On 12 February 2019, the European Data Protection Board ("EDPB") adopted an information note on Binding Corporate Rules ("BCRs") for companies that have the Information Commissioner's Office ("ICO") as their Lead Supervisory Authority for BCRs.
In this note, the EDPB advises that in the event of a no-deal Brexit:
- Groups headquartered in the UK wishing to apply for BCRs should identify the most appropriate BCR Lead Supervisory Authority in an EU Member State.
- Groups for which BCRs are at the review stage by the ICO need to identify a new BCR Lead Supervisory Authority. The new BCR Lead Supervisory Authority will take over the application and formally initiate a new procedure at the time of a no deal Brexit.
- If a draft ICO decision for approving BCRs is pending before the EDPB at the time of a no-deal Brexit, the Group needs to identify a new BCR Lead Supervisory Authority. The new BCR Lead will take over and re-submit a draft decision for the approval the BCRs to the EDPB.
- Authorised BCR holders need to identify the new BCR Lead Supervisory Authority.
Each of these determinations are to be made in accordance with the BCR criteria set down in the relevant Article 29 Working Party paper (which our team would be happy to share with interested parties).
The EDPB confirms that in the above scenarios the Supervisory Authority that may be approached to act as the new BCR Lead Supervisory Authority will consider in cooperation with other concerned Supervisory Authorities whether it is the appropriate BCR Lead Supervisory Authority on a case-by-case basis and inform the Group accordingly.
In light of the above, it is timely to remind ourselves of BCRs and their benefits. BCRs are a legally binding internal code of conduct that govern transfers of personal data from a Group's European Economic Area (the "EEA") entities to that same Group's non-EEA entities (i.e. located in "Third Countries"). To be effective, BCRs require advance approval by the relevant data protection Supervisory Authorities with the EU. Adoption of BCRs can provide organisations with a stable, reliable and effective mechanism to transfer personal data from and between Group entities within the EEA and Third Countries.
Why adopt BCRs now?
- Brexit The implications of the UK's vote to leave the EU are not certain and the nature of Brexit remains unclear. If the UK leaves the EU on the basis of a negotiated agreement, there will be no immediate disruption to personal data flows between Ireland and the UK following the withdrawal date. Instead, there will be a transition period up to 31st December 2020 during which the UK will continue to be subject to EU law (including EU data protection laws), and personal data will be able to flow between Ireland and the UK without the need for additional safeguards, such as EU-approved standard contractual clauses ("Model Clauses"). Should there be a no-deal Brexit, there will be a requirement for personal data transfers from the EU to the UK to be in full compliance with the GDPR. While the use of Model Clauses provide one solution in such circumstances, organisations engaged in significant levels of intra-group personal data transfers between the EU and UK might consider BCRs as a longer term means of ensuring the legal transfer of personal data post-Brexit. Further guidance on data transfers in the context of Brexit is set out in our earlier briefing.
- Long term savings While there are upfront costs in creating and implementing BCRs, long-term savings could be realised as compared to maintaining Model Clauses over a number of years with a variety of different processors and controllers. BCRs remove the need to prepare and enter into separate data transfer agreements for international intra-group data transfers.
- Uncertainty for Model Clauses In recent years the validity of Model Clauses has been called into question. While organisations may still continue to use, and rely upon, Model Clauses until a ruling from the CJEU (which is not expected until 2021), BCRs are a worthwhile alternative investment.
- Flexibility BCRs are drafted to reflect an organisation's intra-group data sharing and therefore, can be tailored to allow for flexibility within the relevant Group. This offers an advantage over the more rigid Model Clauses. A well-drafted set of BCRs can form the basis of Group data transfers for a number of years.
- Leverage GDPR project and build positive relationships with regulators The welcome effect of the time and resources spent on intensive GDPR projects is the increased awareness across the organisation of data privacy and security issues. GDPR preparatory work can be leveraged into the development of BCRs. The audits and training involved in the BCRs can further help to raise awareness of GDPR requirements across the Group.
The adoption and approval of a set of BCRs for a large organisation will be seen as good privacy PR in a global climate where data subjects are increasingly querying the use and location of their personal data. We work with clients to develop a roadmap outlining the steps involved in the BCR application process. During the process we work closely with those responsible for data protection within the Group and with the relevant Lead Supervisory Authority in order to manage efficiently the BCR application process through to successful regulatory approval.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.