On January 1 2013 the Article 29 Working Party (an independent European policy body that advises the European Commission on data protection) launched binding corporate rules for data processors (third parties engaged by data controllers to process personal data on their behalf). Previously, the binding corporate rules data compliance framework had been available only to data controllers – the organisations that determine the purposes for which personal data is processed.
Binding corporate rules for data processors can be used as a way to ensure that transfers of personal data outside the European Economic Area (EEA) comply with EU data protection rules.
Binding corporate rules are essentially a set of intra-group governance policies, agreements, declarations and undertakings relating to data privacy and security. They are designed to allow multinational companies to export personal data from the EEA to other group entities in territories located outside the EEA in compliance with EU data protection rules. Binding corporate rules create not only legally binding obligations for the company, but also rights for individuals, which can be exercised before the courts or data protection authorities (for further details please see "International data transfers: the rise of binding corporate rules").
The Data Protection Act 1998 prohibits transfers of personal data to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of their personal data. The EEA comprises 30 countries (the EU member states plus Norway, Iceland and Liechtenstein) and the European Commission considers that an additional 12 territories outside the EEA have an adequate level of protection for personal data (Andorra, Argentina, Australia, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, Switzerland, Uruguay and, most recently (December 2012), New Zealand).
Where a transfer is carried out by a UK-established company to other members of its group outside the EEA and the approved territories, it must comply with the eighth data protection principle. Compliance can be achieved if such transfers are governed by a set of legally enforceable binding corporate rules that have been approved by the United Kingdom's data protection regulator, the Information Commissioner's Office. Other options available to controllers for compliance with the eighth principle include the safe harbour scheme for EEA-to-US data transfers, the European Commission's model contract clauses, consent of the data subject and the controller's own finding of adequacy.
Until January 1 2013 binding corporate rules were available only between the controller and another member of the controller's group. The new rules allow transfers of personal data between controllers and third-party processors also to benefit from the binding corporate rules regime.
Controllers have primary responsibility for personal data under the act. By contrast, processors are required only to comply with data security rules and any contractual terms set out in their service contracts with controllers. This means that there is no direct restriction in the act which prevents a processor from transferring data outside the EEA or approved territories; any such transfer is the responsibility of the controller. This has meant that processors previously had limited scope to assist their controller clients in complying with the eighth principle. Processors could either sign up to the safe harbour scheme for EEA-to-US transfers or agree to comply with the model clauses. Other than this, a processor would need to offer or accept terms that, in the opinion of the controller, provided the controller with an adequate level of protection for personal data.
Processors can now apply for approval of binding corporate rules in their own right, and their controller clients can also benefit from this flexibility. Once a processor's binding corporate rules are approved, they can be used by both the controller and the processor to ensure compliance with EU data protection rules without having to negotiate safeguards and conditions every time a contract is entered into. This is particularly useful where data is processed by different entities of the processor (eg, through data centres or sub-processors).
The use of binding corporate rules by processors is not obligatory, but has the potential to offer processors a competitive advantage. The benefits might include:
- Awareness – the processor will increase awareness of data compliance within its organisation through binding corporate rules training requirements.
- Fewer contracts – once approved, binding corporate rules remove the need to rely on one of the more onerous options available for compliance with the eighth principle in respect of data transfers. In a complex organisation, compliance using contracts based on the model clauses can amount to hundreds of individual contracts. When both the controller and processor work together on an international scale, negotiating safeguards and conditions in respect of every contract can become a major demand on resources.
- A quality standard – processor binding corporate rules will be a way of demonstrating the processor's commitment to best practice to potential clients, who in turn will benefit by using them to demonstrate adequate protection and compliance in relation to the processing of the personal data under their control.
- Future-proofing – the proposed new EU Data Protection Framework Regulation threatens to expose both controllers and processors to more onerous obligations and bigger fines. Processors that get binding corporate rules approved could benefit from having systems in place that help ensure that they do not fall foul of the proposed new regime. This may also attract new clients, as controllers look to minimise their exposure to greater fines by using processors that are a 'known quantity' and operate under an approved standard.
The application procedure for processor binding corporate rules will be the same as the process for controller binding corporate rules. The applicant processor must therefore select a data protection authority to be the lead authority (this is usually determined by the location of the European headquarters of the company or the most appropriate European location to take responsibility for the company's global data protection compliance). Once the lead authority is satisfied with the adequacy of the safeguards put in place by the binding corporate rules, it will refer the application to the other European data protection authorities for approval. These other authorities can accept the lead authority's findings without further scrutiny through the mutual recognition system.
Applicants must demonstrate to the lead authority that their binding corporate rules establish adequate safeguards for the protection of personal data throughout their organisation. The application for processor binding corporate rules is drafted on the same basis as that used for controllers. Each company acting as a processor may decide to file an application with its local data protection authority.
In June 2012 the Article 29 Working Party published a working document that sets out a table of the elements and principles that processors must meet to secure binding corporate rules approval, including a description of the data flows and an acceptance of liability for breach. The checklist provides that processor binding corporate rules must be unambiguously linked to the service contract and service levels in place with each controller.
Processors now have an opportunity to enhance their offering to controllers looking to outsource data processing activities on a large scale or international basis.
Working with a binding corporate rules-approved processor may be a considerable benefit for controllers in terms of the accessibility and expediency of managing the data processing relationship. Using a binding corporate rules-approved processor also allows the processor to demonstrate the quality of its activities and its grasp of data protection compliance. Although using a binding corporate rules-approved processor does not negate the need for a controller to meet its own data compliance obligations, engaging such a processor will undoubtedly provide assurance for controllers and may ease the due diligence process on potential processing partners.
The uptake of binding corporate rules by controllers began slowly in 2005. There have been 15 successful applications in the United Kingdom since April 2009; six of these were approved in 2012, the latest one being American Express Company in October 2012, which took effect on January 28 2013. Having seen the rise in successful controller binding corporate rules in the past year, the uptake of processor applications is likely to follow suit.
The UK Information Commissioner's Office has yet to comment on the new processor binding corporate rules. Processors that wish to apply for approval of binding corporate rules should contact the Information Commissioner's Office for more information on the process requirements.
For further information on this topic please contact Oliver Bray or Caroline Kenny at RPC by telephone (+44 20 3060 6000), fax (+44 20 3060 7000) or email (firstname.lastname@example.org or email@example.com).
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.