As we have written previously, personal information cannot be exported out of European Union Member States unless the recipient is in another Member State or a country with an “adequate” level of protection. There are many exceptions, including execution of Standard Contractual Clauses (with, if necessary, supplemental protection measures). For multinational organizations that make frequent intracompany cross-border transfers, another appealing option has been Binding Corporate Rules. These are created by the company and then reviewed and approved through the local Data Protection Authority. While each DPA has its own system, there are commonalities, which were based on pre-GDPR “Article 29 Working Party” guidance, last updated in 2018.

The EDPB’s recommendations replace this prior guidance for BCRs used by controllers -for example large multinational corporations engaging in intracompany trans-border transfers- and outlines what should be contained in a BCR application. The recommendation also includes the form itself. Information to be provided includes a description of the data flows, how the BCRs will be binding on the group of companies to which it applies, and similar items. While some of the content is not new, the level of detail being requested in the application has increased. Also, not surprisingly, there are provisions intended to address the law enforcement access concerns raised by Schrems II.

Putting It Into Practice: The EDPB has indicated that all controllers who are seeking to implement -or who have already– implemented Binding Corporate Rules will “have to bring their BCR-C in line with the requirements set out in the recommendations.” Multinationals who are seeing to implement BCRs will want to thus familiarize themselves with the new form, as well as the mechanisms developed to address law enforcement access concerns.