Offshoring and Privacy Aspects A case study under Dutch law from the perspective of an IT provider

Elisabeth P.M. Thole, CRi 2/2007

In February 2006 Widmer and Nair described the data protection issues in the context of outsourcing from the Swiss and European perspective to India (Widmer/Nair, CRi 2006, 12-17). Starting from that study of the European, Swiss and Indian privacy laws, this article examines some additional relevant practical legal issues arising out of the transfer of personal data from a European country to India. The article analyses the outsourcing options of an IT provider located in the Netherlands. The IT provider wishes to deal with the data protection compliance issues itself to the highest extent possible and to have the transition effected without causing any nuisance to its customers in moving its activities or parts thereof to India. How should he take care of this?

I. The Case Study

A relatively new variation on the traditional outsourcing concept is offshoring. Offshoring refers to the migration of (IT) services by taking advantage of lower-cost labor in another country, such as India, Romania and Ukraine. Analysts expect that the worldwide expenditure on IT outsourcing and offshoring will exceed fifty billion dollars by [year missing in source]. There is clearly a growing demand for professional IT services. However, there are various risks and pitfalls attached to IT outsourcing and offshoring. The following case study reveals a specific concern: the privacy aspects linked to the offshoring of activities by outsourcing companies to their own offshore branches.

1. Relevant Facts

An IT provider based in the Netherlands provides IT services to various organizations and businesses. One of its activities in that context is the processing of personal data for its customers. From a data protection perspective, the basis for this data processing is to be found in the outsourcing contracts or other agreements between the IT provider and the customers. Typically in these agreements, the IT provider has reserved the right to outsource processing activities to its branch(es) elsewhere in the world, in this case study to India. The IT provider wishes to deal with data protection compliance issues itself to the highest extent possible and to have the transition effected without causing any nuisance to its customers in moving its activities or parts thereof to India.

2. Relevant Law

In Europe, the Privacy Directive and the ensuing implementing legislation of the Member States apply to the processing of personal data. [1] This directive has been implemented in the Netherlands by the Act of 6 July 2000 providing rules pertaining to the protection of personal data (Dutch Data Protection Act, "DPA"). In accordance with the Privacy Directive, the DPA defines personal data as data that is traceable to individuals (reasonably and without disproportionate effort). These individuals are also defined as 'data subjects'. Personal data includes name and address as well as gender, marital status and salary. The data to be processed on the systems of the IT provider may pertain to various categories of data subjects, such as employees or clients of the IT provider's customers.

Most obligations arising from the EC Privacy Directive, such as the obligation to notify, lie with the 'data controller'. Under the Privacy Directive, a 'data controller' is the person authorized to determine the purposes and means of the processing of personal data. [2] The Privacy Directive also defines the term 'data processor'. [3] Unlike a data controller, a data processor has no control over the data processing; a data processor follows the instructions given by, and carries out work under the (explicit) responsibility of, the data controller. A data processor may process personal data only on the instructions of the data controller, and is therefore not permitted to independently decide to process data entrusted to it, unless this is done in the context of satisfying a legal obligation.

It is fair to assume that the IT provider's customers must be considered data controllers and the IT provider a data processor. Dutch rules of privacy law provide that a (written) data processor agreement must be concluded between the IT provider and its customers. [4] In principle, the outsourcing agreements made by the IT provider can be considered data processor agreements as defined in the Dutch Data Protection Act. [5]

II. Personal Data Transferred Abroad

The Privacy Directive imposes restrictions on transferring personal data to non-EU countries such as India. [6] The Directive imposes these restrictions on the data controller (the IT provider's customers), and not on the data processor (the IT provider). The fact that it is the IT provider rather than its customer transferring the personal data to India is not considered relevant. Transferring personal data abroad is not permitted unless the non-EU country concerned has an 'adequate level of privacy protection'. Essential in this context are the purpose and duration of processing, the country of origin, the final destination, the security measures taken and the nature of the data. India is not on the list of countries recognized by the European Commission in this context. [7] Hence, under the EU rules this country offers no adequate level of protection. This means that there are only two options to exchange data with India in a 'legitimate' way:

(1) The first option is that transmission is effected on the basis of one of the exceptions offered by law. In this case, the following two exceptions particularly qualify: (a) obtaining the unambiguous consent of the data subjects involved; or (b) transmission is required in the context of performing an agreement.

