The Information Commissioner’s Office (ICO) has approved Binding Corporate Rules (BCRs) applications by both Accenture and Atmel. BCRs are a method of complying with the European Union (EU) rules on transferring personal data outside the European Economic Area (EEA). Now that Accenture and Atmel have both secured ICO approval other businesses may be tempted to follow their lead.
BINDING CORPORATE RULES
BCRs are a set of inter-company group rules governing the transfer and processing of personal data between affiliates of the same group. Once approved, the members of the group can transfer personal data amongst themselves without considering national boundaries.
Company group members cannot transfer the personal data on to third parties based outside the EEA – BCRs only work inside the group; BCRs are legally binding and data subjects have the right to commence an action within either the jurisdiction of the Member State of the group member sending the data or the Member State of the EU head quarters of the group – and as each EU Member State has differing levels of sanctions there can be a material difference whether an action is commenced in say France or the United Kingdom.
BCR APPLICATIONS – MORE DISADVANTAGES
The applications procedure is not streamlined. Companies wishing to use BCRs must file an application with the data protection authority in the EU Member State where the company’s EU head quarters is located (also known as the “lead DPA”). The lead DPA must approve the application however, the approval only applies to data transfer outside the EEA from that particular EU territory. The company must subsequently secure approval from the DPAs in all the EU countries in which group members are located if all such members are to transfer directly personal data outside the EEA.
RECENT ACTION TO STREAMLINE THE BCRS APPLICATION PROCESS
In June 2008 the Working Party issued a toolkit on BCRs – including a table setting out the elements and principles that BCRs should include, a framework for the structure of BCRs and frequently asked questions related to BCRs. Additionally, as of February 2009, 13 EU DPAs (France, Germany, Ireland, Italy, the UK, the Netherlands, Spain, Latvia, Luxembourg, Norway, Iceland, Liechtenstein and Cyprus) have agreed to mutually recognise (effectively automatically approve) BCRs applications which have already secured lead DPA approval.
Accenture and Atmel are the third and fourth organisations to get ICO approval for BCRs. Given the difficulties that companies have generally experienced with the BCRs application and approval process and the consequent slow pickup by companies of BCRs it is good news that the ICO has approved in quick succession BCRs applications by Accenture and Atmel; hopefully, this should encourage other companies to engage with BCRs.