This article originally appeared on the IAPP’s Privacy Perspectives.
Promptly after the European Council version of the proposed General Data Protection Regulation (GDPR) was adopted, the Article 29 Working Party (WP29) published its overview of outstanding topics, indicating that it is “concerned about the deletion of the possibility of BCR for Processor (BCR-P) and considers it essential to re-insert them.”
The companies that have already introduced BCR-P, or are in the authorization process, were alarmed. Are BCR-P still uncertain? Did the Council delete the possibility of BCR-P?
Looking into it, the status is as follows: the original European Commission (EC) proposal contained the possibility of BCR-P; the WP29 and commentators believe that the European Parliament (EP) deleted the possibility of BCR-P; but BCR-P are in any event re-inserted in the version as adopted by the Council. The concern of the WP29 therefore seems to direct itself against the EP version.
The WP29 already expressed its concern directly to the EP, shortly after the EP adopted its version of the GDPR (12 March 2014), in an extensive open letter to the President of the EP dated 12 June 2014. In this letter the WP29 praises the merits of BCR-P as an optimal solution for international transfers of personal data to processors, and expresses its concern that the EP has dropped the reference to BCR-P in Article 43.1a. According to the WP29, denying the possibility of BCR-P will unduly limit the choice of processors to the use of model contracts or to applying Safe Harbor, if possible, while BCR-P provide for more transparency and accountability requirements, which according to the WP29 are “certainly above the existing ones provided in the model clauses and in the Safe Harbor.”
The WP29 further indicates that since June 2012, when it established the framework to authorize BCR-P, a number of multinational organizations have already had their BCR-P approved—the official count to date is eight, with many more applications under review. If BCR-P are not provided for in future legislation, it would, according to the WP29, create legal uncertainty and an important loss for these companies as “adoption of BCR require important human and financial investments, in particular due to implementation of accountability measures.”
I could have written it myself. To add one argument for BCR-P, under the GDPR, the data transfer rules will also become directly applicable to processors. Processors should therefore no longer be dependent on data transfer mechanisms put in place by controllers, but should also have their own tools available to comply with their own requirements. And as indicated by the WP29, BCR as an organizational accountability tool has many merits above contractual solutions such as the EC model clauses.
The WP29 will certainly know more about the true position of the EP, but reading the EP approved text, I do not see that the EP indeed has dropped the possibility of BCR-P. It is correct that in the EP version the reference to BCR-P in article 43(1)(a) is deleted, but Article 43(3) still explicitly provides “that the requirements for BCR as listed in art. 43(2) may be adapted for BCR for processors by the Commission by means of a delegated act.” Article 42(1) of the EP version further still provides that both controller and processor can “adduce appropriate safeguards,” as listed in article 42(2), which includes under 42(2)(a) BCRs as approved under article 43.
As indicated, pursuant to Article 43(3), it is possible for the Commission to adopt a delegated act to adapt the requirements of BCR-C for BCR-P.
Based on these provisions, my conclusion is that BCR-P are still possible, but in the EP version require a further delegated act by the Commission. And though this may cause delay—which is not something I am in favor of—it is less illogical than it may seem at first sight.
In the Commission version, Article 43(2) lists the material requirements for BCRs, which are clearly a transposition of the criteria for BCR for Controllers (BCR-C) as issued over time by the WP29. These are not fit to be applied one-to-one to BCR-P, as some criteria are not relevant for BCR-P, while at the same time there are also requirements issued by the WP29 for BCR-P which are not relevant for BCR-C (and are currently not listed).
The solution chosen by the EP, to delete the reference in art. 43(1)(a) to BCR-P but to leave in article 43(3) the possibility for the Commission to adopt a delegated act for adapting the BCR-C requirements for BCR-P, was therefore at the time a logical one. It was in fact a tidier solution than the text as proposed by the Commission, where in some of the BCR-C requirements a reference to BCR-P is included and in others not, while again, there are also requirements for BCR-P missing.
The Council version solves this in a different manner, by making article 43 of general application, without specifically mentioning controllers or processors. That both controllers and processors are nevertheless covered can be derived from the fact that article 43(2)(f) and (e) refer to both controllers and processors. The Council deletes the possibility in Article 43(3) for the Commission to adapt the requirements for BCR as listed in art. 43(2) for BCR-P.
Apparently, further detailed rulemaking is not considered necessary—as this is considered to be within the scope of authority of the new EDPB. This is a good proposal, and based on the EP version, I do not see why the EP would be against this. The WP29, by so explicitly taking a stand against the EP version, may create more disparity in the trilogue than there in fact is, and in the meantime cause the very uncertainty for companies with BCR-P that it is striving to avoid.