New Standard Clauses For Data Transfers To Data Controllers In Non-EU Countries
Client Alert | 1 min read | 01.24.05
The Data Protection Directive permits the transfer of personal data outside of the EU in certain circumstances, including where a data exporter (based in the EU) and a data importer (based elsewhere) enter into a written agreement guaranteeing that the data importer will adequately protect all personal data received from the data exporter.
In 2001 the European Commission approved standard contract clauses for use in such a situation. However, the clauses were widely regarded as being too onerous on data exporters. In response to a demand from businesses, the European Commission adopted new alternative standard contract clauses in December 2004 for use in contracts between data controllers.
The key differences between the 2001 and 2004 standard contract clauses relate to the liability of the data exporter for the activities of the data importer: The new standard clauses now impose liability for damage suffered by a data subject directly on the data importer, and the data exporter is now only liable where it has failed to use reasonable efforts to determine that the data importer is able to satisfy its legal obligations under the standard contract clauses.