(2) The second option, under Dutch law, is transmission based on a permit. In the Netherlands, this permit is issued by the Minister of Justice.

1. Data Transmission Based on Exceptions

a) Consent of the Data Subjects [8]

Obviously, asking clear consent from all data subjects poses practical problems. It would not only be a rather drastic way of handling matters; another problem would be that if one or more data subjects refuse to give their consent, the personal data of these data subjects cannot be transferred to India. Moreover, the IT supplier, being no more than a data processor, has no direct relationship with the data subjects concerned. I therefore believe that this is not a realistic option.

b) Performance of the Agreement

The transmission of personal data to India will be considered legitimate if the customer can demonstrate that transmission is necessary for the conclusion or performance of an agreement made in the interest of the data subject between the customer in its capacity of data controller and a third party, in this case the IT provider. This exception provided by law pertains to the outsourcing agreement made between the customer and the IT provider, the data subject not being a party to it but still having an interest in it. Evidence must be furnished that outsourcing requires the transfer of the data subject's personal data to India, and that this is also in the interest of the data subject. Hence, two elements must be in place: (i) transmission to India must be required for the performance of the outsourcing agreement; and (ii) the transfer to India must also be in the interest of the data subject.

This exception offered by law must be interpreted restrictively. If, for instance, additional, non-essential data is transmitted, or if the purpose of transmission does not fit the purposes of the outsourcing agreement (e.g. direct marketing), the exception will not apply. However, the exception should not be interpreted in too narrow a manner either. Although one could claim that the processing need not necessarily be carried out in India, the argument that it would be far more practical to have it done in India, as it also serves the interests of the data subject, may also hold water. Moreover, it is highly likely that the interests of the data subjects will be adequately protected in view of the security obligations imposed on the IT provider.

In assessing the possibility of relying on this exception, the legislative history relating to the enactment of the Dutch Data Protection Act is of relevance. It gives the following example pertaining to the applicability of this possible ground: in specific circumstances the reinsuring of an insurance policy taken out in the Netherlands may necessitate that the personal data of the insured be transmitted to a non-EU country in the context of an agreement made between a Dutch insurer and a reinsurer established outside the EU. Such reinsurance is in the interest of the data subject as well. [9] Against this background, it is tenable that the customer can rely on this exception offered by law. However, hard evidence in law and legal writing in the Netherlands to support this cannot be found, nor does there seem to be any Dutch case law available on the subject. Successfully relying on this exception must therefore be assessed in each individual case. No certainty can be obtained in advance. If an IT provider wishes to follow this route, it should do so on the basis of the contents of the outsourcing agreements. For clarity's sake: from a formal perspective, it is up to the customer to decide whether or not to rely on this exception. The IT provider has no responsibility in this respect. If the IT provider and especially its customers wish to be absolutely sure that transmission of personal data to India is permitted, they should obtain a permit to that end under Dutch law.

2. Permit

Assuming that a customer cannot rely on any of the exceptions offered by law referred to above, the desired transmission under Dutch law requires a permit. [10] Such a permit is issued subject to terms serving to protect the personal data in question. The simplest way to show that these safeguards are in place is by using standard agreements approved by the European Commission. In this case study, the standard agreement made between the data controller/transferor and the data processor/recipient should be used. [11] Hence, this agreement should be concluded between the customer and the Indian branch of the IT provider.

a) Binding Corporate Rules

Instead of these standard agreements, another option would be to use binding corporate rules ("BCRs"). [12] BCRs can be used by a company as corporate guidelines in order to comply with the protection of personal data being transferred between countries. The main advantage of these BCRs is that they contain generally recognized data protection principles and enable the establishment of homogeneous corporate standards of worldwide data protection regulations. [13] More detailed requirements on the binding nature and necessary substantive contents of BCRs can be found in the working document of the Article 29 Data Protection Working Party. [14] However, the Working Party explicitly states that BCRs should not be considered as the only or the best tool for carrying out international transfers but only as an additional one where the use of existing instruments (i.e. Commission decisions on standard contractual clauses or the Safe Harbour Principles where applicable) seems to be particularly problematic. For the time being, it appears recommendable that either of the European Commission approved standard agreements is used.

