The EU Article 29 Data Protection Working Party has expanded the availability of Binding Corporate Rules (BCRs) to data processors, facilitating cross-border transfers of personal data. With both data controllers and data processors using BCRs, the required level of data protection for transfers of personal data can be ensured without having to resort to contracting arrangements or other methods. As a consequence, multinational entities will be able to transfer data more easily to countries outside the European Economic Area (EEA).
Mechanisms to Ensure an Adequate Level of Protection
When a company outsources parts of its operational business, for example to a cloud service provider, it often needs to transfer personal data to other entities. An entity that determines the purpose and means by which personal data is processed, also known as a data controller, is required by law to ensure an adequate level of data protection. According to the EU Data Protection Directive (95/46/EC) (“Directive”), personal data may only be exported from the EEA to entities located in countries that the EU Commission has deemed to provide an adequate level of protection through applicable local data protection legislation. An entity that wishes to export data to a non-EEA country without an adequate level of protection must comply with at least one of the alternative mechanisms provided in the Directive. These mechanisms are intended to provide an adequate level of protection in countries where data protection legislation does not meet the standards set by the EU. They include, among other things, BCRs, the EU Model Contractual Clauses drafted by the European Commission, and the individual data subject’s consent.
BCRs Reduce the Need for Contracts
BCRs are legally binding internal privacy commitments that allow a multinational entity to transfer personal data freely within its own organisation without violating the Directive. The entity can apply for validation of its BCRs from the local data protection supervisory authorities. If a data controller has not applied for validation of its BCRs, it must ensure an adequate level of protection for transferred data by other means, for example by contracts. In the case of a multinational corporation, this may result in the data controller having to contract with hundreds of affiliates to cover all transfers of data.
BCRs have traditionally been available to data controllers only. Therefore, each time a data controller wishes to transfer data to a third party, it must ensure an adequate level of protection of the transferred data by other means, such as by using Model Contractual Clauses. If these third parties, referred to as data processors under the Directive, wish to transfer the data onward, for example to a data centre located outside the EU or EEA, a similar contract needs to be concluded to maintain an adequate level of protection. For example, a cloud computing service provider may have numerous data centres around the world. Whenever data is transferred from one of these data centres to another, protection of personal data must, again, be ensured through additional contracts. The task of ensuring that contracts are kept up to date with changing corporate structures can also be time-consuming and burdensome.
Expanded Use of BCRs
The EU Article 29 Data Protection Working Party has recently expanded the use of BCRs, so that they can be used by data processors as well as data controllers. As of 1 January 2013, data processors can also have their own BCRs validated by data protection supervisory authorities. The application procedure for data processors is similar to the existing procedure for data controllers. BCRs for data processors are intended to reduce the burden of negotiating and contracting between data controller and data processors, as data controllers can now rely upon data processors providing an adequate level of protection through their BCRs. Furthermore, BCRs for data processors will function as part of the guarantees brought by a data controller to data protection supervisory authorities in order to demonstrate an adequate level of protection and obtain the necessary authorisation for transfers of personal data to the various entities of their data processors (for example sub-processors and data centres).
BCRs provide data processors with many other advantages. Most importantly, BCRs allow the free transfer of personal data within the data processor’s own organisation. Secondly, other organisations can transfer data to the data processor without needing to use other mechanisms, such as the Model Contractual Clauses. Data processors can also use BCRs as a selling point, since BCRs can demonstrate a high-quality approach to compliance with EU data protection legislation, making the data processor a more attractive alternative for data controllers.