
Data Protection Law & Policy

Current Issue (September 2014)

Volume: 11 Issue: 9




About Data Protection Law & Policy:

The monthly law journal which covers all aspects of data protection and data privacy: data transfer & outsourcing, marketing and e-marketing, freedom of information (FOI), employee monitoring, privacy compliance, online data acquisition and consent, personal data, website compliance and emerging technologies such as behavioural advertising, cloud computing and smart grids.

Why Binding Safe Processor Rules are key to global privacy

Ask any data protection officer or privacy counsel what tops their list of trepidations, and engaging global data services vendors will be up there. The combination of security threats and burdens, restrictions on international data transfers and data-hungry law enforcement authorities has turned delegating any data processing or storage operations to cloud service providers into an unnerving proposition. This is unfortunate, given all the practical benefits and the crucial role of cloud computing for the world’s economy and the information society. If we add to this the incessant scrutiny of Safe Harbor and the growing distrust surrounding technology giants which is part of the legacy of the post-Snowden era, things are not looking very rosy for the global guardians of our information. It need not be this way.

As a starting point, we must acknowledge the reality of today’s data handling ecosystem. Data processors – using European data protection jargon – know a lot more about the data uses going on than the customers themselves. Modern data processors often make key operational decisions about the way in which personal data is handled without any significant input from the controller. In addition, it is normally in the customer’s interest to delegate any decisions concerning the appropriate measures in place to safeguard the data to their suppliers. On top of that, we live in a world where global access to information is a given, so providers of global data services invariably rely on the open nature of the internet in order to maximise accessibility and cost efficiency. 

This challenging situation urgently requires a solution that is aligned with the decisive role that data services vendors play in making decisions about the right level of protection of our information and, hence, our privacy. This solution already exists and it consists of motivating global providers of data processing services to adopt and implement their own set of data protection rules from which their clients will benefit. These rules should be recognised by policy makers and regulators as providing appropriate safeguards that give customers the comfort they need, whilst allowing operational flexibility to the provider. The good news is that this concept – popularly known in Europe as Binding Corporate Rules for processors or Binding Safe Processor Rules (BSPR) – has now received the unconditional support of the EU data protection authorities, who are eager to secure full legislative recognition for this model. 

However, this is just the beginning. BSPR must evolve and come out of its European shell to become a global model for privacy protection. All responsible processors and leading cloud providers should feel compelled to follow this model - not just because of legal compliance requirements, but because the market will demand it and those who fail to adopt it will be outdone by their competitors. Crucially, as off-putting as following a European-flavoured approach to data protection rules may be for global data service providers, those rules can still be moulded so that they become truly global and, more importantly, practically viable. 

If that is the case, safe processors will have a very compelling message to give to their customers: please let us process your data and we will guarantee that wherever in the world the processing takes place, irrespective of the technology involved, the data will be protected in accordance with our own universally applied and internationally recognised standards. The real winners will not be the service providers or their customers. All of us – humble data subjects – will benefit from the protection deployed by those who best understand the technology and processes employed. Safe processors have a huge role to play in the quest for technology-savvy privacy protection. Those who take the lead through mechanisms such as BSPR will make a highly commendable contribution towards achieving the goal of protecting our privacy whilst delivering innovation. 


Eduardo Ustaran

