1. Binding Corporate Rules To Facilitate Intragroup Data Transfer
Personal data is meant to circulate without boundaries inside the European Union (EU). The General Data Protection Regulation1 (GDPR) subjects personal data transfers outside the EU and the European Economic Area to an "adequate level of protection"2 (i.e., equivalent to that of the EU) or to "appropriate safeguards" provided by the controller/processor (the company or administration).3 Two legal mechanisms are usually employed for data transfers when there is no adequacy decision adopted by the Commission: The first is the negotiation of "contractual clauses" between the data exporter and importer to ensure that the latter puts in place the required safeguards; the second are the "Binding Corporate Rules"4 (BCR), which apply to corporate groups.
Contractual clauses must be negotiated on a case-by-case basis and can be lengthy in the case of multinational companies operating throughout the world. While companies can opt for ad hoc clauses subject to the authorization of the competent supervisory authority, in most cases they use standard protection clauses adopted by the Commission.5 In turn, BCRs are unique legal documents adopted after consulting with supervisory authorities, the content of which is specific to the corporate structure of a given group.
BCRs were designed primarily to allow multinational companies to facilitate intragroup transfers without relying on contractual clauses and while committing to comply with the principles set out by the GDPR. Only data transfers between companies and other stakeholders (e.g., suppliers, customers) in third countries remain based on contractual clauses.
Many large companies, including U.S. companies such as Cisco, American Express, Citigroup and General Electric, have already adopted BCRs. In terms of organization, BCRs are supposed to conform group entities located in third countries — which either have less comprehensive privacy legislation than the GDPR or do not have data protection legislation at all — to these rules. The preparation and approval of BCRs takes several months and is subject to the control of the lead data protection authority (the CNIL for France) and several supervisory authorities, including the European Data Protection Board (EDPB), which is made up of representatives from EU Member State supervisory authorities. The advantage of this consultation among supervisory authorities is that it provides the company with a certain degree of comfort as to the adequacy of its BCRs.
2. The Discretion of the Companies in Determining the Scope of the BCR
Every group of companies has significant discretion in determining the scope of the BCRs.
First, a group can choose the subsidiaries that will be bound by the principles and rules contained in the BCRs. This possibility is expressly provided for in the 2018 standard application form6 of the Article 29 Working Party (G29), which was replaced by the EDPB. Therefore, a group of companies that considers adopting BCR does not have to enforce these rules vis-à-vis its subsidiaries located outside of the EU if no transfer of personal data takes place from the EU to these subsidiaries.
Second, while the BCRs apply uniformly within the entities that are part of the group, their enforceability at the group level may differ according to whether the data is subject to the GDPR (i.e., personal data that is subject to EU law and subsequently transferred abroad) or other categories of data (e.g., in the case of data transfers between subsidiaries located in third countries that are not processing personal data of European citizens). The G29 indicated that it is up to companies to choose between two options — namely, to apply the BCRs to all personal data that is:
- Subject to the GDPR (e., mainly data collected within the EU and transferred abroad)
- Transferred within the group worldwide, whether or not the group is subject to the GDPR7
In other words, a group that intends — at least at the initial stage — to exclude the application of the BCRs for intragroup transfers of data not subject to the GDPR can do so. Several companies have indeed done so by narrowing the scope of their BCRs. For example, a company operating in the aviation sector decided to limit the BCR to data that is subject to the GDPR: "[T]he BCR apply to all personal data ... subject to EEA data protection legislation." An international insurance group has adopted a similar approach, stating that "although BCR ... [c]ompanies may have processes required for BCR implemented everywhere, BCR ... [c]ompanies do not provide BCR guarantees for Personal Data that is not subject to a data privacy law in a Regulated Jurisdiction, i.e., which is not transferred from a Regulated Jurisdiction [any jurisdiction, in the EEA and Andorra, Switzerland, Faeroe Islands, Guernsey, Isle of Man and Jersey]."
3. Sharing of Liability Between Group Entities Bound by the BCR
Adopting BCRs has consequences for a group's responsibility to its entities located outside of the EU. In this respect, the G29 stated that a group's EU headquarters or an EU BCR member with delegated responsibilities must accept responsibility for acts committed in violation of BCRs by members outside of the EU.8
However, in some cases it is possible that every BCR member exporting data out of the EU on the basis of these rules will be liable for any breaches by a BCR member established outside of the EU that received data from this EU BCR member. For example, a large insurance company has specific rules for sharing responsibility: According to its BCRs, each group entity shall bear in principle the sole responsibility for the breaches of these rules. However, in some cases, a data exporter may also be liable for any violations committed by a data importer, even if the exporter can seek reimbursement from the importer. This situation is similar to the scenario provided for in the standard contractual clauses, where the exporter and importer of the data are jointly and severally liable for damages resulting from any violation of these clauses.9
Groups of companies have considerable latitude to define the scope of their BCRs. In this respect, they can (i) determine the scope of application of intragroup transfers of personal data; (ii) define, in the event of a violation of the BCRs, a sharing of liability according to their vision of the relations among different entities throughout the world; and (iii) take into account in the BCRs their specific needs with regard to their business model and group structure.
In other words, because BCRs reflect strategic choices, they are the preferable instruments for multinationals.
BCRs are all the more attractive for transfers outside of the EU, as the future of standard contractual clauses (the scope of which is somewhat different from BCRs, while the purpose is similar) is uncertain. Indeed, the Court of Justice of the European Union is expected to rule in July 2019 on the questions referred by the Irish High Court on the validity of the standard contractual clauses adopted by the Commission. This litigation was brought by the Data Protection Commissioner before the Irish High Court after Maximilian Schrems filed a complaint relating to transfer of data to the United States and touching upon the validity of the standard contractual clauses. It remains to be seen whether the Court's judgment, beyond the standard contractual clauses, will impact all data transfers outside of the EU.10
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
2 Article 45 of GDPR.
3 Article 46 of GDPR.
4 Article 47 of GDPR.
5 Commission decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries; Commission decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council.
6 G29, Recommendation on the standard application for approval of controller Binding Corporate Rules for the transfer of personal data, WP264, 11 April 2018, section 4.
7 Ibid., section 2.
8 G29, Working Document on setting a table with the elements and principles to be found in Binding Corporate Rules, WP256 rev.01, 6 February 2018, p. 8.
9 Commission Decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC.
10 The High Court Commercial, The Data Prot. Comm'r v. Facebook Ireland Ltd. & Shrems, [2016 No. 4809 P.].
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.