There has been a lot of discussion on the impact of the Court of Justice of the European Union’s recent “Schrems II” (C-311/18) decision on international transfers of EU personal data. Much of that discussion focused on the EU-U.S. Privacy Shield and standard contractual clauses, until recently two popular methods for securing a legal transfer of EU personal data to recipients in the U.S. There so far has been very little discussion on what the decision in "Schrems II" means for other data transfer methods, such as binding corporate rules.
In its FAQs on “Schrems II,” the European Data Protection Board made it clear the decision also applies to BCRs. The EDPB stated the following:
[quote]"Given the judgment of the Court, which invalidated the Privacy Shield because of the degree of interference created by the law of the U.S. with the fundamental rights of persons whose data are transferred to that third country, and the fact that the Privacy Shield was also designed to bring guarantees to data transferred with other tools such as BCRs, the Court’s assessment applies as well in the context of BCRs, since U.S. law will also have primacy over this tool. Whether or not you can transfer personal data on the basis of BCRs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. These supplementary measures along with BCRs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee. If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However, if you are intending to keep transferring data despite this conclusion, you must notify your competent SA."[/quote]
This echoes the position taken by the Head of the International Data Flows and Protection Unit at the European Commission and the Directorate-General Justice and Consumers during a “Schrems II” panel discussion at the 2019 IAPP Congress in Brussels.
Many will argue the process to obtain BCRs is fundamentally different than what is required for SCCs or even the Privacy Shield and that this should be taken into consideration when considering what additional steps, if any, are required under the BCRs to account for the “Schrems II” decision. It is true the BCR process involves privacy regulators at every single step, from the so-called lead regulator in the country where the BCR application is filed to a second and third reviewer regulator to eventually the regulators in all affected member states. More details on the BCR application and approval process can be found in the WP 263 document by the EDPB.
The interactions with regulators in the BCR application process are frequent, but these interactions focus on the documents submitted for review, and more specifically the draft BCR policy, the application form, the intragroup agreement that makes the BCRs binding on signatory entities, and some additional documents or company policies that are part of the BCR application such as audit plans or training materials. In their review, regulators check the documents against the list of mandatory elements that any BCR needs to have. That list can be found in WP documents 256 and 257 for controllers and processors, respectively. Those WP documents also contain "suggested" language for each of the mandatory elements.
WP documents 256 and 257 predate the “Schrems” decision. Neither document contains a requirement to perform a case-by-case analysis and potentially put in place additional measures before transferring personal data originating in the EU under approved BCRs. Both documents do have a specific reference to access by law enforcement authorities in the country of the recipient. Section 6.3 of WP 256 and WP 257 states " [ ] the BCRs should contain a commitment that where any legal requirement a BCR member is subject to in a third country is likely to have a substantial effect on the guarantees provided by the BCRs, the problem should be reported to the competent Supervisory Authority. This includes any legally binding request for disclosure of the personal data by a law enforcement authority or state security body." Section 6.3 then goes on to detail what the BCR member should do and the role of the supervisory authority.
To the extent publicly available, an examination of two recent EDPB opinions for Tetra Pack and Jotun, as well as some other pending drafts of BCR policies reviewed after the “Schrems” decision, reveal that so far, regulators do not seem to require additional language in the BCRs, over and above the current requirements listed in WP 256 and 257. Under the heading “Final Remarks,” the EDPB opinions in Tetra Pack and Jotun do contain the following general reference to the Schrems decision:
[quote]“In accordance with the judgment of the Court of Justice of the European Union C-311/188, it is the responsibility of the data exporter in a Member State, if needed with the help of the data importer, to assess whether the level of protection required by EU law is respected in the third country concerned, in order to determine if the guarantees provided by BCRs can be complied with in practice, taking into consideration the possible interference created by the third country legislation with the fundamental rights. If this is not the case, [name of applicant] and its Group Companies should assess whether they can provide supplementary measures to ensure an essentially equivalent level of protection as provided in the EU.”[/quote]
The EDPB, of course, can revise WP 256 and 257 and include additional requirements. They could do so, for instance, after the revised SCCs come out. That would be particularly bad news for companies with existing BCRs as these then would need to be amended.
If the EDPB were to revise WP 256 and 257, it would be bound by Article 47(2) of the EU General Data Protection Regulation, which sets out the commitments BCRs must contain. In that list, there is — again — no mention of a case-by-case analysis prior to transfer, as seems to be required by the “Schrems II” decision. The EDPB presumably will argue that the list in Article 47(2) of the GDPR is not exhaustive, as evidenced by the use of the words "at least" in the text. The current "suggested" wording in WP 256 and 257 already deviates from Article 47(2) of the GDPR, adding a requirement for a case-by-case analysis would be another deviation. To the best of our knowledge, the reading of the EDPB of Article 47(2) of the GDPR has not yet been tested in a court of law.
Let there be no doubt, however, on the impact of “Schrems II” on BCRs. Even if the EDPB decides to keep WP 256 and 257 as is, it is clearly the position of the EDPB that “Schrems II” applies to BCRs. ... That means companies that transfer personal data originating from the EU under the BCRs may need to perform a transfer impact assessment and put in place additional safeguards in the same manner as companies that are relying on SCCs for their data transfers.
Let there be no doubt, however, on the impact of “Schrems II” on BCRs. Even if the EDPB decides to keep WP 256 and 257 as is, it is clearly the position of the EDPB that “Schrems II” applies to BCRs. The above-cited wording of the EDPB opinions approving the BCRs of Tetra Pack and Jotun makes this crystal clear. That means companies that transfer personal data originating from the EU under the BCRs may need to perform a transfer impact assessment and put in place additional safeguards in the same manner as companies that are relying on SCCs for their data transfers. This potentially undermines one of the key reasons why companies opt for BCRs in the first place, namely, to create a transcontinental zone within their organization within which data can be freely transferred, subject of course to the BCR policy.
The BCR process is lengthy, complex and costly in terms of in-house resources and outside legal spending. It remains to be seen whether in-house lawyers will continue to engage in this process if they need to perform a case-by-case analysis even with approved BCRs.
Hopefully, the much-anticipated guidance from the EDPB will address this issue and come up with suggested approaches that help maintain BCRs as the efficient and flexible instrument that they currently are.
Photo by Elena Mozhvilo on Unsplash