Data protection: Commission approves new standard clauses for data transfers to non-EU countries
European Commission - IP/05/12 07/01/2005
Brussels, 7 January 2005
The European Commission has approved a new set of standard contractual clauses which businesses can use to ensure adequate safeguards when personal data is transferred from the EU to non-EU countries. The new clauses, submitted by a business coalition, will be added to those already available under the Commission’s June 2001 decision (see IP/01/851). Use of standard contractual clauses offers companies and other organisations a straightforward means of complying with their obligation, under the 1995 EU Data Protection Directive, to ensure "adequate protection" for personal data transferred outside the EU.
Single Market Commissioner Charlie McCreevy, said "”This is a good example of regulating in cooperation with business. The business community has shown a serious commitment towards data protection and the Commission has carefully listened to business needs. That is good for EU citizens, whose privacy is better protected, and for our companies, whose competitiveness is reinforced.”
A big coalition of business associations led by the International Chamber of Commerce negotiated these new standard contractual clauses with the Commission and the committee of EU data protection authorities (the “Article 29 Working Party”) over the last three years.
Companies believe that some of the new clauses, such as those on litigation, allocation of responsibilities or auditing requirements, are more business-friendly. Yet they provide for a similar level of data protection as those of 2001 and to prevent abuses, the data protection authorities are given more powers to intervene and impose sanctions where necessary. The implementation of this new set of clauses will be reviewed in 2008.
Contractual clauses are not necessary to transfer data to Switzerland, Canada, Argentina and the UK territories of Guernsey and the Isle of Man, whose own regimes are recognised by the Commission as offering adequate data protection. Neither are they needed for transfers to US companies adhering to the 'Safe Harbor' Privacy Principles issued by the US Department of Commerce.
For transfers to other countries, standard contractual clauses are one of a range of means under the 1995 Directive to ensure appropriate data protection.
This is the third set of standard contractual clauses made available to operators since the Directive entered into force in 1998. Should other interested parties submit other set of clauses in the future, the Commission may consider them to the extent that they contribute to a further simplification and ensure adequate safeguards.
The Commission is also working with the data protection authorities on other possible alternatives, such as “Binding Corporate Rules”, that is, the use of codes of conduct instead of model contracts for the transfer of personal data to third countries.
All these efforts are part of the Commission’s work programme for a better implementation of the Data Protection Directive (see IP/03/697), the results of which will be assessed by the Commission in 2005.
Further information about this Decision and the standard contractual clauses, including exchanges of letters with business associations and the US Departments of Commerce and Treasury, are at:
See also MEMO/05/3 for frequently asked questions on the Standard Contractual Clauses.