European Commission Issues New Set of Standard Contract Clauses for Compliance with European Union Data Directive
By Jere M. Webb
4/7/2005

On January 7, 2004, the European Commission (EC) issued new standard contract clauses that businesses can use to demonstrate compliance with the European Union (EU) Privacy Directive. The new clauses do not supersede earlier standard contract clauses issued in 2001. Both sets are still fully applicable. The EC issued the second set in response to negotiations with the business community to develop alternative standard clauses that are more “business-friendly.” The changes include “more flexible auditing requirements” and “more detailed rules on the right of access.” Another change in the contract language is the treatment of third-party beneficiary rights. Data exporters must now be more involved in resolving the complaints of data subjects, through an obligation to contact any data importer and compel it to comply with the contract.

These new clauses are designed to help companies meet their obligations under the Privacy Directive (95/46/EC), which imposes upon member states a duty to block the transfer of personal data outside the EU unless the data importer provides for “adequate protection” of that data. Although the EU has determined that certain countries, such as Canada and Argentina, provide for adequate protection, data importers in other countries, including the United States, must rely on other means to demonstrate compliance.

Commission Issues New Set of Standard Contract Clauses for Compliance with European Union Data Directive

On January 7, 2004, the European Commission (EC) issued new standard contract clauses that businesses can use to demonstrate compliance with the European Union (EU) Privacy Directive. The new clauses do not supersede earlier standard contract clauses issued in 2001. Both sets are still fully applicable. The EC issued the second set in response to negotiations with the business community to develop alternative standard clauses that are more “business-friendly.” The changes include “more flexible auditing requirements” and “more detailed rules on the right of access.” Another change in the contract language is the treatment of third-party beneficiary rights. Data exporters must now be more involved in resolving the complaints of data subjects, through an obligation to contact any data importer and compel it to comply with the contract.

These new clauses are designed to help companies meet their obligations under the Privacy Directive (95/46/EC), which imposes upon member states a duty to block the transfer of personal data outside the EU unless the data importer provides for “adequate protection” of that data. Although the EU has determined that certain countries, such as Canada and Argentina, provide for adequate protection, data importers in other countries, including the United States, must rely on other means to demonstrate compliance.