Binding Corporate Rules: New Guidance

June 19, 2012

During its 86th plenary meeting on 6 and 7 June 2012 in Brussels, the Article 29 Working Party adopted a working document on Binding Corporate Rules (BCRs) for processors. This working document includes a full checklist of the requirements for BCR Processors and is designed both for companies and for data protection authorities.

The new initiative is based on the success of the BCRs for controllers, companies’ expectations and the proposal to explicitly include BCRs for controllers as well as processors in the future legislative framework of the European Union (see, see articles 42 and 43).

BCRs are internal rules applicable to entities of a multinational company and contain key principles legally covering the transfers of personal data coming from the EU. Currently, for transfers of personal data outside of the EU, BCRs are an alternative to the Safe Harbor Principles (for transfers to the USA) or to the Standard Contractual Clauses adopted by the European Commission.

Processor BCRs are internal codes of conduct regarding data privacy and security and will guarantee to clients of data processors that transfers made in relation with the performance of services agreement are adequately framed and protected according to EU data protection laws.

The Article 29 Working Party has already developed some tools to facilitate the use of BCR for Controllers – see WP153 (toolbox to check all conditions to be met), WP155 (FAQs), WP 154 (Example of BCR), WP107 (European cooperation procedure) and WP 74 and 108 (initial papers. These are intended to regulate the transfers of personal data that are originally processed by the company as controller (eg data relating to its customers, its employees, etc).

With its new working document (WP 195), the Article 29 Working Party provides a checklist describing the conditions to be met in order to facilitate the use of BCRs for processors (‘BCR for third party data’). The checklist defines what must be found in BCRs, and what must be presented to DPAs in the BCR application. Similar guidelines already exist for BCR for controllers (WP 153). The working document aims to meet the expectations of companies acting as data processors by giving them the opportunity to use BCRs in the context of international transfers of personal data, for example in the context of outsourcing activities or cloud computing.

Writing in the Privacy and Information Law Blog, Eduardo Ustaran, a partner at Field Fisher Waterhouse, welcomed the Article 29 Working Party publication on what he calls Binding Safe Processor Rules (BSPRs):

‘With the publication by the Article 29 Working Party of their expectations for BSPR programmes, suppliers of data processing services all around the world have been clearly told what it takes to be a safe recipient of data in their role as service providers. Whilst pure contractual solutions will remain as a mechanism to legitimise the engagement of global data service providers, the prospect of getting an upfront approval by the EU regulators is likely to become a much more appealing way forward.

The benefits of BSPR are obvious:

• The official approval of a set of BSPR will automatically grant the service provider the status of “safe processor” which will, in turn, allow its clients to overcome the data transfers limitations under EU data protection law.

• BSPR replace the need for inflexible and onerous data transfers agreements.

• BSPR can be tailored to the data protection practices of the service provider – they are a form of self-regulation.

As with the current proposal for a new EU data protection framework, the success of BSPR in realising their potential depends on how realistic the relevant obligations and compliance expectations are. Fortunately, if the criteria for BSPR approval set out by the Article 29 Working Party is anything to go by, the success of BSPR is well within reach of any responsible data processing services provider.’ 

The Article 29 Working Party proposes to continue its work on BCRs for processors by developing a European coordination procedure, similar to the existing procedure for BCR for controllers (see WP 107 and the Mutual recognition system) and by drafting an EU application form (see WP133 for BCR for controllers).