
Cross-border

Data protection issues on an EU outsourcing

Saam Golshani, Alastair Gorrie and Diego Rigatti, Orrick Herrington & Sutcliffe

www.practicallaw.com/8-380-8496

Outsourcing can mean subcontracting a process to a third-party company in the interest of lowering firm costs, focusing on the core competencies of a particular business, or making more efficient use of labour, capital, technology and resources. It can involve the transfer of the management and day-to-day operation of an entire business function to an external service provider, with the resulting need for a large data exchange.

Cross-border flows of personal data are necessary to the expansion of international trade. In the EU, the economic and social integration that has taken place as a result of the establishment of the internal market has led to an increase in cross-border flows of personal data between those involved in a private, or public, capacity in economic and social activity in the member states. Directive 95/46/EC on data protection (Directive) aims to protect the rights and freedoms of individuals in the processing of their personal data, while ensuring the free movement of such data between member states.

The transfer of personal data beyond the EU (third countries) is also on the rise (see box, Outsourcing trends). The Directive allows such transfers to third countries that ensure an adequate level of data protection. Transfers to countries not considered to provide an adequate level of protection are allowed as long as the inadequacies are contractually remedied.

Against this background, this chapter examines:

The role of the data controller and data processor in the processing of data in the EU.

Some general pre-contractual issues to be considered when negotiating an outsourcing services agreement in the EU.

The contract drafting and implementation issues that need to be addressed to ensure that an agreement complies with EC data protection and privacy (DP&P) law.

National law governing the transfer of personal data in three EU member states (France, Italy and the UK) as well as specific contractual considerations that arise in these jurisdictions.

The data controller and data processor

In a data processing arrangement, the data controller determines the purpose and manner in which any personal data is to be processed, while the data processor processes the personal data on behalf of the data controller. In an outsourcing, the customer is and remains the data controller while the supplier takes the role of the data processor.

Applicable EC law provides that the data controller is responsible for the acts and omissions of the data processor, and so it is advisable that the data controller instructs and selects its data processor only after a thorough assessment of the candidates. This is important even if the parties have agreed by contract to allocate their responsibilities so that, for example, all liabilities are transferred to the supplier. While such clauses can be effective between contracting parties, they are not in relation to the data subject, who remains a third party with respect to the contractual relationship.

There are three different legal relationships that arise regarding the treatment of personal data in a contract for outsourcing services:

Contractual (and/or in tort, depending on the jurisdiction), between the data subject and the data controller.

Contractual, between the data controller and the data processor.

In tort, between the data subject and the data processor.

In any case, the data controller remains liable for the non-compliance of the data processor with applicable law, because the latter acts on behalf of the former.

While the agreement between the supplier and the customer cannot affect their responsibilities to the data subject, for clarity, a proper allocation of duties among the parties is important. For example, it may be useful to set out which party must prepare the privacy information letter to the data subject in compliance with DP&P law (information letter), or which party must acquire the data subject’s consent to the processing. This will help to determine which party bears any penalties imposed in the case of breach of the law. A thorough risk assessment of DP&P issues at the pre-contractual stage will help the parties to allocate their rights and duties appropriately.

Once a contract is in place, the parties should periodically review their arrangement, to:

Assess the level of compliance with DP&P law.

Identify appropriate action to remedy any non-compliance.

Amend the outsourcing agreement accordingly whenever appropriate (note that this must be in writing, as by law a written agreement is required to appoint a data processor).

Pre-contractual negotiations

During the pre-contractual phase, the customer should assess the DP&P risks involved in the proposed outsourcing and determine whether the potential supplier could adequately manage these risks.

The risk assessment should take into account:

The kind of data to be processed.

The method and frequency of the transfer.

Whether electronic or automated means of processing will be used.

Whether the supplier will be assigned the responsibility of serving the information letter on the data subject.

Based on the above risk assessment, the customer should make a first selection of potential suppliers, create a shortlist and, eventually, start negotiations with the best candidates.

