Background – data exports outside EEA
EU data protection legislation provides that personal data may only be transferred to countries outside the European Economic Area (“EEA”) when the country of final destination ensures an adequate level of protection of the privacy and fundamental rights and freedoms of individuals (article 25 of EU Directive 95/46, to be replaced by article 44 of the EU General Data Protection Regulation as from 25 May 2018). The European Commission has approved a so-called ‘white list’ of countries considered to provide such ‘adequate’ safeguards.
If the destination country’s level of protection is deemed to be adequate, personal data can be transferred as if the transfer took place within the EEA. When a country is not recognised as offering adequate safeguards, there are other grounds allowing for data transfers: (i) EU standard contractual clauses incorporated in a written data transfer agreement, (ii) ‘Binding Corporate Rules’ adopted within multinational groups, or (iii) exceptions established by law (e.g. opt-in consent).
‘Binding Corporate Rules’
Binding Corporate Rules (“BCRs”) are internal rules (such as a code of conduct) adopted by a multinational group that define its global policy on international data transfers between the group’s entities. They focus in particular on transfers to affiliates located in countries that do not provide adequate safeguards.
These internal rules are meant to ensure that all data transfers within the group benefit from an adequate level of protection, regardless of the country of destination. In addition, BCRs remove the need to sign standard contractual clauses for each individual transfer of personal data to a country that does not provide an adequate level of protection.
In Belgium, the requirements and procedure for the formal authorisation of BCRs for data controllers were set out in a Protocol Agreement of 13 July 2011 between the Ministry of Justice and the Belgian Privacy Commission.
The Belgian authorisation procedure for BCRs requires a standard form to be submitted to the Belgian Privacy Commission, accompanied by the draft BCRs and a list of other relevant information (including a list of the group entities concerned, a description of the data flows from Belgium, a list of importers, the purposes of the data processing, the categories of data and of data subjects, etc.). Explanations must also be provided on how the Belgian group entities are legally bound by the BCRs, and on how the entities that accept liability for breaches committed outside the EU are legally bound by the BCRs.
As soon as the Privacy Commission considers the case file complete, it informs the multinational and the Ministry of Justice. The Ministry of Justice then submits an official request for an opinion to the Privacy Commission. If the opinion is favourable, the Privacy Commission draws up a draft royal decree based on the model in the protocol agreement. The draft decree is then submitted to the Ministry of Justice, signed by the King, and published in the Belgian Official Journal.
BCRs were initially intended for multinationals acting as data controllers.
In 2012, the Article 29 Working Party decided to set up a regime for binding corporate rules for data processors as well (list of conditions for Processor BCRs: WP195; explanatory document: WP204). As from January 2013, the framework for BCRs for multinational data processors (for data they process on behalf of their customers, e.g. in the context of outsourcing services or cloud computing services) became effective.
Processors are now also able to put BCRs in place to legitimise their international data transfers in compliance with EU data protection legislation. Although the use of BCRs is not mandatory for processors, it creates advantages for both processors and controllers: once approved, ‘processor BCRs’ can be relied on by both the processor and the controller to ensure compliance with EU data protection legislation, without having to negotiate ‘adequate’ safeguards for each individual contract.
The authorisation procedure for processor BCRs is the same as the procedure for data controller BCRs. It is based on a coordinated process enabling multinationals to apply to one ‘lead’ data protection authority (“DPA”) – instead of having to apply to the various DPAs involved in the data transfer – and on a system of mutual recognition.
In Belgium, the Protocol Agreement of 13 July 2011 has now been replaced by a new Protocol Agreement of 3 October 2016, formally extending the existing BCRs authorisation procedure to the new ‘Processor BCRs’.