Privacy Law and Policy Reporter
Harmony or discord? Using intra-group contracts to address international data protection standards
Gayle Hill FREEHILLS
Multinational corporate groups seeking to reap the benefits of globalisation must inevitably grapple with the vexed and seemingly intractable challenge of complying with multiple data protection and privacy regimes.
At the heart of the issue lies the requirement under the European Data Protection Directive (Data Protection Directive) with respect to international data transfers. The export of personal data from any European Union Member State or from any European Economic Area member country to a third country is restricted unless the recipient country ensures an ‘adequate level of protection’ of that personal data. Further, because a number of non-European countries have now legislated to protect personal data, transfers of such data from those countries will be restricted by any transborder data flow (TBDF) provisions that are imposed under the law of the exporting country.
Accordingly, multinational corporates (MNCs) are likely to find that the countries in which they operate include any or all of the following:
• European countries having laws that mirror the Data Protection Directive restrictions on TBDFs, such as Great Britain (EU countries);
• countries with data protection laws or schemes that have been assessed as ‘adequate’ for the purposes of the Data Protection Directive, such as Switzerland, Hungary, Canada and, in those situations where the relevant company participates in the ‘Safe Harbor’ scheme, the US (adequate countries);
• countries with data protection laws that either have not been conclusively assessed or have been assessed as ‘inadequate’, such as Australia (non-adequate countries); and
• countries in which personal data is not protected, such as in India (unregulated countries).
Transferring personal data within the MNC but across national territorial boundaries requires that the entity exporting the data adheres to its own domestic laws (if any) that govern TBDFs. Further, the recipient entity in the corporate group might be required by the exporter to adhere to standards established under the laws of that exporting country.
A simple diagram to explain the resultant web of personal data protection restrictions that potentially apply to TBDFs within the MNC is set out in Table 1. The complexity of the situation is further exacerbated when a recipient company in the MNC seeks to onward transfer personal data to another country.
However, global organisations are increasingly unlikely to operate in such a simplistic capacity. To take advantage of globalisation, MNCs strive to gain efficiencies out of streamlining their operations and reducing duplication of processes. MNCs may seek to warehouse greater volumes of the data that they hold in fewer locations or in common databases accessible by entities in various locations around the world. As a result, the entities in their groups will need to transfer personal data internationally and receive data from other countries. Often MNCs may structure the processes within the group with the view to ensuring that the flow of information between the members can occur as quickly and as freely as possible, to and from multiple points in the MNC at any time.
Whatever the internal mechanics adopted by the MNC, it is a considerable impediment to competitive efficiency if the multinational fails or is unable to implement a system that harmonises the various data protection and privacy standards that attach to personal data transferred across national borders. Nevertheless, it is imperative for the group to do so if it is to achieve compliance with data protection and privacy regulation.
Although the ‘adequacy’ process under the Data Protection Directive offers some assistance at a macro level, Table 1 clearly illustrates that MNCs having European operations will be disadvantaged if any of the other countries in which they operate have laws that do not meet the standards required to be deemed as ‘adequate’. Furthermore, whether or not a country has legislation that is ‘adequate’ for the purposes of the Data Protection Directive is essentially in the hands of the domestic legislature and is not an outcome that the MNC can guarantee.
Assuming that the TBDFs do not fall within the specific derogations in the Data Protection Directive, which is highly unlikely when vast amounts of data are being transferred regularly for varying purposes by different entities in the group, alternative arrangements must be implemented. Other means by which MNCs can seek to resolve the dilemma of harmonising multiple data protection standards at a micro level include:
• using the standard contractual terms that have been approved by the European Commission (EC) for those purposes; and
• developing a non-standard intra-group agreement to govern TBDFs within the group.
EU model (or standard) contracts
Under art 26(4) of the Data Protection Directive, the EC has the power to decide that certain standard contractual clauses offer sufficient safeguards to ensure adequate protection for personal data that is transferred internationally from the European Union.
