RE: 19 January 2001 Draft of Model Contracts
Dear Fabrizia,
Thank you for providing the draft model contract provisions
of the Data Protection Directive. Patty is out of the office
this week and she asked that I respond to you directly. We
have had the opportunity to review the 19 January 2001 draft
and offer the following comments:
Relation to the U.S. Safe Harbor Principles. The draft
model contract and the Safe Harbor Principles (the "Principles")
offer U.S. firms alternative means of providing the "adequate
protection" called for by the Data Protection Directive. Accordingly,
U.S. firms that comply with the Safe Harbor Principles have
no need to use the model contract in order to effectuate the
transfer of personal information from Europe. Nevertheless,
we would like to register our deep concern that the model
contract would impose highly burdensome requirements that
exceed what was contemplated in our agreement on the Safe
Harbor Principles.
In his letter to former Under Secretary LaRussa, Director
General Mogg wrote in reference to the use of contracts:
The Commission and the Member States are of the view
that the "safe harbor" principles may be used in such
agreements for the substantive provisions on data protection.
While the Mogg letter went on to note that contractual
agreements "may need to include other provisions on issues
such as liability and enforcement," the model contract that
the Commission has published would require data importers
to "top up" in other respects as well. Specifically, a data
importer would have to warrant to process the personal information
"without prejudice to compliance with the purpose limitation,
restrictions on onward transfers and the rights of access,
rectification, deletion and objection mentioned in the 'Mandatory
Data Protection Principles,'" even where it promise to adhere
to the Safe Harbor Principles. This exceeds the requirements
of the Safe Harbor Principles, particularly with respect to
access and data integrity, and is thus inconsistent with the
understanding set out in the Mogg letter.
Use by Safe Harbor organizations. Paragraph
c of Clause 1 and Paragraph c of Clause 5 would allow only
organizations that are not in the safe harbor to use the model
contract. We see no reason for this limitation which is contrary
to our agreement. The draft model contract and the Safe Harbor
Principles both provide adequate protection for the privacy
of data subjects. Where the Principles apply, use of the model
contract can only supplement and enhance the protection afforded
data subjects. There may be many occasions where safe harbor
organizations would need to use the model contract as the
basis to receive personal information. For example, the information
could be of a type that the organization did not handle at
the time of its safe harbor commitments and would therefore
fall outside of the representations made by the organization
at that time. Inasmuch as the model contract ensures adequate
protection, regardless of whether the U.S. organization is
also within the safe harbor, there is no justification not
to allow safe harbor organizations to use the model contract.
Transfers to Third-Countries. From time
to time, companies that have received personal information
from Europe under the Safe Harbor Principles may need to send
that information to another country which has not received
an adequacy determination. In such a case, U.S. firms that
are in the safe harbor have to comply with the onward transfer
principle as well as the Principles on notice and choice.
In the absence of an adequacy finding for the destination
third-country, the U.S. safe harbor firm will have to "enter[]
into a written agreement ... that provides at least the same
level of privacy protection as is required by the relevant
Principles." Thus, once again, U.S. firms that adhere to the
Safe Harbor Principles will not have to utilize the model
contract.
As for U.S. firms that are not in the safe harbor,
the model contract by its terms will apply only to transfers
of personal information from the European Community (although
the "Mandatory Principle" on onward transfer suggests that
parties can use the standard contractual clauses to transfer
information to "another controller established outside the
Community"). If this is the case, it would mean that U.S.
firms will not be able to use the model contract to effectuate
transfers of this information from the United States. Inasmuch
as the model contract will suffice to transfer personal information
from the European Community to countries that have not received
an adequacy determination, it makes little sense that it cannot
be used for transfers from the United States to those same
countries. Preventing or inhibiting such transfers would be
disruptive to the flows of e-commerce, and would be unnecessary.
"Sensitive data." Under Clause 1(a) of
the model contract, "special categories of data" or "sensitive
data" will have the same meaning as the definitions in the
Data Protection Directive. At the same time, Clause 3(c) will
permit U.S. firms to choose to apply the Safe Harbor Principles
to personal information received under the contract. The Safe
Harbor Principles also have a definition for sensitive information.
