In the United States companies are permitted to transfer personal information – including sensitive personal information – as needed between their offices, locations, and corporate affiliates. For example there are no restrictions that prevent a company from sending personal information collected within the US to a company data center located outside of the US.
In the European Union, the EU Data Protection Directive 95/46/EC (the “Directive”) creates a legal framework for the national data protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed. Few exemptions apply, and the laws of the United States are not considered by the European Union as providing an adequate level of data protection. As a result, a company intending to transfer personal information from the EU into the United States had to take an additional step to verify that the data would be treated with an “adequate” level of protection when it arrived in the US. After the Safe Harbor was invalidated, there are functionally only two verification steps that would satisfy the adequacy requirement: (1) have the receiving and transmitting entities enter into a template contract that was pre-approved by the EU Commission, or (2) have a multinational company that is sending data to an affiliated entity in another country enter into Binding Corporate Rules (“BCR”).
The law in the European Union is changing, with a new General Data Protection Regulation (“GDPR”) going into effect in 2018. Not only does the GDPR recognize the validity of BCRs that were approved under the EU Directive,[2] it codifies the availability of the BCR solution and codifies the minimum requirements which organizations must meet in order to obtain approval for a BCR.[3]
When drafting BCRs a company must include, among other things, the following provisions:
- Organizational Structure. A description of the structure and contact information of each member of the multinational company.[4]
- Data Transfers Envisioned. A description of the categories of personal data, the type of processing, the purpose of the processing and the impacted data subjects that are envisioned. You must also include a list of the third countries to which information will be transferred.[5]
- Legally Binding. An affirmation that the rules are intended to be legally binding upon the organization.[6]
- Application of Privacy Principles. An explanation of how the organization intends to apply basic privacy principles such as data minimization, limited data retention, security by design, etc.[7]
- Rights of Data Subjects. An explanation of what rights the organization will provide data subjects, and how data subjects can exercise those rights.[8]
- Acknowledgment of Potential Liability. The portion of the multinational organization that is based in the EU must acknowledge that it will be liable for a breach of the BCRs committed by any member of the organization that is not based in the EU.[9]
- Monitoring Compliance. How compliance with the BCRs will be monitored internally.[10]
- Communicating with Data Subjects. How the organization will communicate information about the BCRs to data subjects and how data subjects may submit complaints about privacy or security practices.
- Data Protection Training. How employees will be trained with regard to their obligations under the BCR.[12]
- Cooperation with Regulators. A commitment that all intercompany members will cooperate with regulators to confirm that the BCRs are complied with, including a willingness to make available to regulators the results of data protection audits performed within the corporate group.[13]