What the proposed data protection regulation means for outsourcing by UK organisations

John will be blogging separately on the draft data protection regulation published by Commissioner Reding earlier today, but I thought I’d share some thoughts in relation to its impact on outsourcing in the UK.

To date, data controllers in the UK have had a degree of flexibility when entering into outsourcing agreements that involve the processing of personal data outside the EEA.

Under the Data Protection Act 1998, which implemented the 1995 EU directive in the UK, transfers outside the EEA may broadly take place in the following circumstances:

  • Where the European Commission has made a finding of adequacy in relation to the level of protection offered to personal data in the country or territory in question (including, for example, the US Safe Harbor scheme);
  • Where the transfer is made pursuant to contract on terms approved by the European Commission (AKA the EU model clauses for data transfers);
  • Where the organisation has put in place binding corporate rules that have been approved by the relevant data protection regulators; and
  • Where the data controller has made a finding of adequacy in respect of the proposed transfer.

Findings of adequacy
The ability to make a finding of adequacy is particularly useful for data controllers, as it allows the data controller to make a reasoned decision based upon its diligence on the proposed data processor and the actual contractual terms that are put in place.

In particular, it allows the data controller to deviate from the approved model clauses without needing to go through the administrative burden of having those clauses approved by the Information Commissioner. For example, the data controller may wish to outsource a service through a single contracting entity on behalf of various group data controllers, rather than enter into multiple model clause agreements between each data controller and the end data processor.

The ability to make a finding of adequacy is not carte blanche to do anything – the data controller still needs to be able to justify its actions to the Information Commissioner, but it does provide some significant commercial flexibility.

The position outside the UK
But that permissive and flexible approach in the last bullet does not apply everywhere in the EU. In a number of EU member states, any deviation from the model clause agreements needs to be notified to and approved by the national data protection regulator. In some member states even the use of the model clause agreements needs to be notified to the regulator.

So what will happen under the new law?
If passed as it stands, the regulation would have direct effect. Unlike a directive, there would be no need for local implementation by individual member states. The intention of the regulation is to have a uniform data protection law across the whole of the EU – a law that is not subject to local variations and differing interpretations by different parliaments, regulators and courts.

The consequence of this is that the rules on cross-border data transfers will be unified.

Under the draft regulation there is no ability for the data controller to make a finding of adequacy. If the data controller wishes to vary from the terms of the model clauses, the data controller will need to obtain the consent of the relevant data protection regulator.

Whilst not unexpected, confirmation of this restriction is disappointing and will substantially increase the red tape involved in entering into outsourcing agreements – particularly where there are complex inter-group arrangements and multiple data controllers.

The UK Information Commissioner has already issued a press release questioning this requirement, presumably with half an eye to the increased (and unnecessary) administrative burden that it will incur, when its resources are already stretched.

Of course, the irony here is that, as all seasoned data protection lawyers will tell you, the data processor has no direct obligations under data protection laws – it is the data controller that is responsible for ensuring (contractually) that data is securely processed. The national legislation of the country in which the processor sits is irrelevant. Approved form processing contracts are not required within the EEA, so why should transfers outside the EEA be treated differently?

Why not simply leave it to the data controller to ensure that it has carried out its diligence and has an appropriate contract, as the law requires for outsourcing within the EEA? I’m not aware of major problems having arisen from data controllers deviating from the model clauses, so why try to fix something that isn’t broken?

It must be hoped that this change does not make it into the final draft. Those involved in outsourcing may wish to support the UK Information Commissioner in ensuring that a workable mechanism is in place for cross border outsourcing.

6 Responses to “What the proposed data protection regulation means for outsourcing by UK organisations”

  1. martinsloan January 25, 2012 at 10:14 pm

    Walter – thanks for your post.

    That is the position under the UK implementation of the directive.

    This page on the UK Information Commissioner’s website explains the roles of the data controller and data processors under the UK Data Protection Act (DPA):


    The data controller is responsible under the DPA for ensuring that a data processor acting on its behalf complies with the Act in relation to that processing. Similarly, the data subject’s remedies are against the data controller, not the data processor.

    There have been a number of high profile data loss cases in the UK involving contractors. In each case, it is the client (data controller) that the Information Commissioner took action against.

    I know that some member states impose direct obligations on data processors. Is the Netherlands one of those countries?

    • Walter van Holst January 27, 2012 at 10:12 am

      Yes, that is the consensus among Dutch IT lawyers. The controller remains responsible, but has the added responsibility to enforce the compliance of the processor with the rules. Bear in mind that currently the implementation of the controller’s country applies, and that therefore UK-based processors are by extension directly addressed by the rules in those countries that impose direct obligations on data processors.

  2. Walter van Holst January 25, 2012 at 9:55 pm

    The idea that the data processor has no direct obligations under the current system is a mistake. A data processor that is negligent can get in trouble with the regulators. If this is the common understanding among English IT lawyers, they ought to take a look at the reasoning behind the blanket prohibition of personal data transfer outside the EFTA.

  Trackbacks:
  1. UK government opens informal consultation on new EU data protection regulation « Brodies TechBlog, February 8, 2012 at 2:30 pm
  2. e-update on the draft data protection regulation – what price harmonisation? « Brodies TechBlog, January 30, 2012 at 12:07 pm
  3. The draft data protection regulation – a summary of the key provisions « Brodies TechBlog, January 25, 2012 at 9:15 pm
