Last week, First Data Corporation, an electronic commerce and payment services company, announced that its binding corporate rules (“BCRs”) for data privacy had been authorised by the Information Commissioner’s Office (“ICO”). First Data is the eleventh company, and the first payment processor, to have received such authorisation.
First Data’s BCRs were authorised through the mutual recognition procedure, which is an accelerated approval process. Under this procedure, once the lead authority (in this case the ICO) considers that BCRs meet the relevant requirements, other EU data protection authorities can accept this opinion as a sufficient basis for providing their own authorisations. This procedure resulted in the approval of First Data’s BCRs across 18 EU member states. The entire process took approximately four years to complete.
BCRs are used to allow multi-national organisations to transfer personal data from the European Economic Area (“EEA”) to their affiliates situated outside the EEA in compliance with the 8th data protection principle of the Data Protection Act 1998 and Article 25 of Directive 95/46/EC, which provide that personal data cannot be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to the processing of personal data.
The main advantage of BCRs over other means of ensuring adequate safeguards is that once implemented, they can provide an effective framework for a variety of intra-group transfers. The authorisation process also helps to raise awareness of privacy concerns within an organisation as it requires consideration of the types of personal data that are transferred outside of the EEA and the introduction of staff training programmes.
The application process for obtaining authorisation for BCRs is rigorous and lengthy. ICO guidance states that companies should realistically allow 12 months for a straightforward application, from initiation of the mutual recognition procedure to approval. However, proposed changes to the EU legal framework for data protection may soon resolve this issue.
The European Commission has acknowledged that international data transfers are essential for doing business in today's global economy and has suggested that, as part of the package for reform, it will streamline current procedures. In particular the Commission has recognised the need to look further at the BCRs model.
Proposals for reform are due to be published by the end of January 2012.