
Mantovani on Contractual Obligations as a Tool for International Transfers of Personal Data

The post below was written by Martina Mantovani, Research Fellow at the Max Planck Institute Luxembourg.

The Schrems II case, currently pending before the CJEU, has brought into the spotlight the possibilities offered by Article 26 of Directive 95/46/EC and by Article 46 of the General Data Protection Regulation (GDPR) for transferring personal data outside the EU by way of contractual mechanisms.

In this preliminary reference, the validity of the Commission’s Decision 2010/87/EC – setting forth a set of model “standard contractual clauses” for international data transfers – is questioned, inter alia, on the basis that such contractual clauses are binding solely as between the data importer and exporter and do not prevent national authorities of a third country from requiring, under local laws, the data importer to make available the transferred personal data to the security services.

While this question is only mildly related to traditional private international law core issues – spurring reflection on the relations and interplay between the contractual set-up established between the parties and local (public) laws – this case may trigger a broader discussion on the role and function that this area of law and its language has in ensuring the proper functioning of the European regime for international data transfers.

To the present day, private international law seems to have contributed very little to this debate, despite the fact that these mechanisms are, in the vast majority of cases, international commercial contracts between private parties, ie the “natural habitat” of this area of law. As a result, many of the private international law issues arising in connection with the practical implementation of international data transfers presently remain uncharted territory.

An analysis of these contracts through the prism of private international law shall start from the assessment of their nature and function. Since these may be regarded as “something more” than sheer international commercial contracts (1), being additionally a “governance tool” that the EU legislator deploys in the pursuit of its political objectives (2), these contracts acquire specific features which are of indubitable interest for private international law (3).

1. The contract as a “false friend”: the hybrid nature of the contractual mechanisms for international data transfers

The notion of contract is growingly regarded, by legal scholarship, as a “false friend”, capable of differing significantly in meaning depending on whether it is employed solely in its traditional capacity of source of freely agreed obligations between private parties (i), or whether it is additionally used as a mode of governance (ii).

(i) The contract as a source of freely agreed obligations between the parties

A source of freely agreed obligations. The contractual mechanisms currently listed by the GDPR for international data transfers are standard contractual clauses (SCCs), binding corporate rules (BCRs), certification mechanisms and codes of conduct. These tools all rely on a contractual commitment undertaken by a third state data importer, who is not directly bound by the GDPR by virtue of its article 3, to conform to a set of obligations relating to the processing of data.

Content-wise, the parties remain in principle free in drafting these contractual commitments, in the respect of the twofold requirement set out by article 46 GDPR. Firstly, they should provide “appropriate safeguards”, ie compensating for the absence of a general level of adequate protection in the third country of destination, by including the essential elements of protection which are missing in any given particular situation. In essence, the data importers and/or exporters agree to bear the joint and/or several responsibility of ensuring that the transfer and the further processing of the transferred data will continue to comply with essential mandatory requirements of EU law. Moreover, under article 46 GDPR, these contracts shall also confer enforceable data subject rights and effective legal remedies upon (European) data subjects. For these purposes, the data subject is usually made a third-party beneficiary, authorised to enforce these contracts against the EU-based data exporter, the non-EU data importer or both, depending on the case.

Between the parties (often private parties): The aforementioned obligations could be enshrined in a specific contractual commitment entered into between a non-European data importer and: an EU-established data exporter, in relation to a specific transaction or set of transactions (ie transfers of data) in the case of the SCCs; the other entities affiliated to the same group of undertakings, all agreeing to conform to the same privacy policy (BCRs) in relation to intra-group data transfers; a certification body (a national supervisory authority or a private body accredited pursuant to article 43 GDPR) in the case of certification mechanisms; or the promoter of a code of conduct.

It is worth reminding that the eventual “public nature” or the “exercise of public functions” by any of these parties (e.g. by the certification body or promoter) does not, as such, exclude a characterisation of these commitments as “civil and commercial” contracts for the purposes of European private international law, as the pending case Rina may further clarify.

However, another factor may impact on the characterisation of these contracts as “public” or “private” in nature, namely the fact that they can be used for extra-EU data transfers only once they get approved by a national supervisory authority, called to assess that the guarantees provided therein meet the standard of “appropriate safeguards”. As concerns SCCs, there are also three model sets, which have been pre-approved by the Commission itself and enshrined in EU Decisions binding in all Member States.

Nonetheless, while the need for approval by a public authority unquestionably is a distinctive feature of these contracts, it seems doubtful that this could, as such, alter “the private law nature” of the contractual engagements undertaken as between the data importer and exporter.