b) Application Procedure

The Dutch Ministry of Justice issues the permits, which can be obtained via the Dutch Data Protection Authority (College bescherming persoonsgegevens, "CBP"). [15] Applicants must use a standard application form, which is also available in English. [16] Together with the application, documents must be submitted evidencing that there are sufficient safeguards for proper transmission, including the standard agreement. The permit will be issued after the CBP has recommended the Minister of Justice to do so. If the standard agreement approved by the European Commission is used, the CBP procedure will take 2-13 weeks, subject to whether or not changes have been made to the standard agreement. [17]

If none of the exceptions offered by law is available and transmission is effected without a permit, it is unlawful and therefore not permitted. As said earlier, the law provides that it is the customer rather than the IT provider that has the obligation to ensure that transmission to India is carried out lawfully. It is therefore the customer that must apply for a permit. The customer will have to satisfy the required formalities. However, this case study assumes that in the context of moving its outsourcing facilities to India, the IT provider will do its utmost not to bother its customers with formalities and procedures. The IT provider prefers to handle the formalities itself and seeks a way to subcontract data processing activities without invoking compliance issues for its customers. There are four options.

aa) IT Provider As "Data Controller"

The first option would be that the IT provider assumes the role of data controller instead of the customer. If the IT provider is also the data controller, the IT provider itself may apply for the permit for the required data transmission to and from its branch in India, without involving the customer. However, this does not appear recommendable. If the IT provider assumes the role of data controller, it gains more powers in respect of the personal data than it actually needs for processing the data. There is the risk of the Data Protection Authority carrying out an investigation, for instance when the permit application is filed, which might reveal that the new division of roles does not correspond with the actual situation. Another, and perhaps even more significant, objection would be that a change in roles is not in accordance with the way the agreements and business relationships were designed and are being executed. It is likely that the customers wish to keep control of their personal data and be the 'owner' of this data at all times.

bb) Customers Represented By IT Provider

The second option is that the IT provider offers to represent its customers at the conclusion of the standard agreement and the filing of the permit application. In that case, the IT provider concludes standard agreements and applies for data transfer permits on behalf of its customers. If this option is used, the Data Protection Authority will require evidence of powers of representation, for instance a power of attorney attached as an appendix to the data processor agreement. This option does not appear recommendable either. After all, granting a power of attorney might imply that the data controller (the customer) has less or no say at all in the content of the standard agreement, while the customer continues to be responsible for it. This is in particular a problem if a data subject files a claim on the ground of violation of the rules protecting the data subject's personal data. Hence, this set-up is in general not very attractive to a customer. Further, customers will not easily grant a formal power of attorney to an IT provider to apply for a permit, which means that this option will not be an easy one to use.

cc) Customers' Applications Via IT Provider

The third option is a more practical compromise, and is suggested by the Dutch Data Protection Authority. The customer concludes the standard agreement in its own name and executes it, and the customer signs the application for a permit. The application may state that the IT provider serves as the customer's contact, so that all paperwork associated with the application is handled by the IT provider. Communications with the Data Protection Authority will go through the IT provider. This is an easy option to use. The IT provider may have the customer sign a blank application form at the time the data processor agreement is executed. Subsequently, the IT provider can complete the application, so that the customer need not be bothered with this. The customer need not sign the standard agreement until the permit is granted, so not (yet) at the time the application is filed. All in all, for the IT provider and its customers this option seems to present the most advantageous and safest way to proceed, if the parties opt for applying for a permit. In addition, the IT provider may consider concluding a tripartite standard agreement with its customer (as data controller) and the Indian company (as sub-processor). This way, the IT provider continues to be a party to the contract, which is in line with the outsourcing and data processor agreements.

dd) Model Contract

Most recently, a fourth option has been negotiated by IBM in the Netherlands with the Dutch Data Protection Authority. [18] This option consists of a model contract that has been drafted specifically on behalf of IBM in order to ease the permit procedure when dealing with different customers in the offshoring situation. This agreement has by now been signed by the following customers: Shell, Akzo, Philips, Heineken and Sara Lee. It is fair to assume that this example will be followed by other global IT providers with branches in the Netherlands in the near future.

III. Conclusions

Basically it is up to the IT provider's customers to assess whether or not offshoring specific activities to India requires a permit or can be lawfully effected without one because the customer can rely on a justification defence found in the law. To assess the extent to which the IT provider must inform and advise its customers on the subject, the legal relationship between the parties should be reviewed on a case-by-case basis. The IT provider must always notify its customers of its intention to offshore activities to India.

