Binding Corporate Rules (BCRs)

The Data Protection Directive (95/46/EC) prohibits, in principle, the export of data to third countries that lack—from the point of view of the European Commission or the national data protection authorities (DPAs)—an adequate level of protection, like the United States with its sector-specific privacy laws. These restrictions on the free flow of personal data are particularly cumbersome to global corporations. The DPAs may, however, authorise sets of data transfers to recipients in third countries if appropriate contractual clauses provide adequate safeguards to the data subjects.
For multinationals, the standard contractual tool for securing the intra-group transfer of huge quantities of human resources and customer data are Binding Corporate Rules (BCRs). BCRs are enforceable codes of conduct for privacy and data protection compliance to which each member of the corporate group subscribes. In contrast to a multitude of mutual data transfer agreements between the corporate members in the European Union and overseas, (e.g., the Standard Contractual Clauses authored by the European Commission), BCRs are a single set of rules, tailored to the specific needs of the corporation and reflecting its specific group structure and intra-group data flows. In practice, however, BCRs have never become popular among multinationals because of the costly and time-consuming approvals by the DPA of each EU Member State from which data are intended to be transferred to a third country.
Toolbox for Drafting and Filing BCRs
In order to make BCRs more attractive to global corporations, the Article 29 Working Party—an independent committee of data protection officials from EU Member States—launched in October 2008 a toolbox that facilitates the drafting of BCRs and BCR applications. The toolbox contains three components: a checklist of elements to be found in BCRs, a framework for the structure of BCRs and a set of Frequently Asked Questions (FAQs).
The checklist gives an overview of the criteria for the approval of BCRs by the DPAs. It is key that the contractual clauses compensate for the protection deficit in the third country by providing adequate data protection safeguards. These safeguards must ensure that the basic data protection principles of Article 6 of the Data Protection Directive apply to the intended offshore data transfers. Basic data protection principles are, inter alia
• Purpose limitation: Secondary uses and disclosures of the transferred personal data must not be incompatible with the purposes for which the data were transferred to the third country.
• Quality and proportionality: The transferred data must be accurate and be kept up to date.
• Transparency: The data subjects must be informed about the purpose of the data transfer and the identity of the data controller in the third country.
• Enforceability: The BCRs must be binding externally for the benefit of the data subjects and provide the data subjects with appropriate legal remedies to enforce their rights as third-party beneficiaries of the BCRs.
• Closed-circuit principle: BCRs only cover intra-group transfers; onward transfers to third parties in third countries require the entering into separate data transfer agreements by the data recipient and the third party, for instance, SCCs.
The checklist is supplemented by the framework document, which gives practical guidance for drafting and filing BCRs. The FAQs address issues applicants tend to come across when setting up BCRs.
Mutual Recognition Procedure
Another obstacle to the use of BCRs is the burden of the approval. In general, global corporations have to propose a lead authority among the competent DPAs, which will initiate a co-operation procedure. The Working Party recommends a “five-factor test”, which gives priority to the DPA of the EU Member State where the group is headquartered.
The lead authority will discuss the draft BCRs with the applicant, distribute a “consolidated draft” to the other DPAs for comments, discuss the comments with the applicant and circulate a “final draft” for final approval. To overcome this bureaucratic nightmare, at the Working Party’s autumn summit, DPAs of nine EU Member States, including the German federal and state DPAs and the DPAs of France, Italy, the Netherlands, Spain and the United Kingdom, announced that they will mutually recognise BCRs approved by one lead authority. This positive signal is likely to encourage the use of BCRs as the predominant means for intra-group data transfers from the European Union to the United States.