(ii) The contract as a tool of governance

When used as a tool of governance, the contracts for international data transfers aim at achieving, in one go, a twofold political objective: giving continuity to the high level of protection granted under EU law to the fundamental right to data protection, while promoting the world-wide dissemination of the European standard of data protection.

The expression “contractualisation of society” designates an ongoing political phenomenon consisting in the extension of private law contractual techniques outside their traditional domain, in fields hitherto reserved for unilateral public policy instruments. The contract thus acts not only as a vector of obligations in the technical sense, but also as a mode of governance. Therefore, it loses some of its traditional characters while acquiring new features.

From the standpoint of legislators, “governing by contract” presents undeniable advantages: the contract appeals for its flexibility, and its use by the political power may reflect its desire to make people forget that “it imposes”, in order to gain the voluntary support and compliance of those it intends to govern. Such a governance technique may be particularly appealing to the European legislator, since voluntary compliance to European data protection law by economic operators who are not directly and immediately bound by it by virtue of article 3 GDPR is regarded as an important political objective.

In the attempt of “making Europe the (global) standard setter for modern data protection rules in the digital age”, the EU Commission has in fact frequently stressed not only the essential role played by business responsibility in ensuring the effective protection of the fundamental right to data protection, but also the (economic) benefits that compliance with EU law could bring to both European and non-European businesses. Notably, compliance with the EU data protection law was advertised as “a golden opportunity” and “competitive advantage” for businesses, insofar as these rules are “a trademark that people recognise and trust worldwide”. As a consequence, literally “everyone” was invited to put these rules to life.

The Commission also stressed the important role that the voluntary adoption of EU data protection rules by business is having in favouring, at the global level, the upward convergence of legal orders, insofar as “a growing number of companies are addressing [data protection concerns] by extending of their own volition the rights created by the GDPR to their non-EU based customers.”

The contractual mechanisms for international data transfers set out by the GDPR are particularly suited to accommodate and promote this political ambition of the EU legislator. They condition the international transfer to the application, in the third country, of a contractually-created ersatz of EU law, thus favoring “its migration” and “silent absorption” in the legal order of third states.

2. Favouring the creation of global standards: the “migration of EU law” through the contractually-mediated application of its private law “ersatz”

All the contractual data transfer mechanisms provided for by the GDPR share an important common feature in that they determine the (mediated) application of EU law to the data processing activities carried out by a data importer in a third state, who voluntarily agrees to undertake (some of) the obligations which follow from the GDPR in order to gain access to European data.

(i) The extended application of EU law

The technical way in which this mediated application of EU law is realised varies depending on the specific tool considered.

As concerns the SCCs, the existing model sets approved by the Commission provide, in Set I, a general freedom to choose the substantive data protection rules to be applied by the importer in the third state, subject however to the necessary respect of certain “mandatory data protection principles” which “should apply in any event” and be “read and interpreted in the light of the provisions (principles and relevant exceptions) of Directive 95/46/EC” (Appendix 2). On the other hand, Set II limits the importer’s choice to three alternatives, notably between the application of (a) the laws of the Member State in which the data exporter is established, or (b) the relevant provisions of any adequacy decision adopted by the Commission limited to certain sectors of activity only, if the data importer is based in that adequate third country and is not directly covered by that sectorial Decision, or (c) the data processing principles set forth in Annex A (which does not expressly require an interpretation in light of the 1995 Directive, but explicitly refers nonetheless to specific provisions of that instrument). Party autonomy conversely seems to play no role in Set III, applicable to transfers to non-EU-established processors, insofar as the transfer of personal data to processors established outside the EU “should not prejudice the fact that the processing activities should be governed by the applicable data protection law” (Recital 18), defined as “the legislation protecting …[the] right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established” (Article 3).

Moreover, both BCRs and certification mechanisms follow a similar pattern. As concerns the former, the guidelines issued by the Article 29 WP list a series of essential elements and principles, directly derived from specific provisions of the GDPR (§ 6.1.1), whereas, concerning the latter, an EU Commission Study recommends the inclusion, in the certification contract, of certain core principles of EU data protection law, derived from Arts. 5, 24, 25 and 28 of the GDPR.

(ii) The contract as a geographical space with inherently expanding boundaries.

The section above should demonstrate that the contractual mechanisms for international data transfers allow for the exportation not only of “European data”, but also of “European law” by means of contract.

In analysing the impact of place/location (lieu) and space (espace) on a contract, Hortense Fabre-Dubout put forth the idea that contractual relations could be represented, in themselves, as an espace, ie a surface delimited in space, a geographical space corresponding to the spatial scope of application of the obligations it creates. This “contractual territory” created by the meeting of the parties’ minds influences the behaviour of its inhabitants and impacts on the manner in which a fact occurred within it is legally assessed and dealt with by individuals and public authorities.

