On 19 April 2013, the Article 29 Working Party (“AWP”), an independent advisory body that represents data protection authorities in the European Union (“EU”), adopted an explanatory document on binding corporate rules for data processors (“Processor BCRs”) to provide further guidance on what should be included within Processor BCRs.
The guidance is aimed at multinational organisations which routinely process and exchange personal data on a worldwide basis on behalf of their business customers based within the EU (e.g. global outsourcing and cloud computing providers) and are therefore likely to have sufficient resources and impetus to invest in obtaining Processor BCRs.
Data transfer restriction
The collection and processing of personal data is strictly regulated in the EU by the Data Protection Directive (95/46/EC) (“Directive”). The Directive only permits the transfer of personal data to countries outside the European Economic Area (“EEA”) that provide an adequate level of data protection (“Transfer Restriction”). The Transfer Restriction has been implemented in the UK by the Data Protection Act 1998.
BCRs are a set of corporate rules which regulate the internal transfer of personal data between members of a corporate group to ensure that transfers of personal data outside of the EEA satisfy the Transfer Restriction. The BCRs must be approved by the national data protection authority (the Information Commissioner in the UK) before they are legally binding. BCRs for “data controllers” (i.e. entities which determine how and why personal data will be processed) have been available for many years but they only satisfy the Transfer Restriction in respect of global data transfers within a data controller’s corporate group and do not extend to legitimising data transfers to third party data processors based outside the EEA.
In order to outsource data processing to such overseas third parties, data controllers in the EEA are in principle able to use data transfer contracts incorporating the Controller-to-Processor Model Clauses approved by the European Commission. However, as the AWP notes in the explanatory statement, these Model Clauses are typically suited to “non-massive” transfers of data and the increasing number and complexity of international data transfers has made it difficult to guarantee a continuously adequate level of protection. In particular, difficulties frequently arise in relation to using Model Clauses with cloud computing services that rely on complex international networks of data centres spread around the world and layered chains of numerous providers and sub-contractors.
Processor BCRs were introduced at the beginning of 2013 to answer sustained calls from the outsourcing industry for a new legal instrument that would allow for a global approach to data protection in the outsourcing business as well as recognise officially any internal rules which organisations may have already implemented.
The explanatory document provides clarification on the following aspects of Processor BCRs:
- Transfers within the data processor’s group – this will be allowed with the data controller’s prior written consent (which may take the form of a general consent);
- Onwards transfer to external sub-processors – is allowed on the same basis as a transfer within the data processor’s group; however, the data processor’s contract with the sub-processor must provide equivalent safeguards to its Processor BCRs;
- Internal compliance – the AWP does not prescribe how compliance with Processor BCRs within a group of companies, or amongst a company’s members and employees, should be achieved. However, the data processor will have to demonstrate that the Processor BCRs are effectively binding throughout the group if they are to be adequate;
- Legal enforceability by data subjects – data subjects must be entitled to enforce the provisions of the Processor BCRs through third party beneficiary clauses. Additionally, data subjects will be able to enforce compliance through lodging a complaint against the data controller (or, if not possible, then against the data processor’s EU operations) with the competent data protection authority (“DPA”) or court;
- Legal enforceability by controllers – the processor and its group entities will be contractually liable to the controller for breaches of the Processor BCRs; and
- Legal enforceability by DPAs – DPAs may supervise, investigate, intervene and bring legal proceedings against data processors making transfers outside the EEA that do not comply with the Processor BCRs. In such circumstances, the data controller’s authorisation to transfer based on the Processor BCRs may also be withdrawn.
The explanatory document further explains that the Processor BCRs need only set out a general description of transfers outside the EEA but more precise information will have to be given to DPAs in respect of transfers by a particular controller so they can ensure that the Processor BCRs provide adequate protection. Any changes made to Processor BCRs by the data processor should be notified to the relevant group members, data controllers and DPAs and detailed records for the data processor’s corporate group (including details of group membership and BCR updates/amendments) should be kept to avoid the processor having to re-apply to the DPA following each update.
Finally, the explanatory document sets out provisions which must be included in Processor BCRs in order for them to constitute adequate safeguards. These include rules which:
- guarantee effective compliance with the Processor BCRs throughout the group;
- provide for regular data protection audits of both data processors and sub-processors, the results of which must be made available to the controller and DPA upon request;
- require that a point of contact exists for data subjects and provide a complaints handling procedure;
- impose a duty of co-operation with both the relevant data controller and the DPA;
- explain which group member should be held responsible by data subjects for data breaches;
- allow the relevant controller to enforce the Processor BCRs for breaches by any of the data processor’s group (including for breaches by sub-processors);
- shift the burden of proof by requiring the relevant processor group member to demonstrate it was not responsible where a data subject or the data controller has shown there was likely a breach of the Processor BCRs which has caused damage;
- accept that data subjects have rights of action against the data processor and the right to choose one of several jurisdictional choices relating to the EU and/or a competent DPA; and
- ensure that there is sufficient transparency to allow data subjects to understand the commitments made under the Processor BCRs which they are entitled to enforce.
Data processors that wish to implement Processor BCRs within their organisation can apply using a standard form application available on the Europa website. Additional guidance on the requirements of Processor BCRs can also be found in a checklist issued by the AWP in June 2012.
The key advantage of Processor BCRs for data controllers is that by entrusting the processing of personal data to a data processor that has adopted Processor BCRs the controller will have the reassurance that they are complying with the Transfer Restriction even if the data processor transfers data to group entities or third party sub-contractors outside the EEA. For major multinational providers of global outsourcing and cloud computing services, Processor BCRs therefore represent an opportunity to expand their EU customer base by simplifying the process for potential customers (especially SMEs) to comply with their data controller obligations. Customers of such services should be aware, however, that they still remain primarily liable as data controllers for the provider’s handling of the data and that Processor BCRs cannot be used to transfer in any way their statutory data protection obligations to the provider.