A bindingly good opportunity for international data processors

United Kingdom

On 1 January 2013, the European data protection authorities (DPAs), as represented by the Article 29 Working Party, announced that the right to use binding corporate rules (BCRs) to transfer personal data outside the European Economic Area (EEA) would be extended to data processors. It is anticipated that this move will bring benefits not only to data processors, but also to data controllers, which will be able to rely on a counterparty data processor's BCRs to show compliance with data transfer obligations. In the lead-up to changes in EU data protection legislation, in which BCRs are specifically referenced, this method of protecting data transfers is only going to become more widespread. In turn, both data processors and controllers are likely to find that the longevity of the benefits conferred by adopting BCRs far outweighs the initial investment needed to put them in place.

Under Article 25 of the Data Protection Directive, data controllers transferring personal data to organisations (intra-group or otherwise) located outside the EEA must ensure that adequate levels of protection are in place for the rights and freedoms of data subjects in relation to the processing of that data. As statutory liability for breach lies with the data controller, it is of paramount importance to data controllers that any organisations processing data on their behalf also comply with these obligations. By using BCRs, data processors will be able to present data controllers with a thorough and efficient assurance of this compliance.

BCRs represent an organisation's intra-group agreement to be bound to a set of policies on the protection of personal data in line with Article 25. The elements that make up an organisation's BCRs must include details of its data protection policies, as well as commitments to data protection training and audits.

BCRs must be approved by the DPAs and are then legally binding. For BCRs to be approved, they must be submitted to a lead national DPA, typically determined by the location of the organisation's European headquarters. Applicants must demonstrate to the lead DPA that their BCRs establish adequate safeguards for the protection of personal data throughout the entire group. Once agreed at this level, the lead DPA is then responsible for coordinating approval of the BCRs with the other DPAs across Europe.

Alongside BCRs, there are currently a number of other options available to data controllers seeking compliance with Article 25, including: ensuring all relevant parties are signed up to a Safe Harbor arrangement (only available when transferring data to the US); putting Model Contractual Clauses in place with data processors; self-assessment of the adequacy of corporate data protection policies; transfer to a country that is on the European Commission's 'white-list' (i.e. a country that has been found to have adequate levels of data protection already in place); or relying on one of the exceptions to this requirement.

However, one key advantage to an organisation of putting BCRs in place is that they create a framework under which personal data can be transferred without the need to negotiate the terms relating to the processing for every separate contract entered into. By contracting with a data processor that has BCRs in place, data controllers will therefore be able to meet the required standards without the increased financial and administrative burden of, for example, entering into multiple sets of Model Contractual Clauses.

Further, with organisations increasingly allowing third parties access to personal data (for example through the use of outsourcing solutions such as off-shoring and cloud computing), ensuring such frameworks are in place for the secure management of data transfers is clearly a priority for DPAs. The all-pervasive commitment to data security an organisation must show to gain approval of BCRs arguably makes these the preferred method of handling data transfers in the eyes of the regulators.

At present, approval has only been granted to 29 organisations to use BCRs (including Intel, BP, American Express and eBay); however, uptake has gained momentum in recent years. The benefits the recent change will present to data processors (for example when seeking an advantage over competitors bidding for outsourcing contracts involving the transfer of data outside the EEA), and to data controllers, are likely to spur on this momentum. In addition, opening the use of BCRs out to data processors is likely to focus corporate attitudes on data protection issues, which may leave organisations better prepared to deal with the changes likely to be implemented by the forthcoming Data Protection Directive.

BCRs are not without their drawbacks. For example, negotiating and agreeing their form with the DPAs can take time, and some DPAs will still require that a permit be granted allowing the transfer of data from that Member State. Nevertheless, once in place, BCRs are a highly regarded method of confirming to the market that an organisation meets the requisite standards for securely handling data, and may well be a source of competitive advantage for data processors looking to stand out from their peers.

Co-contributor:

Daniel Bugler, London

Tel: +44(0) 20 7367 2857 ([email protected])