The European Commission's Article 29 Working Party has recently published a new working document providing guidance on Binding Corporate Rules (BCRs) for data processors. This document will be of particular interest to service providers, such as cloud providers that transfer data overseas during the course of providing services to customers.
The 8th principle of the Data Protection Act 1998 prohibits transfers of personal data out of the European Economic Area (EEA) unless an adequate level of protection is put in place. This standard can be satisfied in a number of ways. These include where data is transferred to certain countries which have been approved by the EU as having appropriate data protection measures in place (although only a limited number of countries have received approval), or using the EU's pre-approved model contracts. The standard can also be achieved if the transfer of data is an intra-group transfer which is subject to BCRs – internal documents which demonstrate that adequate safeguards have been implemented within the group.
Until the new BCR guidance was produced there was no official route for data processors to ensure adequate protection for intra-group transfers. This is because both BCRs and model clauses presupposed that the data controller would be initiating the transfer. This often poses a problem for service providers and their customers, as there is no sure-fire way for processor-to-processor transfers to be deemed compliant without a long chain of model contracts being put in place.
Before they can be used, BCRs need to be approved by the relevant national data protection regulators (in the UK, this would be the Information Commissioner's Office). The new guidelines for data processors adopt a similar approach to the BCRs for data controllers.
The guidelines include a checklist of conditions which should be met in compiling BCRs. These conditions include the following:
Establishing the binding nature of the rules, ensuring that they are complied with by employees within the group;
Setting out data protection training and audit programmes and a complaint handling procedure;
Establishing a duty to co-operate with the local data protection authority;
Describing how data processing will work within the group;
Ensuring that safeguards for the protection of data are put in place.
The new guidelines are a welcome development in this area, and see the regulators recognising the global nature of many data processing operations. Historically, the approval of BCRs has taken a long time. However, the process has sped up somewhat recently, with an increase in the volume of prospective BCRs forwarded to the regulators, and both the regulators and applicants becoming more familiar with the approval process. Hopefully, the regulators will continue to keep up this momentum to enable data processors to take advantage of the BCR route without incurring significant costs and delays.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at July 2012. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.
TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.