What you need to know on Binding Corporate Rules (BCRs)

13 February 2025

Binding Corporate Rules (BCRs) are an intra-group data protection policy for transfers of personal data outside of the European Union. They may cover all processing carried out by the organization or more specifically data transferred outside the European Union. They mainly concern multinational private companies, established in several European countries and outside the European Union.

Binding Corporate Rules (commonly referred to as BCRs) allow groups of undertakings to provide a legal framework for their data transfers out of the European Union (EU) while offering them the possibility to engage in a group-wide compliance process.

BCRs are a tool for providing a global framework for transfers outside the EU. They are an alternative to other tools that allow transfers to be regulated, such as Standard Contractual Clauses.

 

A group of undertakings may submit draft BCRs to a competent supervisory authority for approval, provided that these rules:

  • are legally binding;
  • are implemented by all relevant entities of the group of undertakings;
  • expressly grant data subjects rights over the processing of their personal data;
  • meet the requirements set out in the GDPR (Article 47).

What is the purpose of the BCRs?

Framework of the transfers

Since 2003, Binding Corporate Rules (BCRs) have enabled many groups of undertakings to deploy internal procedures aimed at ensuring continuity in the sphere of data protection when they carry out transfers outside the European Union.

BCRs take the form of an intra-group agreement drawn up by the company in question on the basis of working documents initially designed and adopted by the G29. These working documents were further developed and updated in light of the GDPR before being taken up by the European Data Protection Board (EDPB) on 25 May 2018.

The data protection authorities are in charge of assessing and validating these agreements against these working documents.

The implementation of a global governance policy

BCRs are above all a tool for large groups whose size has significant consequences for the international transfers they carry out. BCRs constitute "appropriate safeguards" within the meaning of the GDPR to ensure the legal basis of transfers (Article 46.2(b)) and are now also conceived by groups as a data management tool, i.e. as proof of compliance with a view to formalizing their data protection policies.

The implementation of such a policy requires the establishment of a single, comprehensive and harmonized governance structure within the same group. This approach has led to BCRs gradually becoming the norm for many groups as the translation of their global policy on the protection of personal data.

Which companies are concerned by BCRs?

The companies concerned are mainly multinationals that transfer a lot of data between their entities and that use BCRs as an accountability tool to unify the safeguards concerning the processing of personal data offered by their subsidiaries throughout the world. Each BCRs file plays an extremely important role in ensuring data processing compliance for a very large number of data subjects.

BCRs are now internationally recognized and reflect the exemplary nature of the groups that have decided to implement them. These groups are also taking advantage of them to join other equivalent systems abroad, such as the Cross-Border Privacy Rules (CBPR) transfer tool set up by the Asia-Pacific Economic Cooperation forum (APEC) or the binding rules of French-speaking companies (a tool developed by the AFAPDP to govern transfers outside French-speaking countries).

Between 2007 and 25 May 2018, 151 BCRs were approved by all European protection authorities. Since the adoption of the GDPR, the demand for approval of BCRs has been growing steadily, both in France and abroad.


Adequacy of the United States: what impact on Binding Corporate Rules?

On July 10th 2023, the European Commission adopted a new adequacy decision recognising that the United States (U.S.) ensures a level of protection substantially equivalent to that of the European Union (EU).

This decision, which entered into force on the same day, establishes a framework similar to the previous EU-U.S. data protection system (Privacy Shield), based on a self-certification mechanism for US entities.

This mechanism concerns all newly certified organisations, but also those which were subject to a Privacy Shield certification and which had maintained it after the invalidation of the adequacy decision. Indeed, these organisations were automatically included on the new list of the U.S. Department of Commerce. They had three months to update their privacy policy (until October 17, 2023).

It is the presence or absence of the importing entity on that list that will determine whether or not the exporter is required to put in place one of the tools provided for in Article 46 of the GDPR, including the BCRs.

There are two possible scenarios:

  • the importing entity is listed by the US Department of Commerce: the exporter does not have to use a tool to carry out the transfer;
  • the importing entity is not included in that list: the exporter must set up a transfer tool (BCRs or Standard Contractual Clauses) and comply with the obligations stemming from the CJEU’s Schrems II decision.

As a reminder, this decision requires the exporter to assess, with the help of the importer, whether the legislation of the third country makes it possible in practice to comply with the level of protection required by EU law and the guarantees provided by the transfer tool.