Binding corporate rules (BCRs) are internal data protection rules that govern transfers of personal data within a corporate group from EEA entities to group entities located outside the EEA (third countries).
These rules set out general data protection principles and give data subjects a right of action against the group if it fails to comply with them. Taken as a package, approved BCRs can provide the appropriate safeguards required by the GDPR for all intra-group data transfers.
There are two types of application: (1) BCRs for controllers, suitable for transfers of data for which the group is ultimately responsible; and (2) BCRs for processors, suitable for transfers within a group where the group acts as processor for other controllers, generally its customers.
Advantages of BCRs
The BCR approval process is rigorous, so groups that complete it are rewarded with a strong and accountable framework for intra-group transfers.
BCRs also offer significant flexibility as a transfer mechanism. BCRs can easily absorb changes to a group's corporate structure, whereas intra-group data transfer agreements built on standard contractual clauses must be reviewed, and often updated, to reflect any structural or data flow change.
The BCR approval process
A group submits its BCR application to its chosen lead supervisory authority in the EU (which, after 1 January 2021, cannot be the UK ICO). Once the lead supervisory authority has reviewed and commented on the BCRs, they are circulated to two co-reviewing supervisory authorities for further review and comment. Next, a committee consisting of the lead supervisory authority, one or both co-reviewers, an independent supervisory authority and a member of the European Data Protection Board (EDPB) secretariat provides comments, which are incorporated into a final version of the BCRs. That final version is submitted to the EDPB. Although every supervisory authority technically has the right to comment during this final review period, in practice further comments are unlikely. Finally, the EDPB issues an opinion on the draft approval decision, after which the lead supervisory authority approves the BCRs and the group may make intra-group transfers under them.
Tips for BCR applications
To streamline the application process, we recommend the following:
- Stick to the language in the relevant BCR guidance documents. Supervisory authorities may read any amended wording as an attempt to lower the level of protection, even where that is not the intent.
- Set out in detail how your organisation will audit compliance with the BCRs. The audit plan should give the supervisory authorities enough detail to understand the scope and frequency of audits and, importantly, how audit findings will be reviewed and acted upon.
- Evidence that the BCRs bind both employees and group companies. Non-compliance, whether by an employee or by a company, must carry real consequences.
Implications of Schrems II on BCRs
The Schrems II decision invalidated the EU-US Privacy Shield as a mechanism for transferring data from the EU to the US. Groups may still rely on BCRs and standard contractual clauses as valid transfer mechanisms. However, data exporters and data importers alike must consider whether BCRs or standard contractual clauses, on their own, provide a level of protection "essentially equivalent" to that in the EEA in light of the third country's legal regime. If not, supplementary measures must be put in place to reach that threshold. Helpfully, BCRs have certain built-in supplementary measures, including a reporting procedure for data access requests from foreign law enforcement or national security bodies and a robust procedure for handling data subject claims.
Implications of Brexit on BCRs
From 1 January 2021, the UK ICO is no longer a recognised supervisory authority under the GDPR and therefore cannot act as lead supervisory authority in the BCR approval process. The EDPB issued an information note in July 2020 addressing what this means for groups with the ICO as their lead.
For BCRs already approved by the ICO under the GDPR, a new lead supervisory authority in the EEA must have issued a new approval decision (following an EDPB opinion) before 1 January 2021. A group that did not secure a new approval by that date can no longer rely on its BCRs as a valid mechanism for transfers of personal data outside the EEA.
For applications still in progress, a new lead supervisory authority in the EEA must be identified to take over the application and complete the approval procedure.
Approval involves a full examination of a group's data protection practices and documentation, and typically takes between 18 months, for a well-managed application, and 24 months. The timing also depends on the workload of the lead supervisory authority. Groups that intend to apply for BCRs should plan ahead and, where possible, build on existing privacy programmes to shorten the approval period.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.