On 24 March, the French data protection authority (Commission Nationale de l’Informatique et Libertés – the “CNIL”) announced that it will soon make easier the practical implementation of intra-group transfers of data from French entities to entities located outside the European Union where groups of companies have adopted Binding Corporate Rules (BCRs). BCRs are becoming increasingly popular among multinationals as a legal means for providing adequate protection to personal data (covered by EU Data Protection Directive 95/46/EC) which are transferred from the European Union to countries that are not considered to provide an adequate level of protection by the European Commission. In the CNIL’s view, the implementation of BCRs shows a strong commitment from multinational organisations to protect personal data. Indeed, the CNIL has been a champion of the emerging “BCR for processors” initiative which is also prompting interest from sophisticated processors who operate globally.
Currently, data controllers subject to French data protection law who have obtained BCR approval (whether the CNIL was the lead data protection authority or not) must also obtain the CNIL’s prior approval every time the data controller implements a new type of data transfer outside the European Union. This procedure considerably slows down businesses making data transfers, and BCRs therefore become more burdensome in practice than other legal means available for providing adequate protection to personal data transferred outside the European Union, such as the Safe Harbor scheme and the use of Standard Contractual Clauses.
So that the French entities concerned can avoid going through this process, the CNIL has decided to grant a “personalised” single decision (“Autorisation unique“) to group entities that have adopted BCRs and are subject to French data protection legislation. The relevant entities will simply need to file an online declaration once whereby they undertake to comply with the terms of the single decision before transferring personal data to entities within their group which are located outside the European Union. There will be no need to request an authorisation from the CNIL for each category of transfer.
The CNIL requests that the data controllers concerned keep a record of all transfers implemented in accordance with the terms of the single decision issued, along with the following information:
- The general purpose of each transfer based on the BCRs;
- The categories of data subjects concerned by the transfer;
- The categories of personal data transferred;
- The information on each data recipient (name of the company, group of companies to which it relates and the type of BCRs adopted, country of establishment, categories of recipients, and nature of the processing operated by the recipient).
The CNIL may ask for this information at any time. The CNIL has indicated that it will contact more than sixty multinational organisations within the next few weeks in order to define the content of their respective single decisions.
This step towards a simplified implementation of BCRs from a French perspective will hopefully lead to more and more multinationals adopting BCRs, in particular given that the Safe Harbor scheme, one of the other legal means for providing adequate protection to personal data transferred from the European Union to the United States, has been under attack recently. This simplification measure is in line with the upcoming European Regulation (GDPR) which requires, at this stage, that BCRs be approved by one national data protection authority. The GDPR would then not require a prior approval for each category of transfers. The GDPR will also impose accountability obligations consistent with the documentation requirements contained in the new CNIL “single authorisation”.
This simplification will have no consequences for French entities transferring data outside the European Union under the US Safe Harbor scheme or relying on contracts based upon the EU approved Standard Contractual Clauses.