Following the European Commission’s endorsement of BCR for processors or ‘Binding Safe Processor Rules’ (BSPR) in the proposed EU Data Protection Regulation, the EU data protection authorities have now given their definitive and public backing to a concept that is set to make a massive contribution to the protection of personal data throughout the world. In their new WP195 Document, the Article 29 Working Party provides a toolbox, describing the conditions to be met, for the adoption and approval of BSPR (or as the Working Party puts it “BCR for third party data”).
With the publication by the Article 29 Working Party of their expectations for BSPR programmes, suppliers of data processing services all around the world have been clearly told what it takes to be a safe recipient of data in their role as service providers. Whilst pure contractual solutions will remain as a mechanism to legitimise the engagement of global data service providers, the prospect of getting an upfront approval by the EU regulators is likely to become a much more appealing way forward.
The benefits of BSPR are obvious:
• The official approval of a set of BSPR will automatically grant the service provider the status of “safe processor” which will, in turn, allow its clients to overcome the data transfers limitations under EU data protection law.
• BSPR replace the need for inflexible and onerous data transfers agreements.
• BSPR can be tailored to the data protection practices of the service provider – they are a form of self-regulation.
As with the current proposal for a new EU data protection framework, the success of BSPR in realising their potential depends on how realistic the relevant obligations and compliance expectations are. Fortunately, if the criteria for BSPR approval set out by the Article 29 Working Party is anything to go by, the success of BSPR is well within reach of any responsible data processing services provider.