The Article 29 Working Party, the EU's independent advisory body on data protection, recently made public an explanatory document on binding corporate rules ("BCRs") for data processors. BCRs are one way that corporate groups can more easily transfer personal data outside of the EU. If an entity outside of the EU is bound by its group's BCRs (rules that have been approved by an EU data protection authority), then an entity in the EU can send personal data to that non-EU entity. BCRs have existed for companies that decide how and why personal data is used ("data controllers"); this guidance represents work done on BCRs for data processors, which handle data only on a controller's instructions. Processors are typically vendors (for example, a co-location facility that stores data on behalf of the controller), but a processor might also be a U.S. subsidiary storing data at the direction of a European parent.

This new guidance follows an opinion last year from the Working Party about BCRs for data processors, particularly in light of the rise of cloud computing. In its new guidance, the Working Party states that although businesses take varied approaches to BCRs, at their core the BCRs must be legally binding on every entity that relies on them. The guidance is also very concerned with data security, noting that an entity must have sufficient safeguards in place to protect any personal data it receives. For this reason, the guidance notes that a proposed BCR must describe its security provisions in enough detail for the data protection authority to assess the safeguards the company will actually put in place; a bare commitment to "appropriate security" is not enough to evaluate.
The guidance also reminds data processor companies considering BCRs that they will need to include: (1) provisions guaranteeing a good level of compliance; (2) data protection audits and/or external supervision; (3) processes for complaint handling; (4) a commitment to co-operation with the Controller (processing instructions) and local data protection authorities; (5) references to liability and the applicable jurisdiction; and (6) a commitment to transparency.
TIP: EU member states' laws prohibit transferring personal data to entities in non-EU countries unless the recipient is located in a country that the European Commission has determined provides an "adequate level of protection." Where no adequacy determination exists, there are several other lawful mechanisms for cross-border transfers, including the data subject's consent, model contracts (standard contractual clauses), and binding corporate rules. This new guidance is intended to be a step towards making BCRs a practical option for data processors, not just for controllers.