The ICO has issued guidance on BCR after the Brexit transition period (here) (the "Guidance"). The Guidance sets out actions that BCR holders must do before 31 December 2020 or, for those who need to apply for UK BCR, later in 2021. In a nutshell:
Transfers out of the EEA
- BCR holders who transferred from the ICO to another lead will have to ensure they have this transfer formally confirmed by 31 Dec 2020 by the new lead, otherwise they EU BCRs will not be valid. Furthermore, their BCR documents have to be updated in light of EDPB guidance issued in August 2020 (Information note on BCRs for Groups of undertakings / enterprises which have ICO as BCR Lead SA).
Transfers out of the UK
- BCR holders who had their BCR approved pre-GDPR by the ICO as lead (or who otherwise received an authorization by the ICO) are automatically eligible for UK BCRs and will have to put together a UK BCR document suite (by 1st January 2021). The UK version of their BCRs will have to be shared with the ICO by the date of their next annual review. The ICO may contact BCR holders any time after 1st January to ensure the necessary amendments have been made.
- BCR holders who had their BCR approved pre-GDPR where the ICO was not the lead (or it did not otherwise issue an authorization) will have to go through a BCR application process by 30 June 2021 (although the ICO requests they contact the ICO about the application as soon as possible). Similarly, holders of post-GDPR BCRs where the ICO was not the lead will have to contact the ICO as soon as possible if they require a UK BCR.
As time progresses, details of the new UK BCR approval process for current EU BCR holders are emerging, including the requirement to submit a separate suite of BCR documents (instead of editing their EU BCRs to cover both EU and UK BCRs) and the need for setting out a new binding mechanism (although existing IGAs might be used under certain circumstances). More details will emerge as the ICO is due to publish the new UK BCR applications and referential documents by the end of the year.
All EU BCR holders will have to take steps in order to put UK BCR in place (with our without going through a formal approval process – depending on whether they have had an ICO authorization in the past or not) if they wish to rely on BCR for transferring data outside of the UK.
In the meantime, EU regulators are debating the impact on Schrems II on BCR and are likely to issue guidance in the months to come (see paragraph 58 onwards in the recent EDPB draft guidance on the impact of Schrems II available here: Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data). As the forthcoming developments unfold, an inevitable question is whether the referential documents that the ICO will issue shortly will incorporate measures to address Schrems or, indeed, whether the ICO will wait until the EDPB guidance is issued (and then amend the referential (possibly) in the spring). One way or another, it is a moving goal post for data transfer compliance so, stay tuned!
Sign up to our email digest