The Article 29 Working Party has designed a “toolbox” composed of a framework, a checklist, and frequently asked questions (FAQs) to assist multinational companies with the implementation of binding corporate rules. The Working Party hopes that it will foster the use of binding corporate rules as a legal basis for cross-border transfers of personal data.

Binding corporate rules (BCRs) are internal rules adopted by multinational corporations to facilitate intra-group transfers of personal data in compliance with data privacy laws worldwide. More and more multinational corporate groups that routinely exchange personal data on a global basis are discovering BCRs as a possible alternative to the EU/U.S. Safe Harbor or the European Commission’s Standard Contractual Clauses to export data outside Europe.

As background, the EU Data Protection Directive allows personal data to be transferred outside the European Economic Area (EEA) only if the importing country provides an “adequate level of protection” for personal data or if the data controller adduces adequate safeguards with respect to the protection of privacy.

Adherence to the EU/U.S. Safe Harbor, adoption of the European Commission’s Standard Contractual Clauses, and the use of BCRs are different ways for companies to demonstrate that such adequate safeguards are in place. Compared to other data transfer options, BCRs offer a global and simplified solution, especially for large international groups that would otherwise have to enter into a myriad of data transfer contracts with their different corporate entities worldwide.

The Working Party has been actively promoting the use of BCRs for more than five years, but so far relatively few multinational companies (e.g., DaimlerChrysler, General Electric, and Shell) have adopted BCRs to self-regulate aspects of their international data transfers. The Working Party attributes this lack of popularity partly to misconceptions about the scope, impact, and approval process of BCRs.

In particular, the length and complexity of the approval process — in most EU Member States, BCRs must be approved by the relevant data protection authority before their implementation — appear to discourage some multinational groups from adopting BCRs.

In 2005, as an attempt to reduce administrative burdens for BCR applicants, the Working Party designed a coordination procedure for data protection authorities reviewing draft BCRs as well as a checklist to assist companies applying for approval of their BCRs. The coordination procedure simplifies the BCR approval application process considerably, as it allows applications to be submitted to one “lead” data protection authority, which is to coordinate with the other data protection authorities to streamline the approval process.

In addition, last year the Working Party introduced a standard application form for use by companies seeking approval of BCRs, which aims to ensure that applicants provide all information necessary to assess the BCRs at the outset. Both the coordination procedure and the standard application form should — at least in theory — make the BCR approval process more efficient.

On June 24, 2008, the Working Party provided further guidance to companies applying for BCR approval by releasing a BCR “toolbox,” designed specifically for applicants and data protection authorities. The toolbox consists of a framework for BCRs, an updated and revised checklist, and FAQs related to BCRs.

  • The BCR framework provides suggested content and structure for BCRs. However, it does not include model BCRs, so companies will still need to design and customize their own rules, taking into account their group structure and data processing activities, as well as the policies and procedures that will be implemented to ensure privacy protection.
  • The new BCR checklist consists of a table that clarifies what content should be included in BCRs and what information should be provided to the data protection authorities when applying for BCR approval (using the 2007 standard application form). The checklist also provides further explanations and comments with regard to the required content, summarizing previous guidance from the Working Party. Particularly useful for BCR applicants — and their legal advisors — are references to the Working Party’s relevant guidance documents.
  • The FAQs have been drafted based on experience of the Working Party’s members in dealing with BCR applications. They are rather limited in scope (only six questions and answers), but the Working Party intends to update them regularly. Some clarifications in these FAQs are particularly helpful, as they shed light on controversial issues, such as the possibility for a multinational group to have a single set of rules while at the same time limiting third-party beneficiary rights in the BCRs to personal data transferred from the EEA. As a general rule, BCRs should be enforced internally, but they should also grant third-party beneficiary rights to individuals who may, if necessary, turn to the data protection authorities and courts for enforcement. Another example is the relationship with data processors based outside the EEA which are not part of the corporate group. In that case, the corporate group adopting the BCRs can seek to adduce adequate protection via data transfer contracts (e.g., the European Commission’s Standard Contractual Clauses) or by subjecting the data processors to the BCRs’ provisions.

Multinational companies planning to adopt BCRs, as well as privacy counsel, will welcome the BCR toolbox, as it will enable them to prepare for the BCR approval process more efficiently. However, one major concern that remains is the fact that many data protection authorities do not have sufficient staff dedicated to BCRs, which may lead to long review periods.

The Working Party is aware of this problem and is currently working on the improvement of its 2005 coordination procedure for BCRs in order to streamline the process.

FOR MORE INFORMATION

The Article 29 Working Party Working Documents:

(1) Working Document for setting up a table with elements and principles to be found in Binding Corporate Rules (WP 153).

(2) Working Document for setting up a framework for the structure of Binding Corporate Rules (WP 154).

(3) Working Document of FAQs related to Binding Corporate Rules (WP 155).
