Brussels, 10/01/2005 (Agence Europe) - As we previously announced, the Commission adopted on 27 December a range of contractual clauses to improve personal data protection during transfer outside the European Union (EUROPE 8 January 2005). These clauses provide the authorities in charge of data protection with increased powers of intervention and imposing sanctions. Businesses also consider that the clauses on disputes, the sharing out of responsibilities and auditing demands are favourable. Implementation revision will take place in 2008.
The main objective of these clauses will be to guarantee respect for the four compulsory principles of the 95/46/EC directive on data protection: personal data collation for specific goals alone, which are explicit and legitimate; those affected to have full knowledge of these goals and the identity of the companies holding them; they must be provided with the right of access to the information in view of changing or getting rid of it; that they benefit from appeals procedures, which if needs be, lead to compensation for damages incurred. The 95/46/EC directive obliges Member States to allow the transfer of personal data to countries outside of the European Union only if there is an adequate level of protection. It allows the Commission to publish contractual clauses (Article 26), as instruments for personal data transfer measures. The range of clauses recently adopted is the third since the entry into force of the 95/46/EC directive. The two previous initiatives (one more general and the other more specific on sub-contractors to third countries, can be found in decisions 2001/497/EC and 2002/16/EC respectively).
The new ranges of clauses is not compulsory. It is not necessary in the transfer of data to countries that have suitable systems for protection recognised by the Commission: Switzerland, Canada, Argentina, the British territories of Guernsey and the Isle of Man. It does not involve transfers involving US companies that adhere to the "Safe Harbor Privacy Principles". Other measures such as codes of conduct for companies, also allow for a higher level of protection. And even if the country does not provide a level of appropriate protection, the transfer of data can be authorised in certain specific cases: when the person concerned has given their full consent; to allow for the conclusion or execution of a contract in the interest of the person concerned or at their request; to protect the public interest or in exercise of or defence of the law; when data can be located in a public register at the outset.
The adoption of contractual clauses is part of the Commission's work programme for better application of directive 95/46/EC on data protection. It is the result of a collaborative venture of four years with seven international corporate associations (AmCham EU, CBI, EICTA, FEDMA, ICC, ICRT, JBCE) under the auspices of the International Chamber of Commerce (ICC). In a joint press release, these associations warmly welcomed the official adoption of a "mechanism proposed by the private sector" as "a starting point for European Union recognition of additional solutions on international data transfer". Christopher Kuner, president of the work group on data protection at the ICC explained that these clauses "offered the same level of protection as the Commission clauses but used more flexible mechanisms that were more in tune with the reality of the business world". For example, clauses did not require exporters or importers of data to be legally liable for abusive use of data, such as those demanded in the Commission's pervious clauses. They also contained more flexible and realistic auditing provisions.