A recent opinion by a learned group within the EU Commission, the Article 29 Working Party, has provided for Binding Corporate Rules for data processors, a method to transfer data legally out of Europe which may provide a significant advantage for those companies which adopt these new Binding Corporate Rules.
One of the single most complex issues facing multinational companies today is how to manage the personal data of their customers in an effective manner while maintaining compliance with applicable law. The real challenge comes from the fact that personal data is an intangible, and it can cross the globe with the click of a button.
Data protection and privacy regulators are fearful that personal data which is adequately protected and safeguarded under the laws of their jurisdiction will lose those protections once transferred to a foreign jurisdiction. In light of this fear, many countries have enacted data protection and privacy laws which regulate the transfer and export of personal data. The most notable of these are the laws in Europe, which are considered to be the most difficult and have greatly influenced many other jurisdictions.
Under Article 25 of the European Data Protection Directive (Directive 95/46/EC, the “Directive”), personal data may only be exported from the European Economic Area (the “EEA”) to entities located in destinations that are considered to have adequate data protection law, as determined by the EU Commission. If an entity is not located in a destination with adequate data protection law, then the data exporter must comply with one of the exemptions provided for under Article 26 of the Directive such as Binding Corporate Rules, EU Model Contractual Clauses and user consent, among others.
Further, if personal data is transferred from an EEA location to a non-EEA location, and then further transferred to another third party, this is described as “onward transfer”. Onward transfer is regulated not through the Directive, but through the international transfer exemptions of Article 26. For example, personal data may be transferred outside of the EEA through the use of EU Model Contractual Clauses. As part of these clauses, there is a provision on “onward transfer” which requires the data importer to impose the same obligations that were put on them onto the new third party data importer.
Binding Corporate Rules allow for an organisation to bind itself to a set of policies through a binding intra-group agreement which is then approved by the different Member States in which the organisation is active. The benefit of Binding Corporate Rules is two-fold:
- It allows the organisation to transfer personal data freely within the organisation; and
- It makes the organisation a safe harbour in the sense that it is then considered “adequate” under European data protection law and may receive personal data from other organisations without the use of other transfer mechanisms such as EU Model Contractual Clauses.
In recent years, Binding Corporate Rules has become the most well regarded and prestigious method to legitimise the transfer of personal data in the eyes of both the European regulators and the data privacy community. So much so that it has become a marketing tool for those companies that have it, a metaphorical seal of privacy compliance on which a company’s customers and business partners can rely.
However, up until recently, Binding Corporate Rules have only been available for data controllers and not data processors. A data controller is the entity which determines the purpose and means of processing, while the data processor is the entity which acts on behalf of the data controller. For example, a company might outsource its pre-employment background screening activities to a third party. In this instance the hiring company is the data controller, as it determines the purpose of the screening (potential employment) and the means (background checks), while the third party company acts as the data processor because it was hired by the controller to carry out the designated task.
Under Binding Corporate Rules for data processors, it is still required that the data controller and data processor enter into a contract stipulating that the data processor will only act on the written instruction of the data controller, and that the transfer of data is then legitimised through Binding Corporate Rules for data processors. In addition, the Binding Corporate Rules themselves must be annexed to the contract.
Now that Binding Corporate Rules have been approved for data processors, a unique opportunity has presented itself for those companies wishing to seek compliance through this higher standard. As data controllers continue to outsource different parts of their business, they will need to transfer personal data to these outsourcers, and frequently this will require that the transfer be legitimised under the Directive or other applicable national law. If the third party outsourcer, the data processor, has implemented Binding Corporate Rules, then it may import the data controller’s personal data from the EEA without entering into an additional data transfer agreement or asking for the consent of the individuals whose data is being transferred. Further, offering this data protection and privacy compliance to a data controller will save the controller time and money, as it solves an expensive compliance issue for them, which in turn can allow the third party outsourcer to charge higher fees and distinguish itself among its competition.
Going forward, Binding Corporate Rules is gradually becoming the standard for data privacy compliance the world over, and those companies which are at the forefront of this process may earn themselves the goodwill of the regulators, their customers, their suppliers, their employees and the data privacy community.
Binding Corporate Rules, used to legitimise the transfer of personal data out of Europe, has now been extended to data processors, those companies that act as outsourcers, specialising in providing specific services for corporations. This extension of Binding Corporate Rules to data processors is providing a significant opportunity for these outsourcers to set themselves apart from their competitors by offering a marketable advantage while achieving strong data protection and privacy compliance.