On June 2, 2015, the Article 29 Working Party updated its published guidance on the topic of Processor BCRs. In their latest guidance document, the Working Party focus specifically on the sensitive topic of disclosures to law enforcement agencies (LEAs).
By means of Processor BCRs, data processors are able to share EU-originating personal data within their group globally. This increases the risk that foreign LEAs will either request or compel production of the data by group affiliates established outside the EU. European concerns over the broad scope of U.S. government surveillance programs, and similar programs in other countries, undoubtedly provided the impetus for the guidance. The Working Party recognizes this risk and appears to appreciate the difficult situation processors can find themselves in when asked to produce information to LEAs. In line with previous guidance relating to e-discovery, the Working Party proposes a “best-efforts” model.
In short, a processor seeking approval for its Processor BCRs must make the following new commitments to European DPAs evaluating the processor’s BCR application:
- in addition to communicating the LEA request to the relevant data controller, the processor must assess each LEA request on a case-by-case basis and put the LEA request on hold until the DPA regulating the relevant data controller and the lead DPA for the processor can be informed; DPAs are expected to reply within a reasonable timeframe as to whether the LEA disclosure should be permitted or not;
- in the event the processor is prevented from notifying the data controller and relevant DPAs (e.g., by “gagging” orders or similar legal restraints imposed by the LEA), the processor must use best efforts to have this restriction waived or suspended as soon as possible and produce evidence to this effect; and
- if the processor still cannot inform the data controller or competent DPAs, despite exercising its best efforts, it must provide the DPAs with an annual update on such LEA requests (i.e., the number of applications, types of data requested, identity of the requesting party, if possible). This mirrors industry initiatives, especially in the online sector, to publish statitistical data regarding the number of LEA requests they receive. The Working Party, however, does not expect such reports to be made publicly available – although once filled they could be subject to access to information (e.g., FOIA) requests.
These new commitments raise a number of issues and practical concerns for companies considering adopting Processor BCRs. For example, what constitutes a “best effort” and how do you demonstrate those “best efforts”? The Working Party, unfortunately, does not provide further guidance on these and other important questions.