Binding Corporate Rules (BCRs) are increasingly an option being considered by multinational organisations as a method for legitimising cross-border data flows within a corporate group - even more so since Safe Harbour is no longer an option to legitimise data transfers from the EU to the US.  However, the number of companies that actually go through the process of adopting BCRs remains relatively low due to the lengthy and costly approval process and other perceived disadvantages such as inflexibility, limited scope of coverage and lack of harmonisation across the EU.  Moreover, there is uncertainty as to what BCRs will look like under the incoming GDPR.  Here is a brief update about which regulators accept BCRs, how many companies have implemented BCRs and where things are heading under the GDPR.

BCRs – A Quick Reminder

As a general rule, the EU Data Protection Directive requires all EEA countries (i.e., the EU countries plus Iceland, Norway and Liechtenstein) to prohibit transfers of personal data to countries outside the EEA unless those countries ensure an adequate level of privacy protection.  However, this rule is subject to exceptions.  For example, EEA countries may allow the transfer of data to third countries not offering an adequate level of privacy protection if the controller adduces adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals.  In 2003, the Article 29 Working Party introduced the concept of BCRs as one option for controllers to adduce those adequate safeguards.  

In a nutshell, BCRs are a set of binding rules or code of conduct which multinational organisations may choose to draw-up and implement within the organisation in order to legitimise cross-border data transfers within their corporate group.  BCRs essentially impose EU privacy standards on an organisation’s affiliates outside the EU in order to allow those affiliates to process data originating from the EU.

Which Countries Recognise BCRs?

The EU Data Protection Directive does not list BCRs as a mandatory derogation from the general prohibition on data transfers outside the EEA.  Rather, it gives EEA countries the option to authorise those data transfers where the controller adduces adequate safeguards.  Consequently, the respective national DPAs are free to choose whether or not to accept BCRs as a means of legitimising otherwise prohibited data transfers.   However, with Hungary being the latest country to accept BCRs (as of 1 October 2015), Portugal is now the only EEA country that does not recognise BCRs.

Which DPAs Participate In The Mutual Recognition Procedure?

The BCR application and approval process is an arduous and lengthy procedure.  To streamline the process, a number of EEA DPAs have adopted the so-called “mutual recognition procedure” (MRP) meaning that once the chosen lead DPA approves a set of proposed BCRs, the other participating DPAs accept this opinion as a sufficient basis for providing their own approval.  Of the 30 EEA countries that recognise BCRs, 21 recognise the MRP.

Click here to view a table providing an overview of which EEA countries accept/reject BCRs and the MRP.

How Many Companies Have Implemented BCRs?

Currently 72 companies (click here for a list) have completed the BCR approval process.  Applicants come from a wide range of industries and include, for example, financial institutions, IT companies and luxury fashion brands.  The French regulator tops the list as the lead DPA for 24 approval processes, closely followed by the UK regulator having acted as lead DPA for 20 approvals.  The Dutch regulator comes third with 12 approval processes.

Will BCRs Be Recognised Under The GDPR?

BCRs will be retained and formally recognised under the GDPR.  While the details are still unclear, the BCR approval process will likely be slightly more streamlined and harmonised across all EEA countries with additional country-specific notification or authorisation requirements being eliminated.   However, this does not mean that businesses should shelve their BCR applications until the GDPR comes into force.  Given the lead time involved in achieving formal BCRs approval, those businesses that would benefit from BCRs should start the implementation process irrespective of the GDPR developments.