Consequently, the two articles in the model contract will
require application of two different definitions for the same
term. Where the U.S. data importer elects to adhere to the
Safe Harbor Principles, then the relevant provisions of those
Principles, including the definition of "sensitive data",
should apply.
Mandatory requirements of national law.
Paragraph a of Clause 5 will require the data importer to
attest that he is not subject to any law which would limit
compliance "beyond what is necessary in a democratic society
to safeguard one of the grounds listed in Article 13 of the
[Data Protection] Directive." This provision is troubling
for a number of reasons. First, it will force the data importer
to determine whether local law meets or fails this requirement.
Presumably, the data importer can be held liable for a determination
later judged to be incorrect. Second, this provision would
establish the Directive as the standard of "what is necessary
in a democratic society." This would be clearly contrary to
international comity. Finally, the Safe Harbor Principles
expressly stipulate that compliance is subject to applicable
legal requirements. In agreeing to this, our two sides recognized
the need to show deference to the legislative prerogatives
of our respective governments. For these reasons, this requirement
should be deleted.
Auditing and certification. Clause 5(e)
will require the data importer to submit its data processing
facilities for audit at the request of the data exporter.
In addition to being potentially burdensome and disruptive,
this provision could also subject the data importer to the
risk of having to expose proprietary operations and other
trade secrets. To avoid prejudice to the data importer, the
model contract should allow the data importer the right to
have the audit done by independent experts instead of the
data exporter. Furthermore, the model contract should expressly
limit the frequency of audits or authorize the data exporter
to request an audit only when there is reason to believe the
data importer is in breach of the contract. At a minimum,
the members of the inspection team should be selected by mutual
agreement between the data exporter and the data importer.
Disclosure of contractual clauses. Clause
5(g) will require data importers to provide a copy of the
contract to data subjects upon request. This provision is
unnecessary for two reasons. First, the contractual clauses
must conform with the model contract. The very purpose of
the model contract is to set a standard for all contracts
for the transfer of personal information where no adequacy
finding applies, thereby lending uniformity. More importantly,
Clause 4(c) already imposes the same requirement on the data
exporters. Indeed, it would be more convenient for data subjects
to ask the data exporter in Europe for a copy of the contract
that pertains to the handling of their personal information.
Joint and several liability. Clause 6
of the model contract calls for the data exporter and the
data importer to agree to joint and several liability for
violations of their obligations to the data subjects. It is
not unreasonable to hold the data exporter responsible for
ensuring the proper handling of personal information that
he transfers to others. However, it is unreasonable to hold
the data importer liable for the actions of the exporter.
In this case, the violation will have to occur while the personal
information is still in the possession of the data exporter.
Clause 6 will make the data importer liable for the improper
handling of personal information that it has yet to receive
and cannot control. While paragraph 3 of Clause 6 allows the
data importer to be exempt from liability "if he proves that
the Data Exporter is solely responsible," this unfairly shifts
the burden of proof to the data importer. The data importer
is thus liable until proven innocent. The model contract should
not hold the data importer liable for the actions of the data
exporter unless it is shown that the data importer is actually
responsible for such actions.
Mediation and jurisdiction. Clause 7
will give data subjects the right to seek recourse through
arbitration, third-party mediation, or litigation in Member
State courts. However, these remedies "will not prejudice
the Data Subject's right to seek remedies in accordance with
other provisions of national or international private law."
This creates the very real possibility of duplicative liability
for the same offense contrary to the principle of preclusion.
Our concern is heightened by the lack of specificity or certainty
regarding what such "other provisions" might entail. The model
contract should require the data subject to choose which recourse
against the data importer to pursue. At a minimum, the data
subject should not be allowed to seek remedies under national
or international private law on the same legal grounds as
those already addressed in the prior forum, whether through
mediation, arbitration or litigation.
Please do not hesitate to contact me should
you have any questions.
Sincerely,
Jeff