August 6, 2020

Volume X, Number 219


Article 29 Working Party Updates BCR Guidance: European Union

On June 2, 2015, the Article 29 Working Party updated its published guidance on the topic of Processor BCRs. In its latest guidance document, the Working Party focuses specifically on the sensitive topic of disclosures to law enforcement agencies (LEAs).

By means of Processor BCRs, data processors are able to share EU-originating personal data within their group globally.  This increases the risk that foreign LEAs will either request or compel production of the data by group affiliates established outside the EU.  European concerns over the broad scope of U.S. government surveillance programs, and similar programs in other countries, undoubtedly provided the impetus for the guidance. The Working Party recognizes this risk and appears to appreciate the difficult situation processors can find themselves in when asked to produce information to LEAs. In line with previous guidance relating to e-discovery, the Working Party proposes a “best-efforts” model.

In short, a processor seeking approval for its Processor BCRs must make the following new commitments to European DPAs evaluating the processor’s BCR application:

  • in addition to communicating the LEA request to the relevant data controller, the processor must assess each LEA request on a case-by-case basis and put the LEA request on hold until the DPA regulating the relevant data controller and the lead DPA for the processor can be informed; DPAs are expected to reply within a reasonable timeframe as to whether the LEA disclosure should be permitted or not;

  • in the event the processor is prevented from notifying the data controller and relevant DPAs (e.g., by “gagging” orders or similar legal restraints imposed by the LEA), the processor must use best efforts to have this restriction waived or suspended as soon as possible and produce evidence to this effect; and

  • if the processor still cannot inform the data controller or competent DPAs, despite exercising its best efforts, it must provide the DPAs with an annual update on such LEA requests (i.e., the number of applications, types of data requested, identity of the requesting party, if possible). This mirrors industry initiatives, especially in the online sector, to publish statistical data regarding the number of LEA requests they receive. The Working Party, however, does not expect such reports to be made publicly available – although once filed they could be subject to access to information (e.g., FOIA) requests.

These new commitments raise a number of issues and practical concerns for companies considering adopting Processor BCRs.  For example, what constitutes a “best effort” and how do you demonstrate those “best efforts”?  The Working Party, unfortunately, does not provide further guidance on these and other important questions.

This post was written with contributions from Kristof Van Quathem.

© 2020 Covington & Burling LLP

National Law Review, Volume V, Number 156


About this Author

Repeatedly ranked as having one of the best privacy practices in the world, Covington combines exceptional substantive expertise with an unrivaled understanding of the IT industry, and of e-commerce and digital media business models in particular.  Our practice provides exceptional coverage of all of the substantive areas of privacy, including IT/technology, data security, financial privacy, health privacy, employment privacy, litigation and transactions.  One of our core strengths is the ability to advise clients on relevant privacy and data security rules worldwide,...