A new Explanatory Document aims to give data controllers and processors a better understanding of how to properly implement Binding Corporate Rules (BCRs) that comply with EU data protection law.

The Explanatory Document, issued by the European data protection authority (the Article 29 Working Party), will be of particular interest to those involved in, or looking at procuring, cloud computing services. Cloud computing is a growing area. However, there is a perception that there is a lack of certainty as to how the current legal and regulatory frameworks apply to the use of cloud computing services. The US Department of Commerce’s International Trade Administration recently published a report detailing how it considers the Safe Harbor Framework (an accepted standard for data transfers from the EU to the US) complies with the use of cloud computing services (see our previous article here). The new Explanatory Document seeks to clarify the same issue in relation to BCRs.

The Explanatory Document is a follow-up to a previous explanatory note which set out the criteria necessary for proper BCRs. It considers several key issues that must be addressed when drafting processor BCRs in order to ensure that they will be approved by the relevant data protection authority. These key provisions include the scope of the BCRs, further transfers to sub-processors and the internally binding nature of BCRs, as well as audit and review requirements.

BCRs, when implemented correctly, can result in huge competitive advantages for companies, allowing for increased value propositions resulting from the ability to transfer data to low cost economies for processing, while remaining fully compliant with applicable national and EU data protection law. With the emergence of cloud computing as a service, the relevance of BCRs, Safe Harbor and other data transfer framework models is extremely high.

To read more generally about BCRs, see our previous note here.