Data Protection will be a recurring theme this year so I’ve asked my colleague, Sherif Malak, to look into an important recent development regarding the use of ‘Binding Corporate Rules’ by organisations processing data on behalf of others.
There is little doubt that the rise of cloud computing services is likely to continue unabated in 2013, as more online consumer services and in-house IT departments roll out cloud-based solutions and enjoy the flexibility and efficiency gains they bring. However, the cloud era also brings with it the need to keep on top of data protection compliance requirements. Given the often bewildering complexity of cloud arrangements, this can be easier said than done!
So for organisations grappling with the legal compliance issues around cloud computing, the European data protection authorities’ decision to launch Binding Corporate Rules (BCRs) for data processors could represent a very welcome tool for the new year. BCRs are a set of rules governing transfers of personal data between entities that form part of the same corporate group. The authorities, which assemble as the ‘Article 29 Working Party’, have announced that organisations that are data processors will be able to use BCRs from 1st January 2013.
There are a number of advantages that Processor BCRs will bring to customers and providers of cloud services, but first a quick recap for the uninitiated. Under the data protection rules, organisations that control the purposes and methods by which personal data are processed (i.e. “data controllers”) are prohibited from transferring personal data outside the EEA (the EU countries plus Iceland, Liechtenstein and Norway) unless the recipient country can ensure an adequate level of protection of the rights and freedoms of the data subjects to whom those personal data relate. BCRs are one way an organisation can comply with the requirements of the European data protection regime when transferring personal data to countries outside the EEA, but only for transfers between companies within its own corporate group. Other ways include transferring only to non-EEA countries declared adequate by the Commission, e.g. Canada or Israel (or the US, but only if the recipient organisation participates in the Safe Harbor regime), or including the Commission-prescribed “model clauses” in contracts with the transferee.
The introduction of Processor BCRs brings with it a number of advantages including:
- By using data processors whose BCRs have been approved by regulators, data controllers do not need to negotiate safeguards and conditions each and every time a contract is entered into. Processor BCRs permit controllers to demonstrate compliance with the ‘adequacy’ rules for all data processed by that processor’s group. Processor BCRs also go some way towards solving a current gap in the model clauses system, which does not provide a set of clauses for controllers to use with EEA processors that have non-EEA sub-processors (albeit the solution only applies to sub-processors in the same group).
- Under the BCRs, data processors can transfer the data controller’s data within their corporate group (including to group members in non-EEA, ‘non-approved’ countries) without having to manage a matrix of contracts between the data controller and individual group companies to ensure that such data are adequately protected. Also, if the group expands, there is no need for data protection authorities to approve updates to the BCRs once they are operational (e.g. if a new entity is established or there is some other change to the corporate structure), although periodic notification of new members and, in some jurisdictions, notification of transfers is required. So, for instance, a UK processor can pass data to its established Indian or Brazilian subsidiaries or to a new subsidiary in China; the BCRs will bind them all without requiring an approval process each time.
- Processors with BCRs can use them as a selling point, not only to appeal to new controller clients but also to existing clients, since any take-up of new processing services that may be carried out by sub-processors in the group outside the EEA will automatically be covered by the BCRs.
Of course, Processor BCRs suffer from the same issues as those for data controllers: BCRs raise the compliance bar in jurisdictions which might not otherwise require such an onerous level of data protection compliance; they only apply to intra-group transfers; the approval process is not straightforward and can be lengthy; and they allow data subjects to enforce the rules directly against the organisation. Nonetheless, until the much-anticipated Data Protection Regulation shakes up the approach to BCRs in light of the fast-moving transition to the cloud, Processor BCRs will be a welcome addition to the toolkit for both customers and providers of cloud services when tackling the issue of transfers of personal data outside the EEA in their contracts.
So much food for thought!
Have a great week.