During the negotiations the customer should carry out (even if informally) a due diligence exercise on the above issues. This should be completed before the drafting of the contract so that appropriate contractual terms can be drafted to suit the circumstances. The potential suppliers should ensure that they can guarantee adequate policies and procedures to process data. Those policies and procedures must be stricter when the data to be transferred and/or shared is more sensitive or its transfer is frequent or material.

Ensuring compliance with the law: contract drafting and implementation issues

When drafting an outsourcing services agreement it is important to bear in mind the following duties:

Duty of confidentiality of processing. Under the Directive, a data processor must not process data except on instructions from the data controller, unless he is required to do so by law.

Duty of security of processing. The data controller must protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access (in particular, where the processing involves the transmission of data over a network) and against all other forms of processing that are unlawful or inconsistent with the purposes for which the data has been collected.

To ensure compliance with these duties, the parties to an outsourcing agreement should:

Accurately measure the risks involved in data processing.

Specify the scope and purpose of the service to be provided in the agreement.

Adopt and implement adequate DP&P policies setting out measures and procedures for processing.

DP&P policies help set the parameters of the data processor’s duties, as well as the risks involved and the relative compliance costs to be borne. The policies adopted must ensure a level of security appropriate to the risks presented by both the processing and the nature of the data to be protected (for example, personal or sensitive data). Technical and organisational measures must remain fully effective during the life of the outsourcing agreement.

Once the agreement is underway, the customer should periodically inspect the supplier’s facilities where data is processed. The issues that the customer should consider when undertaking such an inspection include whether:

The data is being processed legally.

The procedures to ensure safekeeping of records are being followed.

The procedures to keep certain records in restricted-access filing systems are being followed.

Minimum security measures are being met.

Generally, the greater access the customer has to inspect, monitor and control the supplier’s DP&P policies, the better able it is to assess its own compliance with the law as a data controller. (See also box, Outsourcing services agreements: contractual clauses.)

Outsourcing trends

Outsourcing continues to increase rapidly: the trend from 2003 to 2008 shows an increase by 40% in value. The most interesting growth is occurring in the information technology sector (IT operations, databases, services and infrastructure, e-business processing, call centres and related business processes). Faster electronic communication capabilities mean significant flows of financial and personal data (for example, name, address, dependents and age) including sensitive personal data (such as health insurance data and lifestyle data relating to investment requirements).

Outsourcing services offered by foreign companies continue to expand, particularly by companies resident in non-EU jurisdictions. Some of these jurisdictions meet the EC adequacy requirements (for example, Argentina, Canada and Guernsey), while others, which are probably the most interesting from an outsourcing perspective, are not currently considered to have adequate legislative frameworks (for instance, Australia and India). Some of the latter, including Australia and India, have announced their intention to move towards the standards set by the data protection and privacy-related EC directives, to attract customers.

Another interesting trend is the globalisation of back office support services including administrative, accounting and financial services. This involves multiple centres spread across different continents and time zones where they have offices, subsidiary companies and third party processing arrangements, and resulting significant personal data flows.

National law issues: France

Parties to an outsourcing contract must comply with the provisions of Act no 2004-801 of 6 August 2004, amending Act no 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties, which implements the Directive.

The customer always remains the data controller as it created the file containing the personal data, uses it and decides on its content and end purpose.

Before any outsourcing, the customer must notify the French Data Protection Authority (Commission nationale informatique et libertés) (CNIL) that data processing is to be carried out by an external service provider. If the outsourcing is organised after the creation of the data file, the customer must notify the CNIL before any outsourcing of that file (it is advisable to include this obligation to notify as a contractual clause). The customer must ensure that the supplier is aware of the fact that it is processing legally protected data on behalf of the data controller.

Under French law, the outsourcing contract must contain a number of fundamental clauses:

The supplier must undertake to comply with the law regarding data protection, particularly regarding security of processing and the purpose of the data usage.

