With some exceptions, the EU Directive 95/46 prevents EU organizations from transferring personal data to third countries which do not ensure an adequate level of protection. In this context, three basic instruments were specifically enacted to allow EU exporters to transfer personal data to U.S. importers: the “Safe Harbor” certification, the Standard Contractual Clauses and the Binding Corporate Rules. The last two instruments are each divided into two separate instruments: one for controllers and one for processors.
But since they all have different scopes, the issue for EU and U.S. organizations dealing with personal data is to know which instrument is tailored to their transfer. The relevant questions are the following:
- For the exporter
  - Is the EU Directive 95/46 applicable to the transfer?
  - Is my organization a controller or a processor?
  - Is the importer within the same group or an external organization?
- For the importer
  - Under which administrative jurisdiction is my organization?
  - Is my organization a controller or a processor?
  - Will my organization transfer data to a processor or, if it is a processor itself, to a sub-processor?
SCOPE OF THE DIRECTIVE 95/46
All five instruments apply under the scope of Directive 95/46, i.e., to exporters established in the EU territory.
With the exception of the Standard Contractual Clauses for processors, they also apply when the exporter processes the data to be transferred with equipment located in the EU territory.
TRANSFERS FROM EU CONTROLLERS TO U.S. CONTROLLERS
Three instruments could be relevant: the Safe Harbor, the Standard Contractual Clauses for controllers and the Binding Corporate Rules for controllers.
The Safe Harbor
This is a documented self-certification of compliance with a set of data protection principles and procedures, which a U.S. organization may file with the U.S. Department of Commerce in order to allow EU controllers to export personal data to it. But this certification has a number of limitations.
The U.S. organization must be subject to the jurisdiction of the Federal Trade Commission or of the Department of Transportation. This excludes, for example, most financial institutions and all nonprofit associations.
The Safe Harbor alone does not make transfers to U.S. importers lawful, but it may give the EU controller additional assurance.
But since the Safe Harbor is only a self-certification, some national authorities insist on concrete checks before data is transferred. Furthermore, the German data protection supervisory authority has recently declared that it no longer wishes to approve transfers under the Safe Harbor. Meanwhile, the EU Commission is calling for a new EU – U.S. agreement (for further details, see Safe Harbor – On Hold?).
The Standard Contractual Clauses for controllers
Standard Contractual Clauses are model data transfer contracts. The controller version may be used between an EU exporter and a U.S. importer in order to sell or share data in a single lawful transfer.
The EU and U.S. organizations must be controllers, i.e., those which “determine the purposes and means of the processing of personal data.” Neither of them should be processors, i.e., those which “process personal data on behalf of the controller.”
The U.S. importer may transfer data to processors only if both parties comply with the clauses governing sub-processing.
The Binding Corporate Rules for controllers
They are binding codes of conduct, checked and enforced by EU national authorities, which a multinational implements in order to make all of its internal transfers lawful at once.
They apply to transfers from an exporter established in the EU territory to an importer established abroad, including in the U.S. territory.
In the controller’s version, the EU entity must be a controller.
TRANSFERS FROM EU CONTROLLERS TO U.S. PROCESSORS
The two most relevant instruments are the Binding Corporate Rules for controllers, discussed above, and the Standard Contractual Clauses for processors. Indeed, the Safe Harbor is not sufficient, as such, to make transfers to U.S. processors lawful; in this case, additional tools are required.
The Standard Contractual Clauses for processors apply to transfers from controllers established in the EU territory to processors established abroad, including in the U.S. territory.
They do not apply to transfers from exporters which fall within the scope of Directive 95/46 only because of their use of equipment in the EU territory.
Neither do they apply to transfers from EU processors to U.S. sub-processors. In this last case, the only relevant instrument is the Binding Corporate Rules for processors.
The U.S. importer may transfer data to sub-processors only if both parties comply with the clauses governing sub-processing.