Pursuant to that power, the EC has made decisions with respect to standard contractual clauses to facilitate the transfer of personal data to non-EU countries. The two versions of the clauses respectively address the TBDF:
• to an importer which is to be a controller of that data; and
• to an importer which is merely to undertake processing of that data on behalf of the exporter.
A data controller exporting personal data from an EU country on the terms contained in the model contracts does not need to seek the prior approval of that country’s data protection regulator, thereby alleviating an onerous administrative burden. The model contracts are intended to expedite TBDFs between organisations operating in different jurisdictions and under different data protection standards, including MNCs.
However, the model clauses themselves may not offer an attractive option to many global organisations. The clauses have been criticised as:
• flawed and inflexible;
• unable to accommodate different types of organisations, recipient countries and personal data;
• imposing a ‘one size fits all’ approach; and
• arguably requiring separate sets of terms for each of the EU countries.
Although global organisations may be prepared to live with some difficulties in effecting TBDFs, it is the model clauses themselves that present the greatest obstacle. The roadblock potentially arises when the model terms are reviewed by lawyers practising in any of the non-adequate or unregulated countries in which the MNC operates. For example, the entity’s local legal counsel is likely to advise that the model clauses:
• are very onerous;
• require observance of the laws of the country of the exporting entity when the importer is not in a position to know or ascertain those laws;
• go well beyond what would otherwise be required under the importing entity’s own local laws;
• in countries that recognise the privity of contract doctrine (such as Australia), incorporate concepts that are not recognised under that country’s laws, particularly the purported granting of rights to the data subject to enforce the terms and bring an action in a court even though privity of contract principles preclude such third party rights; and
• include a reverse onus of proof with respect to establishing an entitlement to compensation for a violation of the terms.
As a result, prudent local legal counsel is likely to advise against agreeing to the standard contractual terms and to decline to sign off on contracts incorporating those terms.
Non-standard intra-group TBDF agreements
Another potential solution for MNCs is the use of an intra-group TBDF agreement that does not adopt the model clauses; in other words, a non-standard contract. This approach also involves the various entities in the group entering into an agreement the terms of which govern their TBDFs. Those terms must operate in such a way as to address deficiencies in levels of protection in recipient countries by raising the standards of protection whenever those standards fall below what is regarded as ‘adequate’.
For situations in which data may be transferred within the MNC, an entity that is exporting data from an EU country would face an onerous task attempting to determine if all other likely recipients of the data are subject to laws that are ‘adequate’. Such an analysis requires an assessment of the data protection standards applicable in the recipient countries and the means by which their application is ensured.
Exporting entities will often not be in a position to assess the adequacy of the laws of other countries. The intra-group TBDF agreement could set out basic data protection standards. Recipients would be required:
• to handle any internationally transferred personal data:
— in accordance with the data protection laws of the recipient’s country; or
— in the absence of such local laws or to the extent that the basic standards in the agreement are higher than those of the local laws, in accordance with those basic standards; and
• to comply with instructions of the exporter when the recipient is handling the data as a mere processor (as opposed to a controller).
This approach means that the data exporter is not obliged to determine adequacy for any TBDF because adequacy is assured under the agreement. The basic standards set out in the intra-group TBDF agreement could be modelled on the mandatory data protection principles in the standard contractual clauses for the transfer of personal data to third countries.
However, to guarantee a minimum level of protection, the intra-group TBDF agreement must include enforcement mechanisms. The third party beneficiary clauses typically used by EU countries pose the same problems under privity of contract principles as exist for the EU model contracts. A possible solution might be for the exporter to be obliged to enforce the obligations of the recipient entity for the benefit of data subjects adversely affected by mishandling of personal data by a recipient. Such a provision would apply only where third party beneficiary rights purported to be granted to data subjects are not recognised by local law.
There remains a problem, however, if the exporter fails to bring the recipient to account. A safety net could be provided by ensuring that if the data subject is denied redress under local laws, the agreement is governed in that event by the laws of a country that does enable the third party rights to be enforced, such as the laws of England and Wales. Practically, though, a data subject not resident in that country would still face problems.
