25 Feb 2009
Binding corporate rules now a more attractive option for Europe-to-US data transfer
E-Commerce and Privacy Alert
Two notable developments will make Binding Corporate Rules (BCRs) a more attractive option for companies that transfer data from Europe to the United States and other parts of the world.
First, the Article 29 Working Party has released a third revision of the Frequently Asked Questions (FAQs) for Binding Corporate Rules (BCRs). Second, several new countries have agreed to a “mutual recognition procedure” which greatly simplifies the heretofore cumbersome approval process required for companies that choose to use BCRs as a mechanism to lawfully transfer personal data outside of Europe.
Background: The EU Data Protection Directive and Restrictions on Transfers of Personal Data
The European Union Data Protection Directive (95/46/EC) (Directive), adopted in 1995, permits the transfer of personal data from Europe to a non-EU country only if the receiving country is deemed to offer an “adequate” level of data protection. Many countries, including the US, are not deemed by EU authorities to have enacted laws that “adequately” protect personal data. However, the Directive permits transfers to those countries if adequate safeguards and mechanisms have been implemented by the “data controller.”[1]
Thus, when a company (i.e., data controller) (i) is established in the EU or (ii) uses equipment (e.g., computer servers) located in the EU to process personal data, the company must implement one of several mechanisms for complying with the Directive (unless an exception applies):
- incorporate the European Commission’s model contractual clauses into a company contract that addresses such data transfers;
- obtain consent from each affected individual (where consent is considered “freely given”);
- certify compliance with the US Department of Commerce’s Safe Harbor program; or
- adopt BCRs.
Binding Corporate Rules
BCRs are internal corporate rules that allow data to flow freely between a company’s affiliates and subsidiaries without violating the Directive. As a general rule, each EU country’s government - through its Data Protection Authority (DPA) - must approve BCRs before they can become a valid mechanism for data transfers to such country.
In some instances, BCRs may be a more attractive alternative to adopting the European Commission’s model contractual clauses, which often require multinational companies to execute numerous data processing agreements between various corporate entities. Because BCRs shift the burden of ensuring compliance from DPAs and individuals to companies themselves, BCRs may in many instances end up being the most viable option for companies that operate in countries with DPAs who carefully scrutinize and may reject intra-company data processing agreements.
In the past, however, BCRs had to be submitted to and approved by each DPA in various EU countries. The approval process was therefore long and costly. Furthermore, disagreements among the EU’s 27 member countries meant that strikingly few BCR applications were approved by multiple DPAs, diminishing their practical utility.
Fortunately, a total of 13 European DPAs have now agreed to abide by a “mutual recognition” procedure, whereby one EU member country acts as the lead authority on a company’s BCR application and the other DPAs agree to accept the lead authority’s approval as the basis for their concurrent approval of the application. Nine EU member countries had already agreed to this mutual recognition of BCRs: France, Germany, Ireland, Italy, the United Kingdom, the Netherlands, Spain, Latvia and Luxembourg. Four additional European countries - Norway, Iceland, Liechtenstein and Cyprus - are now also participating.
Clarification Regarding Binding Corporate Rules - New FAQs
Another important development involves the FAQs that clarify the requirements for implementing valid BCRs. The Article 29 Working Party (comprised of top data protection officials from each EU nation) recently released a third revision to its FAQs.
This revision highlights the need for companies to consider individual third party beneficiary privacy rights when drafting BCRs. In particular, the new FAQs specify 12 rights, enforceable before “appropriate data protection authorities or courts,” that individuals should have pursuant to third-party beneficiary right clauses in BCRs. Third-party beneficiary clauses in BCRs should also cover “rights of access, rectification, erasure, blocking of data and objections to the processing.” The new FAQs also clarify the terminology that should be used when describing personal data processing and transfers, and they encourage companies to set forth BCRs in one document rather than multiple documents.
The third revision of the BCR FAQs supplements existing FAQs that, among other things:
- describe the level of detail needed for BCRs to adequately cover data processing and transfers within a group of companies;
- clarify data subjects’ rights;
- explain to whom BCRs must apply; and
- provide guidance on liability.
Recommendations
Companies that transfer personal data from the EU to non-EU countries increasingly face risks if they are not in full compliance with EU data protection laws. In the past, BCRs were not a viable option for most multinational companies to comply, since the approval process was long and costly. Fortunately, now that more countries have agreed to the mutual recognition procedure and additional FAQs have been published by the Article 29 Working Party, BCRs are a more attractive option.
For additional information or for assistance on ensuring your company is compliant with EU data protection laws, please contact us.
[1] The data controller is the entity that determines the purposes and the manner in which any personal data is or will be processed.
This information is intended as a general overview and discussion of the subjects dealt with. The information provided here was accurate as of the day it was posted; however, the law may have changed since that date. This information is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper is not responsible for any actions taken or not taken on the basis of this information. Please refer to the full terms and conditions on our website.
Copyright © 2012 DLA Piper. All rights reserved.