
The significance for outsourcing of the proposed EU Data Protection Regulations

Shelley Thomas

At 11.30am UK time on 25th January 2012, with the words "Ladies and gentlemen, we have done it!" Viviane Reding (the EU Commissioner for Justice, Citizenship and Fundamental Rights) announced new EU draft Data Protection Regulations, which, if implemented in the current form, will supersede the EU Data Protection Directive of 1995 and represent the biggest shift in Data Protection law in Europe for 17 years.

The Regulations run to 118 pages, and will apply across all European member states. The fact that they are Regulations, rather than a Directive, means that two years after they are adopted by the EU (having been passed to the European Parliament and the Council of Ministers for discussion) they will automatically take effect. The Data Protection regime will therefore be identical across all EU states.

The key points

So what effect will the new Regulations have on companies who are outsourcing services, and those providing outsourced services?

Firstly, it is worth saying that the provisions will apply to all data controllers processing personal data concerning individuals within the EU. There are, as you would expect from a set of Regulations 118 pages long, many important provisions, but there are key points to note:

  • The need to notify a data protection authority, such as the Information Commissioner in the UK, of an organisation’s data processing activities will be abolished, along with the associated cost and administrative burden.
  • Companies with more than 250 employees (who therefore do not fall within the definition of an SME) will need to appoint a Data Protection Officer.
  • Organisations must notify their national data protection authority of serious data breaches as soon as possible and if feasible within 24 hours, even where the breach involves encrypted data.
  • Organisations (and individuals) will only have to deal with one national data protection authority in the EU country where they have their main base.
  • The process for establishing Binding Corporate Rules will be made significantly simpler, as companies will only need to apply to one national data protection authority for approval.
  • Wherever consent is required for data to be processed, that consent must be given explicitly, rather than assumed.
  • A concept of ‘portability’ has been introduced so that individuals have easier access to their own data and are able to transfer it from one service provider to another more easily.
  • A 'right to be forgotten' will, in theory, help people better manage data protection risks online by allowing them to delete their data.
  • A range of fines for various breaches of the Regulations has been provided for, with the maximum being €1 million or up to 2% of an enterprise’s worldwide annual turnover.

The effect on outsourcing

In addition to the general provisions, there are provisions that may have a specific impact on those companies outsourcing the provision of services.

Firstly, it is worth saying that the pan-European impact of the Regulations means that both the customer and provider will have greater certainty of the applicable law when the relationship is between two entities within the EEA. Compliance in one state will mean compliance in all other states.

In addition, securing Binding Corporate Rules authorisation will be easier as authorisation by the data protection authority in one EU state will mean that all other data protection authorities are deemed to accept those Binding Corporate Rules as effective. Although Binding Corporate Rules would not be applicable to the transfer outside the company’s group, they could be useful when considering the exchange of information within a company group which will then be used in an outsourcing relationship.

Currently, data controllers may transfer personal data to service providers based in countries outside the EEA if they are within the ‘White List’; if (being a US company) they have signed up to the Safe Harbor Rules; if the contract includes the EU Model Clauses; or if, having undertaken due diligence on the provider and the country to which the data is being transferred, the customer as data controller makes a finding of adequacy.

Using this last provision should, arguably, be viewed as a last resort: it perhaps requires more due diligence than when using one of the other provisions, and in the event of a data loss or breach, the data controller would need to justify why it has chosen that route, rather than using the EU Model Clauses in unamended form. 

Under the new Regulations, the ability to make a finding of adequacy will be removed. This could restrict a company’s ability to transfer data outside the EEA to an outsourcing provider, even where the outsourcing provider has taken significant steps to keep personal data secure, and the country in which they are resident has a developed Data Protection regime (albeit one which does not go so far as the EU regime). The parties would be obliged to use the EU Model Clauses in unamended form (which may not suit the circumstances of the particular transaction) or seek approval from the national data protection authority for the proposed deviation (certain countries in the EU require this under their current Data Protection regimes). 

The ICO has already issued a press release setting out its initial comments on the proposals, and expressed concern at this provision. Given that it has finite resources, it is presumably concerned about the impact of significant numbers of applications from data controllers for authorisation to make transfers outside the EEA.

Summary

The new Regulations, if enacted in their current form, will have broad application to all sectors and industries. The pan-European application will aid clarity and certainty, and this is to be welcomed. However, these particular provisions may add an extra layer of bureaucracy to the outsourcing industry, and may delay the completion of transactions, as obtaining authorisation from the ICO (or another national data protection authority) will presumably need to be built into the timeline for completion of the contract. Given the ICO’s published concerns, outsourcing companies and their customers would be well advised to monitor whether these provisions are enacted in this or a revised form, and consider how they might deal with any potential impact on the contractual process.


By: Shelley Thomas

Shelley Thomas is a partner in Hill Dickinson’s Commerce and Technology Team. She has over 11 years’ experience working on outsourcing transactions, particularly in the IT sector, and advising…
