The Article 29 Working Party has issued updated guidance for applicants considering adopting binding corporate rules (BCRs). The guidance, WP204 Explanatory Document on the Processor Binding Corporate Rules, is a revised version of guidance first adopted in April 2013. The intervening two years have seen a change in attitudes, catalyzed by the Snowden revelations, and the revisions attempt to address some of the dilemmas that those changes have spotlighted. The main change is in relation to responses to government requests for access to data.
At para. 2.3.4, the guidance sets out the procedure where ‘mandatory requirements of national legislation’ may prevent a processor from fulfilling the instructions from the controller or its obligations under the BCR. In the best-case scenario:
‘the Processor shall commit in the BCR to assess each access request (by any law enforcement authority or state security body, hereinafter “requesting body”) on a case-by-case basis and has to commit to putting the request on hold for a reasonable delay in order to notify the DPA competent for the Controller and the lead DPA for the processor BCR prior to the disclosure to the requesting body. The Processor shall clearly inform the competent DPAs about the request, including information about the data requested, the requesting body, and the legal basis for the disclosure.’
But the Article 29 Working Party recognises rougher realities:
‘If in specific cases the suspension and/or notification are prohibited, such as in case of a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation, the BCR shall provide that the Processor will use its best efforts to obtain the right to waive this prohibition in order to communicate as much information as it can and as soon as possible, and be able to demonstrate that it did so.
If, in the above cases, despite having used its best efforts, the Processor is not in a position to notify the competent DPAs, it must commit in the BCR to annually providing general information on the requests it received to the competent DPAs (e.g. number of applications for disclosure, type of data requested, requester if possible, etc.).
In any case, transfers of personal data by a processor to any public authority cannot be massive, disproportionate and indiscriminate in a manner that it would go beyond what is necessary in a democratic society.’
One has to say that this involves a limited acknowledgement of rough reality. One can only wish good luck to the processor explaining to a swoop from the NSA that they are being a trifle indiscriminate in a manner that goes beyond what is necessary in a democratic society.
There is an excellent analysis of the change and its impact by Phil Lee of Field Fisher on the Privacy and Information Law Blog here. It is well worth reading.