FPF Report: Not-So-Standard Clauses – An Examination of Three Regional Contractual Frameworks for International Data Transfers
On March 30, the Future of Privacy Forum launched a new report comparing three regional model contractual frameworks for cross-border data transfers. The report compares the EU’s Standard Contractual Clauses (SCCs), the ASEAN Model Contractual Clauses (MCCs), and the Iberoamerican Network’s Model Transfer Agreement (MTA). The three frameworks cover a total of 62 jurisdictions on three continents – this report seeks to identify overlaps and key differences among the three, while also reflecting on the question of their potential interoperability. Notably, this report does not evaluate contractual frameworks created by individual countries (such as the recently released Chinese Standard Contract Provisions) or frameworks that are still in the development process, like the recently amended draft Convention 108+ Model Contractual Clauses for the Transfer of Personal Data being developed by the Council of Europe.
International transfers of personal information are an increasingly contentious space in the privacy and data protection world. As more jurisdictions pass laws and develop regulations governing the collection and processing of personal data, more limitations on the transfer of that information from one jurisdiction to another necessarily follow. Exceptions go hand-in-hand with those generalized restrictions on cross-border data transfers; in that context, pre-approved contractual frameworks between transferor and transferee have emerged as critical components of the modern cross-border data transfer environment.
These contractual frameworks set out the responsibilities of the parties to a data transfer, mandating to a greater or lesser extent what information those parties must provide to one another, members of the public, and relevant government authorities while also covering issues ranging from the distribution of liability to the parties’ responsibility to evaluate the laws of destination jurisdictions. This Report outlines how the three chosen frameworks are similar and where they are different in a number of key areas, including:
- Underlying Legal Basis for Use of Contractual Framework
- Core Party Obligations
- Data Subject and Third Party Rights
- Response to Government Requests
- Relevance to Cross-Border Enforcement
- Permissibility of Modifications
This Report also includes a number of Annexes that seek to set summaries of particularly important provisions side-by-side, organized by the type of provision or the specific party it binds.
Our analysis has determined that while the international space for cross-border transfers has begun to converge on some core concepts (such as classifying parties as “controllers” and “processors” as well as “importers” and “exporters”) and on some key obligations for parties (such as requiring a certain degree of transparency regarding each transfer, and imposing basic security requirements on parties), there remain significant areas where data transfer contracts diverge. As a baseline, the most critical element of any model contractual framework is how it interacts with the underlying legal obligations imposed on the parties it binds. Here, the EU SCCs, given their relationship to the GDPR, by necessity have a different structure than either the Ibero-American MTA or the ASEAN MCCs, which are designed to interact with multiple jurisdictions whose data protection laws differ or are lacking entirely. Additional issues include whether and how contracts should acknowledge third party rights, whether contracts should treat different types of processing or personal data differently, the parties’ responsibilities in the event of government requests for data, and whether specific concepts like the use of automated decision-making or the processing of children’s information should be addressed.