On June 27, 2023, the Council of Europe (“CoE”) announced the adoption of its first module of the Model Contractual Clauses (“MCCs”) for cross-border data transfers based on the Protocol amending the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108+). These model clauses aim to regulate data flows between data controllers and are recommended for adoption by competent authorities.
Background: Convention 108+
Convention 108 was the first binding international instrument protecting individuals’ data rights. It influenced modern data protection laws such as the GDPR and established core principles around data transfers.
Convention 108+ modernized the framework to address emerging privacy challenges, strengthening principles like data minimization and introducing obligations for data breach reporting. Under Convention 108+, the transfer of personal data to countries outside the jurisdiction of the parties must comply with specific conditions. These conditions include obtaining the consent of the data subject, ensuring appropriate safeguards for data protection, and respecting the rights of the individuals involved.
Model Contractual Clauses – easier route to compliance
Model clauses provide a ready and cost-effective solution to comply with regulatory requirements, while ensuring that personal data attracts the same level of protection when transferred to another country.
The MCCs aim to achieve convergence among different regions that already possess similar mechanisms (such as EU Member States, Latin America, ASEAN countries, and national laws), while also serving as a streamlined approach to ensure essential safeguards.
Transfers between EU Member States and countries deemed by the EU to have sufficient data protection regulations, such as the UK, Japan, or South Korea, will not require the use of MCCs. The MCCs will be most useful for transfers of data between Convention 108+ members other than EU Member States or the UK (due to the EC SCCs and UK IDTA) and countries that are not party to the Convention. Any country deemed adequate by the EC would also fall outside the use of the MCCs. For instance, on 10 July 2023, the European Commission adopted the EU-US Data Privacy Framework, which enables unrestricted movement of data for participating organisations.
What do the MCCs say?
The MCCs can be included in broader contracts or used as standalone provisions. They may also be combined with additional safeguards, as long as they do not contradict the model clauses, applicable law, or infringe upon human rights and fundamental freedoms recognized in Convention 108+. These clauses cover various aspects, including data security, onward transfers, data processing principles, data subject rights, and obligations related to governmental access to personal data.
The governing law for the model clauses is determined by the country of the data exporter (a controller who is a party to Convention 108+) unless third-party beneficiary rights are not allowed in that country. The rights and obligations of the parties involved are outlined in accordance with contractual principles, ensuring compliance with data protection standards. Finally, the clauses provide for jurisdiction of a supervisory authority of the data exporter.
The data protection safeguards outlined in the MCCs incorporate the principle of due diligence, placing the responsibility on the receiving party to implement suitable technical and operational measures to fulfill their obligations. In Annex 3 of the MCCs, the data importer is mandated to furnish specific information concerning these safeguards. Further provisions include data minimization, limited retention period and purpose limitation.
The current MCCs will be further complemented by two additional modules due to be issued in the near future. These forthcoming modules are expected to expand the scope and applicability of the clauses.
It’s important to note that the MCCs require pre-approval by competent national authorities to be transposed into national and regional transfer instruments and mechanisms for data controllers. The acceptance of these clauses by competent authorities will play a crucial role in ensuring their effective implementation and adoption.