BCR are a big feature of the Commission’s proposed General Data Protection Regulation. Previously a regulatory invention (the Article 29 Working Party first established a structure for BCR back in its 2003 paper WP74), the Commission has sought to put BCR on a solid legal footing by expressly recognising them as a solution for data exports under Articles 39 and 40 of the proposed Regulation. The intent is that, by doing so, all EU Member States will uniformly have to recognise and permit global data transfers using BCR, solving the issue presented today where the national legal or regulatory regimes of one or two Member States inhibit their adoption.
As if further proof were needed of the Commission’s support for BCR, Commissioner Viviane Reding has even gone so far as to say: “Indeed, I encourage companies of all size to start working on their own binding corporate rules! Binding corporate rules are an open instrument: They are open to international interoperability. They are open to your innovations. They are open to improve data protection on a global scale, to foster citizens’ trust in the digital economy and unleash the full potential of our Single Market. And more: they are open to go beyond the geographical borders of Europe.”
High praise indeed, and certainly Ms. Reding’s description of BCR matches our own experience helping clients design and implement them. Clients who implement BCR substantially simplify their global data movements and embed a culture of respect for privacy that enhances compliance and drives down risk.
What the Regulation will really mean for BCR adoption
But here’s the thing: far from supporting BCR adoption, the Regulation as drafted will make authorisation of BCR harder to achieve, which flies in the face of the Commission’s express support for BCR.
Historically, the main barrier to BCR adoption has been the bureaucracy, effort and cost entailed in doing so – early BCR adopters tell war stories about their BCR approval process taking years and having to address the conflicting requirements of multiple data protection authorities all over Europe. This burdensome process arose out of a requirement that the BCR applicant needed to have its BCR individually authorised by every data protection authority from whose territory it exported data.
Thankfully, this is an area where huge strides forward have been achieved in recent years, through the implementation of the so-called “mutual recognition” procedure that allows BCR applicants to submit their BCR to a single lead authority; once the lead authority approves the applicant’s BCR, that approval is accepted across all mutual recognition territories (currently 21 of the 27 EU Member States). No more trekking around Europe visiting data protection authorities individually, then.
Mutual recognition has really lifted BCR out of the dark ages into an age of BCR enlightenment, and has been vital to the upswing in BCR applications all over Europe. Now, though, the proposed Regulation – despite its intended support for BCR – threatens to actually inhibit their adoption, pushing controllers back to using “check box” solutions like model clauses that provide little in the way of real protection.
Why? Because under the draft Regulation, any authority wishing to approve BCR must first refer the matter to the European Data Protection Board under the Regulation’s proposed “consistency mechanism” (designed to ensure consistency of decision making by authorities across Europe). The European Data Protection Board can be thought of as the “Article 29 Working Party Plus”, and comprises the head of each data protection authority across Europe together with the European Data Protection Supervisor. In effect, the consistency mechanism means that an applicant’s BCR must once again be tabled before every data protection authority before authorisation can be granted – a step backwards, not forwards. As the ICO noted in its initial analysis of the Regulation: “It is not entirely clear what would happen if, for example, the UK supervisory authority were to approve a set of binding corporate rules but, once informed of the approval, the EDPB takes issue with it.”
To make things worse, it’s not clear how the consistency mechanism will sit with the mutual recognition procedure we have today. Maybe it will supersede the mutual recognition procedure. Maybe it will apply in addition to it. Or maybe some kind of hybrid process will evolve. We just don’t know, and uncertainty is never a good thing.
The time for BCR is now
What this means is that while BCR will remain the only realistic solution for multinationals exporting data on a global basis, the process for achieving them once the Regulation comes into effect will become much tougher. Add to this the fact that, as a whole, the Regulation will impose stricter data protection standards than exist under the Directive, and BCR applications will attract an even greater level of scrutiny once the Regulation comes into effect than they do today.
So given that there is strong regulatory support for BCR, but that the Regulation will create barriers to adoption, what strategy should multinational controllers adopt?
The answer is simple: do BCR now, not later.
The process for achieving BCR today is more streamlined than it’s ever been, and BCR authorised now will remain in effect once the new Regulation becomes law. When you look at it like that, why not do BCR now?