The Article 29 Working Party have published an interesting toolbox for Binding Corporate Rules (BCR) for Data Processors. BCRs for Data Controllers have been suggested for some time as a way that large multi-national companies can comply with European Data Protection law. By having its internal rules for handling personal data approved as compliant with European law, a company doesn’t have to worry if its administrative processes involve transfers between different countries and continents. So long as the processing is governed by the BCR then it remains compliant. This sort of internal BCR may be of interest to multi-nationals but isn’t much help to the rest of us.
The possibility of having approved BCRs for Data Processors (referred to as Binding Safe Processor Rules (BSPR)) looks much more interesting. The idea seems to be that, provided its internal processing was carried out in accordance with approved BSPRs, a data processor could offer Europe-compliant services to its customers, no matter where in the world the processing actually took place. So, for example, a cloud provider with an approved BSPR might save its customers puzzling over conflicting advice on the scope of US-EU Safe Harbor, or having to perform individual risk assessments (an approach that is recommended by the UK Information Commissioner but prohibited by some other EU countries). Under current EU law BSPRs would need to be approved individually by each national data protection regulator, though one country can act as lead authority to facilitate this process. Even this might still be simpler than individual negotiations with each customer. However, the proposed Data Protection Regulation would allow approval by one national regulator to have effect in all Member States, potentially making the approval process much more powerful. This could fill a gap in the Regulation, which claims to be “cloud-friendly” but has no obvious provisions to help those outsourcing to cloud service providers, as opposed to cloud services designed for direct use by consumers.
The Art29 paper has almost no detail on how the Working Party thinks BSPRs might work in practice or who they might be used by. All it says is:
In this paper, the Article 29 Working Party intends to develop a toolbox, describing the conditions to be met, to facilitate the use of Binding Corporate Rules (BCR) for Processors (“BCR for third party data”).
BCR for Processors aim to frame international transfers of personal data that are originally processed by the company as Data Processor according to the external instructions of a Data Controller (such as outsourcing activities).
But there does seem to have been a hint, given by the EU Commissioner in a speech last year, that clouds were indeed an application she had in mind, and other commentators view the new Article 29 document as very positive. If cloud providers and regulators support the approach, then it could make compliance questions around cloud services much easier to resolve.