The Article 29 Working Party has updated its guidance (the ‘Guidance’) on Processor Binding Corporate Rules (‘PBCRs’) in response to growing concerns that personal data, when transferred outside the European Union to countries without adequate protection, may be subject to access requests from those countries’ law enforcement agencies (‘LEA’) in situations which may not comply with EU data protection rules.
The Guidance sets out additional requirements for processors when they receive requests from LEAs. Processors in third countries should commit to assess each access request on a case-by-case basis, and agree to defer any LEA request for a reasonable period of time so that the data protection authority (‘DPA’) competent for the controller and the lead DPA for the PBCRs may be notified. The Working Party suggests that DPAs then respond within a reasonable period of time by either issuing a positive opinion or prior authorisation, depending on the national law applicable to the DPA concerned, or, where the circumstances warrant it, exercising their powers to suspend or ban the transfer.
The Article 29 Working Party’s recommendation to notify controllers and DPAs may, however, conflict with laws that prohibit disclosure of an LEA request in order to preserve the confidentiality of the investigation. Processors awarded PBCRs may therefore have to decide whether to challenge the confidentiality of such an LEA request, or accept the risk of some form of enforcement by the DPA. Where a processor does notify the controller and the DPA, the flip side is that lead DPAs could find themselves inundated with notifications from processors seeking to protect themselves and their PBCR certification.
As PBCRs continue to develop and increasing numbers of processors seek certification, further guidance is likely to be provided.