Following the European Court of Justice (ECJ) Advocate General's opinion that the Safe Harbor agreement is "invalid" due to U.S. law enforcement access to EU citizen data, it doesn't seem too far a stretch to imagine companies worried about the future of Safe Harbor may start looking for alternatives, namely, binding corporate rules (BCRs).
Even before the advocate general's opinion, BCRs were becoming an increasingly attractive data transfer mechanism—70 firms have completed the process thus far—partly because the framework closely maps to APEC's cross-border privacy rules, so many organizations are obtaining the two in concert and increasing the geographic borders within which their organization's data may travel.
Advocate general opinions aren't binding but are followed by the ECJ about 85 percent of the time. If that has you worried about the future legality of Safe Harbor, here is a roundup of the IAPP's coverage of BCRs that may prove helpful in determining whether the mechanism is right for your organization and what to expect of the process.
- Morrison Foerster's Lokke Moerel opines on how BCRs for processors will function in the EU's drafted General Data Protection Regulation.
- The UK ICO approves CA Technologies for BCRs, making it one of the first tech companies to receive approval.
- Fieldfisher's Phil Lee, CIPP/E, opines on how the Article 29 Working Party's guidance on processor BCRs may put companies in a catch-22.
- Jay Wholley III, CIPP/US, reports from a session at the IAPP Global Privacy Summit 2015 on whether you're ready for BCRs.
Look for continuing coverage and analysis of the BCR process from the IAPP Publications Team.
If you want to comment on this post, you need to login.