
Binding Corporate Rules - Allen & Overy

Binding Corporate Rules | March 2016
Allen & Overy LLP 2016

Contents

What are BCRs? A quick reminder
The current process for obtaining BCRs for controllers
BCRs for processors
How do BCRs compare with using Model Clauses?
What are the advantages of BCRs?
What are the disadvantages?
Top tips for those deciding whether to go through the process
How will the GDPR and recent CJEU decision on Safe Harbor change things?
Should we wait and see?

Binding Corporate Rules (BCRs) are one of the key elements of the new EU General Data Protection Regulation (GDPR). The emphasis on BCRs highlights their growing importance. The GDPR aims to streamline what many have found to be a fairly cumbersome process. There is a desire to make BCRs a more attractive option, certainly for larger companies. The key question is: are BCRs finally set to become widely adopted and recognised as the gold standard?



What are BCRs? A quick reminder

Principle 8 of the UK Data Protection Act 1998, which implements Article 25 of the EU Data Protection Directive (95/46/EC), prohibits the transfer of personal data to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. There are a number of derogations; for example, if the data controller concludes that there is not an adequate level of protection, he must put in place adequate safeguards to guarantee the protection of the personal data.

While BCRs are not formally recognised as a means of satisfying Principle 8 of the UK Data Protection Act 1998 (or the equivalent restriction under the EU Directive) in the legislation itself, the concept was developed by the Article 29 Working Party (Working Party) as an application of Article 26(2) of the EU Directive.

The Working Party is an independent data protection advisory body composed of representatives from the data protection authorities of the member states (DPAs), the European Data Protection Supervisor and the European Commission.

BCRs are a set of binding rules that can be put in place to allow multinational groups to transfer personal data from the EEA to their affiliates outside the EEA in compliance with national laws implementing the EU Directive. A company can put in place BCRs for controllers (covering data it controls) and/or BCRs for processors (for data it processes on behalf of others). BCRs for processors are a more recent development, introduced by the Working Party in December 2012.

To be successful, an applicant must demonstrate that it has in place adequate safeguards for protecting the data throughout the organisation. BCRs do not cover transfers of personal data outside a corporate group.

The EU General Data Protection Regulation (GDPR), agreed on 17 December 2015, formally recognises BCRs as a means of legitimising cross-border transfers for both controllers and processors. It also seeks to streamline the existing approval process, although it remains to be seen how far this will make a difference in practice.

The GDPR is expected to come into force in mid-2018. Existing BCRs that were approved under the EU Data Protection Directive will remain valid until the authorisations of the relevant data protection authorities are amended, repealed or replaced. However, repealing authorisations is unlikely to be a high priority for the data protection authorities once the GDPR comes into force, particularly if a company is actively taking steps to bring its BCRs in line with the requirements of the GDPR.

The current process for obtaining BCRs for controllers

The process for obtaining BCRs for controllers looks, at first glance, fairly simple. The Working Party has published a number of documents to assist, including checklists, FAQs and a framework BCR as guidance. The UK Information Commissioner (ICO), the data protection regulator in the UK, recommends that the Working Party's suggested form is followed. The process involves the applicant company choosing a lead DPA based on the criteria laid down by the Working Party. Once this lead authority is satisfied that the applicant's draft BCRs are acceptable, that authority will facilitate the authorisation process by the other relevant DPAs. Some member states have joined a mutual recognition system which streamlines this process (see below).

While the process has improved over time (such as through further countries signing up to mutual recognition), companies who have implemented BCRs have not generally found it to be a smooth experience. As set out below (see "What are the disadvantages?"), it is often found to be an expensive, time-consuming and, at times, frustrating exercise, which is harder the more countries are involved. The GDPR aims to simplify the process for obtaining approval of BCRs as they will only need to be validated by the competent data protection authority, under the one-stop-shop concept established by the Regulation. It is hoped that involvement of other interested authorities through the consistency mechanism will work better than the current approach.

Which countries are part of the mutual recognition procedure?

Iceland, Norway, Estonia, Latvia, Luxembourg, The Netherlands, Belgium, Ireland, United Kingdom, Germany, Czech Republic, Slovakia, Austria, France, Slovenia, Italy, Bulgaria, Spain, Liechtenstein, Cyprus and Malta.
Source: European Commission website (March 2016)

BCRs for processors

The GDPR also formally recognises BCRs for processors as a means of legitimising intra-group international data transfers. BCRs for processors cover a group handling client data as a processor (such as outsourced services and cloud computing services). As with BCRs for controllers, the Working Party has produced guidance on what these need to contain. These are, in many respects, very similar to BCRs for controllers. For example, they must also be binding on the members of the group and employees, and create third party beneficiary rights for data subjects. However, the emphasis is naturally on security, and the data processor and data controller must refer in the services agreement to the fact that the data processor must only act on the instructions of the data controller, which might be a third party customer. The BCRs must be attached to the services agreement and must be made binding towards the data controller.

The biggest concern which, if not addressed, could be a barrier to uptake, relates to the liability the processor needs to assume. This is going to be particularly hard if the processor is an SME. The Working Party makes it clear that the EU headquarters of the data processor (or EU entity delegated this responsibility) must accept responsibility for all breaches/damages by its sub-processors (including potentially those caused by external sub-processors). The GDPR requires processors to accept liability for breaches by sub-processors established outside the EU, and they will only be exempted from this liability if they can prove that the sub-processor is not responsible for the event giving rise to the damage.

How do BCRs compare with using Model Clauses?

Executing standard EU Model Contractual Clauses (Model Clauses) is a common method used to transfer personal data to controllers and processors located in non-adequate countries outside the EEA in compliance with national laws implementing the EU Directive. While Model Clauses generally work well for smaller companies and bilateral data sharing, experience has shown that the use of these standard contracts in a large multinational company can be very cumbersome and impractical. This is for several reasons:

- Many companies have found that the Model Clauses are simply not fit for purpose where there is a complex web of processing. For example, if an organisation is one legal entity, perhaps operating through a branch structure, then Model Clauses are not available. In addition there is a concern that once they are signed they often remain in a drawer never to be considered again, which rather defeats their purpose.
- Larger companies with many affiliates abroad can need to put in place hundreds of Model Clauses. These are costly to administer and become out-of-date quickly.
- On top of this, some EU member states require additional formalities, such as filing and approval of Model Clauses by the DPA, making the process lengthy and costly.

The GDPR should improve the process of making international transfers in some jurisdictions as it removes the need for prior authorisation of transfers that are based on approved safeguards, such as the Model Clauses. However, many feel that, in light of the other points mentioned above, it is hard to achieve genuine compliance using the Model Clauses. In contrast, many consider that BCRs force companies to adopt compliant and transparent data processing practices.

What are the advantages of BCRs?

Increased flexibility
Carefully drafted BCRs can be flexible to allow for changes to a company's flow of data transfers, and their company structure. Under the GDPR they will need to cover every member concerned of the corporate group that is engaged in a joint economic activity, including their employees.

Increased accountability
Accountability is also a key part of the GDPR and as a result more onerous obligations will be imposed on companies, including requiring them to maintain records of all processing activities under their responsibility and conduct a data protection impact assessment for risky processing.

Better global understanding of EU data protection requirements
The requirements imposed by having BCRs mean that data protection compliance generally receives much greater attention within a company. Training programmes, audits etc. are a great excuse to raise awareness about data protection compliance, particularly coupled with the increase in potential fines under the GDPR of up to 4% of worldwide turnover in some circumstances. Companies who have implemented BCRs have seen a tangible uplift in compliance which is hard to value. This has come, for example, through the internal training and auditing required, and the way in
