On 14 June 2012, Citigroup Inc became the latest of 15 international companies to obtain approval of its Binding Corporate Rules from the UK Information Commissioner’s Office.
Approval of its BCRs will give Citigroup a new and flexible way to ensure that any transfers of personal data around its global operations meet the strict European rules on international data transfers. High profile adopters such as Citigroup, coupled with increased cooperation between European regulators, mean that this may be the start of a wave of approvals as companies seek a commercial solution to this familiar challenge.
BCRs are essentially a set of intra-group governance policies, agreements, declarations and undertakings relating to the transfer of data within a group company structure. They are designed to allow multinational companies to export personal data from the EEA to other group entities in territories located outside the EEA. European data protection law prohibits such transfers unless the relevant territory provides an adequate level of protection for personal data. There are 30 countries in the EEA (the EU Member States, plus Norway, Iceland and Liechtenstein), and an additional nine territories outside the EEA have been deemed by the European Commission to provide adequate protection for the rights of data subjects (Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey and Switzerland).
Where a transfer is carried out by a UK-established company to other members of its group outside the EEA, the transfer must comply with the eighth data protection principle (Eighth Principle) and Article 25 of the Data Protection Directive (95/46/EC) (the Directive). Compliance can be achieved if such transfers are governed by a set of legally enforceable BCRs which have been approved by the ICO.
BCRs can be a flexible alternative to the other frameworks currently in place to enable multinational companies to comply with the Eighth Principle when transferring personal data within the corporate group.
Although the uptake of BCRs began slowly in 2005, there have been 13 successful applications in the UK since April 2009. Four of these have been made during 2012 alone.
The other options available to data controllers for compliance with the Eighth Principle include the Safe Harbor Scheme for EEA/US data transfers, model contract clauses, consent of the data subject and data controller’s own finding of adequacy.
Once developed and operational, BCRs can provide a framework for a variety of intra-group transfers throughout an organisation. BCRs are maintained via an ongoing obligation on the data controller to monitor compliance, regularly provide training to employees and conduct regular internal audits.
Key benefits of BCRs include:
- Awareness: a significant increase in staff awareness of data protection compliance is an inevitable by-product of the stringent training and strategy requirements which form part of the approvals process. The company’s data protection policy is also likely to be communicated externally.
- Flexibility: if drafted widely enough, BCRs should be able to support changes in the company structure and some variation in the flows of data transfer taking place.
- Ease: BCRs remove the need to rely on one of the more onerous options available for compliance with the Eighth Principle in respect of data transfers taking place. For example, in a complex organisation, compliance using contracts based on the model clauses can run into hundreds of individual contracts.
BCRs offer an efficient approach to safeguarding personal data as it is transferred internationally. It is often impractical for large international corporations with complex structures to put in place numerous contracts to cover transfers between all group companies, which must then be kept up to date with a changing corporate structure and constantly flowing data. The BCRs harmonise the group’s practices relating to the protection of data and help to manage risks resulting from the data transfers to countries which offer lower levels of protection for personal data than the EEA.
It should be noted that BCRs do not provide a basis for transfers made outside a corporate group.
The application procedure has been designed to avoid companies having to approach each individual Data Protection Authority (DPA) separately. The applicant company must select a DPA to be the lead authority. This is determined by the location of the European headquarters of the company or the most appropriate European location to take the responsibility for the company’s global data protection compliance. Once the lead authority is satisfied with the adequacy of the safeguards put in place by the BCRs, it will refer the application to the other European DPAs for approval.
Applicants must demonstrate to the lead authority that their BCRs establish adequate safeguards for the protection of personal data throughout their organisation. In the UK, the ICO encourages companies to use the standard application form (WP133) and the model checklist (WP108) prepared by the Article 29 Working Party (an independent European policy body which advises the European Commission on data protection) when submitting their application.
In the UK, an authorisation is given on the basis that the BCRs satisfy the requirements of the Working Party’s paper, WP74, in that they provide adequate safeguards within the meaning of Article 26(2) of the Directive. WP74 was adopted by the Article 29 Working Party in 2003 and includes, among other things, observations on the substantive content that should be included in BCRs and how compliance with the Eighth Principle through BCRs can be achieved.
Key features of this content are unilateral declarations by a company that its group companies will perform in a certain way in relation to data transfers. However, one problem with BCRs is that, in some Member States, the national law does not recognise the concept of unilateral declarations. In these territories, the applicant may have to find another solution which is enforceable under the laws of the relevant Member State. BCRs are therefore not always the perfect pan-European solution that it was hoped they would be. Another disadvantage of BCRs is the length of time it takes to achieve approval. Even a straightforward application could take 12 months to conclude, and there may be delays in the authorisation process within the other DPAs. The ability of the applicant to respond promptly to the comments made by the DPAs will also affect the timescale for the application.
Mutual recognition is a development which has improved the BCR process. If the lead DPA is satisfied that the BCRs provide adequate safeguards, then other DPAs can accept its findings without further scrutiny. Since 19 April 2011, 19 countries have taken part in such mutual recognition, including the UK.
Having seen the rise in successful BCR applications in the past year, it is likely that over the course of the next 12 months more companies with international operations will submit their own applications to the ICO. Companies whose BCRs have been approved to date include Linklaters LLP, JPMorgan Chase & Co, BP plc, Accenture Limited and eBay Inc.
Organisations that may particularly benefit from using BCRs are those in the US financial services and telecommunications sectors because, at present, companies in those sectors are not able to take advantage of the US Safe Harbor Scheme.
The ICO and other DPAs are aware of the drawbacks of the BCR model and are working on ways to address these concerns. The growing emphasis on cooperation between DPAs is giving BCRs significant momentum for the first time. As the BCR application process becomes more streamlined, companies will have increased confidence in the BCR process and we are likely to see more companies benefiting from approved status.