Tuesday 27 July 2010

Transborder data yawns


July’s edition of the Baker & McKenzie’s privacy newsletter arrived in my in box a few days ago. It’s one of those publications that are “must reads”, if only to reassure myself that nothing much has happened recently that I wasn’t already aware of.

I read their lead article and became very irritated with myself. Why – not because the subject matter wasn’t important, but because I was having a real struggle in persuading myself that I actually wanted to be interested in it.

And what was this worthy (but oh, so dull) subject? None other than that old favourite, the methods with which data controllers legitimise transborder data flows.

The article referred to the fact that the European Commission had recently updated its controller to processor model clause for the transfer of personal data from controllers to processors based in countries outside the EEA that are not recognised as offering an adequate level of data protection. (The EEA is all EU countries plus Iceland, Liechtenstein and Norway.)

The article explained that “the main change to the model clauses is to allow sub-processing, a practice which is extremely common particularly in IT and outsourcing industries, to take account of the business trend and practice towards more globalised processing activity ... The main change to the controller to processor model clauses is the inclusion of new provisions to allow non-EEA processors to sub-contract their processing activities to sub-processors, provided certain conditions are fulfilled.”

The trouble was that, much as I tried to fake an interest, I really couldn’t do it. This is one aspect of data protection law that is so technical and so boring that I defy anyone to be seriously worried about this stuff. And I’m sure that no-one I try to explain the concept to really gets it either.

And then I remembered that I was in good company. The authors of the Kantor report, about which I blogged on 23rd July, also had a pretty dim view of some of the more arcane rules that the EU had set around these matters. Their views on “applicable law” and how a data controller can determine what the applicable law actually is, make pretty explosive reading. Section V(3) explains that “All data processing, including the processing of personal data, is becoming increasingly internationalised. This is inherent in activities on the Internet, and will be all the more so in an era of “cloud computing”. The actors involved in such processing are also becoming increasingly diversified and split between countries, with often not-easy-to-distinguish tasks and responsibilities. This will cause increasing conflicts of law, also within the EU/EEA, because of the ambiguity and different implementation of the “applicable law” rules in the Directive."

The report went on to argue that “Specifically, under the main Directive, within the EU/EEA, Member States must apply their national data protection law to a processing operation if “the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State”; but “when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable.” (Article 4(1)(a) of the main Directive)..... The rules in Article 4(1)(a) are quite simply utterly confused and impossible to apply in the new global-technical environment. Not surprisingly, the rules are applied differently in the Member States, leading to conflicts of law (which are only not too serious in practice because the competing and conflicting laws on paper are often not enforced in practice).”

So what was required? “Better, clearer and unambiguous rules are desperately needed on applicable law."

Hear, Hear. If the rules were less ambiguous then I might be more interested in trying to apply them properly.

But right now, I’m happy to echo the sentiments of Rhett Butler, in his last words to Scarlet O’Hara. Should European Commissioner Viviane Reding ask me for my views on the extent to which the EU Model clauses have been effective in facilitating excellent data protection standards when regulating transborder data flows, I’ll just turn to her and say:

“Frankly, my dear, I don’t give a damn.”