Binding corporate rules (“BCRs”) may now be easier to implement due to much needed guidance issued last month by the European Union’s Article 29 Working Party, the group responsible for the oversight of the EU’s data protection regime. The guidance consists of three documents, which clarify the requirements for establishing BCRs. These documents are: (1) a checklist outlining the required elements of the BCRs; (2) a framework for the structure of BCRs; and (3) a list of frequently asked questions regarding BCRs.
BCRs are legally binding internal corporate data privacy rules that establish a corporation’s practices regarding the transfer of personal information within the corporate group. BCRs are intended to be used by companies that operate in multiple jurisdictions and that need to transfer personal data across borders. Before becoming effective, BCRs require the approval of the EU data protection authorities (“DPAs”) in the member states in which a company operates, a process that may take years. Seeking BCR approval is a complex process because approval requires the adoption of a comprehensive data privacy program. Presently, only a few companies, among them General Electric and Philips, have announced receiving BCR approval.
Broadly, the new guidance establishes that for BCRs to be approved: (1) the BCRs must in fact be binding; (2) the entity must demonstrate policies and procedures ensuring the effectiveness of the BCRs; (3) the entities bound by the BCRs must cooperate with the DPAs; (4) the transfers covered by the BCRs must be described, including a statement of the geographical and material scope of the BCRs; (5) the mechanisms for reporting and recording changes to the BCRs must be described; and (6) the entity must describe how it observes the EU’s data protection principles to safeguard personal data.
The new guidance also emphasizes that BCRs must be customized to a particular corporate group’s structure and that merely copying the text of the guidance documents will not suffice. The guidance also provides examples of documentation that may accompany a corporation’s application for BCR approval. Some examples of documentation include a description of an employee training program regarding the use of personal information, a list of entities bound by the BCRs, a description of the internal complaint system, and the security policy for IT systems processing personal data.
BCRs are potentially useful for US companies operating in multiple EU member states. Each EU member state places restrictions on the transfer of personal data to nations whose data protection laws are not judged “adequate” by EU standards. According to the EU, the US does not have “adequate” data protection. Accordingly, US companies seeking to transfer data out of the EU are limited to three methods: the Safe Harbor (a program established by the US Department of Commerce), model contractual clauses approved by the EU, or BCRs. Presently, BCRs are the least used of these options. With the release of the new guidance, BCRs may become more prevalent.