Anyone caught up in the murky world of international data transfers tends to regard the standard contractual clauses approved by the European Commission as the most popular solution to legitimise those transfers. For starters, they are freely available and have the blessing of the Commission and the regulators. Surely, those two factors alone must provide considerable comfort to finance directors and general counsels who will think that one cannot go too wrong with them. Also, from a resources perspective, drafting and entering into a set of model clauses should not be very time-consuming as it is just a matter of signing on the dotted line. So, are we wasting our time looking for alternatives? Or aren’t we…?
The problems with the model clauses start with the bureaucracy that surrounds them. Despite the fact that the use of the clauses to legitimise data transfers has the seal of approval of the European Commission, more than half of the EU Member States still require organisations to submit their data transfer agreements for review and authorisation by the relevant data protection authorities. The whole ex ante regulatory scrutiny of international data transfers is in itself a highly questionable aspect of European data protection, but the fact that so many countries apply that level of scrutiny to an officially sanctioned mechanism is simply absurd. In the meantime, both data exporters and regulators spend valuable time and resources going through the motions of rather pointless administrative requirements.
Then, the fact that approvals are restricted to a single contractual document covering a defined set of transfers makes the concept completely unworkable for multiple and evolving transfers. In the real world, information simply flows across borders and data processing services are provided globally at the speed of light. Today’s data transfers are different from yesterday’s and from tomorrow’s. A static contractual agreement is likely to become out of date between the time it is signed and the time it is filed with the authorities – not least because the parties involved in any global data flows are normally as fluid as the transfers themselves. As Professor Schwartz of the University of California, Berkeley School of Law put it in his thorough study of cross-border information flows for The Privacy Projects, data transmissions occur as part of a networked series of processes made to deliver a business result. Pinning down the parties involved in those processes and the intended business results, and reflecting all that in a single document is just like eating soup with a fork.
An added difficulty of the model clauses is the fact that their onerous obligations are set in stone. A non-negotiable agreement is an oxymoron – non-negotiable means take it or leave it, and that is the essence of the model clauses. The fact that so many data transfer contracts incorporating the model clauses are signed does not mean that the parties have reached an agreement. It normally means that one party is imposing them onto the other. The problem with that is that not only are the clauses being entered into without due regard for their content, but they turn global data protection into an empty box-ticking exercise.
The international data transfers regime is one of the centrepieces of the ongoing reform of the EU data protection framework. And rightly so. But even before a revised framework is devised, decisive action is needed to transform the inadequate game of signing up to model clauses into an effective way of securing information and guaranteeing privacy rights irrespective of geographical boundaries. A constraining set of unrealistic obligations cannot deliver that, but other approaches will. Contractual protections can be extremely effective when they are realistically agreed and allow for flexibility in their practical application. The key is to ensure that whatever the approach – a contract or a set of policies – it reflects what is viable in the real world.
In fact, the saddest thing of all would be to turn real world solutions – like BCR and Binding Safe Processor Rules – into model clauses-like exercises where applicants are simply signing up to an artificially imposed standard. Data protection should be as fluid as dataflows themselves. The truth is that many organisations are looking for ways of moving away from model clauses. Not because they don’t think that information should be protected, but because they prefer to devote efforts and resources to achieve genuine protection.
This article was first published in Data Protection Law & Policy in June 2011