Out-Law News

Outsourcing providers face processor binding corporate rules 'trade off', says expert


Corporate groups that provide personal data processing services to other firms in the EU must decide whether they are willing to expose one group member to greater liability for those activities by putting in place 'binding corporate rules' (BCRs) that can otherwise benefit them, an expert has said.

Data protection law specialist Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said that 'data processors' can obtain a "competitive advantage" by agreeing BCRs with data protection authorities. However, he said that the "trade off" for doing so is that EU-based processors are likely to be placed "on the hook" for breaches of the rules by sister companies within the same group based elsewhere in the world.

"Processor BCRs are an extremely useful and dynamic tool for outsourcing providers to put in place to demonstrate that their arrangements for processing and transferring personal data overseas meet EU data protection standards," Dautlich said. "They enable the free transfer of personal data within a processor's group structure regardless of where in the world the group's various offices are based. They are something cloud providers in particular have been clamouring for, since the constant flow of information between servers based across the world is inherent in the use of cloud technology."

"However, EU-based data processors must be aware that they could be held liable for any breach of the BCRs from within the wider group structure or by sub-processors contracted to carry out personal data processing on the group's behalf," he added.

Dautlich was commenting after the Article 29 Working Party, a committee made up of representatives from each of the national data protection authorities in operation across the EU, published an explanatory note on the subject of processor BCRs. Earlier this year the Working Party gave the go-ahead to data processors to obtain BCRs, which commit those organisations to certain data security and privacy standards relating to their processing operations. Previously only organisations primarily responsible for individuals' personal data - 'data controllers' - were able to put in place BCRs.

In its explanatory note on how the processor BCRs regime should work, the Working Party outlined how companies within a group structure can be held liable for breaches of processor BCRs (19-page / 347KB PDF) even where other organisations in the group or even sub-processing firms are at fault. The Working Party said the firms could have to compensate individuals as a result of infringements, and pay damages for breach of contract to data controllers under certain circumstances.

"BCR for Processors must state that all Controllers shall have the right to enforce the BCR for Processors against any member of the Processor’s group for breaches it caused," the Working Party said. "The Controller should also have the power to enforce the written agreement against any external subprocessor at the origin of the breach."

"In addition to this, in case the breach is caused by a non-EU Processor’s entity or by an external non-EU subprocessor, the Controller shall have the right to enforce the BCR for Processors against the Processor’s entity that accepted to bear liability for paying compensation and to remedy breaches of the BCR, of the Service Agreement or of the written agreements signed with the external subprocessors," it said.

"The organisation will make the commitment in its BCR for Processors’ application form that the entity that has accepted liability for the acts of other members of the BCR for Processors outside of the EU and for external sub-processors established outside of EU has sufficient assets to pay those compensation for damages," the Working Party added.

Current EU data protection laws prevent companies sending personal data outside of the European Economic Area (EEA) except where adequate protections have been put in place or in circumstances where the destination country has been pre-approved as having adequate data protection. Only a handful of countries, including Argentina, Canada and Switzerland, have qualified as having adequate protection. The EEA includes all 27 EU member states, Iceland, Norway and Liechtenstein.

When a company wants to send personal data to other non-EEA countries, that company must ensure that adequate protections are in place, even when the transfer is from one group company to another. One mechanism open to companies to achieve those 'adequacy' standards is to put in place BCRs. BCRs are legally-binding commitments companies draw up over the transfer and processing of personal data outside of the EEA. They are subject to scrutiny by data protection authorities (DPAs) and confirm that adequate data protection is in place.

The Working Party explained that it is possible for data processors to nominate an EU-based group company to bear responsibility for BCRs compliance in cases where the company is headquartered elsewhere. The burden of proof would lie with the processor company responsible for compliance to show that it should not be held liable for damages or compensation in those circumstances, it said.

"BCR for Processors must also state that where data subjects or the Controller can demonstrate that they have suffered damages and establish facts which show it is likely that the damage has occurred because of the breach of the BCR for Processors (or the Service agreement or the written contracts ...), it will be for the member of the group that has accepted liability to prove that the member of the organisation outside of EU or the external sub-processor was not responsible for this breach giving rise to those damages or that no such breach took place," the Working Party said.

In its note the watchdog stressed that data processors need to satisfy data protection authorities that all companies within their group are bound by the processor BCRs they wish to put in place. In addition, it said data processors must also be willing to be audited for compliance with the BCRs and for the results of those audits to be shared with data protection authorities.