Phil Lee guides you through the changes made to the Article 29 Working Party guidance on Processor Binding Corporate Rules and gives his tips on coping with government requests for access to data.
The Article 29 Working Party has published new guidance on Processor BCR. The significance of this document cannot be overstated: it has the potential to shape the future of global data transfers for years to come.
That's a bold statement to make, so what is this document – Working Party Paper WP204 'Explanatory Document on the Processor Binding Corporate Rules' – all about? Well, first off, the name kind of gives it away: it's a document setting out guidance for applicants considering adopting Processor BCR (that's the BCR that supply-side companies – particularly cloud-based companies – are all rushing to adopt). Second, it's not a new document: the Working Party first published it in 2013.
The importance of this document now is that the Working Party have just updated and re-published it to provide guidance on one of the most contentious and important issues facing Processor BCR: namely how Processor BCR companies should respond to government requests for access to data.
Foreign government access to data – the EU view
To address the elephant in the room, ever since Snowden, Europe has expressed very grave concerns about the 'adequacy' of protection for European data exported internationally – and particularly to the US. This, in turn, has led to repeated attempts by Europe to whittle away at the few mechanisms that exist for lawfully transferring data internationally, from the European Commission threatening to suspend Safe Harbor through to the European Parliament suggesting that Processor BCR should be dropped from Europe's forthcoming General Data Protection Regulation (a suggestion that, thankfully, has fallen by the wayside).
By no means the only concern, but certainly the key concern, has been access to data by foreign government authorities. The view of EU regulators is that EU citizens' data should not be disclosed to foreign governments or law enforcement agencies unless a strict mutual legal assistance protocol has been followed. They rightly point out that EU citizens have a fundamental right to protection of their personal data, and that simply handing over data to foreign governments runs contrary to this principle.
By contrast, the US and other foreign governments say that prompt and confidential access to data is often required to prevent crimes of the very worst nature, and that burdensome mutual legal assistance processes often don't allow access to data within the timescales needed to prevent these crimes. The legitimate but conflicting views of both sides lead to the worst kind of outcome: political stalemate.
The impact of foreign government access to data on BCR
In the meantime, businesses have found themselves trapped in a 'no man's land' of legal uncertainty – the children held responsible for the sins of their parent governments. Applicants wishing to pursue Processor BCR have particularly found themselves struggling to meet its strict rules concerning government access to data: namely that any 'request for disclosure should be put on hold and the DPA competent for the controller and the lead DPA for the BCR should be clearly informed about it.' (see criteria 6.3 available here)
You might fairly think: 'Why not just do this? If a foreign government asks you to disclose data, why not just tell them you have to put it on hold until a European DPA sanctions – or declines – the disclosure?' The problem is that reality is seldom that straightforward. In many jurisdictions (and, yes, I'm particularly thinking of the US) putting a government data disclosure order 'on hold' and discussing it with a European DPA is simply not possible.
This is because companies are typically prohibited under foreign laws from discussing such disclosure orders with anyone, whether or not a data protection authority, and the penalties for doing so can be very severe – up to and including jail time for company officers. And let's not forget that, in some cases, the disclosure order can be necessary to prevent truly awful offences – so whatever the principle to be upheld, sometimes the urgency or severity of a particular situation will simply not allow for considered review and discussion.
But that leaves companies facing the catch-22. If they receive one of these orders, they can be in breach of foreign legal requirements for not complying with it; but if they do comply with it, they risk falling foul of European data protection rules. And, if you're a Processor BCR applicant, you might rightly be wondering how on earth you can possibly give the kind of commitment that the Working Party expects of you under the Processor BCR requirements.
How the Working Party's latest guidance helps
To their credit, the Working Party have acknowledged this issue and this is why their latest publication is so important. They have updated their BCR guidance to note that 'in specific cases the suspension and/or notification [to DPAs of foreign government data access requests] are prohibited', including for example 'a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation'. In these instances, they expect BCR applicants to use 'best efforts to obtain the right to waive this prohibition in order to communicate as much information as it can and as soon as possible'.