Offshoring the management and commercial operation of customer environments to a company outside the EU has data protection implications. However, these implications will in the first place affect the IT provider's customers, not the IT provider. It cannot be ruled out that the customers concerned do not, or no longer, satisfy the rules of privacy law if data is transmitted to and from the company in India for the purpose of outsourcing 'their' IT processes. Perhaps these customers may take the position, via an extensive interpretation of the justification defence offered by law, that this is permitted without being required to satisfy any further formalities. Otherwise, these customers must apply for a permit. Under Dutch law, at present and to my knowledge, IT providers have not yet obtained a data transfer permit for their customers without involving them (thus effecting compliance) and without setting up a formal representation structure.

Finally, for the record, and apart from the exchange of data with India, it must be verified whether or not the outsourcing agreements meet the requirements that privacy laws impose on a data processor agreement; if that is not the case, separate data processor agreements should be concluded between the IT provider and its customers for the purpose of 'remedying' any irregularities. The Indian company can be regarded as a sub-contractor of the IT provider, which means that the customers need not make a direct separate data processor agreement with it. However, the IT provider itself must negotiate separate arrangements pertaining to the processing of personal data with the company in India.

Dr. Elisabeth P.M. Thole, Amsterdam. Further information about the author at p. 64.

Notes

[1] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L 281, 23/11/1995, p. [...].

[2] Article 2(d) Directive 95/46/EC.

[3] Article 2(e) Directive 95/46/EC.

[4] Section 14(2) of the DPA and Article 17(3) of Directive 95/46/EC.

[5] To verify this, the contents of the outsourcing/processor agreements should be reviewed as to whether they include at least the following elements: (i) the IT provider in its capacity of processor may process the personal data only on the instruction of the data controller [the customer]; (ii) the IT provider must properly observe the security measures which the data controller [the customer] has to take; and (iii) the data controller [the customer] must monitor this and reserve the right to do so by contract. Under Dutch law, for that matter, the subject of a data processor agreement shall solely be the processing of personal data, which means that the mere inclusion of 'data processor provisions' in an outsourcing agreement probably will not be enough.

[6] Section IV of Directive 95/46/EC.

[7] Besides the 27 EU Member States and three EEA member countries (Norway, Liechtenstein and Iceland), the Commission has so far recognized Switzerland, Canada, Argentina, Guernsey, the Isle of Man and the US Department of Commerce's Safe Harbour Privacy Principles as providing adequate protection. Until recently, transferring passenger data to the US could also be added to this list. However, the European Court of Justice annulled the decision on the transfer of Air Passenger Name Records to the United States' Bureau of Customs and Border Protection, cf. European Court of Justice 30 May 2006, Joined Cases C-317/04 and C-318/04 (Parliament v Council), cf. [...].

[8] Article 26(1)(a) of Directive 95/46/EC.

[9] Explanatory Memorandum to Section 77(1) of the Dutch Data Protection Act, Dutch Lower House, 25892, no. 3, p. [...].

[10] Section 77(2) of the DPA.

[11] Another option is to draw up 'customized' contracts. However, using a standard contract will expedite the issue of a permit. There are merely two European standard contracts: a contract made between the data controller and another data controller, and a contract made between the data controller and a data processor. There is no such thing as a standard contract governing the relationship between a data processor and a data sub-processor, as is the case here.

[12] Article 26(2) of Directive 95/46/EC.

[13] A. Büllesbach, Binding Corporate Rules, in A.R. Lodder, A.P. Meijboom & D.T.L. Oosterbaan, IT law - The global future: achievements, plans and ambitions, NVvIR [...].

[14] Working Document: Transfers of personal data to third countries: Applying Article 26(2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers, WP 74 of 3 June 2003, http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2003/wp74_en.pdf

[15]-[17] Only fragments of these notes survive in the source: "... en pdf; dat/2002/l006/l_ en pdf."

[18] See: Paul Postma, Veiligheid van persoonsgegevens ook bij offshoring goed geregeld (Security of personal data also well regulated in case of offshoring), in Outsourcing, December 2006; and Bas Linders, Minder bureaucratie rond offshoring (Less bureaucracy around offshoring), in Gids, 13 October [...].