A frequently asked question by many clients considering BCR is "How can we apply BCR on a global basis? What if non-EU laws conflict with our BCR requirements?" Normally, this question is raised
A frequently asked question by many clients considering BCR is "How can we apply BCR on a global basis? What if non-EU laws conflict with our BCR requirements?" Normally, this question is raised during an early-stage stakeholder review - typically, by local in-house counsel or a country manager who points out, quite reasonably, that BCR are designed to meet EU data protection standards, not their own local laws.
It's a very good, and perfectly valid, question to ask - but one that can very quickly be laid to rest. BCR are a voluntary set of self-regulatory standards that can readily be designed to flex to non-EU local law requirements. Global businesses necessarily have to comply with the myriad of different laws applicable to them, and the BCR policy can address this need in the following way:
(*) where local law standards are lower than those in the BCR, then the BCR policy should specify that its standards will apply. In this way, the local controller not only achieves, but exceeds, local law requirements and continues to meet its commitments under its BCR; and
(*) where local law standards are higher than those in the BCR, then the BCR policy should specify that the local law standards will apply. In this way, the local controller achieves local law compliance and exceeds its commitments under the BCR.
In both cases, the controller manages to fulfill its responsibilities under both applicable local law and the BCR, so a head on collision between the two almost never arises. But for those very exceptional circumstances where mandatory local laws do prohibit the controller from complying with the BCR, then the group's EU headquarters or privacy function is simply required to take a "responsible decision" on what action to take and consult with EU data protection authorities if in doubt.
The net result? Carefully designed BCR provide a globally consistent data management framework that set an expected baseline level of compliance throughout the organization - exceeded only if and when required by local law.
It's a very good, and perfectly valid, question to ask - but one that can very quickly be laid to rest. BCR are a voluntary set of self-regulatory standards that can readily be designed to flex to non-EU local law requirements. Global businesses necessarily have to comply with the myriad of different laws applicable to them, and the BCR policy can address this need in the following way:
(*) where local law standards are lower than those in the BCR, then the BCR policy should specify that its standards will apply. In this way, the local controller not only achieves, but exceeds, local law requirements and continues to meet its commitments under its BCR; and
(*) where local law standards are higher than those in the BCR, then the BCR policy should specify that the local law standards will apply. In this way, the local controller achieves local law compliance and exceeds its commitments under the BCR.
In both cases, the controller manages to fulfill its responsibilities under both applicable local law and the BCR, so a head on collision between the two almost never arises. But for those very exceptional circumstances where mandatory local laws do prohibit the controller from complying with the BCR, then the group's EU headquarters or privacy function is simply required to take a "responsible decision" on what action to take and consult with EU data protection authorities if in doubt.
The net result? Carefully designed BCR provide a globally consistent data management framework that set an expected baseline level of compliance throughout the organization - exceeded only if and when required by local law.