• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

After Safe Harbor; before Privacy Shield

Standard contractual clauses as solution for data transfers to the US

Under the EU Data Protection Directive (Directive), which in the UK has been implemented via the Data Protection Act 1998 (DPA), personal data may, in principle, be transferred outside the EEA only if that third country ensures an adequate level of protection for the data. This principle is enshrined in the eighth data protection principle.  One method to ensure adequate protection, which has recently gained increased interest, is the use of standard data transfer clauses (Standard Contractual Clauses or Clauses) established by the European Commission (Commission).

Background: Demise of the Safe Harbor

In addition to the Standard Contractual Clauses, another way to ensure compliance with the eighth principle is if the Commission makes a finding that a non-EU country ensures adequate protection of personal data by reason of its domestic laws or its international commitments.  The Commission did so in 2000 in respect of the US by establishing what became known as the Safe Harbor scheme, through which nearly 6,000 companies were able to become self-certified to receive personal data from the EU to the US. 

In light of the revelations made in 2013 by Edward Snowden concerning the activities of the US intelligence services, in particular the National Security Agency, the ability of the law and practice of the US to offer adequate protection against surveillance by public authorities of data transferred to the US, in the case in question via Facebook to servers in the US, was challenged. On 6 October 2015 the Court of Justice of the EU agreed and declared the Safe Harbor regime invalid.[1] As a result, if businesses that previously relied on the Safe Harbor scheme wish to continue to transfer data to the US, in order not to violate data protection legislation, they must make use of another method.

Standard Contractual Clauses as Alternative to Safe Harbor

For the time being the primary alternative to the Safe Harbor scheme is the use of a contract that contains the Standard Contractual Clauses (also referred to as Model Clauses or Model Contracts).  This method, too, is now under threat, however, because the Irish Data Protection Authority has recently indicated that it intends to refer a case that would challenge the legal basis for transferring data under Standard Contractual Clauses to the Court of Justice of the EU. The use of Standard Contractual Clauses was first established by the Commission in 2002 as a mechanism to lawfully transfer personal data out of the EEA and originally applied only to transfers from data controllers to data processors.  An updated version, which became effective in 2010, extended the regime to transfers to sub-processors (there are also controller to controller Standard Contractual Clauses).

The Standard Contractual Clauses are available free of charge and adopting them can be reasonably uncomplicated, but varies depending on the country (for example some data protection authorities require them to be submitted to them, or even to approve them). The use of the Clauses presents both drawbacks and benefits that should be considered prior to deciding on their use.

Clarifications to Guide Interpretation of the Standard Contractual Clauses

The Standard Contractual Clauses are indeed standard form, and as such, in order to function as intended, they may not be altered. Because they cannot be amended some contracting parties resort instead to explaining in their contracts how the Clauses are to be interpreted. Two prominent examples of areas that are often subject to such clarifications are sub-contracting and audit.

As noted above, Standard Contractual Clauses can be used in connection with sub-processors.  The use of a sub-processor is subject to the non-EU data importer obtaining the EU data exporter’s prior written consent.  In practice this consent requirement has at times, led to complex negotiations on where the non-EU data importer might be transferring data to an affiliate or using a third party to store the data.  Additionally, the EU data exporter remains liable for ensuring that the personal data is protected in the manner specified in the Clauses, including after it has been passed to a sub-processor.  If the sub-processor is an affiliate this is typically less of a concern, however, if the sub-processor is a third party there may be disagreements about the clarifications used in connection with this.

Under the Standard Contractual Clauses the data importer must allow materials connected to the agreement in respect of which the Clauses are used, to be audited by the data controller itself, or an independent body selected by the data controller. Oftentimes the underlying agreement in connection with which the Clauses were used already contains its own audit requirements, which might specify when, how, how often and upon how much notice audits may take place.  As a result, the audit requirement from the Standard Contractual Clauses may be accompanied by clarifications about how such audit rights are to be exercised, stating for instance that only the audit rights of the underlying agreement will apply (where these are appropriate).

The use of clarifications of this kind, which usually appear in a covering note, contribute to casting doubt on the unchanged nature of clauses whose intention it is to be the same across all contracts to which they apply.  Such clarifications also complicate a process that can otherwise be relatively streamlined. These clarifications might be understood as the parties’ intended interpretation but parties should specify that in the event of a conflict the terms of the Standard Contractual Clauses will override the clarifications.

