Multinationals increasingly turning to BCRs as providing more legal certainty for personal data transfers from the EU

The EU General Data Protection Regulation (“GDPR”) brought about stricter data protection rules, and increased penalties for breaching these rules. For many multinationals this has led to reconsidering their framework for transferring personal data from the EU to third countries.

The prevailing trend so far has been to use the Standard Contractual Clauses (“SCCs”) approved by the European Commission to legitimise any personal data transfers from the EU to third countries. While SCC are still far and away the most common means of safeguarding personal data transferred from the EU, Binding Corporate Rules (“BCRs”) are gaining traction.

What are BCRs?

BCRs are binding data transfer agreements among related entities or entities with a joint economic activity, approved by an EU supervisory authority; specifically: “personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity” (Article 4(20) GDPR). Article 47 GDPR lays down several criteria that BCRs need to meet in order to be approved by a supervisory authority. Most notably, BCRs must be legally binding and enforceable upon all members of the group of undertakings, including their employees, and include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data (see also Recital 110 GDPR).

If all applicable conditions are met and the BCRs are approved, they will serve as a valid safeguard for transferring personal data from the EU to third countries between the members of the group of undertakings. This also means that these members will not need any other safeguards – such as SCCs – to justify intragroup transfers.

Why are BCRs gaining popularity?

There are several reasons why multinationals are choosing to adopt BCRs with greater frequency:

1. Gold plating your data protection compliance programme

Drafting BCRs, obtaining approval and implementing are time-consuming, but completing this exercise serves as a stamp of quality and accountability. Having BCRs means that a company’s data protection framework is well-designed and that all proper safeguards are put in place to ensure that the company does not mishandle personal data. Groups with BCRs tend to display greater awareness of and resource allocation to data protection and should logically have lower overall risk of infringing GDPR requirements.

2. Following market leaders

Besides serving as a gold standard for data protection in general, many companies also view BCRs as a necessary benchmark in their market sector. When looking at the lists of groups that have adopted BCRs, it is clear that most operate in highly regulated sectors, such as financial services, pharmaceutical or energy, or in the technology services industry. Nowadays, there are few large market players in these sectors that have not yet adopted BCRs.

This is somewhat of a self-fulfilling prophecy, meaning as more companies in a given market sector start adopting BCRs, the more likely that customers will consider BCRs the norm, pushing other market players to adopt BCRs.

3. Avoiding uncertainty over the future of the SCCs

The final noteworthy reason why BCRs are gaining popularity lies in the fact that the validity of SCCs is under legal challenge. In the context of the so-called “Schrems 2.0” case, the Court of Justice of the European Union will need to decide whether the SCCs truly afford a sufficient level of protection and adequate remedies to data subjects in accordance with Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union. For more information about the potential implications of this judgment, please read our earlier blog post here.

The risks of business interruption and overall uncertainty over the legality of data transfers from the EU could be disastrous to many companies. If the CJEU does take the approach that the SCCs violate the Charter and nullifies SCCs, companies relying on SCC for their data transfers will need to quickly find alternatives.

What to consider before adopting BCRs?

Although BCRs offer several advantages and benefits, getting them approved can be a lengthy and costly process. In order to optimise time and resources, multinationals need to consider key issues early on:

  • Material scope – which categories of personal data will be covered by the BCRs? Companies may limit their international data transfers to only that which is necessary for their business. It could be that a company only shares HR data among the group, but client personal data remains with each affiliate. It may also be that a company decides to limit the scope of the BCRs to business contacts, applying other data transfer mechanisms for the transfer of e.g. employee data.
  • Territorial scope – to which third countries will personal data be transferred? Depending on the data flows occurring within the group, a company may adjust the territorial scope of the BCRs. The BCRs can either apply to personal data transferred from the EU to a selection of third countries or to all third countries where the company is active. Alternatively, a company may decide that the BCRs constitute the company’s global data protection standards and that they apply to all transfer of personal data within the group, regardless of whether or not the processing of personal data falls within the scope of the GDPR.
  • Lead EU entity – which company from the group will be primarily responsible for enforcing the BCRs and being held liable for any breaches of the BCRs? This will also determine the Supervisory Authority with which the BCRs will need to be submitted for approval and with which the group will have to negotiate for the adoption of the BCRs. The choice of the Lead Supervisory Authority will be of particular importance, in particular with regard to the delay to have the BCRs approved. While the adoption of the BCRs usually necessitates from one year to eighteen months, some Supervisory Authorities have stated that it would take them up to three years to examine BCRs application.
  • Level of stringency of the BCRs – whether the BCRs will lay down any additional rules or safeguards, beyond those necessarily mandated by the GDPR? While BCRs can provide an opportunity to become a data protection champion in the market by abiding by the best practices in the field, it is just as important not to make promises that cannot be upheld. Companies have to be aware that if a more stringent rule is included in the BCRs, and later infringed, it will not be possible to fall back on the argument that the GDPR did not mandate such a rule.

On 10 October 2018, Equinix, a multinational IT company, became the first company to have its BCRs approved by the EDPB in accordance with the GDPR procedure.