‘Binding corporate rules’ are a welcome potential solution to data protection issues for multinational companies
In an increasingly global economy in which national borders have limited significance, there are aspects of European data protection law that many companies see as cumbersome. Nowhere is this more apparent than in relation to international transfers of data where the European Union (EU) Data Protection Directive and its implementing legislation, such as the UK Data Protection Act 1998, prohibit transfers of personal data outside the European Economic Area (EEA) unless certain conditions are met (‘the Eighth Principle’).
With many of these conditions ill-suited to the reality of multinational business, recent attempts by the European data protection authorities (DPAs) to develop a new solution — known as binding corporate rules (BCRs) — are particularly welcome. However, with take-up of BCRs still slow, it remains to be seen whether the concept will take root or just represent another well-meaning but impracticable data protection solution.
The need for BCRs
BCRs have been developed because many of the existing methods of compliance with the Eighth Principle do not work well in multinational businesses. For instance, a method of compliance favoured by DPAs is for data exporters to enter into a contract on standard terms approved by the EU (so-called ‘model clauses’) with any recipient entity based outside the EEA.
This contractual solution is difficult to implement, however, where the recipient is not a separate legal entity but an overseas branch of the same entity. Similarly, intra-group transfers can be widespread across a multinational group, and putting in place numerous different contracts to govern these can be administratively burdensome. As some other methods of compliance — such as obtaining the consent of the data subjects — are less favoured by DPAs (which see consent as a solution that lessens the standard of data protection offered and therefore construe it narrowly) and are often impracticable, BCRs have been developed as an alternative.
What are BCRs?
BCRs are corporate data protection policies that apply to all the members of a corporate group (whether based in the EEA or not) and that give data subjects a right of redress against the organisation. In order to qualify for the exemption from the Eighth Principle, the BCRs must be approved by the DPAs in each of the European jurisdictions from which the group intends to transfer data. However, rather than going separately to each DPA to get this approval, the group only needs to apply to whichever DPA is most relevant to the group’s European operations. This DPA will then act as a ‘lead authority’ and liaise with other relevant European DPAs to get the policy approved. As many DPAs — including those in France, Spain and the Netherlands — normally require transfers outside the EEA to be separately notified to and/or approved by them, this streamlined approval process is particularly attractive. Once the BCRs have been approved, transfers of personal data can take place freely within the group.
Gaining approval for BCRs
To gain approval, companies must demonstrate how the BCRs ensure there are adequate safeguards to protect personal data within the organisation. In particular, applications must include:
- evidence that the measures are binding — internally and externally;
- details of an audit programme;
- a description of processing flows;
- a description of any specific data protection safeguards in place (e.g. encryption, firewalls, etc.); and
- mechanisms for reporting changes to the BCRs.
In the short history of BCRs — first actively promoted in 2003 and then more vigorously in 2005 — arguably the greatest difficulty has been demonstrating that they are capable of binding third-party data subjects. It is perhaps unsurprising that the only set of BCRs to have been approved in the
What next for BCRs?
Despite the approval of the GE set by the Information Commissioner’s Office and other European DPAs in late 2005 and 2006, the floodgates are far from open and GE remains the only entity to have BCRs approved in the
While DPAs remain publicly committed to BCRs, it will be important for them to resolve these issues if a welcome concept is to become a viable method of data protection compliance.
Jane Finlayson-Brown is a partner and Jonathan Kirsop an associate at Allen & Overy.