On May 22, 2015, the Article 29 Working Party published an update to its explanatory document regarding the use of Binding Corporate Rules (“BCRs”) by data processors (“WP204”). The original explanatory document was published on April 19, 2013 and identified two scenarios in which a non-EU processor, processing personal data received under BCRs, should notify the controller and the relevant data protection authorities (“DPAs”) in the event of a legally binding request for the personal data.
In summary, the scenarios are:
- Anticipation of non-EU disclosure requirements – If the non-EU processor believes that local laws (whether current or anticipated) may require it to disclose personal data to non-EU regulators or government agencies (or might otherwise result in the non-EU processor being unable to comply with its obligations under the BCRs), it should notify three parties of the local law requirements:
- the controller;
- the processor group’s EU headquarters; and
- the DPA in the controller’s EU Member State.
- Requests from non-EU regulators or government agencies – If a non-EU processor receives a legally binding request for personal data from a non-EU regulator or government agency, the non-EU processor should notify a slightly different set of parties. In that event, the non-EU controller should notify:
- the controller;
- the DPA in the controller’s EU Member State; and
- the lead DPA that approved the processor group’s BCRs.
The Working Party’s updated version of WP204 does not amend the requirements set out above. Rather the updated version provides additional guidance, including:
- The BCRs should require the non-EU processor to assess each request for personal data on a case-by-case basis and put each request “on hold” for a reasonable period of time, in order to notify the competent DPAs. The notification to the DPAs must explain the legal grounds on which disclosure is requested.
- The competent DPAs must endeavor to respond to notifications from the non-EU processor within a reasonable timeframe, and may decide whether to suspend or prohibit further transfers of personal data to the non-EU processor under the BCRs. Alternatively, those DPAs may decide to authorize disclosures of the type made by the non-EU processor.
- If the laws under which the relevant request is made prohibit the non-EU processor from notifying the parties listed above, the non-EU processor must use “best efforts” to waive that prohibition, and must be able to demonstrate that it did so.
- Where the non-EU processor cannot notify the competent DPAs of a disclosure, it must provide the DPAs with general information (such as the number of requests received in a year, the types of data requested, and the types of requesters, where possible).
- The Working Party states that disclosures of personal data by a non-EU processor to a local public authority cannot be “massive, disproportionate and indiscriminate in a manner that…would go beyond what is necessary in a democratic society.” This is consistent with existing EU data protection concepts, but non-EU processors may find these standards difficult to satisfy under the laws of their respective jurisdictions.
- The Working Party recommends that “international or intergovernmental agreements should be put in place to provide adequate data protection guarantees to EU data.”
Although the Working Party’s guidance provides helpful clarification, there remains a number of unresolved questions. In particular, there is a risk that non-EU processors will send frequent and overly-broad notifications to DPAs (even where a possible future disclosure requirement is entirely hypothetical) in order to comply with the Working Party’s guidance. It is unclear how DPAs will respond if they are inundated with notifications concerning hypothetical disclosure obligations.
BCRs for processors remain an evolving area of EU data protection law, and it is likely that we will see further guidance on these issues from DPAs and the Working Party as increasing numbers of processors begin to use BCRs.