Binding Corporate Rules (BCRs) have long been considered the 'gold standard' for data protection compliance when it comes to data transfers. The CJEU decision in the Schrems II case seems, however, to have fired a silver bullet and puts the BCR standard in danger of losing its lustre. Group organisations which have BCRs in place or are considering applying for authorisation should carefully review their data processing activities against the Schrems II decision and also anticipate the impact of Brexit on their data transfer practices.
BCRs are one of the data transfer mechanism available under Article 46(1) to transfer personal data lawfully from the EEA to third countries or international organisations. BCRs are used by organisations (usually within a corporate group) or a group of enterprises engaged in a joint economic activity to transfer personal data within their respective group. Organisations can apply to cover their controller to controller data processing activities (BCRs for controllers) and/or controller to processor activities (BCRs for processors).
BCRs are effectively a set of rules, standards and/or policies which are legally binding on every member of the group joining up to the BCRs and to their staff. One of the reasons why BCRs are considered to provide a high standard of protection is that every member of the group must comply with them and each is liable for any breach of the BCRs, so similar data protection standards apply across the corporate group.
To apply for BCRs, organisations must go through a lengthy regulatory process which can take months to complete. The BCRs must fulfil the conditions set out in Article 47 GDPR, and requirements set out in the relevant Article 29 Working Party guidelines as endorsed by the European Data Protection Board (EDPB). Organisations applying for BCRs must get approval from the competent EU supervisory authority (SA), acting as the lead SA.
Article 46(1) GDPR requires that the BCRs provide enforceable rights and effective legal remedies to EU data subjects as third-party beneficiaries. Failure to meet this requirement was one of the main concerns raised by the CJEU with respect to the privacy shield adequacy decision in Schrems II.
BCRs should expressly confer on data subjects the right to effective administrative and judicial redress and, where appropriate, to claim compensation in the EU, or from any member of the BCRs located in a third country in case of any breach of one of the enforceable elements of the BCRs (WP 256 rev.01). The principle is that an EU member of the BCRs accepts liability for any breaches of the BCRs by any group member concerned that is not established in the EU. It remains to be seen whether such rights are enforceable in practice by data subjects and within a corporate group, especially against non-EU based members of the BCRs.
The GDPR will continue to apply in the UK until the end of the transition period (31 December 2020). After that, the UK GDPR and Data Protection Act 2018 will apply in the UK and the ICO will no longer qualify as a competent SA under the GDPR for BCR purposes.
According to the latest update of the ICO's FAQs on Brexit, the UK government has said that transfers of data from the UK to the EEA will not be restricted. However, from the end of the transition period, unless the EU Commission adopts an adequacy decision for the UK (which seems unlikely although not impossible), GDPR data transfer rules will apply to any personal data flowing from the EEA into the UK. The UK government has set out its preferred approach to data transfers in its National Data Strategy, open for consultation until 2 December 2020 and its latest statement on data transfers from 1 January 2021 is set out here.
Organisations which have the ICO as their lead SA or have their BCR application pending with the ICO will have to implement measures from the end of the transition period to ensure that their BCRs still constitute a valid data transfer mechanism under the GDPR. The measures are outlined in the EDPB's information note and include:
The EDPB says that "in the absence of such changes and/or a new approval, where applicable, before the end of transition period, groups of undertakings/enterprises will not be able to rely on their BCRs as a valid transfer mechanism for transfers of data outside the EEA after the end of the transition period" so it is imperative that organisations review their BCRs before the end of the year.
Although the Schrems II decision invalidates the privacy shield decision, the CJEU's assessment for data transfers to the United States could equally apply to BCRs by analogy. BCR holders should now assess the level of protection provided to personal data transferred from the EEA to the United States and other third countries and, if applicable, implement additional safeguards.
In its FAQs on the Schrems II decision, the EDPB recommends that organisations carry out due diligence on the content of their BCRs. This should "take into account the circumstances of the data transfers and any supplementary measures organisations could put in place" to compensate for the lack of protection, if applicable. The EDPB focuses on personal data transferred to the US. However, we anticipate that this requirement could be extended to other third countries which have laws which interfere with the EU fundamental rights of the data subjects (eg laws based on national security and public interest requirements or on domestic legislation).
Following the court's rationale, the assessment for EEA-US transfers would require BCR holders to review US laws including whether:
For BCR applicants, the burden of the assessment is likely to rest with the SAs when reviewing the BCR application, while controllers and/or processors of SCCs must, make their own adequacy assessment and will be held accountable. For current BCR holders, SAs can always intervene to suspend transfers.
However, if a BCR holder itself concludes a third country no longer ensures an adequate level of data protection, the transfer of personal data to that third country should be suspended if GDPR safeguards cannot be fulfilled.
If we follow the assessment of the Schrems II decision, additional safeguards are likely to be necessary where the outcome of the due diligence suggests a risk to data subjects. In practice, this means that organisations will have to explain why, in their opinion, the legal system of the third party recipient does not create a conflict specifically for that organisation, either because of the nature of the data and processing, the absence of any such requests to date, or the other measures or controls it has in place.
We expect the EDPB to issue guidance to assist organisations making the assessment and provide examples of safeguards that could be implemented. In the interim, organisations which have the ICO as their lead SA could well look at the Data Protection Act 1998 (now replaced by the 2018 Act) which sets out criteria for a controller to assess the adequacy of protection in a third country. The ICO guidance based on the 98 Act is still useful even though it needs to be updated in light of Schrems II.
BCRs remain a valid data transfer mechanism and facilitate a robust data protection compliance programme. We expect them to become increasingly popular and form part of a wider commercial and data strategy for multinational groups processing large volumes of personal data internationally. The review of BCR applications by the lead SAs and the BCR holders themselves will make BCRs more robust and contribute to reinforcing their gold standard status to the benefit of data subjects.
Debbie Heywood looks at the impact of the end of the Brexit transition period on data transfers to and from the UK.
1 of 4 Insights
Axel von dem Bussche and Paul Voigt look at the requirement on non-EU established organisations to appoint an EU representative under the GDPR.
2 of 4 Insights
Vin Bange and Debbie Heywood look at the impact of the Schrems II decision on the future of international data transfers, particularly from the EEA and the UK to the USA.
3 of 4 Insights