On 25 July 2022, the Information Commissioner's Office (ICO) published its updated guidance on UK Binding Corporate Rules (UK BCRs), signalling a meaningful shift from the traditional document-heavy EU approach, to one that puts flexibility for businesses and pragmatism at the forefront, while simultaneously promoting transparency and the protection of individuals’ rights. 

In this article, associates Matt Quezada and Miles Harmsworth outline the key changes and consider their impact on organisations applying for UK BCRs in the future. 

This analysis was first published by LexisNexis on 23 August 2022  (subscription required). 

Original news 

The Information Commissioner’s Office (ICO) has updated its Guide to Binding Corporate Rules (BCRs) with new guidance, application forms and tables for controllers and processors. The BCRs are intended for ‘multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures or professional partnerships’, and approved by the Information Commissioner under Article 58.3(j) of Retained Regulation (EU) 2016/679, the United Kingdom General Data Protection Regulation. The new guidance published on 25 July 2022 supersedes all previous documents and guidance.

Recap on BCRs 

Originating from EU data protection law, BCRs have long been considered the ‘gold standard’ transfer mechanism, acting as a set of internal rules for multinational organisations which seek to transfer personal data (within the same corporate group) to countries which do not provide an adequate level of data protection.

BCRs come in two types in the UK: 

• UK Controller BCRs (UK BCR-C) apply to transfers of personal data from a UK-based controller to other controllers or to processors established outside the UK within the same group. 
• UK Processor BCRs (UK BCR-P) apply where personal data is received from a UK-based controller (which is not a member of the group) and is processed by group members as processors or sub-processors. 

What are the changes? 

The ICO has published new controller and processor guidance, along with revised application forms and a referential table, demonstrating a significant change in its application process and what constitute ‘UK BCRs’.

The new guidance provides more flexibility than its procedural-focused predecessor, while also providing organisations and practitioners with clarity on what the ICO needs to see from applicants.

The guidance covers controllers (11 sections) and processors (13 sections), focusing on the overarching principles of both Article 47 of Retained Regulation (EU) 2016/679, the United Kingdom General Data Protection Regulation (UK GDPR) and accountability and transparency, ensuring individuals have effective enforceable rights and the ICO has effective regulatory oversight.

The guidance also takes into account the decision in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II) Case C-311/18 (which remains applicable to the UK), though the ICO will not require applicants to provide transfer risk (or impact) assessments (TRAs) during the application process, instead requiring organisations to make certain assurances (such as undertaking regular reviews of risk assessments and adjusting their UK BCRs where the rights afforded to individuals are undermined if transfers continue). Note that the ICO may request evidence or copies of TRAs as part of its ongoing monitoring of approved UK BCRs, so it is crucial that these are still undertaken.

Application documentation 

The ICO considers the UK BCRs to comprise: 

• the application form (UK BCR-P or UK BCR-C) 
• the referential table (plus Annex 1 for UK BCR-P) 
• the binding instrument (usually an intragroup agreement (IGA)) 
• the BCR Policy (more on this below) 
• other relevant policies and procedures as referenced in the UK BCRs. 

The application forms and referential table have been simplified significantly and the prescriptive requirements and comments found in the previous versions have been removed, replaced with the principles-based guidance mentioned above. While there are overlapping themes with EU BCR criteria, the ICO has departed from prescriptive form-filling to encouraging applicants to focus on the intent and spirit underlying Article 47 and the UK GDPR generally.

The BCR Policy is the public-facing document that provides individuals with the key Article 47 information concerning their data and its transfer under the UK BCRs. As a concept this is not new, but the ICO now emphasises the importance of making it accessible to individuals—a recurring theme throughout the guidance, and one that will require organisations to be creative and consider implementing legal design concepts such as plain drafting, tailored towards the data subjects in question, in their approach.

Less duplication 

A key issue with the previous process was that applicants wishing to simultaneously apply for UK BCR-C and UK BCR-P had to submit separate application forms and supporting documentation, which led to unnecessary duplication and delays in terms of production and review time.

The ICO’s revised approach addresses this and, although separate application forms are still required, applicants may submit: 

• one combined UK BCR Policy for both UK BCR-C and UK BCR-P 
• one combined IGA for UK BCR-C and UK BCR-P 

• a combined set of supporting policies and procedures if they cover both the UK BCR-C and UK BCR-P. 

Where combined documentation is submitted, applicants must clearly delineate controller/processor obligations, as necessary.

All applicants are now required to complete the same referential table, with a supplementary annex to be completed only by those applying for UK BCR-P, further streamlining applications.

Why have the changes been made and how significant are they likely to be? 

The recently announced three-year plan of the ICO (known as the ICO25 strategy) to empower individuals and businesses can be seen throughout the new guidance, principally in its pursuit of simplicity and efficiency, which are overarching themes.

While all applicants may benefit from the revised approach in terms of reduced costs involved in preparing application documentation and possibly approval time, organisations applying for both UK BCR-C and UK BCR-P will likely reap the most benefit, having the ability to condense the documentation needed for each application. Notably, the ICO will only request supporting documents and commitments once during the UK approval process which, with greater clarity and simplicity throughout the application documentation, may lead to a more streamlined approval process.

The changes also mean that organisations have the opportunity for greater flexibility on how they develop and design their UK BCRs. The less prescriptive requirements previously found in the application forms and referential tables have been replaced with a more free-form principles-based regime, allowing applicants to take more initiative and control over the drafting of their BCR Policy and associated documentation.

Conclusion 

The ICO’s updated guidance signifies a material shift in focus from the traditional EU approach to BCR approval (ie prescriptive, document-heavy, granular requirements) to a principles-based approach, prioritising flexibility and practicality (while also encouraging transparency for individuals).

The guidance certainly embraces the ICO’s strategic theme of ‘empowerment’, though we await to see if the benefits to business and individuals materialise in practice. The ICO’s new approach will also draw the attention of its EU counterparts, as the UK demonstrates further divergence from EU data protection law.