The Article 29 Working Party has updated its guidance on processor Binding Corporate Rules (“BCRs”). In response to increasing concerns that personal data transferred to third countries under processor BCRs may be subject to legally binding requests for disclosure under circumstances that do not meet the rigorous requirements applicable in the EU, the Working Party has suggested that such access requests must be assessed on a case by case basis. Prior notification must also be made to the relevant EU data protection authority competent for the data controller who may veto the request unless prohibited under criminal law.
BCRs are legally binding sets of standard contractual clauses approved by national data protection authorities which aim to ensure that rigorous data protection principles are applied when personal data is transferred between members of a corporate group.
In June 2012, the Article 29 Working Party issued a document and accompanying application form that provides a basis for data processors to transfer personal data processed on behalf of customers to other members of their corporate group whilst ensuring compliance with Article 25(1) of the Data Protection Directive and corresponding national legislation, extending the scope of BCRs which were previously only applicable to data transfers between data controllers. The accompanying explanatory document, issued in April 2013, set out guidance for organisations on how to use the processor BCRs for applicable data transfers.
The latest guidance is identical to that issued in April 2013 except in relation to the procedure that must be adopted in the event of any legally binding request for disclosure of pertinent data by a law enforcement authority. Due to concerns that certain requests made by foreign law enforcement agencies may not meet the rigorous requirements applicable in the EU under Article 25(1) of the Data Protection Directive, the Working Party has sought to clarify the procedure that must be followed by an organisation that has transferred data to a third (non-EU) country under processor BCRs if they receive a request for disclosure from a non-EU government or law enforcement agency.
If a processor receives a legally binding request from a non-EU country government or law enforcement agency, the following procedures apply:
- The processor must commit in the BCR to assess each request by a requesting body on a case-by-case basis and must put the request on hold for a reasonable delay in order to notify the competent data protection agency for the data controller and the lead data protection agency for the processor BCR prior to the disclosure to the requesting body. In the notifications, the processor must clearly explain what data has been requested, who the requesting body is and the legal basis for the disclosure.
- The competent data protection agencies must endeavour to reply within a reasonable timeframe and may decide, on the basis of concrete circumstances, to order a suspension of, or a ban on, the data transfer, or authorise the transfer in accordance with national laws. Processors must ensure that transfers of personal data to requesting bodies have a legal basis since the requirements for BCRs for processors are only procedural and do not in themselves legitimise international data transfers.
- If the processor is prohibited from notifying the data controller and relevant data protection agencies, for example due to restrictions under the criminal law to preserve the confidentiality of an investigation, the BCR must state that the processor will use its best efforts to obtain the right to waive this prohibition in order to communicate as much information as it can, and as soon as possible, and the processor must be able to produce evidence that it has done so.
- As a last resort, if despite its best efforts, a processor still cannot notify the competent data protection agencies, it must commit to provide general information on the access requests it has received to the competent data protection agencies on an annual basis. Such information may include, for example, the number of applications it has received for disclosure, the type of data requested in each case and, if possible, the identity of the requester.
The Working Party also suggests that international or intergovernmental agreements should be put in place to provide adequate data protection guarantees for EU data and to data subjects in these circumstances.
The latest guidance has most likely been issued in response to European concerns regarding the broad scope of U.S. and other government’s surveillance programs. The Working Party has clearly acknowledged the risk that foreign law enforcement agencies may compel the disclosure of personal data by group companies established outside the EU and appears to appreciate the difficult situation processors can face when asked to produce such information to law enforcement agencies which may be in conflict with the requirements of EU or national data protection legislation. The measures suggested should provide some clarity to organisations when faced with such third party requests.