There has been a lot of discussion on the impact of the Court of Justice of the European Union’s recent “Schrems II” (C-311/18) decision on international transfers of EU personal data. Much of that discussion focused on the EU-U.S. Privacy Shield and standard contractual clauses, until recently two popular methods for securing a legal transfer of EU personal data to recipients in the U.S. There so far has been very little discussion on what the decision in "Schrems II" means for other data transfer methods, such as binding corporate rules.
In its FAQs on “Schrems II,” the European Data Protection Board made it clear the decision also applies to BCRs. The EDPB stated the following:
This echoes the position taken by the Head of the International Data Flows and Protection Unit at the European Commission and the Directorate-General Justice and Consumers during a “Schrems II” panel discussion at the 2019 IAPP Congress in Brussels.
Many will argue the process to obtain BCRs is fundamentally different from what is required for SCCs or even the Privacy Shield and that this should be taken into account when considering what additional steps, if any, are required under the BCRs to account for the “Schrems II” decision. It is true the BCR process involves privacy regulators at every single step, from the so-called lead regulator in the country where the BCR application is filed to a second and third reviewer regulator to eventually the regulators in all affected member states. More details on the BCR application and approval process can be found in the WP 263 document by the EDPB.
The interactions with regulators in the BCR application process are frequent, but these interactions focus on the documents submitted for review, and more specifically the draft BCR policy, the application form, the intragroup agreement that makes the BCRs binding on signatory entities, and some additional documents or company policies that are part of the BCR application such as audit plans or training materials. In their review, regulators check the documents against the list of mandatory elements that any BCR needs to have. That list can be found in WP documents 256 and 257 for controllers and processors, respectively. Those WP documents also contain "suggested" language for each of the mandatory elements.
WP documents 256 and 257 predate the “Schrems” decision. Neither document contains a requirement to perform a case-by-case analysis and potentially put in place additional measures before transferring personal data originating in the EU under approved BCRs. Both documents do have a specific reference to access by law enforcement authorities in the country of the recipient. Section 6.3 of WP 256 and WP 257 states "[...] the BCRs should contain a commitment that where any legal requirement a BCR member is subject to in a third country is likely to have a substantial effect on the guarantees provided by the BCRs, the problem should be reported to the competent Supervisory Authority. This includes any legally binding request for disclosure of the personal data by a law enforcement authority or state security body." Section 6.3 then goes on to detail what the BCR member should do and the role of the supervisory authority.
To the extent publicly available, an examination of two recent EDPB opinions for Tetra Pak and Jotun, as well as some other pending drafts of BCR policies reviewed after the “Schrems” decision, reveals that so far, regulators do not seem to require additional language in the BCRs, over and above the current requirements listed in WP 256 and 257. Under the heading “Final Remarks,” the EDPB opinions in Tetra Pak and Jotun do contain the following general reference to the Schrems decision:
The EDPB, of course, can revise WP 256 and 257 and include additional requirements. They could do so, for instance, after the revised SCCs come out. That would be particularly bad news for companies with existing BCRs as these then would need to be amended.
If the EDPB were to revise WP 256 and 257, it would be bound by Article 47(2) of the EU General Data Protection Regulation, which sets out the commitments BCRs must contain. In that list, there is — again — no mention of a case-by-case analysis prior to transfer, as seems to be required by the “Schrems II” decision. The EDPB presumably will argue that the list in Article 47(2) of the GDPR is not exhaustive, as evidenced by the use of the words "at least" in the text. The current "suggested" wording in WP 256 and 257 already deviates from Article 47(2) of the GDPR; adding a requirement for a case-by-case analysis would be another deviation. To the best of our knowledge, the EDPB's reading of Article 47(2) of the GDPR has not yet been tested in a court of law.
Let there be no doubt, however, on the impact of “Schrems II” on BCRs. Even if the EDPB decides to keep WP 256 and 257 as is, it is clearly the position of the EDPB that “Schrems II” applies to BCRs. The above-cited wording of the EDPB opinions approving the BCRs of Tetra Pak and Jotun makes this crystal clear. That means companies that transfer personal data originating from the EU under the BCRs may need to perform a transfer impact assessment and put in place additional safeguards in the same manner as companies that are relying on SCCs for their data transfers. This potentially undermines one of the key reasons why companies opt for BCRs in the first place, namely, to create a transcontinental zone within their organization in which data can be freely transferred, subject of course to the BCR policy.
The BCR process is lengthy, complex and costly in terms of in-house resources and outside legal spending. It remains to be seen whether in-house lawyers will continue to engage in this process if they need to perform a case-by-case analysis even with approved BCRs.
Hopefully, the much-anticipated guidance from the EDPB will address this issue and come up with suggested approaches that help maintain BCRs as the efficient and flexible instrument that they currently are.