After the Schrems II decision, Binding Corporate Rules (BCRs) are seen by many as the salvation for international data transfers. The decision touched upon the other transfer mechanisms, invalidating the Privacy Shield and adding the implementation of “adequate safeguards” as a prerequisite for using Standard Contractual Clauses. In light of this, the question is whether BCRs also need to be amended or whether they are still the golden standard for international transfers.
In this article, we aim to explain what BCRs are, go through their advantages and disadvantages, and examine what impact the Schrems II decision may have had on them.
What are BCRs and how do they compare to SCCs?
BCRs are one of the mechanisms that the GDPR provides for the facilitation of transfers of personal data to countries outside the European Economic Area (EEA) that have not obtained an Adequacy Decision. They are legally binding contracts between the various members of a corporate group that establish the group’s privacy program. It is essential that they establish enforceable rights for data subjects and that they are legally binding and enforced by every member concerned of the group.
BCRs are used only for intra-group transfers of personal data. They apply only within subsidiaries of the same parent organisation, and are particularly useful for large businesses. They cannot be used for transfers between different organisations, for which the Standard Contractual Clauses (SCCs) are the only mechanism available. This is the reason why so few organisations use them as their transfer mechanism.
Something else that differentiates BCRs from other transfer mechanisms is that the burden of assessing the adequacy of the safeguards rests with the supervisory authorities. On the one hand, this minimises the risk of receiving fines or other corrective measures from said authorities. It also lessens the accountability burden, in contrast to users of SCCs, who must, according to the CJEU, conduct their own adequacy assessment and are accountable if they are wrong. On the other hand, this leaves less room for the user of BCRs to determine their content, making them a less flexible mechanism.
Moreover, the BCR approval process, unlike that of the SCCs, does not include the European Commission. BCRs are approved by the competent Supervisory Authority, in collaboration with the other SAs concerned and the European Data Protection Board (EDPB).
Advantages of BCRs
- Simplification. After their approval, BCRs do not come with the administrative burden of managing and updating hundreds of intra-group agreements, as happens with SCCs. They harmonize the data management and governance processes of the members of the group, and they create a “zone” for free circulation of personal data among them, simplifying transnational data flows.
- Flexibility. Contrary to SCCs, which only apply to the data processing activities set out in them, BCRs provide flexibility when introducing new products or new members to the group, and reduce data protection compliance costs when there are processing changes.
- Safety. As all concerned supervisory authorities, as well as the European Data Protection Board, have participated in the review and approval process of the BCRs, the possibility that a supervisory authority would initiate an enforcement action against a data transfer that takes place on this basis is relatively low. Also, during the approval process, the group gets to work closely with its Lead Supervisory Authority and create a connection with it.
- Competitiveness. Privacy has become a competitive differentiator. For those considering handing over their personal data to a company, it is a very positive indicator that it belongs to a group that has harmonized its data protection practices. BCRs are considered the “golden standard” for international transfers, inspire customer confidence and help the group show its privacy maturity and stand out among peers.
Disadvantages of BCRs
- Long approval process. It usually takes at least 18 months to finish the approval process, during which the group must be in constant contact and collaboration with the Supervisory Authority.
- Costly. BCRs are a more expensive solution, both from the resource and the cost perspective, and are a good choice only if they are seen as a long-term strategic solution for the group’s corporate privacy program.
- No self-certification. Unlike the (now invalidated) Privacy Shield, BCRs are not a self-certification mechanism and their approval process involves a lot of scrutiny by the Supervisory Authorities.
How does the Schrems II decision affect BCRs?
One of the main questions raised after Schrems II was whether the decision also applies in the context of BCRs. It is true that the decision focused on the Privacy Shield and the SCCs and did not directly touch upon BCRs. However, its finding that U.S. law is excessively intrusive on the fundamental rights of data subjects is something that applies to all transfer mechanisms.
For this reason, many believe that, in light of the decision, the use of BCRs also requires performing a case-by-case analysis and potentially putting in place additional measures before transferring personal data originating in the EU under approved BCRs. The EDPB in its “Frequently Asked Questions” document on the Schrems II judgement also takes this approach.
However, many argue that the process to obtain BCRs, which involves privacy regulators at every single step, is fundamentally different than what is required for SCCs and therefore there is not the same need to take additional steps under the BCRs to account for the Schrems II decision. The contrary would undermine the key advantage of the BCRs, namely, the possibility they provide for the creation of a transcontinental zone for the free circulation of personal data within an organization.
Since the Privacy Shield did not survive the scrutiny of the Court and more prerequisites were added to the use of SCCs, BCRs are still considered the “golden standard” for international transfers of data. However, they come with the important disadvantage of a lengthy, complex and costly approval process. On top of this, the Schrems II decision could mean that even companies with approved BCRs need to perform a case-by-case analysis before transferring the data outside the EEA. If this turns out to be true, BCRs would become a less flexible and efficient instrument. Perhaps it is time for the EDPB to address the matter and provide valuable guidance to the companies interested.