At the doorstep of 2020, advocate general Hendrik Saugmandsgaard Øe (a.g.) rendered his opinion in the so-called “Schrems II case” and opined on how the European Court of Justice should deal with the GDPR’s regime for international data transfers. See here for a summary of the Schrems II case. In a series of blogs, we further elaborate on the consequences of that opinion and the impact it may have on current international data transfer practices. This update focuses on intra-group transfers based on Binding Corporate Rules (BCRs) as an alternative to the Standard Contractual Clauses (SCCs), which are under scrutiny.
Remember, the a.g. advised the Court to affirm the validity of Standard Contractual Clauses (SCCs) as a means of legitimizing transfers from the EEA to third countries. However, the a.g. also held that SCC-based transfers are only valid if the provisions in the SCCs are effectively complied with by the ‘data importer’. It is up to the data exporter to verify this on a case-by-case basis. In other words, the burden of proving that the local importer materially complies with the SCC obligations is put on the exporting data controller. This implies that the data exporter must inter alia assess the risk that its data recipients may be forced to surrender personal data to national security agencies.
If the Court follows the a.g.’s opinion, this local compliance assessment does not just concern the USA, but will be required for all third countries for which SCCs are used as a transfer vehicle. That may include major industrial nations such as Brazil, India and, after Brexit has taken place, potentially even the UK.
For intra-group transfers, Binding Corporate Rules (‘BCRs’) may be a more robust alternative. When using SCCs, multinationals will have to substantiate their position on whether their affiliates in ‘third countries’ can really comply with the SCC obligations. If this assessment turns out to be wrong, the data transfer will be unlawful with retroactive effect. In the BCR scenario, this assessment is made by the supervisory authorities. Companies that have BCRs in place can rely on the EDPB’s approval decision, whilst those using SCCs only have their (self-)assessment to rely on. The latter can be challenged by a Supervisory Authority at any time.
Binding Corporate Rules (BCRs)
Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of the EEA in compliance with the GDPR.
BCRs are drafted by the company, then reviewed by the supervisory authorities in the EU Member States and finally submitted to the EDPB for approval.
BCRs, once approved, are legally binding upon and applicable to every member of the Group. They expressly confer enforceable rights on data subjects with regard to the processing of their personal data. The BCRs will at minimum satisfy the baseline requirements laid down in Art. 47(2) GDPR. For the Group companies that are located in the EU this baseline does not really raise the bar – in fact, any self-respecting global privacy compliance program will meet this standard already.
BCRs as a compliance lever
Having BCRs in place means establishing a harmonized data privacy standard across the international Group. Although BCRs are designed as an international data transfer instrument, there can be more benefits to having them in place, such as:
- Gold Standard: BCRs are considered the “Gold standard” for data protection compliance, and only a limited number of companies can claim to have them. This can have significant commercial value, especially for companies that have customers with a heavy focus on regulatory compliance.
- Compliance Effectiveness: Where SCCs must be agreed in bilateral instruments between all Group Companies involved (which might involve hundreds of agreements and local assessments), the BCRs are binding upon all Group Companies ‘by design’.
- Agility and Efficiency: BCRs introduce a company-wide data privacy governance and policy framework. If the Group structure changes (for instance due to de-mergers, acquisitions and divestments), additional contracts or amendments have to be executed to put the SCCs in place. BCRs are often easier to push to new Group Companies.
- Regulator Approved Practices: In the absence of accredited GDPR certification mechanisms, BCRs are the only available instrument to get your data privacy practices ‘rubber stamped’.
BCRs are an attractive alternative to intra-group data transfer agreements, and if SCC-based transfers become subject to more scrutiny, the benefits of BCRs would only increase. Moreover, global data privacy programs could benefit from BCRs, not only as an ‘easier to drive’ data transfer vehicle, but also as a way of increasing operational efficiency and reaching out for regulatory blessings of the implemented compliance approach.