Greetings from Brussels!
Binding corporate rules seem to be making waves of late. I’ve noted a number of IAPP KnowledgeNets recently in which BCRs were the core theme. For myself, I was a speaker and panelist this week on a webinar co-organized by the London-based international consultancy Ankura and law firm McDermott Will & Emery on BCRs in 2020 and beyond.
Why the rekindled interest? There seem to be at least two key drivers for this new focus. On the one hand, there is the forthcoming "Schrems II" ruling by the Court of Justice of the European Union set for 16 July, which will impact how organizations lawfully transfer personal data from the broader EEA to jurisdictions not providing an adequate level of data protection in line with the GDPR. The ruling will specifically address the validity of the European Commission’s standard contractual clauses, and it may also affect operations under the EU-U.S. Privacy Shield mechanism. This leads to a palpable uncertainty or at least an anxious unease that international companies need to evaluate and monitor for the purposes of their data transfers.
A second catalyst is, of course, Brexit, which comes into effect one way or another at the end of the year. In the event of a no-deal Brexit where the U.K. ICO no longer has a role in the BCR community, companies that either have or are applying for BCRs via the U.K. would need to identify an appropriate replacement lead supervisory authority in an EU member state. The specifics as communicated by the European Data Protection Board can be found in its information note from February of this year.
If I am not mistaken, as of 25 May, there were 196 companies availing of BCRs, which is up by 65 companies from the same time last year — a significant increase. In talking to some sources either in or close to the supervisory agencies, my understanding is that the levels of BCR inquiries and new BCR applications are experiencing considerable bumps presently. Notably, this may well be supported by the Brexit situation, as the ICO to date has been one of the more prolific and experienced DPAs in the field. For example, almost 90 BCRs were approved under the directive pre-GDPR regime, all of which will require a GDPR update, including an annual update report, to the concerned lead supervisory authority — 30% of those cases were led by the ICO.
The BCR process is arduous, time-consuming and relatively costly for companies. As an intercompany group mechanism for data transfers, arguably there is a heavy emphasis on doing the necessary due diligence and consultation with group subsidiaries and entities before commencing any application work. Furthermore, and as advised to me by supervisory sources, it is important that organizations also seek a consultation with the regulatory authorities on feasibility and application prior to any undertakings.
To be fair, it is a given that the wealth of expertise and knowledge concerning BCRs resides primarily within and across the regulatory community. Moreover, if one is considering BCRs, identifying a lead supervisory authority is a critical component and bound by stringent criteria as laid out in the WP 263 BCR guidance. An eventual decision on a lead authority is subject to agreement by concerned DPAs.
Given their robustness, BCRs are often referred to as the gold standard of international data protection compliance. Arguably, some would say, they are the optimal answer to an increasing global complexity associated with SCCs over time. I am led to believe there will be numerous EDPB BCR approvals in the coming months, and at least for now, it seems a space to keep eyes on.