Data protection in Europe

This alert deals with hot topics in European data protection – transferring data and the results of the CNIL's (the French Data Protection Regulator) 2010 annual report.

Transferring data

The new model contract for transfers of personal data from data controllers in the European Economic Area (EEA) to data processors outside of the EEA came into force on 15 May 2010. It repealed the 'old' version of this model contract. The European Commission's Article 29 Working Party has issued a frequently asked questions (FAQs) document on the subject.

The FAQs answer some commonly asked questions such as: Who should be regarded as the 'data importer' when the primary service provider is located within the EEA? Should it be the primary service provider or the service provider's ex-EEA sub-contractor? The answer is that it should be the ex-EEA sub-contractor.

What the FAQs do not answer is why the European Commission didn't take into account the fact that nowadays service contracts are often entered into locally. This means both customer and primary service provider are based within the EEA, with a flow of sub-contracts (and personal data) to both EEA and non-EEA based sub-contractors sitting behind the primary service contract.

In this case, if the model contract has to be put in place with the ex-EEA sub-contractor, the model contracts would need to be separate from the primary services agreement. This is not always the preferred option of either the customer or the service provider. The FAQs do hint at some future changes on this which might help simplify the contractual relationships, but they do not give much away on what we can expect and when.

Nor do the FAQs answer the question as to what type of additional commercial clauses (which can be added to the model contract as long as they do not 'vary' the model contract terms) the European Commission has in mind. For example, does adding a limitation of liability constitute a variation to the model contract?

For more information on transferring data, speak to data protection specialist Kirsten Whitfield.

CNIL annual report

In its annual report, the CNIL (the French Data Protection Regulator) gave its views on some privacy issues including:

• Advertising and behavioural targeting
• Use of binding corporate rules (it looks like the CNIL is going to be busy on this front)
• Discovery and requests from the US
• Outsourcing, including cloud computing (a toolkit from the CNIL is imminent on this)
• The simplification of rules in France for transfers of personal data outside of Europe
• Whistleblowing and other forms of surveillance
• The disappointing findings following its assessment of a number of organisations on recruitment practices and procedures
• Its plans for further assessments during 2010 and new online procedure for filing complaints

Director Christine Borfiga from Wragge & Co's Paris office provides more detailed analysis.

With offices in the UK, Belgium, France and Germany, Wragge & Co offers cross-border European data protection expertise from specialists who understand the issues facing international businesses. For topical updates on data protection and information law, take a look at Wragge & Co's legal alerts. Find out more about Wragge & Co's data protection capabilities and credentials..