EU Provides Additional Guidance for Binding Corporate Rules to Permit Cross-Border Data Transfer
The European Union’s Article 29 Working Party, the group responsible for administration of the Binding Corporate Rules (BCRs), has recently updated its BCR Guidance. The documents constituting this update include a checklist setting forth the required elements of the BCRs, and a framework for the structure of BCRs that can serve as a template. In addition, the Working Party issued a set of FAQs based upon the experience of the Data Protection Authorities with applications made for approval of BCRs, and inquiries received by them for interpretation of the EU documents authorizing the use of the BCRs, WP 74 and WP 108.
European Union data protection laws restrict the transfer of personal data of residents of EU member countries to countries whose data privacy regimes have been judged by the EU as providing inadequate protection. The countries that the EU has deemed to provide adequate protection constitute a short list. As a result, the EU has approved alternative solutions for data transfers to countries that are not on the “adequate protection list”, including the United States. Data controllers in the United States must either utilize the Safe Harbor Protection designation negotiated by the US Department of Commerce and approved by the EU, or provide the necessary protections contractually, or use Article 29 Working Party-approved BCRs for transfers only within a corporate group.
Originally adopted in 2003, the BCRs permit a multinational company, with companies in its corporate family operating in multiple EU member states, to adopt “codes of conduct for international transfers” of personal data between or among the various companies within the corporate family. Companies that wish to transfer personal data of customers or employees to their headquarters in the US or in another EU member state without an “adequate protection” designation may find that the use of BCRs provides greater control and flexibility than other options.
The BCRs consist of a set of principles and procedures that create third party beneficiary rights that can be enforced by lodging a complaint before the competent data protection authority and before a competent court. The process for adopting the BCRs involves submitting to the appropriate data protection authority an application for an authorization for an international data transfer; by doing so, the corporate group binds itself vis-à-vis the data protection authority to respect the safeguards adduced (in this case the binding corporate rules). The application should set forth BCRs that are based upon the EU Guidance, but which have been customized to suit the corporate group’s unique structure.
The recently issued documents provide expanded guidance for the creation and approval of BCRs, and the FAQs clarify issues such as whether the BCRs apply to all the personal data processed by the corporate group; which member of the corporate group is liable if a breach of the BCR occurs outside the EU; whether the BCRs should always contain a right for a third party beneficiary/data subject to lodge a complaint with the data protection authority for violation of the BCRs; and whether information about third party beneficiary rights should be made readily available to the data subjects that benefit from it.
If you have any questions about the BCRs or need assistance obtaining approval for cross-border transfers of personal data, please contact a member of the International Services Group.