Everybody who has been paying attention to what is happening to the evolving European data protection framework knows that BCR will become the default mechanism to deal with international data
Everybody who has been paying attention to what is happening to the evolving European data protection framework knows that BCR will become the default mechanism to deal with international data transfers within global corporate groups. However one of the regulatory considerations that BCR applicants may not be aware of is the requirement to complete the various administrative formalities in all relevant EU Member States in order to confirm that data transfers can take place under the BCR. These formalities vary from one member state to another and derive from the fact that in some jurisdictions, the DPAs still have to provide a permit for transfers based on the safeguards provided for in the BCR.
The European Commission has recognised the challenges for applicants that are attempting to comply with these requirements in different member states by publishing a helpful ‘table of national administrative requirements’, however in practice the information provided for each member state can be insufficient for the purposes of making an application, either because it does not provide the full legal, administrative and practical requirements for making an application in a particular jurisdiction (for example does the documentation have to be submitted via postal mail or will electronic copies via email suffice?) or unfortunately does not contain any information at all (at the time of writing the table did not contain any applicable requirements for Cyprus, Finland, Latvia, Lithuania, Romania and Slovenia).
Our work with clients in this area has highlighted the broad range of requirements between member states. For example in Ireland, Norway and the UK, a simple email seeking a request for approval of the BCR and attaching a copy of the BCR authorisation granted by the ‘lead’ DPA in the initial cooperation/mutual recognition procedure as a courtesy will normally suffice. However, in Italy for example, the requirements are more comprehensive. This requires a Letter of Application in Italian and signed by an individual who can legally represent the applicable local Italian applicant entities. In addition, ‘sworn translations’ of all documents comprising the applicant BCR are required (‘sworn translations’ are a requirement under Italian administrative law and refer to translations executed by either an Italian law firm or from a translator approved by an Italian tribunal) to be sent via postal mail to the Italian Data Protection Authority, together with a fee of €1,000 for each applicant Italian entity (for an equivalent application in Poland the fees tend to be much lower; covering the small cost of stamp duty and submitting an applicable Power of Attorney).
The mutual recognition procedure, created in 2009 and to which 21 of the 27 EU Member States have signed up (to date), is designed to facilitate a speedier approval process of an applicant’s BCR. To recap, once the ‘lead’ DPA has approved the BCR, it then appoints two additional DPAs to further review and comment on the application to verify that it meets the requisite standard. It is then circulated to the remaining signatory DPAs in order to automatically approve the BCR, without further comment.
Although the mutual recognition procedure is designed to further streamline the overall BCR approval process, our recent experience with clients indicates that it can present challenges when dealing with DPAs - as the latter have to ensure that a BCR is in compliance with their own national interpretation of the EU Data Protection Directive before providing their approval – something which DPAs feel they may not have been able to achieve during the initial mutual-recognition process. As a result, DPAs may seek further information from applicants at the ‘post administrative’ permit stage – in spite of the mutual recognition procedure already having been brought to a close.
In spite of such challenges for both DPAs and applicants alike, we have found that any such issues can be overcome. Having a valid set of BCR approved by a lead DPA is a strong factor in being able to answer applicable questions from other DPAs; and because they will already be familiar with the BCR during the initial approval process, issues can be quickly settled.
Despite BCR being a big feature of the proposed General Data Protection Regulation, the approval process is set to become tougher under the proposed ‘consistency mechanism’ (see our earlier blog for an explanation why) therefore data controllers thinking of implementing BCR should do so now, and not later. Despite current post-approval challenges, the process for achieving BCR today is more streamlined than it’s ever been and BCR authorised now will remain in effect once the new Regulation becomes law.
The European Commission has recognised the challenges for applicants that are attempting to comply with these requirements in different member states by publishing a helpful ‘table of national administrative requirements’, however in practice the information provided for each member state can be insufficient for the purposes of making an application, either because it does not provide the full legal, administrative and practical requirements for making an application in a particular jurisdiction (for example does the documentation have to be submitted via postal mail or will electronic copies via email suffice?) or unfortunately does not contain any information at all (at the time of writing the table did not contain any applicable requirements for Cyprus, Finland, Latvia, Lithuania, Romania and Slovenia).
Our work with clients in this area has highlighted the broad range of requirements between member states. For example in Ireland, Norway and the UK, a simple email seeking a request for approval of the BCR and attaching a copy of the BCR authorisation granted by the ‘lead’ DPA in the initial cooperation/mutual recognition procedure as a courtesy will normally suffice. However, in Italy for example, the requirements are more comprehensive. This requires a Letter of Application in Italian and signed by an individual who can legally represent the applicable local Italian applicant entities. In addition, ‘sworn translations’ of all documents comprising the applicant BCR are required (‘sworn translations’ are a requirement under Italian administrative law and refer to translations executed by either an Italian law firm or from a translator approved by an Italian tribunal) to be sent via postal mail to the Italian Data Protection Authority, together with a fee of €1,000 for each applicant Italian entity (for an equivalent application in Poland the fees tend to be much lower; covering the small cost of stamp duty and submitting an applicable Power of Attorney).
The mutual recognition procedure, created in 2009 and to which 21 of the 27 EU Member States have signed up (to date), is designed to facilitate a speedier approval process of an applicant’s BCR. To recap, once the ‘lead’ DPA has approved the BCR, it then appoints two additional DPAs to further review and comment on the application to verify that it meets the requisite standard. It is then circulated to the remaining signatory DPAs in order to automatically approve the BCR, without further comment.
Although the mutual recognition procedure is designed to further streamline the overall BCR approval process, our recent experience with clients indicates that it can present challenges when dealing with DPAs - as the latter have to ensure that a BCR is in compliance with their own national interpretation of the EU Data Protection Directive before providing their approval – something which DPAs feel they may not have been able to achieve during the initial mutual-recognition process. As a result, DPAs may seek further information from applicants at the ‘post administrative’ permit stage – in spite of the mutual recognition procedure already having been brought to a close.
In spite of such challenges for both DPAs and applicants alike, we have found that any such issues can be overcome. Having a valid set of BCR approved by a lead DPA is a strong factor in being able to answer applicable questions from other DPAs; and because they will already be familiar with the BCR during the initial approval process, issues can be quickly settled.
Despite BCR being a big feature of the proposed General Data Protection Regulation, the approval process is set to become tougher under the proposed ‘consistency mechanism’ (see our earlier blog for an explanation why) therefore data controllers thinking of implementing BCR should do so now, and not later. Despite current post-approval challenges, the process for achieving BCR today is more streamlined than it’s ever been and BCR authorised now will remain in effect once the new Regulation becomes law.