The European data protection authority (the Article 29 Working Party) recently announced that from 1 January 2013, binding corporate rules (BCRs) can be used by data processors when transferring any personal data that they process for their customers outside the European Economic Area (EEA).
BCRs set out policies, training procedures and audits in relation to data protection which, once approved by a Data Protection Commissioner in one of the EU member states, become legally binding on the parties to them. Previously only data controllers established BCRs.
This announcement will be of significance to both data controllers (as they may not have to negotiate new deals with data processors every time a transfer is needed) and data processors (who can increase their value proposition by adopting BCRs).
At present, only 29 organisations have approved BCRs in place, including Intel, BP and eBay. However, with this recent announcement, along with the ever-increasing regulation and enforcement of data protection laws, that number is sure to increase as data processors realise the commercial advantages of implementing BCRs.