The belt-and-braces approach to EU data-transfer approval is gaining momentum

10 November 2017. By Vesela Gladicheva and Magnus Franklin.

They may be seen as cumbersome, slow and often costly, but binding corporate rules are beginning to look very attractive to multinationals with big data-crunching operations looking to secure EU regulatory approval for data transfers abroad.

The increasing appeal of BCRs lies primarily in uncertainty surrounding the legality of other, simpler transfer methods: specifically, fears that the EU-US Privacy Shield and so-called standard contractual clauses could be declared void by the EU courts.

Standard contractual clauses are templates pre-approved by watchdogs for use in contracts, while "adequacy" agreements such as Privacy Shield let companies self-certify compliance.

By contrast, BCRs have been seen as overly complicated and drawn out. They are internal procedures governing how multinationals make intra-company transfers from country to country. They must be approved by the data-protection authority in each EU country the data will touch, and getting approval typically takes between one and two years.

But BCRs are gaining a new lease of life as companies worry about the future of overarching agreements such as Privacy Shield — and realize that complying with EU data-privacy rules entails much of the same work as getting certified for international data transfers, so it is efficient to do both at the same time.

"I would encourage companies to look at binding corporate rules, where they can be applicable," said Helen Dixon, the Irish Data Protection Commissioner, recently.

"A lot of the bigger companies we talk to that implement binding corporate tools have said to us that they have proved to be hugely useful accountability tools within [their] organizations," she said, adding that each company should look at the various mechanisms available and see which is most appropriate for it.

Negotiations on BCRs happen on two levels. First, the company needs to justify its legitimate interest for transferring data; that is normally easy. Second, the extent of the company's adequacy will be scrutinized; that means a lot of preparatory work.

But many of the things that companies will need to demonstrate for BCR compliance are the same as the ones they need to show if the data protection authority comes knocking after EU data-protection rules enter into force on May 25, 2018.

Precautions

Privacy experts at a conference* this week said that companies with BCRs will be in an enviable position if the EU courts invalidate the use of standard contractual clauses or knock down the fledgling EU-US Privacy Shield, both of which are being contested before the EU's Court of Justice.

While EU officials say this is unlikely to happen, the court over past years has had a track record of ruling in favor of strong privacy protections — including the EU Court of Justice declaring Safe Harbor, the predecessor EU-US agreement to Privacy Shield, invalid in October 2015.

MLex has learned that a key trigger for a wider use of BCRs will be an upcoming set of guidelines from European data-privacy regulators to clarify when companies that team up are considered to be "joint controllers" of the use of a person's data, and what measures should apply in such cases.

If the implementation of rules around joint controllers is done strictly, BCRs may be a tool to divide liability in case of a violation, which under current rules could amount to 4 percent of global turnover for each of the companies involved.

And it is the compliance risk that is the principal reason for companies to opt for the resource-intensive route of getting BCRs approved. "I'm sure at some point in time, when the regulators will look at potentially fining your organization, I'm sure that this will probably be a mitigating factor. At least, we are hoping," BMC Software's Elodie Dowling told the conference.

* "IAPP Europe Data Protection Congress 2017," Brussels, Nov. 8-9, 2017
