The Crouch End Chapter of the Institute for Data Protection
held its summer party yesterday. Tall tales of
data protection heroism were recounted, then as the alcohol continued to flow,
the conversation turned into a good-natured argument about the most pointless
bit of data protection practice.
Could anything beat the futility of registering all of your
data protection processing purposes with the ICO, and creating lists of classes
of recipients for each purpose?
After about half an hour, there was general agreement on what
was the most pointless bit of data protection practice. Someone mentioned that
when contracts were negotiated at their workplace, the data protection team ensured
that, stuffed inside one of the schedules, were the EU model clauses that
relate to data controller – controller or data controller – processor relationships.
Just in case anyone has forgotten why these clauses are
considered important, they are used, in Eurospeak, “to ensure that the contracts provide adequate
safeguards with respect to the protection of the privacy and fundamental rights
and freedoms of individuals as regards the exercise of their corresponding rights.”
Yeah, right.
Let’s put it another way.
The Controller / Controller clauses were originally
introduced in 2001, and were revised in 2004. The Controller / Processor
clauses were originally introduced in 2002, and were revised in 2010. They
involve the creation of a standard template, which then (usually) needs to be formally
agreed by way of an exchange of paper documents, as lots of lawyers don’t trust
the authenticity of the electronic versions.
But.
I’m not sure who reads them before they are agreed, or who audits
them to offer an assurance about compliance after they have been agreed. I’m
actually not sure if there has ever been any litigation that tested or was
based on any of these clauses.
If anyone knows of any occasion where anyone has ever taken action to enforce compliance
with any of these clauses, please let me know and I’ll ensure that their fame
spreads across the globe.
It was the unanimous view of everyone still standing at the
end of the summer party that the clauses were, in practice, worthless. They
might well have given someone the impression that the relevant protections were
in place, but these protections are virtual, rather than real.
There was a grudging acceptance, though, that the standard
contractual clauses were of value in that they gave data protection teams
something to do. If clauses were required, then they needed to be inserted into
contracts, and formally agreed. All good work for the working man to do.
Anecdotal evidence suggested that some global companies actually employed teams
of people whose sole purpose was to ensure that the right words were in place
for the relevant agreements between all subsidiary companies, and others. Is this
a complete waste of money, or simply a cost of doing business in the EU?
Given the lack of any evidence of any effort to do anything
once the contracts have actually been signed, it appears that the administrative
burden of inserting the relevant clauses in the relevant contracts is simply a
cost of doing business in the EU.