ANALYSIS: EU Article 29 Working Party Requirements For Processor Binding Corporate Rules May Ease International Outsourcings
By Tanguy Van Overstraeten, Sylvie Rousseau, and Richard Cumbley, of Linklaters LLP.
The EU Article 29 Data Protection Working Party, the representative body for EU data protection authorities, recently issued its requirements for processor binding corporate rules. International outsourcings and other processing arrangements (e.g., cloud computing) with service providers that implement these rules should become easier. Customers should be able to send personal data to the service provider and its sub-processors without the need for more onerous compliance mechanisms, such as Model Contracts.
We consider these rules in more detail below and their implications for the outsourcing market.
Outsourcing and Data Protection
In almost any outsourcing arrangement, a customer will want to ensure that its information is held securely and that the supplier uses that information only to provide services to the customer. This means there is a close alignment between the intention of data protection laws and the commercial expectations of most outsourcing. However, complying with these laws in practice can be burdensome.
One of the reasons for this is the complex nature of many international outsourcings. They are often entered into for the benefit of a number of customer entities (typically all or part of the customer’s group) and the services may be subcontracted to a number of other entities, many of which may be based outside the European Union. This brings the restrictions on international transfers of personal data into play.
There are a range of ways to comply with these restrictions, depending on the exact structure of the outsourcing and the extent to which the parties are prepared to adopt a robust compliance solution. However, there are outsourcings in which Model Contracts have been put in place between the majority of customer entities within the European Union and the majority of the supplier entities outside the European Union. This “web of contracts” approach can require hundreds, if not thousands, of Model Contracts, some of which will need to be notified or approved by local data protection regulators. This is clearly a burdensome exercise.
Processor Binding Corporate Rules
The use of processor binding corporate rules would resolve many of these issues. The service provider (processor) would enter into a binding commitment to ensure that all of the processing it carries out complies with data protection laws. The service provider commits to comply with these rules both through internally binding measures (such as an intra-group agreement) and through its contract with its customer (via a “service level agreement”).
The customer would then be able to transfer personal data to the service provider and its sub-processors, including those based outside the European Union, in full compliance with data protection laws. This should ease the compliance burden associated with any such outsourcing and could provide a competitive edge to suppliers that are able to offer this solution.
Guidance from the Article 29 Working Party
On June 6, 2012, the Article 29 Working Party adopted a working document setting out its requirements for processor binding corporate rules. Whilst this is a significant step, it does not set out exactly how these rules will be adopted or approved in practice.
For example, will the processor binding rules have to be approved by all of the data protection authorities from whose jurisdictions personal data is transferred? If so, will service providers be able to use a mutual recognition process, similar to that used for binding corporate rules for controllers, to ease the application process? Is an approval even possible where the application is made by a processor rather than a controller? Finally, will controllers that rely on these rules still need to make their own notifications or seek their own approvals for these transfers?
Requirements for Processor Binding Corporate Rules
The working document sets out the requirements for processor binding corporate rules in detail. The more important requirements can be summarised as follows: …