Contract Can Satisfy the EU Directive

Companies exporting personal data from Europe have been wrestling with the problem of complying with European Union data protection standards for years. The 1995 EU Data Protection Directive restricts personal data exports to countries that lack adequate privacy protections. Of course, no one can seriously argue that the United States has general privacy laws that meet EU standards.
The safe harbor agreement negotiated between the U.S. Department of Commerce and the EU Commission produced one way to support data exports. An American company that agrees to participate in the safe harbor will be deemed to meet EU standards and can receive personal data from EU member states.
The EU directive recognizes other ways to deal with the export limitation. One method is under a contract between the data exporter and the data importer. For those who are following along with their own copy of the directive, the contract language is in Article 26(2).
To make the contracting process more secure and predictable, the EU Commission last June issued a model contract that exporters and importers can use. The chief benefit of using the model contract is that all EU member states must accept it as sufficient to meet export requirements. An EU member state could reject the model contract or require changes only under narrow and unlikely circumstances.
The model contract will make the process of contracting for data processing simpler. When a company exports personal data from more than one EU country, using the model contract will avoid the need to seek approval of an export contract from the data protection authority in each relevant country. Trying to obtain agreement from as many as 15 separate national data protection authorities is a daunting task, and any relief from that requirement is welcome.
Procedurally, the contract should be seen as a good thing. However, life is much too complicated to expect that everyone would be happy with the result. Substantive and political objections remain.
The EU did a good job in dealing with internal substantive objections. As the draft contract language proceeded through the EU approval process, significant opposition arose. The national data protection authorities, acting through the Working Party established under Article 29 of the directive, objected to the draft. EU Commission staff made revisions in response to the Working Party's comments and in response to other comments as well. The final contract received the blessing of the Working Party.
The final contract was not so well received by some in the United States. The business community appeared horrified at the notion that a data export contract would impose any requirements at all or that it would be stricter than safe harbor. Apparently, those who were unhappy with the safe harbor process somehow expected that the model contract would permit the export of personal data without any responsibility or liability at all.
The U.S. government weighed in with objections as well. Interestingly, the Department of Commerce and the Department of the Treasury jointly signed the final letter on the model contract. The involvement by the Treasury Department was particularly notable since that department had not been much of a player in international privacy matters before. That work had been left almost exclusively to the Commerce Department. It appears that President Bush's appointees at the Treasury Department were being responsive to the banking industry, but the letter came much too late to have an effect.
The banks seem desperate to avoid the EU data protection rules. The banks want the EU to declare that the privacy rules of Gramm-Leach-Bliley meet the adequacy standards of the directive so that banks can continue to do business without paying any real attention to privacy. However, Gramm-Leach-Bliley has become something of a privacy joke, offering few meaningful privacy protections to consumers. The poor way that banks implemented the law certainly does not help their case either. It is hard for anyone to argue with a straight face that Gramm-Leach-Bliley is an adequate law.
Financial institutions also want the EU to declare the Fair Credit Reporting Act to be an adequate law. Their argument about the FCRA is more reasonable. The law is not perfect, but it does include a decent set of fair information practices. The EU should find a way to declare this law adequate for at least some purposes.
The response from the EU to the U.S. government's letter on the model contract was, to say the least, discouraging to the banks. The EU rejected the complaints and made it clear that there are strong objections to adequacy findings for either FCRA or Gramm-Leach-Bliley. The banks will never convince the EU that Gramm-Leach-Bliley is adequate.
One constant and reasonable response from the EU to criticism about the model contract is that the contract is voluntary. No data exporter is required to use the model contract or, indeed, any contract at all. I count at least eight ways that personal data can be exported from the EU, and the model contract is just one of those ways.
For some U.S. companies, the model contract will be just perfect. The model contract will not perform miracles for everyone, but it offers another way to tackle a difficult problem for companies that need to export personal data from Europe.