Against this backdrop, the contractual tools for international data transfers could successfully carve out, within the third state, different “spaces” where the behaviour of their inhabitants (notably of businesses) is indirectly influenced by the EU legislator, who requires the contractually-mediated application of at least some of the core principles of its data protection legislation.

From the standpoint of legislative technique, the contractual tools for international data transfers belong to the genus of territorial extension. In line with the conceptualization of this technique developed by Joanne Scott, the GDPR regime for international data transfers creates incentives, over and above “mere” access to European data, for compliance to be achieved at a higher level, ie for expanding the geographical boundaries of these “spaces” beyond the limits of the single transaction. So, for example, while SCCs operate on transaction-per-transaction level, BCRs cover, with a single contract, a bigger variety of data transfers within a bigger geographical area, ie the entire group of companies.

By scaling-up compliance at group level, businesses are rewarded, inter alia, by regulatory simplification, with one single contract replacing the numerous contracts which would otherwise be required to cover intra-group transfers. The same reasoning applies to certification mechanisms, where firm-level compliance is rewarded with simplification (with all data flows directed toward this importer being presumed compliant and therefore authorised, without the need of adducing additional contractual safeguards), as well as with the potential benefits that the “branding power” of certified respect of EU law may have on the EU market.

(iii) The migration of EU law

The creation of “contractual regulatory spaces” within third countries, coupled with the incentives to expand their area of influence, may favour the “migration” of EU rules and principles towards third States.

This notion is used by Judith Resnik to underline that States cannot fully control the entry of foreign values and rules within their legal orders. Conversely, the “importation” of foreign rules and principles remains in principle a “highly democratic” process, depending on how, and through which actors, lessons from abroad will be brought home and how, and through which actors, a legislature will attempt to affect the law and practices of other nations.

By teetering on the thin line between top-down imposition of its data protection law and its voluntary adoption by profit-seeking economic actors, the contractual mechanisms for data transfers described above assist the European legislator in promoting the widespread dissemination of its standard of data protection. If no dispute arises in relation to the performance of these contracts in the third-country, the application of EU principles in the third state remains largely off the radar of its courts, which cannot consequently “block” its entry through overriding mandatory provisions or public policy exceptions.

Taking the idea of the law’s migration to the extreme, it may be argued that, in the long run, these processes of voluntary compliance with the European standard may favour its “domestication” or silent absorption in the foreign legal order, thus eventually triggering legislative change within the third state through a bottom-up approach.

However, as mentioned above, the Schrems II case might put an end to, or drastically limit, the practical impact of this phenomenon. As recognised by Advocate General Øe in his Opinion, the potential reverberations of this case go well beyond the sole issue of the validity of the SCCs Decision of 2010. Rather, it calls into question the actual possibility of ensuring an adequate level of protection of such data “by means of exclusively contractual mechanisms”, given that BCRs, certification mechanisms and codes of conduct all rely on similar contractual set-ups.

3. The potential contribution of private international law scholarship to the debate on international data transfers based on contractual mechanisms

Supposing that the CJEU will rule in favour of the use of exclusively contractual mechanisms for international data transfers, further analysis by private international law theories could be necessary, insofar as it may shed some light on several controversial aspects of these contracts, relating, in essence, to the interaction of the data protection regime with the instruments adopted by the EU on the basis of article 81 TFEU. In this respect, private international law theory could, in particular, perform the following functions.

(i) PIL and the limitations to conflict-of-laws party autonomy

Two elements emerge from the analysis of the model SCCs adopted by the Commission. First, that this institution is not generally opposed to the idea of granting a certain freedom in the choice of the applicable data protection regime; and, secondly, that not all provisions of European data protection law shall be regarded as being “overriding and mandatory”.

Against this backdrop, private international law could lend its language and its theories on conflict-of-laws party autonomy with an aim to better identifying its extent and limits in relation to these contracts.

The fact that these express an overriding public interest, and are moreover used as mode of governance, might entail that the room for manoeuvre left to conflict-of-laws party autonomy may be narrower than it is in “ordinary” international commercial contracts.

In particular, the margin of freedom granted to the parties, as well as the identification of the provisions to be regarded as “overriding and mandatory” may vary depending on whether the parties’ choice concerns (a) law applicable to the “contractual clauses” as such, ie to (all or some of) the issues listed by article 12 of Regulation Rome I (cfr the provisions titled “Governing law” enshrined in the model SCCs); or (b) the law applicable to the international transfer of data, as a processing operation in itself, carried out by a data exporter directly bound by the GDPR and its national complementing laws; or (c) the law applicable to the processing of data by an importer in a third state. It seems conceivable, in principle, that the scope of the parties’ freedom might be wider in the latter case, given that it concerns the application of principles of EU law to processing operations which are not directly regulated by the GDPR itself. The interaction between the GDPR and the Rome I Regulation needs in any case to be clarified, especially in relation to the issues listed sub a) and c).

