NEWS | 16 February 2010

EU tightens personal data outsourcing rules

EUROPE — The European Union has introduced new rules to stop overseas outsourcing firms from subcontracting personal data processing without the client’s consent.

The European Commission has updated the standard contractual clauses for the transfer of personal data outside the European Union in response to changes in the way that businesses manage data.

The new clauses demand greater transparency from overseas companies providing data processing operations to clients in the EU, requiring them to obtain written consent before subcontracting any processing of personal data to another firm.

The change will affect market research agencies in Europe that outsource data processing work to countries such as India.

Commission vice president Jacques Barrot said: “This updated version of the standard contractual clauses takes account of new business models and the growing trends to global processing and outsourcing. The updated standard contractual clauses ensure a balance between global business needs and protection of EU citizens’ personal data.”

The Commission said in a statement that existing contracts will not be affected “as long as the transfers and data processing operations remain unchanged”.

The new requirements do not apply to the transfer of data within the European Economic Area (all 27 EU countries plus Iceland, Norway and Liechtenstein) or to Argentina, Canada, Switzerland, the Isle of Man, Jersey and Guernsey – all of whose data protection regimes have been recognised by the Commission as offering sufficient protection.

The US also has a special arrangement whereby companies that are part of the Department of Commerce’s ‘Safe Harbor’ scheme can receive data without using the standard clauses.

The UK’s Market Research Society (MRS) said it would be informing members soon of how the new rules may affect them.