EU data protection authorities have announced that, with effect from January 1, 2013, data processors may avail of Binding Corporate Rules (BCRs).
BCRs are codes of practice which allow multi-national corporations to transfer personal data between group companies in different jurisdictions in compliance with data protection obligations.
Under EU data protection law, it is generally prohibited to transfer personal data to countries outside the European Economic Area which are regarded by the European Commission as not providing adequate protection for personal data. There are a number of exceptions to this prohibition, including obtaining user consent to transfer, executing EU Commission-approved model contracts, and implementing BCRs.
Previously, BCRs were only available to data controllers. This meant that corporate groups could only use BCRs to regulate the transfer of data controlled by them, for example, data in relation to their own employees, customers etc. Now, however, companies processing data on the instructions of data controllers (for example, service providers) will be able to avail of BCRs for intra-group transfers.
Another welcome development is that BCRs (for both controllers and processors) now require the approval of only one data protection authority. Once approved by this “lead” data protection authority, the BCRs will be recognised by a majority of EU data protection authorities. Previously, BCRs had to be approved by the data protection authority in each EU Member State from which data was being transferred.
It is expected that the new regime in relation to BCRs will be of particular benefit to companies that specialise in general outsourcing, data centre, or cloud computing activities.