Binding Safe Processor Rules are Go
This article was first published in Data Protection Law & Policy in June 2012.
It was exactly four years ago when the term Binding Safe Processor Rules was coined. Nobody had heard about this concept before, and the idea of allowing a humble data processor to take responsibility for adopting and implementing its own set of rules based on European privacy standards, from which its clients could benefit to legitimise any international processing of personal data, seemed ill-conceived. Regulators and data protection lawyers were sceptical about the prospect of a service provider taking such a primary compliance role. However, the idea was not ill-conceived and, fortunately for the future of data protection, that scepticism has turned into pragmatism, as the Article 29 Working Party has proved.
For those involved in international data protection, the publication by the Article 29 Working Party of a document with the elements to be found in a set of BCR for processors or Binding Safe Processor Rules (BSPR) will not have come as a complete surprise. For starters, it is patently obvious that many of those who play the role of data processors make key operational decisions about the way in which personal data is handled at a global scale. That justifies from both a public policy and a practical compliance point of view giving those processors a bigger part in relation to compliance with data protection obligations. It is precisely for that reason that the European Commission envisaged the possibility of BSPR in the draft Data Protection Regulation currently being debated in Brussels. So it was only a matter of time before the EU data protection authorities got their act together to rally behind a concept that is set to revolutionise international data protection.
The document issued by the Working Party had been in the making for quite some time, and a fair amount of thinking has gone into the process of replicating the complex BCR requirements in a data processor context. The regulators knew that for BSPR to work, the requirements had to be realistic in terms of compliance responsibilities and, above all, suited to those who do not normally have a direct relationship with the individuals whose data they process. Part of the early criticism of BSPR was due to the fact that, in traditional terms, data controllers should always be responsible for complying with the law and for ensuring that the information for which they are primarily accountable is adequately protected. Therefore, the process of crafting a viable set of criteria for BSPR has involved detailed legal work and considerable imagination.
The result is a near-perfect balance between what is possible and what is desirable. A key point of reference to determine whether a framework such as BSPR is ever going to fly is the potential liability of the safe processor. Aim for a zero-liability approach and no controller in the land will trust you with their data. Impose an unqualified direct level of responsibility and only the bravest (or most foolish) service providers will swallow it. The Working Party has gone for a tried and tested level of liability, the same one that appears in the model clauses for international data transfers approved by the European Commission. The effect is that processors will be no worse off under BSPR than under the model clauses.
An equally important measure to determine the viability of BSPR is the scope of the substantive data protection safeguards that apply to safe processors. BSPR was never going to be just about ensuring an appropriate level of security. BSPR, like BCR, are about adopting a holistic approach to responsible personal data processing, and the regulators' expectations reflect that. But the good news is that, unlike in the case of Safe Harbor, each of the privacy principles at the core of BSPR has been thought out with the processor role in mind. So safe processors will be expected to do things like cooperating with controllers, complying with their instructions and helping them honour individuals' rights. Clearly, achieving practical data protection is very much the aim.
As the first applications for BSPR status start rolling in, we will see how the data protection authorities live up to their own criteria. The work is by no means over, but what was a dream four years ago will tomorrow be the way to go for responsible global data services providers.