PONT Data&Privacy

Help! New Standard Contractual Clauses!

On June 4, the European Commission published new model contracts for international transfers of personal data.

9 June 2021

Background articles

Need for an update

This update was much needed, for several reasons:

(1) The existing contracts were from the pre-GDPR (AVG) era; the new ones are more in line with the current rules and the new obligations regarding, for example, audits and control and the rights of data subjects.

(2) The contracts were too limited: only possible between 2 parties (whereas often information is exchanged with several parties) and only available to a controller who wanted to send data to another controller or a processor outside the EU/EEA; the new ones provide not only for transfer from controller to controller or processor, but also for (modules for) transfer from (sub)processor to (sub)processor and transfer from (sub)processor to controller.

(3) The ruling of the Court of Justice of the European Union in the Schrems II case, which invalidated the Privacy Shield with immediate effect, made it clear that it is not enough to just sign these contracts; it must be examined whether they actually provide sufficient protection and, where necessary, additional measures must be taken. The new Model Clauses contain provisions that respond to this.

Content of contracts

The new contracts are modular: they consist of a general section and four modules for the following situations:

1. transfer from controller to controller;

2. transfer from controller to processor;

3. transfer from (sub)processor to (sub)processor;

4. transfer from (sub)processor to controller.

The user must carefully consider which modules to use. Thus, knowledge of the GDPR and an understanding of one's own role in the chain are essential.

The contracts can only be used in situations where the GDPR does not apply to the recipient, so, for example, not in the case of a party established outside the EU that offers goods or services to data subjects in the EU or monitors their behavior (within the EU). Conversely, a non-EU-based party that is itself subject to the GDPR can use this model contract in its relationship with processors that are not subject to the GDPR.

As indicated above, multiple parties can join an agreement. That allows, for example, the transfer of data by a processor outside the EU to a sub-processor that is also based outside the EU; that sub-processor can then simply become a party to the agreement.

Data subjects (whose data are processed) can derive rights directly from the agreement, even if they are not a party to it. A choice of foreign law is therefore only possible if that legal system allows "third-party beneficiary rights."

The new contracts take effect 20 days after publication. Three months after that, the old contracts expire. During that period, therefore, these old contracts can still be concluded. Old contracts that have already been concluded remain valid for 15 months after the expiration date; thus, in total, the old contracts could still be used for a maximum of 18 months.

Schrems II

Several provisions were included specifically as a result of the "Schrems II" case already mentioned.

Both parties must establish and ensure that the law of the receiving party's country does not prevent the recipient from fulfilling the contract, taking into account the circumstances of the data transfer, including aspects such as the length of the processing chain, the number of actors involved and the transmission channels used; the type of recipient and details of further transfers; the purpose of the processing and the nature of the data transferred.

This assessment must be recorded and made available to the competent supervisory authority upon request.

The data importer should - where possible - notify the data exporter if it has received a request from a government agency to access such data and assess and challenge the legality of such an order where possible and make available at most a minimal set of data. The data importer must document and make available to the exporter these requests and the steps taken in response.

For the exact obligations of both parties, please refer to the new model contract.

 

Points of interest

The introduction of the new model contracts irrevocably leads to several points of interest and action:

  1. These provisions are still not a conclusive solution to the Schrems II issue. What "additional measures" are appropriate is still for the parties to determine. Furthermore, in assessing the situation in the recipient country, they should not rely solely on their own practical experience, but should base that assessment on "objective elements" and should carefully assess "whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion." Not only that: "In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies." That's quite a task!

  2. The assessment of the situation in the recipient country is not optional, must be documented and provided to the competent regulator (in the Netherlands: the AP) upon request.

  3. The current model provisions have a maximum of 18 months left to use; parties will need to switch to the new provisions in a timely manner.

  4. Controllers must also fulfill their obligation to inform data subjects about the (intended) data export when using this model contract.

  5. Contracts may be modified, supplemented and/or embedded in other contracts, provided that this does not impair the provisions of the model contract. Thus, it remains advisable to be very careful (and perhaps cautious) in making modifications.

  6. Commercial aspects such as the cost of auditing the recipient, conditions for compensation (e.g., timely notification of established claims and assistance to the responsible party) are not included in this model and thus will have to be negotiated out.

  7. Annex 2 should include security measures. This can no longer be done in general terms about "security policies," but must be quite detailed. There is work to be done here as well.

Conclusion

The new model contracts for international transfer of personal data are more in line with the GDPR and more usable in practice. They have not become more readable or easier: they are actually 4 contracts merged into one model that is 34 pages long. Selecting the right modules and adapting the document to the specific situation will take time and cause headaches, especially in the beginning.

In addition, this contract does not solve the "Schrems II problem." On the contrary, it places a lot of obligations on parties, who must be able to demonstrate that they have seriously addressed the issue.
