The Information Commissioners Office in the UK has approved more Binding Corporate Rules (BCR) than any other EU Data Protection Authority and this year has been particularly busy in approving BCR for a number of well known organisations.
Ebay had their BCR approved in March, Novo Nordisk had theirs approved in May, Linklaters had theirs approved in June, Citigroup had theirs approved in June (but with a start date of June 2013) and in September Intel had their BCR consisting of the Intel corporate privacy rules deed poll approved.
The increasing use of BCR coupled with the proposal to simplify BCR in the draft EU Data Protection Regulation points to this mode of data transfer solutions as an increasing choice for large multinationals.
On 6th June last year the Article 29 Data Protection Working Party published Working Party Document 195 setting up a table with the elements and principles to be found in Processor Binding Corporate Rules (PBCR).
This presents businesses operating in the EU, as data processors as opposed data controllers, with an opportunity to find a one-off alternative solution to the current EU model contracts for controller to processor transfers of data, both within the EU as well as outside the EU.
The criteria laid out in WP 195 mirrors the representations and warranties in the current model controller to processor clauses and thus should not present any more onerous duties than a processor would currently be used to.
Although it may take some time for PBCR to find an easy approval mechanism this is a solution that many businesses should immediately investigate.