(ii) PIL and the effectiveness of choice-of-court agreements

The data subject’s right to enforce said contracts before a court of a Member State is an essential component of the provision of “enforceable rights” and “effective remedies” required under Article 46 of the GDPR. In this respect, the model SCCs adopted by the Commission enshrine choice of court agreements as between the data importer and exporter. These thereby agree that, in case of a dispute between the data subject and either party which is not amicably resolved, they accept the decision of the data subject, as a third party beneficiary, to refer the dispute to the courts in the Member State in which the data exporter is established. Depending on the set of clauses used by the parties, the data subject is required either to sue directly the third state data importer (Set II) or is given the choice between suing the data exporter, the data importer or both (Set I).

When data subjects sue the third-state data importer (alone or in conjunction with the exporter) before a Member State court on the basis of said jurisdictional agreement, the question is as to what basis, and according to what jurisdictional regime, the seised court shall assess its jurisdiction.

In this respect, private international law’s longstanding experience with national regimes on choice of court agreements may contribute in assessing whether, and to what extent, said jurisdictional agreements between the data exporter and importer could effectively fulfil the objectives set out by article 46 GDPR. Reference could be made, inter alia, to a preliminary study conducted by The Hague Conference in 2002, evidencing “a number of difficulties experienced in practice with regard to the enforcement of choice of court clauses in contracts, even within the business to business (B2B) context”. Leaving the regulation of such agreements to the non-unified private international law systems of the Member States could therefore run counter to the objective of these clauses and of the GDPR, ie to confer enforceable rights and an effective remedy on data subjects.

The private international law systems of the Member States would nonetheless come into play solely where the Brussels Ibis Regulation was deemed inapplicable, ratione materiae, to these contracts. As is well known, the regime of choice of court agreements established by this Regulation presents the advantage of being applicable irrespective of the parties’ domicile, ie of being applicable also vis-à-vis a non-EU domiciled defendant. The relationship between the Brussels Ibis Regulation and the GDPR remains, however, largely unclear: both instruments establish – respectively in Article 67 and in Recital 147 – that the former does not “prejudice” the latter.

Further conceptualisation by private international lawyers on this point may therefore contribute to developing arguments in favour of the cumulative application of the GDPR and those provisions of the Brussels Ibis Regulation – such as its Article 25 – which, far from causing a “prejudice”, factually enhance the effectiveness of the EU data protection regime and contribute to the achievement of its objectives.

As it is, protecting such choice of court agreements through the Brussels regime would not prejudice the weaker party, ie the data subject. On the one hand, these agreements do not prejudice (as per the express provision of those clauses) any other substantive and procedural right of the data subject to seek remedies according to other provisions, such as, for example, to sue the EU-based processor or controller in accordance with article 79(2) GDPR.

On the other hand, they confer upon the protected party an additional possibility of suing a non-EU data processor or controller before a court of a Member State. It is in fact doubtful that such a result could be achieved on the basis of article 79(2) (with the forum of the habitual residence being available only for “such proceedings”, clearly referring to the proceedings mentioned in the prior sentence of that provision, involving an EU-established processor or controller).

(iii) A PIL approach to the “conciliation of data protection laws”

In reading the existing approved sets of BCRs, it is rather common to find provisions, usually titled “conflicts with local laws”, establishing that in case of conflicts between “applicable local laws” of a non-EU country and the BCRs, including as concerns further transfer of personal data, the relevant Responsible Executive shall consult with the Chief Privacy Officer “to determine how to comply with the BCRs and resolve the conflict to the extent reasonably practicable given the legal requirements applicable to the relevant Group Company”. Moreover, the Chief Privacy Officer may seek the advice of the Lead Data Protection Authority or another competent public authority (see, for example, Article 16 of JP Morgan BCRs).

Provisions of this kind mark a shift from the standing tradition of private international law to think in terms of “conflict” of laws, rather than in terms of their conciliation. Hence, contracts for international data transfers may be fertile ground to test the potential and limits of the method of the conciliation of law, sketched and developed by the excellent work of Hugh Patrick Glenn.

4. Concluding remarks

The purpose of this post was not to propose any definite solution to the existing private international law issues within the framework of international data transfers. Rather, it was meant to draw attention to an area of data protection law which seems oddly under-investigated by private international law analysis, despite offering much food for thought in connection with the new scenarios of the digital economy and the quest for global regulatory standards.
