Why BCR are the future of global data flows
On October 3rd, 2017, the Irish High Court issued a decision to refer questions on the adequacy of standard contractual clauses (SCC) to the Court of Justice of the European Union (CJEU). This decision (which is already being referred to as the "Schrems 2.0 case" named after its plaintiff, Maximilian Schrems) follows a similar case that was brought before the Irish High Court in 2014 which ultimately resulted in a decision of the CJEU invalidating the Safe Harbour agreement between the United States and Europe.
Without pre-empting the CJUE's ruling in this case, a decision to invalidate the SCC would certainly have serious implications for business, even more so than the decision invaliding Safe Harbour. It is worth highlighting that the SCC are not limited to transfers to the US (as was the case for Safe Harbour) and on the contrary are used massively by companies to transfer their data to group entities and to third parties worldwide. The fundamental issue for businesses is therefore on what legal basis will they continue to lawfully transfer their data outside Europe if the SCC are invalidated by the CJEU?
Here are five reasons why businesses should consider implementing Binding Corporate Rules (BCR).
1. High degree of future-proofing
Both Privacy Shield and SCC are slowly but surely falling out of favour. With that in mind, businesses are left with few options: they can either stop transferring data and store it all in Europe (this solution is very costly and quite unrealistic in a globally connected world) or they can implement an alternative legal mechanism for transferring their data. While BCR are not free from criticism, they have proven their efficiency over the years and they do provide companies with more legal certainty. Given the way BCR were conceptually designed (as a global policy developed and updated by the company itself), it seems unlikely they will suffer the same fate as Privacy Shield or SCC.
2) A global "GDPR-proof" compliance framework
While companies work their way through the realms of GDPR compliance, it is often forgotten that BCR is not just a data transfer mechanism. The accountability principle is very much at the very heart of the BCR concept in line with article 24 of the GDPR ("the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation"). Companies who choose to implement BCR are required to adhere to and comply with the EU data protection principles (lawfulness, transparency, security, legitimate purpose, etc.) and to demonstrate that they have implemented appropriate measures to guarantee such compliance (data subjects rights procedure, privacy training to employees, privacy audit mechanism, complaints handling procedure, etc.).
Furthermore, the Article 29 Working Party is in the process of reviewing and updating the BCR working documents it adopted a few years ago in line with the GDPR requirements, meaning that very soon GDPR and BCR will impose identical obligations and it will make it easier for companies with BCR in place to demonstrate compliance with the GDPR.
3) Greater trust by EU regulators
The concept, the working documents and the procedure on which BCR are based were all developed by the EU DPAs. The fact that BCR must be approved by the regulators means that from the start a company's privacy compliance program has been reviewed and is approved by the regulators. While this does not shield a company against DPA investigations and possible sanctions for failing to comply with the GDPR, so far no company with BCR approved has been publicly named and shamed in this respect. Given the fact that BCR are deeply rooted into the company's global privacy governance and compliance program, the risks of violating the privacy rights of individuals is much lower.
4) BCR apply both to controllers and processors
One of the biggest advantages of BCR is that they can be used by companies to frame all their data transfers both as controllers and processors in a single document. Forget all the hassle and burden of having to enter into separate data transfer agreements with different parties who receive the data. Once a company gets its BCR approved, all it needs to do is to post them on its website and attach them as an addendum in its service agreements with customers. The fact that a company can rely on a single global policy to frame all its global data transfers provides more clarity, consistency and ultimately more legal certainty too.
5) BCR deal with law enforcement data access requests
The crux of the concern with the Privacy Shield and the SCC is that they do not deal specifically with disclosures of EU data to law enforcement authorities abroad. To a certain extent, BCR do. Indeed, companies applying for BCR as processors are required to liaise with the competent EU DPAs in connection with a request for disclosure of personal data they receive from a law enforcement authority (where legally permitted), which provides some degree of oversight by ensuring that a competent DPA is notified whenever a foreign government requests access to EU data.
In conclusion, EU DPAs are generally more favourable to companies who make the effort of implementing BCR because it shows a stronger willingness to comply with EU data protection law. The future of international data transfers remains uncertain and the journey ahead for companies is fraught with pitfalls. Nonetheless, companies who anticipate the CJEU's ruling on the SCC and start putting in place BCR now will be in a better place in about two years' time.