Binding Corporate Rules may not save the day
Binding Corporate Rules (BCRs) are one of the key elements of the proposed new EU data protection framework. They are a set of binding rules that a company operating in multiple jurisdictions can put in place to transfer personal data it controls from the EEA to entities outside the EEA in compliance with the national laws implementing the EU Directive. To be successful, an applicant must demonstrate that it has adequate safeguards in place for protecting the data throughout the organisation. See this paper by Allen & Overy about BCRs and the EC’s definition here.
It is interesting to see that Salesforce, one of the largest US Cloud Providers, has announced that its BCRs (Binding Corporate Rules) have been accepted by the European Data Protection Authorities (WP29). See the detailed text here.
The Lead Authority was the French Commission Nationale de l’Informatique et des Libertés (CNIL), which was assisted by the Netherlands DPA and the Bavarian Landesamt für Datenschutzaufsicht. You can see a list of the EU’s accepted BCRs here.
This has to be seen in the light of the end of the Safe Harbor Agreement, triggered by the Austrian law student Max Schrems (see “EU versus Facebook”) in October 2015. “My personal guess is that the European BCR will not survive a similar kind of inspection by the European High Court,” says Tobias Höllwarth, VP of EuroCloud Europe. The Malta IT Law Association, in which I serve as Vice President, is collaborating with EuroCloud Europe on a project related to Cloud Privacy.
Höllwarth argues that no matter how well an individual agreement between two companies is worded, it will never overcome the core problem. “The core problem is that existing US law – related to the Patriot Act – shows in some areas a fundamental difference to existing European Law. Companies will not be able to overcome this issue even with BCRs.”
This seems to be the uncomfortable truth for the several thousand US Cloud Providers that store and process data of European customers. See the information from the US House of Representatives here, the ongoing court case of Microsoft versus the US (New Jersey case) here, and a pertinent article in the New York Law Journal here.
Naturally, the situation for European customers that wish to use Cloud Services delivered by providers outside the IT-Schengen area is presently a difficult one.
Despite the ingenious agreement between Microsoft and Deutsche Telekom to use Deutsche Telekom as trustee for Microsoft’s Azure and Office 365 services (see here), it is obvious that this cannot be a model for every cloud provider outside the EU.
Cover Photo by Flickr user ‘Duncan Hull’ used under Creative Commons Attribution 2.0 license. Image cropped.