The Article 29 Working Party on 6 June 2012 adopted Working Paper WP 195 as a new “toolbox” of recommendations for Binding Corporate Rules (BCRs) for data processors. BCRs are becoming increasingly popular among corporate groups as a legal means of providing adequate protection to personal data that is covered by Directive 95/46/EC and transferred out of the European Union to countries that are not considered to provide an adequate level of protection.
The EU website lists 28 corporate groups for which the EU BCR process for data controllers has been closed. WP 195 closely mirrors WP 153 (adopted in 2008), which provided tools to facilitate the use of BCRs for data controllers; the Working Party has now addressed data processors. This document had been expected for a long time: many cloud service providers process data on a global basis for their customers and, being ineligible for BCRs, had to rely on the Model Contracts for Data Processors or on Safe Harbor certification.
The clearest difference from the BCRs for controllers is the set of rules on the relationship with the “Service Agreement”, the agreement between controller and processor that contains the instructions regarding the data processing and the security and confidentiality measures. The BCRs must become part of such a Service Agreement. The BCRs also have to contain obligations toward the controller, such as the duty to inform the controller about data breaches and the duty to co-operate with and assist the controller in complying with data protection law, for example with its obligation to handle complaints by data subjects.
WP195 tries to balance the interests of the parties to the Service Agreement: it enables the processor to change sub-processors under existing BCRs, but at the same time requires notice to the controller of any such change, giving the controller a chance to terminate the Service Agreement.
A particular concern could be raised by the rules on liability and burden of proof. The BCRs must oblige the EU headquarters of the processor to accept responsibility for all breaches caused by external sub-processors established outside the EU and to pay compensation for any resulting damage. It is for this member of the group to prove that the sub-processor was not responsible for the breach of the BCRs. This sounds very similar to the Working Party’s FAQs in WP155 for controllers. However, the burden of proof requested here directly affects the contractual risks and rights between the two commercial parties to the Service Agreement. It will be interesting to discuss whether the commercial parties (controller and processor) may validly deviate from this rule in their negotiations, provided the data subjects’ rights (which WP195 requires to be protected identically) remain unaffected.
As with the toolbox for controllers, the BCRs for processors need to clarify their internal and external binding nature and the means by which it is guaranteed. In particular, the BCRs must grant certain rights to data subjects, e.g., the right to enforce the BCRs as a third-party beneficiary and the right to lodge a complaint before the DPA or the courts having jurisdiction over the EU controller. Further, the BCRs need to set out several means of ensuring effectiveness, such as an appropriate training program for the processor’s employees, a guideline and dedicated contact points for cases in which a data subject complains about a breach of the BCRs, an audit program covering the BCRs, and a duty to cooperate with the DPAs.
The BCRs for processors also need to include a description of the processing and data flows, naming the entities that are part of the BCRs, and a statement of their material and geographical scope. Hence, the BCRs must give the DPA a general description of the expected nature of the transferred data, the anticipated purposes, and the data importers and exporters inside and outside the EU. Further, it is necessary to establish a process for updating the BCRs and to provide a detailed description of the privacy principles, including the rules on transfers out of the EU.
The new document of the Article 29 Working Party fills an important gap. Particularly against the background of the new proposal for an EU Data Protection Regulation, which for the first time contains provisions on BCRs, the extension of BCRs to processors is a positive step. Cloud service providers, outsourcing providers, and any other company offering global data processing services to customers in the EU will now have to review their current approaches and consider whether it is time to start the process of adopting BCRs.