On 1 January 2013, the Article 29 Working Party, an advisory body that represents data protection authorities in the EU, launched new binding corporate rules (“BCRs”) for data processors. The launch comes after the publication of an Article 29 Working Party document (“WP195”) which was adopted on 6 June 2012 and provided guidance on BCRs for data processors together with a checklist of the requirements that must be met.
The collection and processing of personal data is strictly regulated in the EU by the Data Protection Directive (95/46/EC) (“Directive”). The Directive only permits the transfer of personal data to countries outside the European Economic Area (“EEA”) that provide an adequate level of data protection (“Transfer Restriction”). The Transfer Restriction has been implemented in the UK by the Data Protection Act 1998.
BCRs are a set of rules which regulate the internal transfer of personal data between members of a corporate group to ensure that transfers of personal data outside of the EEA satisfy the Transfer Restriction. The BCRs must be approved by the national data protection authority (the Information Commissioner in the UK) before they are legally binding. Once approval has been given, BCRs:
- allow corporate groups to transfer personal data freely within the group without needing to obtain authorisation from each national data protection authority; and
- can be relied on by both the controller and the processor to demonstrate that the processor’s group provides adequate safeguards for the purpose of the Transfer Restriction. This means that safeguards do not have to be assessed each time data is transferred by a processor outside of the EEA and removes the need to legitimise such transfers by other means (e.g. by adopting EU Model Contractual Clauses).
Processors wishing to adopt BCRs must file an application with the relevant national data protection authority. Applicants must demonstrate that their BCRs provide adequate safeguards for protecting personal data in line with the requirements set out in WP195, namely:
- Binding nature: the application must contain an explanation of how the rules are made binding on the members of the group and its employees;
- Effectiveness: the applicant must demonstrate that a suitable training and audit program and a complaint handling process are in place;
- Cooperation duty: the BCRs must contain a duty to cooperate with both the data protection authorities and the data controller;
- Description of processing and data flows: a statement of the geographical scope of the BCRs must be included in the application;
- Mechanisms for reporting and recording changes: there needs to be a process in place for updating the BCRs; and
- Data protection safeguards: details of the data protection safeguards that are in place, including a description of the privacy principles and the rules on transfers or onward transfers out of the EU, must also be included.
Whilst BCRs for data controllers have been in existence for some time, the absence of BCRs for processors was hindering the ability of cloud computing and other ICT service providers (which are typically treated as data processors for the purposes of the Directive) to transfer data to any of their data centres situated outside the EEA. The introduction of BCRs for data processors demonstrates that the EU data protection authorities are becoming more willing to accommodate the global nature of many data processing operations and offer practical solutions that aim to facilitate such global services while ensuring that personal data is adequately protected.
Specific advantages of BCRs for such service providers include: (i) helping to reduce time and costs by removing the need to negotiate data transfer processing terms for every separate contract entered into; (ii) reducing compliance risks; and (iii) providing a competitive advantage by demonstrating that their data processing activities comply with European data protection and privacy laws. Whilst the procedure for approving BCRs can be time-consuming, a mutual recognition procedure has been agreed to speed up the review of BCRs by EU data protection authorities; to date it operates in respect of 21 out of the 27 EU Member States.