Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to affiliates located outside the EEA in compliance with the 1995 EU Data Protection Directive.
The Directive provides that personal data can only be transferred to a country outside the EEA in accordance with specific requirements. Data controllers must therefore ensure that all data transfers comply with the relevant requirements.
Failure to comply with the Directive can lead to enforcement and liability issues for the relevant data controller.
BCRs are only one of the options available for ensuring compliance with the international data transfer rules. Alternative options include Safe Harbor (for US data transfers only) and the EU-approved Standard Model Clauses. Identifying the most appropriate data transfer option (or combination of options) requires an analysis of the business and operations of the relevant organisation. Our expert team can assist with this.
Overview of BCRs
BCRs are a set of legally enforceable rules for the processing of personal data. These rules ensure that adequate safeguards are in place to protect the rights of data subjects when personal data are transferred between members of a corporate group to countries outside the EEA that do not have the legally required level of protection.
BCRs must be approved by the relevant national data protection authority. In Ireland, this is the Office of the Data Protection Commissioner.
An application for approval of BCRs should be submitted to the data protection authority in the country where the EU headquarters of the organisation is located or where the part of the organisation best placed to take responsibility for global data protection compliance is located.
Organisations with approved BCRs in place include Intel, Citigroup and eBay.
BCRs are particularly suited to multinational companies that want to regulate intra-group transfers on a worldwide basis to ensure compliance with requirements on the transfer of personal data outside the EEA.
BCRs must address all aspects of proposed transfers, including:
- The scope and type of the data that will be transferred
- The legal basis for processing data
- The rights of data subjects
- Security and confidentiality aspects of any transfer
- The identity of the recipients/processors of the data
- Complaints mechanisms
Advantages & Disadvantages
Advantages of BCRs:
- BCRs can provide a framework for a wide variety of intra-group transfers.
- BCRs avoid the difficulty of having to implement and maintain a matrix of contracts between individual group members.
- BCRs provide a significant degree of flexibility for corporate groups as data protection authorities generally do not need to approve updates to BCRs.
- BCRs set a high standard for data protection compliance, reducing the exposure of organisations.
- Implementing BCRs raises awareness of data protection within an organisation and can cement or improve a company’s internal processes for privacy compliance.
- BCRs can enhance a company’s value proposition as they demonstrate a commitment to data protection.
Disadvantages of BCRs:
- BCRs apply only to transfers of data within a corporate group. They cannot be used to cover international transfers of personal data to companies that are outside the corporate group.
- The approval process can be intensive and drawn out. Some authorities insist on approving specific data transfers even after BCRs have been approved.
- BCRs are not universally applicable and therefore an assessment must be conducted as to whether they are appropriate for a particular organisation.
BCRs for Data Processors
Since 1 January 2013, BCRs can be used by data processors when transferring personal data outside the EEA. Historically, the use of BCRs was confined to data controllers.
Data processors can now increase their value proposition by adopting BCRs and can avail of the associated benefits. The change also means that data controllers may not have to negotiate new deals with data processors every time a transfer is needed.
The extension of the BCR regime to data processors is likely to be of keen interest to major data processors, for example, those operating in the cloud computing sector.
This extension will also be particularly useful for data processors: although BCRs apply only to intra-group data transfers, they can bring broader customer-facing advantages by giving a company greater flexibility in carrying out international data transfers.
Expert guidance is often required to assess whether BCRs are the right fit for an organisation, to determine the appropriate data protection authority to which an application for approval should be submitted and to prepare the BCR documentation.
Key documents that need to be prepared before submitting BCRs for approval include:
- Main principles document
- Documents detailing third party rights
- Application form
- Documents demonstrating the binding nature of the BCRs throughout the organisation
- Documents showing a commitment to the BCRs throughout the organisation (e.g. policies, audit procedures, etc.)