Adoption and Applicability of the Standard Contractual Clause

In spite of the drawbacks associated with the interpretative clarifications, as well as the impracticalities of signing multiple Clauses agreements, the Standard Contractual Clauses do present other aspects that can entail marked benefits. In the UK the adoption process is relatively simple because use of the Clauses constitutes a pre-approved method of transferring personal data outside the EEA and does not necessitate further approval from the Information Commissioner’s Office. As a result, implementation in the UK can be very fast. Notably, however, not every EU country has accepted the Clauses as a pre-approved method and some do require the Clauses to be approved by the local regulator subsequent to adoption in order to be effective.  The outcome is therefore that the Clauses do not function as efficiently and quickly as intended in every country.

Compared to the Safe Harbor scheme, the applicability of the Standard Contractual Clauses is significantly broader.  In contrast to the Safe Harbor, which applied to transfers of personal data to the US only, the Clauses can be used in connection with transfers to any non-EU country.   

Future of the Standard Contractual Clauses

Many companies that previously relied on the Safe Harbor for transfers of personal data to the US are now adopting the Standard Contractual Clauses. The Clauses offer an alternative albeit not an ideal one to the void left by the Safe Harbor and it appears that the need to adopt them is perceived largely as an administrative hassle. Following the decision invalidating the Safe Harbor some companies noted, however, that they had not been relying exclusively on the Safe Harbor scheme but had been using the Standard Contractual Clauses as well, suggesting both that the impact of the invalidation and the consequent need to institute an alternate method is perhaps not as wide-spread as it otherwise might be and that the Clauses already have a significant foothold in EU-US data transfers.

In addition to the practical difficulties in implementing the Standard Contractual Clauses, as evidenced by the prevalence of clarifications, their adequacy in protecting personal data is also currently being questioned and there is a danger that like the Safe Harbor they might also be found to be an invalid method of transferring data to the US. Indeed, one regulator in a German federal state (Schleswig-Holstein) expressed the view that the Standard Contractual Clauses are an inadequate data transfer mechanism.  And, as referenced above, in May it was revealed that the Irish Data Protection Authority, the Irish Data Protection Commissioner, is planning to refer a case to the Court of Justice of the EU.  The case would challenge the legal basis for using the Standard Contractual Clauses to transfer data for much the same reason as the challenge brought against the Safe Harbor, namely that the mechanism fails to adequately protect personal data and in particular prevent mass surveillance. The Court of Justice of the EU is the only institution that may declare a Commission decision invalid and unless and until such time as it does so the Standard Contractual Clauses will remain a lawful method for transferring personal data.

In addition to Standard Contractual Clauses alternative methods that satisfy the eighth principle include Binding Corporate Rules or an exception from the rule is if you have consent from the data subject. Binding Corporate Rules, however, are limited to transfers within a specific corporate group and as such do not provide a broad-based alternative to the Standard Contractual Clauses.  Consent from the data subject is not recommended by data protection authorities for long term or repeated transfers.

Following the invalidation of the Safe Harbor mechanism the EU and the US have been working towards establishing a new methodology for data transfers and in February 2016 agreement on a new framework entitled the EU-US Privacy Shield was announced.  However, although this was initially welcomed, in April 2016 the Article 29 Working Party, which consists of EU data regulators, issued an opinion on the Privacy Shield which expressed concerns about the proposal and made requests for clarification.  In May 2016 the Article 31 Committee, which is made up of representatives of all member states and has veto power over the agreement, expressed the view that parts of the proposal were not acceptable and that more time is needed.  In May 2016 the independent supervisor of the EU institutions and advisor to the EU legislator, the European Data Protection Supervisor, issued a press release indicating that the Privacy Shield is not robust enough to withstand future legal scrutiny, that significant improvements are needed to respect the essence of key data protection principles, and that a longer term solution should be sought.  The discussions are still ongoing and it will be some time before the scheme is finalised and approved. Accordingly, albeit far from an ideal solution, it appears as though at present the Standard Contractual Clauses present the most workable solution for transatlantic data transfers but it remains to be seen what their long-term fate will be.  

 

[1] Maximillian Schrems v Data Protection Commissioner, Judgment in Case C-362/14, 6 October 2015.

Contact our experts for further advice

Lina Monten-Lister, Nicola Fulford