GDPR: a new hope for the use of BCRs for cloud providers in Portugal
The General Data Protection Regulation (GDPR) recognises and preserves the transfer mechanisms that already exist under the Data Protection Directive for transfers of personal data to third countries which do not provide an adequate level of data protection.
Controllers and processors may transfer personal data outside the European Union (“EU”) / European Economic Area (“EEA”) if they have adduced appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. Those safeguards are intended to ensure that, after the transfer, the data is processed to the European standard of data protection and that data subjects retain the same rights they have in the EU.
Currently, the Portuguese Data Protection Law, which implemented the Directive, requires that any transfer to third countries outside the EU/EEA be authorised in advance. Whilst the EU Model Clauses have been accepted as providing appropriate safeguards, Binding Corporate Rules (“BCRs”), being company-specific, group-wide data protection policies, have never been considered admissible.
All transfers of data to entities located outside the EU/EEA on the basis of the EU Model Clauses have been categorised as “provisional” by the Portuguese Data Protection Authority (“CNPD”) since the decision of the CJEU that invalidated Safe Harbor. On 22 October 2015, the CNPD, following the position taken by the Article 29 Working Party, decided to revoke all existing authorisations of international transfers based on Safe Harbor and to issue only provisional authorisations for transfers relying on alternative mechanisms such as the EU Model Clauses. These remain provisional until the impact of the CJEU decision on the EU Model Clauses has been fully assessed, namely whether they are sufficient to guarantee an adequate level of data protection.
The position of the CNPD on BCRs has been not to admit their use, on the ground that under Portuguese law they are “unilateral self-binding declarations” and that “declarations of this kind cannot constitute a source of obligations under Portuguese law”. In addition, Portugal is not yet part of the mutual recognition process that would allow it to recognise another DPA’s finding that a set of BCRs provides adequate safeguards (http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/mutual_recognition/index_en.htm). Therefore, implementing BCRs in Portugal currently still requires a binding contract (a bilateral or multilateral agreement) signed by all parties involved in the data transfers, together with the corresponding authorisation filings with the CNPD.
The GDPR brings new hope for the application of BCRs, especially for cloud providers acting as processors, as BCRs are given specific recognition in the Regulation, which also sets out in detail the content they must include and the procedure under which they will be approved. However, unless the CNPD issues some clarification before then, we will have to wait until May 2018, when the GDPR becomes applicable, to actually put this to the test.
Article provided by: Ricardo Henriques, Abreu Advogados, Portugal
Discover more about the Cloud Privacy Check (CPC) / Data Privacy Compliance (DPC) project