Oct 18

Navigating Data Transfer Mechanisms

In the wake of the Schrems II decision, businesses and organizations around the world have been forced to reevaluate their data transfer practices. With the invalidation of the Privacy Shield and the added scrutiny on Standard Contractual Clauses (SCCs), many have been looking for alternative data transfer mechanisms.

The situation has improved again for data transfers to the US when the EU-U.S. Data Privacy Framework came into place in summer 2023. However, many companies are not self-certified under this new framework. Moreover, the framework’s longevity is uncertain since initiatives to challenge and invalidate it have already been set in motion.

In this blog post, we will explore the concept of other 3rd country data transfer mechanisms with a focus on Binding Corporate Rules (BCRs) as a potential solution.

The limitations of SCCs and the search for alternatives

As a result of the Schrems II decision, organizations relying solely on SCCs for data transfers may face challenges in ensuring adequate safeguards for data subjects’ rights and protection. This has prompted many to seek alternative mechanisms that can provide a higher level of certainty and compliance in the post-Schrems II era.

Exploring Binding Corporate Rules (BCRs) as an alternative mechanism

What are BCRs and how do they compare to SCCs?

Binding Corporate Rules (BCRs) are legally binding contracts between entities within a corporate group that establish a privacy program for the group’s data transfers. They are used for intra-group transfers of personal data, inspiring confidence and demonstrating an organization’s commitment to privacy protection.

BCRs differ from SCCs in several key ways:

  • BCRs are only applicable to transfers within subsidiaries of the same parent organization, while SCCs can be used for transfers between different organizations.
  • The burden of assessing the adequacy of safeguards rests with supervisory authorities for BCRs, minimizing the risk of fines or other corrective measures. In contrast, SCC users must conduct their own adequacy assessments and may be held accountable for any shortcomings.
  • BCRs undergo an approval process involving competent supervisory authorities and collaboration with the European Data Protection Board (EDPB), while SCCs are provided by the European Commission as a template.

Advantages and disadvantages of BCRs

BCRs offer several advantages that make them an attractive alternative to SCCs:

  • Simplification: BCRs harmonize data management and governance processes within a group, simplifying transnational data flows and reducing administrative burden.
  • Flexibility: Unlike SCCs, BCRs provide flexibility for introducing new products or members to the group and reduce compliance costs when there are processing changes.
  • Safety: The involvement of supervisory authorities in the approval process minimizes the risk of enforcement actions against data transfers based on BCRs.
  • Competitiveness: BCRs are considered the “golden standard” for international transfers, inspiring customer confidence and showcasing an organization’s privacy maturity.

However, BCRs also have some disadvantages to consider:

  • Long approval process: BCRs typically require at least 18 months to complete the approval process, involving ongoing collaboration with supervisory authorities.
  • Costly: Implementing BCRs can be resource-intensive and come with significant costs, making them a suitable choice for organizations committed to long-term strategic privacy programs.
  • No self-certification: Unlike the Data Privacy Framework, BCRs do not provide a self-certification mechanism and require thorough scrutiny by supervisory authorities.

Schrems II’s impact on BCRs

Although the Schrems II decision did not directly address BCRs, its findings regarding the excessive intrusiveness of US law suggest that a case-by-case analysis may be necessary for transferring personal data outside the EEA under approved BCRs. This approach aligns with the EDPB’s guidance on the implications of the decision.

However, some argue that the rigorous BCR approval process, which involves privacy regulators at every step, sets BCRs apart from SCCs. They contend that the same additional measures required for SCCs may not be necessary for BCRs, as doing so could undermine the key advantage of BCRs — the creation of a transcontinental zone for the free circulation of personal data within an organization.

Exploring Alternative Data Transfer Mechanisms

While BCRs are widely considered the “golden standard” for data transfers, other alternatives exist that may suit certain organizations or specific data transfer scenarios. These alternative mechanisms include:

Adequacy Decisions

Adequacy Decisions are issued by the European Commission, recognizing that a non-EEA country offers an adequate level of data protection, allowing for data transfers without further safeguards. Currently, only a handful of countries (such as the United Kingdom, New Zealand, and Japan) have received adequacy decisions.

Derogations

The GDPR includes specific derogations that allow for data transfers without relying on any specific mechanism. These derogations are applicable in limited circumstances, such as data transfers with the data subject’s explicit consent or transfers necessary for the performance of a contract.

Navigating the 3rd country data transfer landscape

Organizations must carefully consider their data transfer practices and select the most appropriate mechanism. When navigating this landscape, it is crucial to:

  1. Conduct a thorough assessment of data transfer activities, identifying the countries involved and the legal basis for each transfer.
  2. Consider the advantages and disadvantages of alternative mechanisms, such as Standard Contractual Clauses, EU-U.S. Data Privacy Framework, BCRs, adequacy decisions and derogations.
  3. Regularly review and update data transfer mechanisms to adapt to changing legal requirements and emerging best practices.
  4. Leverage technology solutions, such as data protection management platforms like DPOrganizer, to streamline the data transfer compliance process and track obligations.

DPOrganizer is a comprehensive privacy management software that can help businesses of all sizes protect their customers’ data and streamline their compliance with data protection regulations. With DPOrganizer, businesses can stay on top of their privacy program and ensure they are adhering to complex data protection laws and regulations. Contact us today to learn more about how DPOrganizer can help your organization protect your data.
