In my recent foray into information technology ("IT") laws, with a specific focus on European IT laws, I have had an opportunity to delve into data protection laws and how they play out in trans-continental transactions. In future posts, I will talk about the GDPR and Schrems I and Schrems II decisions of the Court of Justice of the European Union ("CJEU"). However, in this post, I want to talk about the "Codes of Conduct for Data Transfer".
On July 7, 2021, the European Data Protection Board ("EDPB") published draft guidelines on codes of conduct for personal data transfers for consultation. These guidelines complement the EDPB's earlier guidelines on codes of conduct and monitoring bodies. The EDPB has invited comments and consultations from interested parties until October 1, 2021.
The guidelines focus on the requirements for a code of conduct to be approved as a legal mechanism for transferring personal data outside the European Economic Area ("EEA") to third countries that do not provide an adequate level of data protection (India happens to be on this list of countries). They emphasize that such a code of conduct can be used to cover multiple transfers between companies belonging to the same sector and/or carrying out similar processing activities.
Pursuant to Articles 40(3) and 46(2)(e) GDPR, controllers or processors in the EEA ("data exporters") can lawfully transfer personal data to controllers or processors outside the EEA ("data importers") that adhere to an approved code of conduct. The guidelines clarify that for the transfer to be lawful, it is sufficient that the data importer adheres to the code; the data exporter does not have to adhere to the code.
A valid transfer code of conduct must impose obligations on the data importer to ensure that personal data remains "adequately protected in line with the requirements of Chapter V GDPR" when transferred outside the EEA. This entails, among other things, establishing appropriate safeguards that include:
- the essential principles and main requirements of the GDPR; and
- guarantees specific to the context of the transfer.
The guidelines provide a checklist of minimum elements that a transfer code must include, which may need to be supplemented with additional commitments and measures in certain cases, depending on the transfer scenario. Among others, a valid transfer code of conduct must:
- grant third-party beneficiary rights to data subjects and data exporter(s);
- grant data subjects the right to:
  - bring claims/complaints directly against a data importer for violations of the code before EEA courts or the supervisory authority of the data subject's country of habitual residence;
  - bring claims/complaints indirectly against a data exporter for a data importer's violation of the code before EEA courts and/or the supervisory authority of the data exporter's country of establishment or the data subject's country of habitual residence; and
  - be represented by a not-for-profit body, organization or association when bringing such claims/complaints.
- require the data importer to:
  - notify the data exporter and the supervisory authority of the data exporter about any "detected violation" of the code and any corrective measures taken by the monitoring body in response to that violation; and
  - warrant that, at the time of acknowledging its adherence to the code, it has no reason to believe that the laws applicable to the processing of personal data in the third country of transfer prevent it from fulfilling its obligations under the code, and to implement (where necessary and in coordination with the data exporter) supplementary measures to ensure the required level of protection under EEA law.
Binding Nature of the Code
The guidelines mention that codes of conduct can only serve as a legitimate transfer mechanism if the data importer has undertaken "binding and enforceable commitments" to comply with the obligations set forth by the code via contractual or other legally binding instruments. These commitments must have a binding and enforceable nature in accordance with EU law.
According to the guidelines, taking such commitments by contract may be the most straightforward solution to satisfy this requirement. The guidelines mention the following two examples of how to establish these commitments via contract:
- inserting a clause in an existing contract signed between the data exporter and the data importer (e.g., a master service agreement or an Article 28 data processing agreement) requiring the data importer to commit to comply with the code of conduct; or
- creating a separate model contract which includes the data importer's commitment to comply with the code and which the data importer (adherent to the code) must sign with the data exporter.
The guidelines also outline the adoption process for a transfer code of conduct. In sum, parties submitting a code for approval must obtain:
- a draft decision from the competent supervisory authority approving the code;
- a favorable opinion from the EDPB; and
- an implementing decision by the European Commission giving general validity to the code.
The guidelines clarify that the body responsible for monitoring data importers' compliance with the code can be an entity located outside the EEA, provided it has an establishment in the EEA.
The guidelines appear to be part of the EDPB's broader response to the Schrems II decision issued by the CJEU, which invalidated the EU-US Privacy Shield framework, as well as a response to some industry initiatives to create codes of conduct for transfers. The approval of codes of conduct for transfers would broaden the spectrum of tools available to lawfully transfer personal data outside the EEA, which currently is limited to:
- standard contractual clauses;
- binding corporate rules (for intra-company transfers); or
- derogations under Article 49 GDPR.
The EDPB announced that it will provide further guidance to clarify the application of the minimum elements of a transfer code. The team at Covington will continue to monitor developments in this space.
Originally published 13 August, 2021
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.