EU privacy watchdogs have given the go-ahead to 'data processors' to put in place 'binding corporate rules' (BCRs) that commit those organisations to certain data security and privacy standards relating to their processing operations. Previously only organisations primarily responsible for individuals' personal data - 'data controllers' - were able to put in place BCRs.
Data controllers are organisations that determine the purpose for which and manner in which personal data is or is likely to be processed. They are responsible for complying with all aspects of data protection law in the EU. In contrast, data processors – third-parties contracted by data controllers to process personal data on behalf of the controller – only have to comply with data security rules and any other data protection obligations that are prescribed in the terms of their contracts with data controllers – such as those that define the scope of their processing activities.
Current EU data protection laws prevent companies from sending personal data outside of the EEA except where adequate protections have been put in place or in circumstances where the destination country has been pre-approved as having adequate data protection. Only a handful of countries, including Argentina, Canada and Switzerland, have qualified as having adequate protection. New Zealand last month became the latest country to qualify as meeting the standards. The EEA includes all 27 EU member states, Iceland, Norway and Liechtenstein.
When a company wants to send personal data to other non-EEA countries, that company must ensure that adequate protections are in place, even when the transfer is from one group company to another.
One mechanism open to companies to achieve those 'adequacy' standards is to put in place BCRs. BCRs are legally binding commitments companies draw up over the transfer and processing of personal data outside of the EEA to a country that is not a European Commission pre-approved country.
Data protection law specialist Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said that data processors could make themselves attractive to data controllers looking to outsource their processing operations if they apply for and obtain approval for BCRs from data protection authorities.
"Data processors may be encouraged to obtain BCRs as a means by which to attract prospective business from controllers as this would potentially demonstrate a high quality approach to compliance with the adequacy rules," Dautlich said. "Processors may also find BCRs act as a real selling point in convenience terms, for example where currently the parties are using large numbers of model contract terms."
"Data controllers stand to benefit from the changes because they will be able to rely on processors' approved BCRs. This should see a reduction in the costs businesses can incur when negotiating contracts relating to personal data processing. The fact that the application process is identical to that for data controllers will be of interest to those organisations that are now considering applying for both controller and processor BCRs."
In a statement the Article 29 Working Party, which is a committee made up of representatives from each of the national data protection authorities in operation across the EU, said that BCRs for processors would benefit both data processors and controllers.
"Once a BCR for processors is approved it can be used by the controller and processor, thereby ensuring compliance with the EU data protection rules without having to negotiate the safeguards and conditions each and every time when a contract is entered into," the Working Party said.
"BCR for processors will be part of the guarantees brought by a controller to data protection authorities in order to demonstrate adequate protection and obtain the necessary authorisation for transfers of their personal data to the different entities of their processors (for example subprocessors and data centres)," it added.
Last year the Article 29 Working Party published a 'working document' which set out a checklist data processors must meet when they agree to BCRs. Under the terms, processors can form BCRs if they wish to conduct processing outside of the EEA, and it is the processors that would generally be liable for any breaches of those rules that occur.