News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Tracker Privacy Tracker

Alerts and legal analysis of legislative trends

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Member Directory Privacy List Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 Member Directory

Locate and network with fellow privacy professionals using this peer-to-peer directory.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Sample Questions Train Your Staff Official Training Partners Web Conferences
European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 GDPR Training

Learn the legal, operational and compliance requirements of the EU regulation and its global influence.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 CIPP/E + CIPM = GDPR Ready CIPP/E + CIPM = GDPR Ready

The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for GDPR readiness. Learn more today.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy and Consumer Trust Report

This report shines a light on what consumers around the globe think about privacy and the companies that collect, hold and use their data.
IAPP-EY Annual Governance Report 2022

This year’s governance report goes back to the foundations of governance, exploring “the way that organizations are managed, and the systems for doing this."
Privacy and AI Governance Report

This report explores the state of AI governance in organizations and its overlap with privacy management.

US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
US Federal Privacy Legislation Tracker

This tracker organizes the privacy-related bills proposed in Congress to keep our members informed of developments within the federal privacy landscape.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
International Data Transfers

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources related to international data transfers.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
Privacy Vendor Marketplace

Use the Vendor Demo Center, Privacy Vendor List and Privacy Tech Vendor Report to easily identify privacy products and services to support your work.
Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the country’s privacy field deliver insights, discuss trends, offer predictions and share best practices.

Data Protection Intensive: Nederland Data Protection Intensive: Nederland

Hear expert speakers address the latest developments in data protection globally and in the Netherlands.

 Asia Privacy Forum Asia Privacy Forum

See top experts discuss the critical privacy issues and regulations impacting businesses across Asia.

 Data Protection Intensive: Deutschland Data Protection Intensive: Deutschland

Join DACH-region data protection professionals for practical discussions of issues and solutions. Presented in German and English.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. 2023 is the place for speakers, workshops and networking focused on the intersection of privacy and technology.

Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts predict the evolving landscape and give insights into best practices for your privacy programme.

IAPP ANZ Summit IAPP ANZ Summit

Gain exclusive insights about the ever-changing data privacy landscape in ANZ and beyond.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

 ANZ Members

Review current member benefits available to Australia and New Zealand members
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | BCRs after ‘Schrems II’ decision: A first analysis Related reading: What to expect on revised standard contractual clauses

rss_feed

""

""

""

There has been a lot of discussion on the impact of the Court of Justice of the European Union’s recent “Schrems II” (C-311/18) decision on international transfers of EU personal data. Much of that discussion focused on the EU-U.S. Privacy Shield and standard contractual clauses, until recently two popular methods for securing a legal transfer of EU personal data to recipients in the U.S. There so far has been very little discussion on what the decision in "Schrems II" means for other data transfer methods, such as binding corporate rules.

In its FAQs on “Schrems II,” the European Data Protection Board made it clear the decision also applies to BCRs. The EDPB stated the following:

format_quote"Given the judgment of the Court, which invalidated the Privacy Shield because of the degree of interference created by the law of the U.S. with the fundamental rights of persons whose data are transferred to that third country, and the fact that the Privacy Shield was also designed to bring guarantees to data transferred with other tools such as BCRs, the Court’s assessment applies as well in the context of BCRs, since U.S. law will also have primacy over this tool. Whether or not you can transfer personal data on the basis of BCRs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. These supplementary measures along with BCRs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee. If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However, if you are intending to keep transferring data despite this conclusion, you must notify your competent SA."

This echoes the position taken by the Head of the International Data Flows and Protection Unit at the European Commission and the Directorate-General Justice and Consumers during a “Schrems II” panel discussion at the 2019 IAPP Congress in Brussels. 

Many will argue the process to obtain BCRs is fundamentally different than what is required for SCCs or even the Privacy Shield and that this should be taken into consideration when considering what additional steps, if any, are required under the BCRs to account for the “Schrems II” decision. It is true the BCR process involves privacy regulators at every single step, from the so-called lead regulator in the country where the BCR application is filed to a second and third reviewer regulator to eventually the regulators in all affected member states. More details on the BCR application and approval process can be found in the WP 263 document by the EDPB. 

The interactions with regulators in the BCR application process are frequent, but these interactions focus on the documents submitted for review, and more specifically the draft BCR policy, the application form, the intragroup agreement that makes the BCRs binding on signatory entities, and some additional documents or company policies that are part of the BCR application such as audit plans or training materials. In their review, regulators check the documents against the list of mandatory elements that any BCR needs to have. That list can be found in WP documents 256 and 257 for controllers and processors, respectively. Those WP documents also contain "suggested" language for each of the mandatory elements. 

WP documents 256 and 257 predate the “Schrems” decision. Neither document contains a requirement to perform a case-by-case analysis and potentially put in place additional measures before transferring personal data originating in the EU under approved BCRs. Both documents do have a specific reference to access by law enforcement authorities in the country of the recipient. Section 6.3 of WP 256 and WP 257 states " [ ] the BCRs should contain a commitment that where any legal requirement a BCR member is subject to in a third country is likely to have a substantial effect on the guarantees provided by the BCRs, the problem should be reported to the competent Supervisory Authority. This includes any legally binding request for disclosure of the personal data by a law enforcement authority or state security body." Section 6.3 then goes on to detail what the BCR member should do and the role of the supervisory authority.

