Binding Corporate Rules (BCRs) are an intracompany code of conduct that regulates the principles and rules that apply to the processing and transfer of personal data within a company group, including cross-border. BCRs were established through the standard practice of data protection authorities (DPAs) and the guidance of the Article 29 Working Party (WP29). The upcoming General Data Protection Regulation (GDPR) explicitly recognizes BCRs, both for controllers (BCR-C) and processors (BCR-P). It also extends the scope of application not only to a corporate group but also to a group of enterprises engaged in a joint economic activity, for instance joint ventures.
After WP29 endorsed BCR-C as a useful mechanism for data transfers of complex international structures in 2003, several companies adopted them. Instead of having to justify international transfers on an individual basis, and concluding model contracts with numerous parties, BCRs allow a single set of transfer rules for the entire company group. In today’s interconnected world, it is increasingly important to easily transfer data wherever needed, and BCRs offer the flexibility required for such elaborate transfers.
A framework for BCR-Ps was introduced much later, in 2012, and their further inclusion in the GDPR was fiercely debated. In endorsing their inclusion, WP29 praised the merits of BCR-P as an optimal solution for international data transfers. At the same time, WP29 held that BCR-P imposes transparency and accountability requirements beyond those provided in model clauses or other transfer mechanisms (e.g., the current Privacy Shield).
To date, 88 companies have had their BCR procedures concluded, 10 of them pertinent to BCR-Ps. This number is expected to rapidly increase in light of the GDPR and the several benefits associated with BCR-Ps.
BCRs will become more flexible under the GDPR. Under the current regime, companies first have to get their BCRs approved in all relevant countries through mutual recognition or a cooperation procedure. They still need to obtain national DPA authorizations in certain countries to allow for the transfer of personal data under the BCRs. These transfer permits only allow specific transfers, and any time a company wants to expand or alter its transfers, a new notification and permitting procedure is required. Making things more complicated, BCRs are not recognized in Portugal as a valid legal basis to transfer personal data outside of the European Economic Area (EEA).
The GDPR does not contain DPA notification and authorization requirements for data transfers. National authorizations of BCRs will be abolished, which will significantly reduce the time required to introduce a BCR and will increase flexibility altogether. Because of the direct applicability of the GDPR in all EU member states, any remaining inconsistencies (e.g., Portugal) will be automatically ironed out. As a result, processors will likely increasingly rely on BCR-Ps to justify transfers outside the EEA since they will be able to engage in practically unlimited data transfers within their company groups.
Under the GDPR, the data transfer rules are also directly applicable to processors. Processors should, therefore, no longer be dependent on data transfer mechanisms put in place by controllers, but rather have their own tools available to comply with these requirements. Moreover, WP29 has indicated that a BCR is an organizational accountability tool that has many merits beyond contractual solutions such as the EC model clauses.
For intragroup transfers, BCR-P not only provides a good basis for transfers but also helps demonstrate broader compliance with the GDPR, for instance the principles of accountability, lawfulness of processing, general processing requirements, and security of processing.
Meet the By-Default and By-Design Requirement and Avoid High Fines
The GDPR refers to the requirement of ensuring data protection by design and by default. Therefore, companies should introduce appropriate technical and organizational measures so that all the data protection principles are met. This is a relatively wide concept, and high GDPR fines (up to 4% of a company’s global turnover or €20 million, whichever is higher) leave no room for experimentation.
To this end, the GDPR provides that an approved certification mechanism, like a BCR-P, may be used as an element to demonstrate compliance with the by-design and by-default requirements. This tangible uplift in compliance may save companies substantial amounts of money.
Reduce a Company’s Operational Cost and Administrative Burden
A BCR-P can also reduce a company’s overall operational cost. As a processor, a company may be required to make several cross-border transfers across the globe. If it opts for Model Clauses, for example, the overall cost of the process will be higher, and the administrative burden of dealing with several different schemes particularly heavy. The cost of a BCR is significant in the beginning, yet once in place, less time and money is required for daily company operations.
Enhance Customer Confidence
A BCR is a very detailed code of conduct that exposes a company’s policies and procedures to regulators and the public. Once enforced, a BCR signals to customers that the company takes its data protection duties very seriously and that their data is in safe hands. Processors may operate in various sensitive industries (e.g., financial services, telecoms, technology) where reputation is extremely important and may have a significant impact on a company’s viability and profitability. BCRs communicate a transparent, robust, and holistic data protection approach.
Future Procedural Flexibility
The GDPR gives leeway to the European Commission, upon consultation with the newly introduced European Data Protection Board (EDPB), to create procedural rules in the future to better facilitate the approval process. Since the European Commission may specify the format and procedures for BCR-Ps, it is likely we will experience model BCR approval procedures, which may streamline the BCR approval process even further.
Notes
1. Article 47, GDPR
2. Recital 110, GDPR
3. Article 5, GDPR
4. Article 6, GDPR
5. Article 28, GDPR
6. Article 32, GDPR
7. Article 25, GDPR
8. Article 47(3), GDPR
This advisory is published by Alston & Bird LLP’s Privacy & Data Security practice area to provide a summary of significant developments to our clients and friends. It is intended to be informational and does not constitute legal advice regarding any specific situation. This material may also be considered attorney advertising under court rules of certain jurisdictions.