Binding Corporate Rules (BCRs) were developed by the European Union Article 29 Working Party to allow multinational organisations to make intra-organisational transfers of personal data across borders in compliance with EU data protection law.
Currently, to put BCRs in place, the organisation must apply for approval to the data protection authority in each EU Member State in which it will rely on the BCRs. The EU has developed a mutual recognition process under which BCRs approved by one Member State's data protection authority may be approved by the other relevant Member States, which may make comments on, and ask for amendments to, the BCRs. To be successful, the applicant organisation must demonstrate that it has in place adequate safeguards for protecting personal data throughout the organisation.
BCRs are an alternative to Safe Harbor and the EU Model Contract Clauses, but they have historically been unpopular due to the cumbersome process of putting them in place. However, with BCRs set to be recognised as a legitimate means of enabling data transfers under the proposed new Data Protection Regulation and proposals for increased co-operation between regulators with data protection authorities, it is a good time to reconsider the pros and cons of BCRs.
So what do organisations that have BCRs in place report as their benefits?
- they create a better organisation-wide understanding of EU data protection principles and requirements – the use of BCRs flags the rules to the whole of the organisation and reduces the risk of breach
- they allow for increased flexibility – if BCRs are carefully drafted they can allow some flexibility to make changes to the organisation's structure and flow of data transfers
- they promote increased accountability – BCRs may already, and can be developed to, include the types of accountability built into the draft Data Protection Regulation
- they have minimal long-term costs – whilst costly at the outset, once BCRs are in place maintenance is minimal
- they can be used to create positive publicity – having BCRs approved means the organisation's policies and procedures have been put in front of and approved by the data protection authorities
- they foster a strong relationship with data protection authorities
The biggest disadvantages of BCRs are:
- they cannot cover transfers of personal data outside of the organisation
- the process of getting BCRs approved and granted is still a lengthy and complex task
Although model contracts have historically been the preferred option for international data transfers, anyone who has gone through the task of putting model contracts in place across large numbers of group companies will appreciate that this is itself not straightforward and provides little flexibility to take account of an organisation's culture and procedures. With BCR approval procedures getting quicker and more certain and enabling more flexibility, BCRs are increasingly looking like a more viable option.
BCRs are becoming the benchmark for data protection compliance and are consistent with the accountability model set out in the draft Data Protection Regulation. There may be a benefit in putting BCRs in place now, as this will allow an organisation to anticipate the accountability model (although care needs to be taken to allow flexibility for change). Further, getting ahead of the game and commencing the process of obtaining BCR approval now may prove crucial: once data protection authorities are subject to the extra responsibilities proposed in the draft Data Protection Regulation, their capacity will be stretched and the process for approval may slow down again. In a nutshell, if your organisation transfers personal data to group companies outside of the EEA, now is the time to revisit and think seriously about implementing BCRs.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at November 2013. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.
TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.