Unless you’ve been hiding under a rock for the last few months, you’ll know that the Safe Harbor framework, which previously facilitated EU-US data transfers, is no longer valid. It will likely be replaced by a new EU-US Privacy Shield, but until that’s fully implemented there remains a degree of uncertainty about transferring data outside Europe.
Consequently, more and more US businesses are looking to implement EC-approved Model Clauses to protect those data transfers. This might be driven by internal stakeholders or external client/customer demand – either way I can’t say I blame them. These are uncertain times and the Model Clauses are a relatively convenient way of ensuring adequate safeguards for transferring data.
But… (you guessed that was coming, didn’t you?) the Model Clauses have previously come under fire for being “poorly drafted”, “unworkable” and “uncommercial”. So is it possible to adapt the Model Clauses to make them work better for your organization?
No. Well, not really. These are the rules:
- Model Clauses should be seen as non-negotiable, since they are intended to protect data subjects and mitigate specific risks associated with the fundamental principles of data protection law in the EU.
- According to the UK data protection authority, for example, “use of any version of the model clauses, whether as a stand-alone contract or incorporated into another contract, where the wording is changed (even if the meaning or effect of the changed clause remain unaltered), will not amount to use of clauses that are authorised…as providing adequate safeguards”.
- Variation of the terms is expressly prohibited by the Model Clauses themselves but they are equally explicit that parties are free to include additional or supplementary provisions.
- Any additional clauses must not contradict, directly or indirectly, the approved standard contractual clauses. Note that there is a distinction between modifying the Model Clauses and adding to, or enhancing, them. Where the Model Clauses themselves are modified, the parties will no longer be deemed to have implemented the pre-approved provisions.
- Additional clauses must not prejudice any fundamental rights or freedoms of the data subjects in question. Additional guarantees or procedural safeguards that benefit data subjects are permitted.
- Unlike the Model Clauses themselves, any such additional clauses cannot be enforced by data subjects (assuming they are not parties to the contract in question) and may remain confidential between the parties.
In order to “guarantee” an adequate safeguard for the transfer of personal data to the US, the standard clauses must be used. However, organizations may decide that their amended versions of the Model Clauses are sufficient to protect the rights of the data subjects. Whilst that is a perfectly valid way of proceeding, you must be prepared to back up your view with firm evidence that your clauses do indeed provide such protection.