It is difficult to recall a time when the issue of personal data transfers from the European Economic Area ("EEA") has been as widely and hotly debated as it has over the past year or so. Significant movements during the past year saw not only continued discussion in connection with the draft EU Regulation ("Draft Regulation") to replace the existing EU Data Protection Directive but also concerns following the revelations of former U.S. National Security Agency contractor Edward Snowden, amongst other things. "Where is data going?", "Who is receiving it?", "On what basis are companies transferring data?" and "Are those transfers lawful?" are all questions brought into fresh focus.
In our earlier article, "Personal Data Transfers from the European Economic Area: Time to Consider Binding Corporate Rules 2.0" (see WDPR, April 2013, page 4), we proposed that, for a variety of reasons, Binding Corporate Rules ("BCRs") were worthy of fresh consideration by companies operating internationally as a way to adequately safeguard personal data transferred out of the EEA, thereby ensuring that their transfers are compliant with EU data protection laws relating to extra-EEA transfers.
In this article, we consider whether the same is still true, or even more valid, one year on, assessing the current status of other routes to ensuring that transfers are "adequately safeguarded", i.e., the EU-U.S. Safe Harbor Program ("Safe Harbor Program") and Model Contract Clauses ("MCCs").
In concluding that the merits of BCRs have in fact been enhanced over recent months, we also draw upon pan-EU BCR filing experience to provide what we hope is helpful insight into some of the practical aspects of filing a BCR application, and some of the factors to consider when selecting which EU data protection authority should deal with an application.
This article was originally published in the February 2014, Volume 14, Number 3 issue of Bloomberg BNA's World Data Protection Report.