The supplier must undertake to ensure the confidentiality of the file entrusted to it. Note that failure to comply with the provisions of data protection law relating to the security and/or confidentiality of personal data may involve the criminal liability of the customer as well as of the supplier. As a result, it is advisable to include the following clause in the agreement: “the supplier undertakes to apply, and cause to be applied, professional secrecy relating to the data, in particular nominative data, that the customer, itself bound by professional secrecy, may communicate to it for the purpose of its assignment”.

The contract must stipulate the main conditions under which the services will be provided, in particular the price for each service, time limits, guarantees and responsibilities.

If the supplier provides services that could give rise to copyright or data producer copyrights over the database or software used for the processing of the files or data, an assignment clause should be drafted if the customer wants to continue to use that software or database, either itself or with another service provider.

French law does not prevent transfers of personal data to third countries.

Outsourcing services agreements: contractual clauses

To ensure compliance with data processing duties, an outsourcing services agreement in the EU typically includes provisions regarding:

The designation of the supplier as data processor. Usually the instructions to the data processor are detailed in writing, and set out the purpose and means of processing.

The level and/or skills of the personnel involved in data processing. The customer can require that the personnel who will be undertaking the data processing have specific skills.

A mechanism to veto substitution of personnel. If an agreement states that a specific person (or personnel) is to be data processor, the agreement should provide the customer a right to veto the substitution of that person (or personnel).

The supplier’s duty to disclose its data protection and privacy (DP&P) policies. This helps the customer ensure that the supplier is complying with the requirements of the applicable law for the type of processing that is taking place.

Right of access to the supplier’s premises. This right of access is useful as it helps the customer determine the extent to which the supplier’s DP&P policies have been implemented.

Obligation of the supplier to co-operate with the customer in any claims against it. The customer, as data controller, always remains liable for any breach of the DP&P law by the supplier as data processor. This clause should stipulate that the supplier will inform the customer of any breach of the law, and co-operate with the customer’s defence.

Indemnity. The supplier should indemnify the customer for any loss, damage or claim arising as a result of the supplier’s failure to meet its data processing obligations. Examples of such failure by the supplier may be:

non-compliance with the instructions of the customer;

processing the data for a purpose other than the one for which it has been instructed; or

contrary to the data subject’s consent, communicating the data to third parties.

Termination. It is advisable to provide for the termination of the agreement and/or insert a penalty clause for breach of DP&P duties, to deter any unlawful conduct.

Additional measures. It is advisable to insert some provisions that can have a positive effect on day-to-day operations. For instance, it may be useful to stipulate in the contract that the customer’s databases at the supplier’s premises be segregated. This may, for instance, make inspections by the customer easier to perform and allow quicker and better responses to enquiries by data subjects.

The outsourcing services agreement should be able to be amended easily to account for any changes to DP&P law that may require modification of the supplier’s instructions and policies or the kind of data that is to be processed. Other additional measures may be required, depending on the type of processing to be performed and the specific needs of the parties.

An outsourcing agreement with a supplier in a third country that ensures an adequate level of protection is not subject to the CNIL’s prior authorisation. The customer must only notify the CNIL of its intentions to outsource before this occurs (see above).

If the outsourcing agreement is to be concluded with a supplier in a third country that does not ensure an adequate level of protection, the customer can only transfer the personal data if one of the following conditions is fulfilled:

The data subject has expressly consented to the transfer.

The transfer is necessary to comply with the law (Article 68, Act no 78-17 of 6 January 1978).

The CNIL grants prior authorisation.

The CNIL grants prior authorisation if the processing will sufficiently protect individuals’ privacy, liberties and fundamental rights. The CNIL usually determines this level of protection by assessing the contractual clauses.

Note that the European Commission has developed model contractual clauses on the protection of data subjects. It is advisable to include one of these clauses in the contract.

