Following its launch of processor binding corporate rules (“BCRs”) on 1 January 2013, the Article 29 Working Party (the “Working Party”), the independent body set up under the European Data Protection Directive to advise on the protection of individuals with regard to the processing of personal data, published an explanatory document on 19 April 2013. Controller BCRs have become an increasingly successful method of guaranteeing safeguards for personal data in a global context in the almost ten years since their adoption, so the launch of processor BCRs comes as a welcome development.
Processor BCRs help frame the international transfer of personal data that is originally processed under the instruction of an EU controller and then sub-processed within the processor’s organisation outside the EU. They are essentially internal rules governing data privacy, entered into by group companies, that create obligations for company entities and rights for individuals which can be exercised before the courts or data protection authorities.
The explanatory document makes a number of important clarifications:
- Processor BCRs must be binding and enforceable “internally and towards the outside world”, by clear and compelling internal rules that can be enforced externally by data subjects, data protection authorities and controllers;
- Processor BCRs “do not aim to shift controllers’ duties to processors”, so data controllers remain liable for ensuring sufficient safeguards are in place to protect any personal data processed under their instructions; and
- Certain elements must be provided for in Processor BCRs, including external audits, a complaints handling procedure, specific rules on liability, a statement of a general right to obtain redress and a statement that group members will cooperate with the controller and data protection authorities.
Processor BCRs have a number of advantages over other methods of transferring data outside the EU, such as the Safe Harbor Framework or the implementation of model contracts, not the least of which is that they eliminate the need to negotiate specific contracts for each data processing arrangement within a group. Of course, there are downsides as well, such as the complex and sometimes lengthy process for obtaining approval for the BCRs in the first place. This explanatory document presents useful clarification for any organisation weighing its options.