To the extent publicly available, an examination of two recent EDPB opinions for Tetra Pack and Jotun, as well as some other pending drafts of BCR policies reviewed after the “Schrems” decision, reveal that so far, regulators do not seem to require additional language in the BCRs, over and above the current requirements listed in WP 256 and 257. Under the heading “Final Remarks,” the EDPB opinions in Tetra Pack and Jotun do contain the following general reference to the Schrems decision:

format_quote“In accordance with the judgment of the Court of Justice of the European Union C-311/188, it is the responsibility of the data exporter in a Member State, if needed with the help of the data importer, to assess whether the level of protection required by EU law is respected in the third country concerned, in order to determine if the guarantees provided by BCRs can be complied with in practice, taking into consideration the possible interference created by the third country legislation with the fundamental rights. If this is not the case, [name of applicant]  and its Group Companies should assess whether they can provide supplementary measures to ensure an essentially equivalent level of protection as provided in the EU.”

The EDPB, of course, can revise WP 256 and 257 and include additional requirements. They could do so, for instance, after the revised SCCs come out. That would be particularly bad news for companies with existing BCRs as these then would need to be amended.

If the EDPB were to revise WP 256 and 257, it would be bound by Article 47(2) of the EU General Data Protection Regulation, which sets out the commitments BCRs must contain. In that list, there is — again — no mention of a case-by-case analysis prior to transfer, as seems to be required by the “Schrems II” decision. The EDPB presumably will argue that the list in Article 47(2) of the GDPR is not exhaustive, as evidenced by the use of the words "at least" in the text. The current "suggested" wording in WP 256 and 257 already deviates from Article 47(2) of the GDPR, adding a requirement for a case-by-case analysis would be another deviation. To the best of our knowledge, the reading of the EDPB of Article 47(2) of the GDPR has not yet been tested in a court of law.

Let there be no doubt, however, on the impact of “Schrems II” on BCRs. Even if the EDPB decides to keep WP 256 and 257 as is, it is clearly the position of the EDPB that “Schrems II” applies to BCRs. ... That means companies that transfer personal data originating from the EU under the BCRs may need to perform a transfer impact assessment and put in place additional safeguards in the same manner as companies that are relying on SCCs for their data transfers.

Let there be no doubt, however, on the impact of “Schrems II” on BCRs. Even if the EDPB decides to keep WP 256 and 257 as is, it is clearly the position of the EDPB that “Schrems II” applies to BCRs. The above-cited wording of the EDPB opinions approving the BCRs of Tetra Pack and Jotun makes this crystal clear. That means companies that transfer personal data originating from the EU under the BCRs may need to perform a transfer impact assessment and put in place additional safeguards in the same manner as companies that are relying on SCCs for their data transfers. This potentially undermines one of the key reasons why companies opt for BCRs in the first place, namely, to create a transcontinental zone within their organization within which data can be freely transferred, subject of course to the BCR policy.

The BCR process is lengthy, complex and costly in terms of in-house resources and outside legal spending. It remains to be seen whether in-house lawyers will continue to engage in this process if they need to perform a case-by-case analysis even with approved BCRs.

Hopefully, the much-anticipated guidance from the EDPB will address this issue and come up with suggested approaches that help maintain BCRs as the efficient and flexible instrument that they currently are.   

Photo by Elena Mozhvilo on Unsplash

GDPR Genius

This interactive tool provides IAPP members ready access to critical EU General Data Protection Regulation resources — enforcement precedent, interpretive guidance, expert analysis and more — all in one location.

View Here

European Data Protection Law and Practice, Second Edition

European Data Protection reviews concepts, criteria and obligations of the GDPR and related laws, examines the territorial and material scope of the GDPR, legitimate processing criteria, information provision obligations, data subjects’ rights, security of processing, accountability requirements, and supervision and enforcement. The book also provides practical concepts concerning the protection of personal data and cross-border data transfers.

Print version | Digital version


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Author
Headshot Jetty Tielemans IAPP Member Contributor
Tags
Europe
Transborder Data Flow
2 Comments

If you want to comment on this post, you need to login.

  • comment Christian Drechsler • Oct 29, 2020 
    Interesting reading. I agree. If companies indeed start to shy away from filing for BCRs as a consequence of Schrems II that would certainly be a set-back for the regulators and the GDPR itself since the both promote self-regulatory measures.
  • comment Damyan Todorov • Nov 12, 2020 
    Thank you for this article.
Related Stories
CJEU throws wrinkle into EU-UK adequacy talks
The Court of Justice of the European Union continues to make things interesting in the data protection world. First came the court's "Schrems II" decision last July, and this week, the CJEU issued a ruling that could spring a leak and potentially sink adequacy negotiations between the U.K. and EU. ...
Read More queue Save This
Using SCCs post-'Schrems II': Guidance from DPAs
If you are one of the thousands of companies that exports data from the EU to the U.S. or to another third country that lacks an adequacy decision using standard contractual clauses, are you permitted to continue doing so, following the Court of Justice of the European Union’s ruling in the "Schrems...
Read More queue Save This

""

GDPR Genius

This interactive tool provides IAPP members ready access to critical EU General Data Protection Regulation resources — enforcement precedent, interpretive guidance, expert analysis and more — all in one location.

View Here

European Data Protection Law and Practice, Second Edition

European Data Protection reviews concepts, criteria and obligations of the GDPR and related laws, examines the territorial and material scope of the GDPR, legitimate processing criteria, information provision obligations, data subjects’ rights, security of processing, accountability requirements, and supervision and enforcement. The book also provides practical concepts concerning the protection of personal data and cross-border data transfers.

Print version | Digital version

Related Stories
Tags
Europe
Transborder Data Flow
Recent Comments