National law issues: Italy

The Directive was first implemented in Italy in 1996, by Act 675/96. The law was reformed in 2003, when the Data Protection Code (Codice in materia di protezione dei dati personali) came into force, which also implemented Directive 2002/58/EC on the protection of privacy in the electronic communications sector.

There is no regulation that specifically covers data protection in the context of outsourcing, although the Italian privacy authority (Garante per la Privacy) has issued recommendations for suppliers working on telecommunications networks, that is, outbound and inbound call centres.

On 30 May 2007, the privacy authority issued a recommendation to call centres active in marketing campaigns and operations, that is, outbound call centres. The recommendation reminded call centres to:

Stop using data collected for purposes beyond the scope of that which the data subject has consented to.

Send data subjects information letters, as required by law.

Obtain data subjects’ consent for the use of their details for marketing purposes and to “clean” old databases still in use.

Stop using data where such consent is absent, or has been revoked.

Periodically check their compliance, as data processors, with the DP&P rules.

The terms and conditions of the outsourcing agreement must ensure that the above duties are fulfilled.

On 15 November 2007, the privacy authority turned its attention to inbound call centres, in particular those providing customer care, support and after sale assistance. It issued a recommendation emphasising the importance of compliance with the rules of the Data Protection Code, and explaining in more detail and in practical terms how to better implement its principles. This followed other recommendations, guidelines and instructions directed at different industries (for example, banks, private and public employers, small- and medium-sized enterprises, recruitment companies and head hunters).

When personal data is to be transferred to third countries, rules similar to those in France apply (see above, National law issues: France). They set out the instances when personal data can be transferred; the following are of most relevance to outsourcing:

If the data subject has given his express consent (where the transfer concerns sensitive written data).

If the transfer is necessary for the performance of obligations resulting from a contract to which the data subject is party or for performance of a contract concluded in the data subject’s interest.

If the processing concerns data relating to legal persons, bodies or associations.

If the jurisdiction to which the data is to be transferred has been deemed to guarantee an adequate level of protection.

If the parties have inserted the European Commission’s model privacy clauses in the contract on the protection of data subjects (see above, National law issues: France).

In the case of a transfer to a US company, if such a company complies with the “safe harbour” requirements as set by the US Department of Commerce. (These requirements were set after negotiation with the EC privacy authorities.)

National law issues: UK

The Data Protection Act 1998 (DPA) implements the Directive. The UK data protection authority, the Information Commissioner’s Office, has issued good practice guidance on outsourcing and data protection.

Where the data controller outsources the processing of personal information to a third party, it remains responsible for that processing and is ultimately liable for any breaches of the DPA by the data processor.

The data controller must put in place appropriate technical and organisational measures to ensure protection of the personal information it processes, regardless of whether it is processing such information itself or arranging for a third party to do so. The data controller should consider the:

Sort of information it possesses.

Potential for harm that may result from its misuse.

Technology available to process the information.

Associated costs of ensuring an appropriate level of security.

To appoint a data processor, the data controller must first enter into a written contract with the third party that is to be responsible for the processing of the information. To fulfil the requirements of the DPA, the contract must:

Ensure that the data processor only uses and discloses the personal information in line with the data controller’s instructions.

Require the data processor to take appropriate security measures to protect that information.

Where the processing of personal information is to be transferred to a third party based outside the European Economic Area, the DPA requires that there be an adequate level of protection in place. This can be ensured by following the good practice recommendations, which are:

Select a reputable organisation offering suitable guarantees about its ability to ensure the security of personal data.

Make sure the contract with the data processor is enforceable.

Make sure the data processor has appropriate security measures in place.

Make sure that the data processor appropriately checks on its staff.

Audit the data processor regularly to ensure it is fulfilling its commitments.

Require the data processor to report security breaches or other problems.

Have procedures in place to deal with security breaches.

The parties can also use the model contract clauses approved by the European Commission for transfers to third party organisations acting on the data controller’s behalf.