So far, so good. But here's the kicker: they then say that BCR applicants must be able to 'demonstrate' that they exercised these 'best efforts' and, whatever the outcome, provide 'general information on the requests it received to the competent DPAs (eg number of applications for disclosure, type of data requested, requester if possible, etc)' on an annual basis.
And therein lies the problem: how does a company 'demonstrate' best efforts in a scenario where a couple of NSA agents turn up on its doorstep brandishing a sealed FISA order and requiring immediate access to data? You can imagine that gesticulating wildly probably won't cut it in the eyes of European regulators.
And what about the requirement to provide 'general information' on an annual basis including the 'number of applications for disclosure'? In the US, FISA orders may only be reported in buckets of 1,000 orders – so, even if a company received only one or two requests in a year, the most it could disclose is that it received between 0 and 999 requests, making it seem like government access to their data was much more voluminous than in reality it was.
I don't want problems, I want solutions!
So, if you're a Processor BCR applicant, what do you do? You want to see through your BCR application to show your strong commitment to protecting individuals' personal data, and you certainly don't want to use a weaker solution, like Model Clauses or Safe Harbor that won't carry equivalent protections. But, at the same time, you recognize the reality that there will be circumstances where you are compelled to disclose data and that there will be very little you can do – or tell anyone – in those circumstances.
Here's my view:
· First off, you need a document government data access policy. It's unforgivable in this day and age, particularly in light of everything we have learned in the past couple of years, not to have some kind of written policy around how to handle government requests for data. More importantly, having a policy – and sticking to it – is all part and parcel of demonstrating your 'best efforts' when handling government data requests.
· Second, the policy needs to identify who the business stakeholders are that will have responsibility for managing the request – and, as a minimum, this needs to include the General Counsel and, ideally, the Chief Privacy Officer (or equivalent). They will represent the wall of defence that prevents government overreach in data access requests and advise when requests should be challenged for being overly broad or inappropriately addressed to the business, rather than to its customers.
· Third, don't make it easy for the government. If they want access to your data, make them work for it. It's your responsibility as the custodian of the data to protect your data subject's rights. To that end, only disclose data when legally compelled to do so – if access to the data really is that important, then governments can typically get a court order in a very short timeframe. Do not voluntarily disclose data in response to a mere request, unless there really are very compelling reasons for doing so – and reasons that you fully document and justify.
· Fourth, even if you are under a disclosure order, be prepared to challenge it. That doesn't necessarily mean taking the government to court each and every time, but at least question the scope of the order and ask whether – bearing in mind any BCR commitments you have undertaken – the order can be put on hold while you consult with your competent DPAs. The government may not be sympathetic to your request, particularly in instances of national security, but that doesn't mean you shouldn't at least ask.
· Fifth, follow the examples of your peers and consider publishing annual transparency reports, a la Google, Microsoft and Yahoo. While there may be prohibitions against publishing the total numbers of national security requests received, the rules will typically be more relaxed when publishing aggregate numbers of criminal data requests. This, in principle, seems like a good way of fulfilling your annual reporting responsibility to data protection authorities; it goes one step further by providing transparency to those who matter most in this whole scenario, the data subjects.
So why does the Working Party's latest opinion matter so much? It matters because it's a vote of confidence in the Processor BCR system and an unprecedented recognition by European regulatory authorities that there are times when international businesses really do face insurmountable legal conflicts.
Had this opinion not come when it did, the future of Processor BCR would have been dangerously undermined and, faced with the prospect of Safe Harbor's slow and painful demise and the impracticality of Model Clauses, would have left many without a realistic data export solution and further entrenched a kind of regulatory 'Fortress Europe' mentality.
The Working Party's guidance, while still leaving challenges for BCR applicants, works hard to strike that hard-to-find balance between protecting individuals' fundamental rights and the need to recognize the reality of cross-jurisdictional legal constraints – and, for that, they should be commended.
Phil Lee is a partner in Fieldfisher's privacy and information law group, and head of the firm's US Office, based in Palo Alto, California. This article first appeared as a blog post on the Privacy and Information Law Blog.