We all know that the times when data processors could try to shield themselves from data protection compliance by arguing that the law did not apply to them are long gone.
In recent years the role of data processors has become so sophisticated as to test the boundaries of the definition of data controllers to the limit. In addition, the new draft General Data Protection Regulation of the European Commission (“draft Regulation”) establishes obligations directly applicable to data processors. Therefore data processors will soon be directly liable and subject to monetary penalties.
However, is this really bad news? Leaving aside the additional red tape that some of the obligations may generate, it seems that data processors have finally been given a voice. So, for those data processors wanting to get it right and already working on organisational data protection compliance programs, this is actually good news.
At last, data processors will get deserved recognition for the measures they have adopted to ensure compliance with fundamental data protection obligations, such as those related to the international transfers of personal data outside the EEA. As Binding Corporate Rules (“BCRs”) continue to establish themselves as the preferred way to legitimise international transfers of personal data within multinational data controllers, Binding Safe Processor Rules (“BSPRs”) are the obvious next step for global data processors. The draft Regulation recognises this – expressly instructing data processors to take the necessary steps to legitimise international transfers of data by putting in place BSPRs or appropriate contractual arrangements.
However, some European data processors will not have to wait until the approval and implementation of the Regulation in order to take the bull by the horns. The Spanish data protection authority (“Spanish DPA”) has recently announced that it has drafted a new set of proposed model clauses (based on the 2010 controller to processor clauses) that will allow data processors in Spain to engage sub-processors outside the EEA.
Of particular interest is the proposal that data processors can enter these new model clauses directly with sub-processors outside the EEA (i.e. not simply on behalf of the data controller) and seek their own data transfer authorisation from the Spanish DPA.
By drafting these model clauses the Spanish DPA has responded to the demands of the outsourcing industry to provide a more flexible instrument that covers processor-to-processor exports and, by doing so, eliminate some of the regulatory barriers that place EU processors at a competitive disadvantage with their non-EEA competitors.
For those familiar with the existing data transfer authorisation process in Spain, there is no doubt that the new processor authorisation process will be similarly burdensome. However, an express recognition that data processors should be entitled to request data transfer authorisation and directly manage their own sub-processors is, in itself, a breath of fresh air.