On April 19, the European Union’s Article 29 Working Party adopted Explanatory Document WP204 on processor Binding Corporate Rules (BCRs). Processor BCRs provide a new avenue for data controllers to transfer EU personal data to processors (such as cloud service providers) located in third countries not considered to ensure an adequate level of protection under the 1995 EU Data Protection Directive.
The Article 29 Working Party, noting the success of controller BCRs and citing the “growing interest of industry in such a tool,” provided initial guidance on processor BCRs in June 2012 through Working Document WP195 (which we previously covered here). WP195 presented a “toolbox” that laid out the criteria for approval of processor BCRs, as well as explanatory notes on the content expected in the processor BCRs. As of January 1, 2013, the EU began accepting applications for approval of processor BCRs.
WP204 complements the earlier guidance contained in WP195′s “toolbox” and elaborates on several key provisions required in processor BCRs, including the following:
- Scope of processor BCRs. The Article 29 Working Party cautions that processor BCRs “do not aim to shift Controllers’ duties to Processors,” but rather the data controller remains liable for “ensuring that sufficient guarantees are provided to the data transferred and processed on its behalf and under its instructions.” Furthermore, while a data processor can seek EU recognition of its processor BCRs as providing adequate safeguards in general, in each case the data controller must still “apply for national authorisations with the competent Data Protection Authorities to transfer data to” the processor. The controller can, however, point to the processor BCRs as providing the required adequate safeguards to permit the transfer.
- Onward transfers to subprocessors. WP195 specified that subprocessing can occur only with prior notice and consent of the data controller. WP204 leaves it up to the controller and processor to “decide, depending on their particular needs, if a general prior consent given by the Controller at the beginning of the service would be sufficient or if a specific consent from the Controller will be required for each new sub-processing.”
- Internally binding nature of the processor BCRs. WP204 highlights that an important element of processor BCRs is their binding nature “both internally and towards the outside world.” With respect to making processor BCRs internally binding, the Article 29 Working Party declines to “stipulate the way in which organisations should guarantee that all members are effectively bound or feel compelled by the rules although some examples are well known such as internal codes of conduct backed by intra group agreements.” Instead, WP204 notes that processors will have to demonstrate to Data Protection Authorities (DPAs) that their processor BCRs are “effectively binding throughout the group” of processors in order to receive approval of the processor BCRs.
- Substantive content of processor BCRs. WP204 includes some general guidance on what processor BCRs must include in order to satisfy the Directive’s data protection principles (and thereby ensure an adequate level of protection). The Article 29 Working Party states that the principles need to be developed and detailed “so that they practically and realistically fit with the processing activities carried out by the organisation in the third countries and can be understood and effectively applied by those having data protection responsibilities within the organisation.” The key is that the level of detail in the processor BCRs be sufficient to allow DPAs to “assess that the safeguards adduced to data processing and sub-processing carried out in third countries by a member of the Processor’s group are adequate.”
- Regular audits. Processor BCRs must provide for regular audits, and give both DPAs and controllers the right to access the results of those audits (and in some cases, carry out audits themselves). The audits must be “comprehensive” and contain within their scope certain details, such as “the existence of onward transfers on the basis of standard contractual clauses” or “the decisions taken as regards mandatory requirements under national law which may create conflicts with the” processor BCRs. WP204 further elaborates on the conditions in which DPAs and controllers can conduct audits.
- DPA oversight. WP204 explains that the act of submitting processor BCRs for approval subsequently subjects the processor to the jurisdiction of the processor’s lead DPA with respect to that DPA’s “investigative powers, effective powers of intervention on their territory, as well as the power to engage in legal proceedings” when the DPA suspects that the processor has breached the processor BCRs. Furthermore, a breach of the processor BCRs “might lead to the withdrawal of the authorisation of the concerned transfer granted to the Controller on the basis of the” processor BCRs. Furthermore, processor BCRs must present a clear duty for the processor to cooperate with DPAs and follow their advice “on any issues related to the interpretation and application” of the processor BCRs. WP204 notes that DPAs may seek input from the processor, controller, data subjects, and other DPAs before issuing advice, and that any advice may be made public. And WP204 states that “a serious and/or persistent refusal” to follow advice “may result in the suspension or the withdrawal of the authorization transfer granted to the relevant Controller(s).” With respect to audits, generally DPAs will rely on the results provided by the processor from other audits. But DPAs may conduct audits themselves, although WP204 explains that this is likely to occur only where the DPA finds deficiencies in the processor’s initial audits. According to WP204, any DPA audit would “take place with full respect to confidentiality and trade secrets and would be narrowly limited to ascertaining compliance” with the processor BCRs.
WP204 concludes by noting that this explanatory document “should not be regarded as the final word of the Article 29 Working Party,” but rather “as a solid first step to highlight the possibility to use BCRs for Processors on the basis of a self-regulatory approach and co-operation among the authorities, without prejudice to the possibility to use other tools for the transfer of personal data abroad such as the standard contractual clauses or the Safe Harbor principles where applicable.”
The Article 29 Working Party has posted an application form for processor BCRs. In addition to providing the draft processor BCRs and describing those BCRs, the application form requires processors to describe the expected processing and data flows, as well as explain which DPA should be the lead DPA.