EU DPAs prepare for future use of BCRs for processors

As the EU Data Protection draft Regulation specifically mentions Binding Corporate Rules (BCR) for processors or 'Binding Safe Processor Rules (BSPR)’, the EU Data Protection Authorities have now adopted a working document on this topic. This working document includes a full checklist of the requirements for processor BCRs and is designed both for companies and for Data Protection Authorities. The checklist explains which elements must be found in processor BCRs, much in the same way that the DPAs have set requirements for the use of BCRs for data controllers.

Eduardo Ustaran, Partner at Field Fisher Waterhouse LLP, who has played a leading role in advocating this new instrument, commented:
“The main difference is that under BSPR (Binding Safe Processor Rules), the substantial obligations are mainly about assisting the controller to comply with its own obligations regarding transparency, purpose limitation, data quality and data subjects' rights.  In this respect, BSPR is much more realistic than Safe Harbor in terms of setting out obligations that a processor can comply with.”

The EU DPAs say that a contract between a controller and a processor must grant rights to data subjects to enforce the BCR as third-party beneficiaries in case the data subject is not able to bring a claim against the data controller. With regard to liability, the processor would accept liability to pay compensation and to remedy breaches of the BCR.

“Predictably, the liability requirement for processors is very close to the liability under the controller-processor model clauses.  So data processors that go down the BSPR route instead of signing up to the model clauses are no worse off liability-wise.  This is very important if the regulators are aiming for a good take up of BSPR,” Ustaran told Privacy Laws & Business.

The main benefit of BSPR would be for cloud computing and outsourcing. “At the moment, there isn't any mechanism that properly legitimises transfers of data to global cloud service providers.  Safe Harbor and contractual mechanisms are the closest we have, but both have serious legal and practical limitations in this particular context.  BSPR is precisely suited to a cloud service provider targeting European customers and it brings benefits to both - the service provider can adopt a flexible and viable approach to compliance and the customer can easily overcome the limitations affecting international data transfers without the need for model clauses agreements,” Ustaran said.

The EU Data Protection Working Party will develop a European coordination procedure for processor BCRs, which will function in the same way as the current Mutual Recognition system.

See the working document WP 195, adopted 6-7 June.

Privacy Laws & Business's 25th Annual International Conference 2-4 July 2012 includes a session on BCRs with speakers from the UK Information Commissioner’s Office, law firms and companies from Belgium, Denmark, Italy, the UK and the USA.  

Read more about BCRs for processors in the July issue of Privacy Laws & Business UK Report.