1 Agencia Española de Protección de Datos
The Use of Contracts and BCRs to Transfer Personal Data
The European Union – United States Safe Harbor framework: bridging differences in approaches to data protection
Washington, 7 December 2005
Agustín Puente Escobar – Head of the Legal Department, Agencia Española de Protección de Datos

2 1. Introduction

3 How to transfer data from the EU to the US: options
– Safe Harbor
– Cases under Art. 26(1) of the EU Directive
– Contracts with model clauses
– Binding Corporate Rules

4 “In order to facilitate data flows from the Community, it is desirable for data controllers to be able to perform data transfers globally under a single set of data protection rules. In the absence of global data protection standards, standard contractual clauses provide an important tool allowing the transfer of personal data from all Member States under a common set of rules.”
Commission Decision 2004/915/EC, Preamble

5 Requirements under the Spanish Data Protection Act
Proposed TDF (transborder data flow):
– If the company is included in the Safe Harbor list, or the transfer falls under Art. 26(1) of the EU Directive: notification to the AEPD’s Register.
– If not: provide adequate safeguards (contractual clauses or binding corporate rules), obtain the authorisation of the Director of the AEPD, and inscribe the TDF in the AEPD’s Register.

6 2. Contractual clauses

7 Possible options for contractual clauses
TDF from controller to controller
– Commission Decision 2001/497/EC
– Commission Decision 2004/915/EC
TDF from controller to processor
– Commission Decision 2002/16/EC
Moreover
– Other contracts that provide adequate safeguards according to internal law

8 “Since the use of standard contractual clauses for international data transfers is voluntary, as standard contractual clauses are only one of several possibilities under Directive 95/46/EC for lawfully transferring personal data to a third country, data exporters in the Community and data importers in third countries should be free to choose any of the sets of standard contractual clauses, or to choose some other legal basis for data transfer. As each set as a whole forms a model, data exporters should not, however, be allowed to amend these sets or totally or partially merge them in any manner.”
Commission Decision 2004/915/EC, Preamble

9 Applicable law to data processing by the importer
Purpose: to provide adequate safeguards within the personal data flows between both parties.
Therefore: the contractual clauses must create an “adequacy area” within these flows, equivalent, for instance, to the Safe Harbor.
Consequence: the applicable law should be “adequate”:
– the law of the country where the exporter is located
– the core principles
– the Safe Harbor principles (if the importer is established in the US)

10 Core principles
1. Purpose limitation.
2. Data quality and proportionality.
3. Transparency.
4. Security and confidentiality.
5. Rights of access, rectification, erasure and blocking of data.
6. Special categories of data (consent, specific security measures).
7. “Opt-out principle” when using the data for direct marketing purposes.
8. Automated individual decisions.
Source: WP 12 and the Decisions on standard clauses

11 Basic content of contractual clauses
1. Third-party beneficiary clause: the data subject must be able to enforce the contract against both parties.
2. Liability: joint and several, or based on “culpa in eligendo” or “in vigilando”.
3. Restrictions on onward transfers, unless adequacy or consent is found.
4. Security and audit, to ascertain compliance with the warranties and undertakings provided by the clauses.
5. Non-variation of the clauses, under Decisions 2001/497 and 2004/915.

12 3. Binding Corporate Rules

13 Legal components of BCRs
1. Pre-approved as compliant with the law governing protection of personal data in the participating EU jurisdictions.
 Subject to the procedural requirements of the participating member states; BCRs do not replace notification requirements (WP 74, p. 15).
2. Internally binding and enforceable on all business units (B.U.s):
 Binding between all business units
 Binding between employer and employees
 Binding on sub-contractors
3. Externally binding and enforceable on all B.U.s:
 Consent to the jurisdiction of the DPA and courts in the country of headquarters or the place of the alleged infraction
 Consent to the burden of proof of compliance
 Guarantee of corporate responsibility for damages
Source: WP 74, 03 June

14 Legal components of the BCRs
1. The data processing regulation should respect EU data protection principles: “Compliance with national law is of course a condition sine qua non for any authorisation to be granted.”
2. Limitation on onward transfers outside the group: “Transfers from members of the corporate group outside of the Community to companies outside the corporate group would be possible by subscribing the standard contractual clauses adopted by the European Commission.”
3. Third-party beneficiary rights: “The scope of the third party beneficiary rights should match at least the one granted by the Commission Decision 2001/497 in respect of both the data importer and the data exporter.”
Source: WP 74, 03 June 1998

15 Practical components of BCRs
Binding Corporate Rules must include (not exhaustive):
– Process flows of information compliant with data protection safeguards
– An internal enforcement process, including: self-audits; transparency of the rules plus means for data subjects to verify compliance; a complaints-handling process; sanctions
– A mechanism for reporting changes
– Evidence of effective incorporation of both internal and external binding liability (such as contracts)
Source: WP 74, 03 June 1998 and WP 108, 14 April 2005

16 Coordinated procedure for establishing BCRs
[Flowchart. Actors: Corporate Representative, Lead DPA, Implicated DPAs. Steps 1–3, after fulfilling internal requirements: Propose Lead DPA to the national Data Protection Authority; Submit draft Binding Corporate Rules; Review and comment by all implicated DPAs; Distribute to implicated DPAs with recommendation; Submit final Binding Corporate Rules; Review and comment by remaining DPAs; Distribute to participating DPAs with recommendation; Consensus, or opt-out adoption by remaining DPAs.]
Source: WP 107, 14 April

17 Determination of the “Lead Authority”
Factors in selecting the DPA country:
– Group headquarters
– Relative significance of presence (number of employees) vis-à-vis affiliates in other countries
– Where responsibility for data processing is situated, or where decisions regarding processing are taken
– Where most data processing occurs
– Country from which most data transfers occur
The final determination is the prerogative of the implicated DPAs, by consensus, to deter forum shopping.
[Chart: relative factor weight]

18 Caveats to “pre-approval”
“However, additional requirements that may exist in each country, such as notification or administrative formalities may also have to be complied with.”
Working Paper 107, p. 4, point 6.

19 Obstacle to BCRs in civil code systems
In civil code systems, unilateral declarations are not legally binding.
– Spain, Italy
– For example, the Spanish Civil Code only considers the law and the contract as sources of legal liability.
Without a legal recourse for citizens on the basis of a binding contract, the concept of Binding Corporate Rules will not satisfy the constitutional requirements protecting the rights regarding personal data.
Alternatives:
1. Include the Binding Corporate Rules in a negotiated agreement with the Works Council.
 Result: a contract with the workers’ representative.
2. Expressly provide in legislation for Binding Corporate Rules as a ground for civil action.

20 Impact of forthcoming regulation pursuant to the LOPD
Proposed solution in Spain:
 The Spanish Draft Royal Decree that develops the provisions of the LOPD 99 accepts the use of BCRs for international data transfers, on the basis that they are adopted as a code of conduct and are legally binding for all of the company’s international subsidiaries.

21 Additional considerations from the Spanish perspective on BCRs
Key component: a high level of cooperation between the company and the DPA.
– The AEPD considers an application for approval of BCRs as a commitment to work with the Agency in good faith to ensure the protection of personal data.
* Approval of BCRs can be revoked given reasonable indication of failure to comply (LOPD Art. 37(f)).

22 International data transfers – Binding Corporate Rules
 The AEPD is working with the Commission and other DPAs, via the Article 29 Working Group, to develop a regime based on Binding Corporate Rules that facilitates multinational compliance in an efficient and effective way.
