Skip to main content

Binding Corporate Rules: boost from European Commission



United Kingdom

Binding Corporate Rules: boost from European Commission

Tech Bytes contents


This article was featured in Tech Bytes, our technology law newsletter.

EU data protection law does not allow the transfer of personal information to countries outside Europe that do not have an adequate level of data protection.  In order to process personal information lawfully on a global basis, organisations must find a way to legitimise transfers of this information from the EU to other countries.  Binding Corporate Rules - a global code of practice based on European data protection standards, which multinational organisations draw up and follow voluntarily - offer a solution.  It is now almost certain that Binding Corporate Rules (BCR) and possibly Binding Safe Processor Rules (BSPR) will feature in the revised EU data protection framework. 

The clearest indication of this was given in Viviane Reding’s keynote speech at the IAPP Data Protection Congress in Paris on 29 November 2011.  The European Commission’s Vice-President dedicated her entire speech to encourage organisations to go down the BCR path and to promise a smoother and faster authorisation process.

In summary, Vice-President Reding made the following points:

  • We need efficient and effective tools to ensure that personal information is properly protected and one way to adequately protect the processing and transferring of personal data is binding corporate rules.
  • We know that one of the strengths of binding corporate rules is that they offer legal certainty and a lot of flexibility as they are compatible with any corporate culture.
  • There are three main aspects of how these rules will be improved in the new framework: simplification, consistent enforcement and innovation.
  • The European Commission intends to propose a consistent and streamlined approval process.  Once the binding corporate rules are approved by one data protection authority, they will be recognised by all European data protection authorities without the need for additional national authorisation in case of further transfers.
  • BCR should be compatible with small innovative companies’ endeavours to operate on a global scale.
  • The reform will make binding corporate rules binding within companies, but also with respect to third parties.
  • Binding corporate rules will apply to all internal and extra-EU transfers of any entity in a group of companies.
  • The Commission will support the development of binding corporate rules that can also be used by processors, including in the context of cloud computing.
  • Vice-President Reding encourages companies of all size to start working on their own binding corporate rules. 

There is no stronger recognition for BCR than the Vice-President of the European Commission giving them her full support.  We can now assume that the Commission will walk the talk, and BCR will get full recognition in the black letter of the law.

Sign up to our email digest

Click to subscribe or manage your email preferences.