What are Binding Corporate Rules designed to achieve?
Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of the EEA in compliance with the 8th data protection principle and Article 25 of Directive 95/46/EC.
Applicants must demonstrate that their BCRs put in place adequate safeguards for protecting personal data throughout the organisation in line with the requirements of the Article 29 Working Party papers on Binding Corporate Rules (see below).
How do I get authorisation for my BCRs?
The procedure is designed to avoid you having to approach each individual data protection authority separately.
You need to choose a data protection authority (DPAs) to be a lead authority. Your choice of lead authority depends on the location of the EU headquarters of your company or the location within Europe of that part of your company best placed to take responsibility for global data protection compliance. Detailed criteria as to choice of lead authority are set out in Working Party papers (see below).
If the lead authority is satisfied as to the adequacy of the safeguards put in place in your BCRs, that authority circulates the draft BCRs to the other DPAs in Europe from which you need an authorisation. The lead DPA communicates any comments received to you. The role of the lead data protection authority is to facilitate the authorisation process.
When submitting an application, you should use Working Party paper 133, which is an application form based on WP 108, or you can put together your own application. We and other DPAs strongly recommend that you use WP133 – see below.
It is important to note that BCRs do not provide a basis for transfers made outside the group.
What are the benefits of BCRs compared with other ways of satisfying the 8th Data Protection Principle?
The main advantage of BCRs over other means of providing adequate safeguards is that, once developed and operational, BCRs can provide a framework for a variety of intra-group transfers to meet your organisation’s requirements. You will have an ongoing obligation to monitor your compliance with your BCRs. This will include regular audits and a requirement to maintain a training programme for staff handling personal data.
The BCRs should also help you to address privacy concerns and raise awareness of data protection within your organisation. This is because you will need to consider the type of personal data you are transferring, and how you will make staff aware of and respect the rules when you are preparing your application. An essential part of the authorisation process is the requirement for the applicant to demonstrate how staff in affiliates in third countries are made aware of the implications of processing personal data transferred from the EEA for example, through its staff training programmes.
Provided your BCRs are drafted widely enough, they should be able to accommodate changes in your company structure and some variation in the types of data flow. You do not need to tell the DPAs which have given authorisations if company changes don’t affect the authorisation. BCRs therefore allow for significant flexibility.
However, if you make changes to your company or the data flows that go beyond the scope of the authorisations, you will have to reapply for authorisation for all or part of your processing.
Another solution available to multinationals as a means of putting in place adequate safeguards is the use of the model contract clauses authorised by the European Commission. However, there are drawbacks with the use of contracts, particularly in multinational companies with complex structures, because sometimes hundreds of contracts are required to cover transfers between all affiliates. The task of making sure that contracts are kept up to date to keep pace with the changing corporate structure can also be difficult and time consuming.
The extent to which individual DPAs will permit the adaptation of the model contracts to allow for multi-party as opposed to bilateral arrangements also varies from one DPA to another limiting the scope for companies to reduce the number of contracts required. There are also situations in which model contracts cannot be used, for example, where the organisation is only one legal entity.
Despite the fact that the model clauses have been approved for use by the European Commission, in some countries there is still a requirement for exporting data controllers to go through a form of authorisation process which can also be time consuming.
Another option open to data controllers is the Safe Harbor scheme, but this is limited to transfers to the US and also does not include certain sectors, such as financial services.
In the UK, the 8th data protection principle allows you to make your own assessment of adequacy but this, of course, is of limited use if you are a multinational company that also transfers personal data from other parts of the EEA.
Do other DPAs support the concept of BCRs?
A number of DPAs promote BCRs and over time we anticipate that this number will continue to grow.
WP 74 makes it clear that DPAs are free to deal with applications for authorisations in the manner which best fits with their national laws and acknowledges that in some countries the DPAs may lack sufficient resource to deal with such applications. Lack of resource within DPAs is one reason for delays in the authorisation process.
An issue which was mentioned in WP 74 and which has proved to be a problem in practice is that in some Member States the national law does not allow for the concept of unilateral declarations. This is the basis on which some applications are structured to address the way in which the BCRs are binding throughout the group. In these cases, the applicant may have to find another solution which is enforceable under the laws of the Member State in question to deal with this requirement. This is the sort of issue which will have been discussed with the lead DPA before an application is circulated under the co-operation procedure.
In time we foresee that more DPAs will become involved in the process but there may be a few which, because of difficulties with their national laws, cannot. Currently, therefore, BCRs are not the pan-European solution it was hoped they would be.
How many applications for authorisation has the ICO received? We receive regular queries from companies interested in using BCRs and the number of applications is likely to increase if companies have confidence that the authorisation process is becoming more streamlined, and that there is a realistic prospect of an application being successful.
How long will it take to process my application?
One issue that makes companies reluctant to initiate an application is the length of time that the authorisation process is likely to take. We and other DPAs are aware of these concerns and we are working on ways in which to streamline the process.
While we may be able to deal with your application relatively quickly within the ICO, there may be delays in the authorisation process within other DPAs once an application is launched under the co-operation procedure. At the moment we are saying that, realistically, from the start of the co-operation procedure, a straightforward application could take 12 months to conclude.
