The future of Binding Corporate Rules after Schrems II and in light of Brexit

Binding Corporate Rules (BCRs) have long been considered the 'gold standard' for data protection compliance when it comes to data transfers. The CJEU decision in the Schrems II case seems, however, to have fired a silver bullet and puts the BCR standard in danger of losing its lustre. Group organisations which have BCRs in place or are considering applying for authorisation should carefully review their data processing activities against the Schrems II decision and also anticipate the impact of Brexit on their data transfer practices.

What are BCRs?

Purpose and use of BCRs

BCRs are one of the data transfer mechanism available under Article 46(1) to transfer personal data lawfully from the EEA to third countries or international organisations. BCRs are used by organisations (usually within a corporate group) or a group of enterprises engaged in a joint economic activity to transfer personal data within their respective group. Organisations can apply to cover their controller to controller data processing activities (BCRs for controllers) and/or controller to processor activities (BCRs for processors).

BCRs are effectively a set of rules, standards and/or policies which are legally binding on every member of the group joining up to the BCRs and to their staff. One of the reasons why BCRs are considered to provide a high standard of protection is that every member of the group must comply with them and each is liable for any breach of the BCRs, so similar data protection standards apply across the corporate group.

Application process

To apply for BCRs, organisations must go through a lengthy regulatory process which can take months to complete. The BCRs must fulfil the conditions set out in Article 47 GDPR, and requirements set out in the relevant   Article 29 Working Party guidelines as endorsed by the European Data Protection Board (EDPB). Organisations applying for BCRs must get approval from the competent EU supervisory authority (SA), acting as the lead SA.

Enforceable rights and remedies for data subjects

Article 46(1) GDPR requires that the BCRs provide enforceable rights and effective legal remedies to EU data subjects as third-party beneficiaries. Failure to meet this requirement was one of the main concerns raised by the CJEU with respect to the privacy shield adequacy decision in Schrems II.

BCRs should expressly confer on data subjects the right to effective administrative and judicial redress and, where appropriate, to claim compensation in the EU, or from any member of the BCRs located in a third country in case of any breach of one of the enforceable elements of the BCRs (WP 256 rev.01). The principle is that an EU member of the BCRs accepts liability for any breaches of the BCRs by any group member concerned that is not established in the EU. It remains to be seen whether such rights are enforceable in practice by data subjects and within a corporate group, especially against non-EU based members of the BCRs.

Brexit and BCRs

Impact of Brexit on data transfers from/to the UK

The GDPR will continue to apply in the UK until the end of the transition period (31 December 2020). After that, the UK GDPR and Data Protection Act 2018 will apply in the UK and the ICO will no longer qualify as a competent SA under the GDPR for BCR purposes.

According to the latest update of the ICO's FAQs on Brexit, the UK government has said that transfers of data from the UK to the EEA will not be restricted. However, from the end of the transition period, unless the EU Commission adopts an adequacy decision for the UK (which seems unlikely although not impossible), GDPR data transfer rules will apply to any personal data flowing from the EEA into the UK. The UK government has set out  its preferred approach to data transfers in its National Data Strategy, open for consultation until 2 December 2020 and its latest statement on data transfers from 1 January 2021 is set out here.

Measures to implement by the end of the Brexit transition period

Organisations which have the ICO as their lead SA or have their BCR application pending with the ICO will have to implement measures from the end of the transition period to ensure that their BCRs still constitute a valid data transfer mechanism under the GDPR. The measures are outlined in the EDPB's information note and include:

• ‍BCR review: organisations should review their BCRs as these generally contain references to the UK legal order which need to be amended to include references to the EEA legal order.‍
• Current BCR holders with the ICO as lead SA: BCR holders which currently have the ICO as their BCR lead SA should identify a new BCR lead SA in the EEA.
• BCR applicants with the ICO as lead SA: current BCR applicants should identify a lead SA in the EEA and contact them to provide all necessary information as to why they are being considered as the new BCR lead SA. The EDPB states that the new lead SA should then take over the application and formally initiate an approval procedure subject to an opinion of the EDPB. Any BCRs approved by the UK's ICO under the GDPR will require the new EEA BCR lead SA to issue a new approval decision before the end of the transition period, following an opinion from the EDPB. The EDPB also adopted an annex containing a checklist of elements to be amended in BCR documents in the context of Brexit.

The EDPB says that "in the absence of such changes and/or a new approval, where applicable, before the end of transition period, groups of undertakings/enterprises will not be able to rely on their BCRs as a valid transfer mechanism for transfers of data outside the EEA after the end of the transition period" so it is imperative that organisations review their BCRs before the end of the year.

BCRs and data transfers post Schrems II

Although the Schrems II decision invalidates the privacy shield decision, the CJEU's assessment for data transfers to the United States could equally apply to BCRs by analogy. BCR holders should now assess the level of protection provided to personal data transferred from the EEA to the United States and other third countries and, if applicable, implement additional safeguards.

Assessment of adequacy

In its FAQs on the Schrems II decision, the EDPB recommends that organisations carry out due diligence on the content of their BCRs. This should "take into account the circumstances of the data transfers and any supplementary measures organisations could put in place" to compensate for the lack of protection, if applicable. The EDPB focuses on personal data transferred to the US. However, we anticipate that this requirement could be extended to other third countries which have laws which interfere with the EU fundamental rights of the data subjects (eg laws based on national security and public interest requirements or on domestic legislation).

Following the court's rationale, the assessment for EEA-US transfers would require BCR holders to review US laws including whether:

• EU data subjects have enforceable rights and effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation in the US, and
• third party recipients provide appropriate safeguards to ensure that data subjects whose personal data are transferred to a third country pursuant to the BCRs are afforded a level of protection essentially equivalent to that guaranteed within the European Union by the GDPR.

For BCR applicants, the burden of the assessment is likely to rest with the SAs when reviewing the BCR application, while controllers and/or processors of SCCs must, make their own adequacy assessment and will be held accountable. For current BCR holders, SAs can always intervene to suspend transfers.

However, if a BCR holder itself concludes a third country no longer ensures an adequate level of data protection, the transfer of personal data to that third country should be suspended if GDPR safeguards cannot be fulfilled.

Additional safeguards for BCRs

If we follow the assessment of the Schrems II decision, additional safeguards are likely to be necessary where the outcome of the due diligence suggests a risk to data subjects. In practice, this means that organisations will have to explain why, in their opinion, the legal system of the third party recipient does not create a conflict specifically for that organisation, either because of the nature of the data and processing, the absence of any such requests to date, or the other measures or controls it has in place.

We expect the EDPB to issue guidance to assist organisations making the assessment and provide examples of safeguards that could be implemented. In the interim, organisations which have the ICO as their lead SA could well look at the Data Protection Act 1998 (now replaced by the 2018 Act) which sets out criteria for a controller to assess the adequacy of protection in a third country. The ICO guidance based on the 98 Act is still useful even though it needs to be updated in light of Schrems II.

What next for BCRs?

BCRs remain a valid data transfer mechanism and facilitate a robust data protection compliance programme. We expect them to become increasingly popular and form part of a wider commercial and data strategy for multinational groups processing large volumes of personal data internationally. The review of BCR applications by the lead SAs and the BCR holders themselves will make BCRs more robust and contribute to reinforcing their gold standard status to the benefit of data subjects.