The Role of Binding Corporate Rules (BCRs) in Ensuring Compliance with European Law

BCRs european union data privacy

Transferring personal data within your organization, without violating European data privacy and protection laws, requires the use of mechanisms approved by regulators.

What happens to consumer data once in the hands of companies with operations around the globe has long troubled regulators, especially those within the European Union. Nonetheless, multinationals often see a need to transfer customer data among divisions and departments outside of the confines of the European market.

So how can organizations comply with European data privacy and protection laws and regulations without hobbling their ability to operate?

Among a few transfer mechanisms, the EU accepts the use of Binding Corporate Rules (BCRs), which provide multinationals with a mechanism to facilitate the transfer of customer data, without running afoul of European Union data privacy rules and regulations.

There's a small, but growing list of firms with approved BCRs, with many household names based in the United States among them.

Organizations with BCRs in place have achieved the means to protect personal data to the highest standards demanded by EU regulators. BCRs are an approved transfer mechanism making EU Standard Contractual Clauses unnecessary as between the customer and such company.

But how do these rules work, and what happens when a multinational fails to follow them?

A Corporate Policy, Blessed by Regulators

BCRs are corporate policies governing internal data transfers within a group of companies under the same parent, vetted by European data protection regulators. To that end, BCRs must adhere to the data privacy concepts and principles enshrined in the GDPR, such as transparency, security and lawfulness of data processing. Of course, the group of companies must also implement processes and technology to ensure internal data transfers comply with the policy.

And, as the name states, firms must acknowledge the binding nature of the rules, meaning that the group of companies must ensure ongoing compliance with the BCRs that will govern their interactions with their data subjects.

An Efficient Approval Process

To adopt BCRs, a business must seek approval from the Data Protection Authority (DPA) of each member state where it plans to transfer data. The first step involves the selection of a lead DPA to coordinate the approval process, which includes disseminating copies of the proposed rules to the DPA of each country in which the organization plans to transfer data. The decision regarding which DPA to select as a lead depends on a number of factors, including the location of the organization's European home office, and the location of the organization to assume, manage and ensure compliance with the BCRs.

Next, a firm must develop rules in compliance with the European Union's guidelines. These have been created by the Article 29 Working Party, an organization made up of representatives from each member state's DPA, now known as the European Data Protection Board (EDPB). When preparing BCRs, organizations must also refer to working papers 256 and 257, which the Article 29 Working Party released earlier this year in an effort to ensure compliance of BCRs with the GDPR requirements.

In an attempt to streamline the approval process, 21 of the EU member states allow a lead DPA and two co-leads to approve the BCRs, which then automatically earns the approval of the other 18 data protection authorities. For the remaining DPAs that do not participate in the mutual recognition program, they may scrutinize the BCRs independently within a one-month window.

GDPR and the Case for BCRs

Given that the GDPR is now in effect, many organizations may wonder whether they need to adopt BCRs. Article 47 of the GDPR legislation reaffirms the role of BCRs and how businesses can use them to transfer data in compliance with the GDPR.

With suitably rigorous BCRs in place, companies gain a protective mechanism that allows them to transfer data outside of the European Economic Area to jurisdictions with data protections laws that are not deemed to be adequate, without violating EU law.