Non-standard intra-group TBDF agreements may also prove to be administratively burdensome where exporters are obliged under local laws to obtain the approval of the local data protection regulator prior to any TBDFs. Under the Data Protection Act 1998 (UK), such approval is not required, the UK Data Protection Commissioner sensibly taking the view that the data exporter must determine how it ensures compliance with the legislation and ought to be able to defend its actions should it be called to account subsequently.
If the approval of numerous regulators is required, an alternative might be to seek the endorsement of the EC itself under the same process as that followed for the EU model clauses. If that occurred, European data protection authorities would be obliged to recognise that TBDFs under an approved intra-group agreement would enjoy adequate protection, even if those authorities still require notification of the agreement under their own local laws. Background information that accompanied Decision 2002/16/EC stated:
The Commission has declared its readiness to examine and if appropriate approve other sets of standard contractual clauses submitted by business organisations or other interested parties.
It is not clear from the above if an intra-group TBDF agreement would be regarded by the EC as a ‘set of standard contractual clauses’ or if the EC would limit itself to approving standard clauses submitted on behalf of industry sectors.
Clearly, however, the global business community will continue to struggle with TBDF compliance and with harmonising international data protection standards until more streamlined and simplified ways of addressing the regulatory requirements can be achieved. The need for a common EU wide approval process to facilitate intra-group TBDF arrangements is self-evident and must be one of the next challenges to resolve in this area.
Gayle Hill is a special counsel in the Melbourne office of Freehills and advises in the area of privacy law and practice. She is the national co-ordinator of Freehills’ privacy law team. Before joining Freehills in 1996 Gayle was a senior in-house counsel at Australia’s major telecommunications corporation where she had corporate legal responsibility for privacy. Steven Powell assisted in the preparation of this article. Until recently he was a privacy adviser at Freehills who has held various positions as a privacy manager and adviser during more than 15 years working in this area of the law. Gayle can be contacted at (03) 9288 1599 and <gayle.hill@freehills.co>.
1. European Union ‘Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data’ Official Journal of the European Communities L 281 23 November 1995 at 31.
2. Above note 1 at art 25(1).
3. Details of the Safe Harbor scheme are available at <www.export.gov/safeharbor/sh_documents.html>.
4. For present purposes, disparities in the way in which different EU countries have implemented the Data Protection Directive have not been canvassed. For a discussion on the need for a consistent European wide data protection law, see Pullen T ‘95/46: The Case for Proper Reform’ (2002) 2(12) World Data Protection Report 14 (BNA International Inc).
5. Article 26(1) of the Data Protection Directive permits TBDFs to a non-adequate country in limited specified circumstances.
6. European Commission Decision 2001/497/EC (15 June 2001).
7. European Commission Decision 2002/16/EC (27 December 2001).
8. Pullen, above note 4 at 17.
9. For guidance on assessing ‘adequacy’ see European Commission WP 12 (5025/98) working document ‘Transfers of personal data to third countries: applying arts 25 and 26 of the EU data protection directive’ adopted on 24 July 1998 by the Working Party on the Protection of Individuals with regard to the Processing of Personal Data; and UK Data Protection Commissioner ‘The Eighth Data Protection Principle and Transborder Dataflows’ July 1999, which is a preliminary view of the Data Protection Commissioner on assessing adequacy including consideration of the issue of contractual solutions and is available at <www.dataprotection.gov.uk/dpr/dpdoc.nsf>.
10. European WP 12 (5025/98), above note 9 at p 5.
11. Above note 6, Appendix 2.
12. UK Data Protection Commissioner ‘International transfers of personal data: advice on compliance with the 8th data protection principle’ para 9.5, available at <www.dataprotection.gov.uk/dpr/dpdoc.nsf>.
13. Background documentation dated 22 January 2002 accompanying above note 7, available at <europa.eu.int/comm/internal_market/en/dataprot/modelcontracts/02-102.htm>.