Keywords: binding corporate rules, BCRs, personal data, data transfer, European economic area, European data protection

Data processors are now able to apply to use Binding Corporate Rules (BCRs) in order to move personal data outside of the European Economic Area while complying with European data protection legislation instead of having to implement and maintain sophisticated networks of data transfer contracts in the form of the standard contractual clauses approved by the European Commission.

The European data protection authorities convened together as the Article 29 Working Party (WP29) have announced that, as of 1 January 2013, data processors will be able to apply to a single lead data protection authority for approval to use Binding Corporate Rules in the same way as data controllers are able to. As a result, processors of personal data (e.g. IT outsourcing providers, data centre providers etc) will be able to receive personal data from their data controller clients and then transfer it while complying with the European rules on data protection. The lead data protection authority will take steps to liaise with the other European data protection authorities to obtain mutual recognition of a processor's BCRs throughout Europe.

This will be welcome news to both processors and controllers alike, particularly those that undertake large-scale international data transfers who will no longer have to negotiate complicated data protection safeguards for every processing activity where the receiving party in question has implemented BCRs. Controllers will be able to demonstrate to their stakeholders and data protection authorities that their processing activities comply with European data protection law by working with processors that have already implemented approved BCRs.

Read a copy of the WP29 press release announcing this launch.

Originally published 9 January 2013

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2013. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.