Privacy and Security TidBits

EU Cross Border Ediscovery, Standard Contractual Clauses, and Sub Processors: What Will Change on May 15, 2010?

How the New EU Rules on Data Export Affect Companies in and outside the EU

by Dr. Thomas Helbing

On 5 February 2010 the Commission of the European Union (EU) updated the set of standard contractual clauses for the transfer of personal data to processors in non-EU countries. The old clauses are repealed with effect from 15 May 2010.

Standard contractual clauses are an important instrument for companies in the EU to comply with national data protection laws if information on individuals is transferred to or accessed by organizations outside the EU.

The EU Commission decision is relevant for all organizations receiving personal data – for example customer or employee data – from subsidiaries, customers or vendors in the EU.

In addition, the new standard contractual clauses will also affect companies that indirectly receive personal data that originally comes from the EU, e.g. by providing services to companies which process EU data. This is because the new standard contractual clauses require companies importing personal data from the EU to contractually impose the terms of the clauses on any subcontractor to which they transfer personal data or grant access.

In particular, agreements on outsourcing, cloud computing, software as a service (SaaS) or application service providing (ASP), and software like Human Resources Information Systems (HRIS), Customer Relationship Management (CRM) tools and Enterprise Resource Planning (ERP) software are affected.

Example “CRM”: CRM-Ready Inc. is a US-based company providing Customer Relationship Management software that clients use remotely via a web browser (Software as a Service – SaaS). Best-Resell GmbH in the EU intends to use CRM-Ready’s system to store and manage its customer data. CRM-Ready Inc. and Best-Resell GmbH agree to conclude a contract with the EU standard contractual clauses to ensure Best-Resell’s compliance with local privacy laws.

Example “HR-Data”: Global Workers Ltd. is a multi-national company headquartered in Japan with subsidiaries in various EU countries. Names, functions and phone numbers of all employees are stored centrally in a firmwide database at Global Workers Ltd. in Tokyo. The EU subsidiaries and Global Workers Ltd. agree on the EU standard contractual clauses to ensure the lawfulness of the intra-group data transfers under EU laws.

In this article we answer the following questions:
• What is the Concept behind Standard Contractual Clauses?
• What are the Changes to the Standard Contractual Clauses?
• How Does the New Subcontracting Scheme of the Clauses Work in Practice?
• When Do the New Clauses Take Effect and Which Existing Agreements Need to be Updated?
• How Do the Clauses Affect Companies Outside the EU?
