Just five companies in the UK are authorised by the Information Commissioner's Office to use Binding Corporate Rules (BCRs) to transfer data outside of the EEA. Hyatt Hotels recently became the fifth company to use BCRs to transfer personal data from the UK to its other entities outside of the EEA.
No Irish companies have yet been authorised by the Data Protection Commissioner (DPC), as part of an Irish application, to use BCRs to transfer data from Ireland to outside of the EEA. However those BCRs in other countries are technically indirectly authorised by the Irish DPC as a result of their local application, and can transfer from Irish companies. The EU Data Protection Directive and the Data Protections Acts 1988 & 2003 impose certain conditions which must be satisfied before personal data can be transferred to third countries (i.e. countries outside of the EEA). BCRs were developed to facilitate multinational companies wishing to transfer personal data between its own companies on an international basis.
Organisations transferring personal data to third countries must ensure that the country in question provides an adequate level of data protection. The European Commission has prepared a list of countries pre-approved as having adequate data protection, including, Argentina, Canada, Switzerland, Guernsey, the Isle of Man, and Jersey. The US 'Safe Harbour' arrangement has also been approved to facilitate transfers of personal data to US organisations which have signed up to the arrangement. If the third country does not have an adequate standard of data protection then the data controller can use BCRs or use EU-approved model contracts or for international transfers within the company, or rely on one of the other alternative measures contained in the Acts.
BCRs have proved unpopular in the past due to delays in the approval process. Unlike the EU approved "model contracts", BCRs are required to be individually approved by the Data Protection Authority (DPA) in each country where a business has a legal presence.
Recent efforts have been made to remove delays in the approval process and make BCRs more workable. Last year a number of DPAs signed up to a mutual recognition declaration, with the result that when one DPA circulates a draft of the BCR with a positive opinion, other DPAs accept this opinion as sufficient basis for facilitating authorisation for the BCR in their jurisdiction. Despite this effort at streamlining the process to encourage more companies make use of BCRs, EU-approved model contracts so far remain the more popular means by which companies may transfer to data to third countries.