The co-operation procedure (WP 107) does give some timescales within which applications have to be processed there is some slippage. Your ability to react to comments from the DPA and amend documentation will also be a factor.
Using the model application form authorised by the Article 29 Working Party (WP133) and ensuring you have all of the elements specified in WP153 should also help to speed up the process (see 7 below). We strongly recommend using the model application form.
The time involved in circulating an application under WP 107 also has to be weighed against the time (and cost) incurred by companies having to approach DPAs individually and obtaining authorisations for their transfers.
One positive initiative, which some DPAs have welcomed and the ICO supports, is mutual recognition. Under mutual recognition if the lead authority is satisfied that the BCRs put in place adequate safeguards, other participating DPAs should have confidence in their decision and accept their findings without any further scrutiny or comment. From April 2011, the 19 countries taking part in mutual recognition are as follows.
How should I structure my application?
The model checklist (WP 108) sets out the requirements for submitting a set of BCRs. These requirements have now been incorporated into WP 133.
WP133 should help both you and DPAs in the authorisation process. The standardised application form should give you some comfort that the information you are providing is in line with the requirements of WP74 and should in turn facilitate the authorisation procedure for DPAs.
While you are not obliged to use the template application form, as it is intended to help you demonstrate to DPAs how you meet the requirements of WP74 and WP108, we believe that most applicants will wish to use it.
You must have all of the elements specified in table of BCR requirements (WP153) in one or more documents which make up the rules and should also refer to the Article 29 working party FAQs (WP155) which addresses liability and other issues requiring a common interpretation.
The Article 29 working party has produced a BCR framework (WP154) which illustrates what all the requirements of WP 74 and WP 108 might look like in a single document. You are free to base your BCR on this framework but it is not a requirement.
WP153, WP154 and WP155 are available below and from the European Commission’s website.
What about the administrative requirements of many of the Member States? How do these fit in with the authorisation of BCRs?
In the UK an authorisation is given on the basis that the BCRs satisfy the requirements of WP74 in that they provide adequate safeguards within the meaning of Article 26(2) of the Directive. This provides the basis for the authorisation under paragraph 9 of Schedule 4 to the Data Protection Act 1998. Provided that the processing, including the transfer of personal data, is notified to the ICO, there are no other steps that are required before an applicant company may transfer personal data intra-group on the basis of the authorisation.
In many Member States, however, the DPA has to grant a permit allowing the transfer of data from that Member State to a third country or countries in addition to the authorisation of the BCRs.
This may be seen to defeat the object of the co-operation procedure and the underlying principle of WP74, but where the national law provides that such permits are required there is nothing that can be done.
How does the ICO handle requests for information relating to BCRs under the Freedom of Information Act 2000?
As the concept of BCR is relatively new, there has been a great deal of interest in the applications we have already dealt with from other companies and their advisers who are interested in putting together an application. As a result, we have received a number of freedom of information requests for copies of documents.
Organisations seeking authorisation for their BCRs will be treated in the same way as any other data controller seeking compliance advice from the ICO. This means that we cannot disclose the fact that an organisation has approached us with an application without its consent or unless the information has been put into the public domain. Once an authorisation is made, however, this is a matter of public record. Applicants are notified accordingly and authorisations are put on the ICO website.
Article 29 Working Party documents. The most recent documents are as follows.
Table of BCR requirements (pdf) (WP153) which sets out the elements that must be in any set of BCR. This does not create any new requirements and is a summary of WP74 and WP108.
Framework BCR (pdf) (WP154) which is a suggestion of what a BCR might look like containing all of the necessary elements of WP74 and WP108.
Article 29 BCR FAQs (pdf) (WP155) which are based on the experience to date of working with BCR applications.
15 December 2005 - The General Electric Company for employee data. 2 April 2007 – Koninklijke Philips Electronics NV for employee data. 22 April 2009 - The Atmel Corporation for employee data. 30 April 2009 - Accenture Limited 15 September 2009 – The Hyatt Hotel Corporation for employee and guest data 26 February 2010 - JPMorgan Chase & Co. 31 March 2010 - British Petroleum plc 12 May 2010 – IMS Health Incorporated 16 February 2011 – Spencer Stuart Management Consultants N.V. 31 March 2011 – CareFusion Incorporated 14 November 2011 – First Data Corporation 26 March 2012 – eBay Incorporated 21 May 2012 – Novo Nordisk A/S 1 June 2012 – Linklaters LLP 14 June 2012 – Citigroup Incorporated – to take effect on 6 June 2013 5 September 2012 – Intel Corporation 29 October 2012 – American Express Company – to take effect on 28 January 2013 2 May 2013 – Cargill, Incorporate 2 May 2013 – Motorola Solutions Incorporated 7 June 2013 – Ernst & Young 10 June 2013 – GlaxoSmithKline pl 7 August 2013 – Motorola Mobility LLC 24 December 2014 – Astra Zeneca plc 30 June 2015 – Fluor Corporation Incorporated 30 June 2015 – Flextronics International Limited 30 June 2015 – CA Incorporated (trading as CA Technologies) 30 June 2015 – Schlumberger Limited 4 August 2016 – Latham & Watkins LLP 30 August 2016 – Box, Inc 22 February 2017 – International Business Machines Corporation (trading as IBM) 22 February 2017 – BT Group plc