The Article 29 Working Party have published an explanatory document on Binding Corporate Rules for Data Processors, to provide further detail on using the template they published last year.
European data protection law requires that any export of personal data from the European Economic Area be covered by adequate measures to protect individuals whose data is held by organisations that are not directly subject to EU law. This is known as the eighth data protection principle. For the situation where a data controller within the EEA wants to export personal data to an overseas company, model contract clauses have been agreed to provide this protection. However these are less appropriate for exports that take place within a multi-national company or group of companies, as commonly happens with cloud, social network and similar large service providers. The idea of Binding Corporate Rules (BCRs) is that those providers can have their internal rules and processes certified by a national Data Protection Authority as providing adequate protection. The provider can then give its customers assurance that Principle 8 will be satisfied.
However, as with any national or international transfer, satisfying Principle 8 isn’t the only issue. Any organisation disclosing personal data to another needs to ensure that this satisfies the other seven principles as well. If the recipient organisation is acting as a data processor then this requires a contract (which the Working Party call a Service Agreement) between the organisations to specify what processing will be done, what security measures are required, etc.
Approved BCRs make international transfers within a data processor company or group easier, but they don’t replace all the duties. The data controller needs to be informed of what countries are involved, and may object if there are particular issues with any changes. The data processor must inform the controller and the accrediting Data Protection Authority of any local law that may prevent it fulfilling its contractual obligations. Some countries – fortunately not the UK – require that international transfers be approved by national authorities, even if Principle 8 is satisfied. If the data processor wishes to transfer to external sub-processors then this needs to be covered by a separate contract ensuring that all the processor’s duties extend to the sub-processor.
BCRs need to be followed within the organisation, so authorities approving them will expect to see information, training and disciplinary sanctions, particularly in countries where EU standards are not the norm. They also need to be legally enforceable by both data subjects and the data controller. Individuals must have the right to sue for any breach that causes them harm, and the BCRs must form part of the contract or service agreement with the customer so that a breach of BCRs is a breach of contract. The document also has further guidance on what the BCRs are expected to contain on compliance, audits, complaint handling, duty to cooperate with controller and DPAs, liability, jurisdiction and transparency.
BCRs for Data Processors seem to offer regulatory clarity for those considering moving services to cloud providers. It would be good to see both cloud providers and regulators using them.
