Thank you for sharing!

Your article was successfully shared with the contacts you provided.
The EU Data Protection Directive [FOOTNOTE 1]has been a controversial subject between the United States and the EU since the directive was adopted in 1995. The directive, which became effective in 1998, provides stringent protection for individual personal data, and prohibits the transfer of personal data from the EU to entities located in other countries that are not deemed to have “adequate protection” for personal data. Only two countries, Switzerland and Hungary, are currently so recognized by the EU. The United States is not recognized as offering “adequate protection.” For those countries that are deemed not to provide adequate protection for personal data, the directive nevertheless allows transfer to those countries under specified circumstances. One method requires the entity exporting the data from the EU to the United States to obtain from each individual “data subject” “unambiguous” consent to the transfer. This method has been perceived as being too onerous. Another method involves participation in the Safe Harbor agreement negotiated with the EU by the U.S. Commerce Department, on behalf of U.S. companies. [FOOTNOTE 2]Companies that participate in the Safe Harbor program, which involves compliance with certain privacy standards, are deemed by the EU to provide adequate protection for the transferred data. While some companies have determined that the Safe Harbor is a practical and effective solution to compliance with the EU directive, many others are not so sure, and have withheld participation in the Safe Harbor program until enforcement and liability issues become clearer. Another method of compliance with the extra-EU data transfer provisions of the EU directive is the execution of a contract between the parties to the transfer that obligates them to comply with the directive. Article 26(4) of the directive provides that the EU may promulgate standard contractual clauses to be used by companies for this purpose. On June 18, the European Commission adopted a decision setting forth standard contractual clauses. [FOOTNOTE 3]The European Commission has also released an FAQ explaining the clauses. [FOOTNOTE 4] According to the EU, the standard contractual clauses contain a “legally enforceable declaration (‘warrant’)” under which the EU company providing the data (the “data exporter”) and the non-EU company receiving the data (the “data importer”) agree to process the data in accordance with EU data protection rules. Significantly, the clauses also contain a provision under which the parties agree that the individuals to whom the data pertains (the “data subjects”) may enforce their rights under the contract. [FOOTNOTE 5] Among the provisions in the standard contractual clauses are the following: � Obligations of the Data Exporter: A data exporter must agree and warrant that the processing and transfer of the personal data “up to the moment of the transfer” has been carried out in accordance with the relevant provisions of the data exporter’s member state and further, that the processing and transfer “does not violate the relevant provisions of that State.” The data exporter must also state that it will respond to inquiries within a reasonable time and to the extent reasonably possible from both the supervisory authority and a data subject concerning the processing of the data by the data importer. (A supervisory authority is the public authority responsible for monitoring the application of the directive within a particular EU member state.) � Obligations of the Data Importer: A data importer must agree that its data-processing facilities will be available for audit, either by the data exporter or an independent professional inspection body. A data importer must also make a representation that it has no reason to believe that applicable law prevents it from fulfilling its obligations under the contract, and further agrees to notify the data exporter and the relevant supervisory authority in the data exporter’s member state if an applicable law changes in such a way that it is “likely to have a substantial adverse effect on the guarantees provided in the Clauses.” � Third-Party Beneficiary Clause: The parties must include in the data transfer agreement a clause granting data subjects the ability to enforce certain provisions as a third-party beneficiary. A data subject is also entitled to be represented by “an association or other bodies” if such representation is permitted by national law. � Liability: The data exporter and the data importer must agree to be “jointly and severally liable” for damage to a data subject resulting from any violation of the terms of the agreement of which the data subject is the third-party beneficiary. � Mediation and Jurisdiction: The data importer must agree to be bound by the decision of a data subject to refer disputes to mediation or to a court in the member state of the data exporter. � Governing Law: The standard contractual clauses are to be governed by the law of the member state where the data exporter is established. � Cooperation With Supervisory Authorities: The parties agree to deposit a copy of the contract with the appropriate supervisory authority if it requested or if deposit is required under the applicable national law. Practitioners should be aware that the intended effect of these and the other standard contractual clauses is to subject a data importer to the EU data-protection legal regime, including scrutiny by EU data-protection authorities. These obligations should not be taken lightly. A U.S. entity that intends to import data from the EU by way of a contract that contains these clauses will be contractually obligated to comply with the terms of the directive, and to allow data subjects to seek relief in Europe under EU law. Therefore, exercise due caution in advising a client to assent to a contract containing the EU standard clauses. In addition to the stringent requirements set forth above, counsel must also weigh the advantages and disadvantages of this approach against other methods (such as those described above) that would allow the transfer of personal data from the EU to the United States. Marc Roth is a senior associate at Brown Raysman Millstein Felder & Steinerin New York. He concentrates his practice in privacy and advertising law. ::::FOOTNOTES:::: FN1Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. O.J. (L 281) 31 (Council Directive). FN2 See http://www.export.gov /safeharbor/. FN3http://europa.eu.int/comm/internal_market /en/dataprot/news/1539en.pdf. FN4Available at http://europa.eu.int/comm/internal_market /en/dataprot/news/clauses2faq.htm. FN5News Release No. 48/01 Data Protection Commission Approves Standard Contractual Clauses for Data Transfers to Non-EU Countries (June 18, 2001), available at http://www.eurunion.org/news /press/2001/2001048.htm.

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]

Reprints & Licensing
Mentioned in a Law.com story?

License our industry-leading legal content to extend your thought leadership and build your brand.


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.