzerland, Canada, Argentina, Guernsey, the Isle of Man and Jersey), while the US has a special arrangement, the Safe Harbour scheme, under which participating US companies can receive data if they promise to abide by rules over and above US law.

For transfers to all other countries there must be specific data protection contractual arrangements in place before the personal data of EU residents can be sent to companies based there for processing. The European Commission produces standard clauses that are used in such contracts.

The Commission has changed the terms of those clauses to allow companies in non-European Economic Area (EEA) countries to sub-contract work, but only with the explicit permission of client companies." [emphasis added]
Read the full article here for more details and a link to an Out-law.com guide to overseas transfer of personal data.