Monday, June 29, 2015
Article 29 WP Expands Guidance on Processor BCRs
At the beginning of the month, the Article 29 Working Party updated its earlier guidance on how companies that act as data processors, such as cloud-based service providers, can adopt Binding Corporate Rules (BCRs) as the basis for compliance with European data protection requirements. The 20-page document (WP 204 rev.01, "Explanatory Document on the Processor Binding Corporate Rules") most notably addresses for the first time the controversial issue of how Processor BCR companies should respond to requests for access to data from foreign governments. While not retreating from its requirement that any such request be put on hold until the relevant European DPA is informed and determines the appropriate response, the Working Party recognizes that such notification may be prohibited by a law in the originating country. Where this is the case, companies are urged to exercise their “best efforts to obtain the right to waive this prohibition in order to communicate as much information as it can and as soon as possible”. In addition, these efforts should be documented and annual summaries containing as much information as permitted by law should be forwarded to the relevant DPA.