At the end of June, the European Data Protection Board (EDPB) published its Recommendations (Recs) on Binding Corporate Rules (BCRs). Among other things, the Recs require existing and in process BCRs to:

• Incorporate the requirements stemming from the Schrems II Judgement of the Court of Justice of the EU (including to carry out a documented assessment of the company’s ability to comply with its BCR commitments in the face of government requests for data).
• Include much more granular information on the BCR audit program.
• Expand third-party beneficiary rights.
• Provide an exhaustive list of all legal bases for processing, which companies intend to rely on.
• Incorporate wording that more closely and explicitly tracks the language of the GDPR.
• Incorporate (even more) accountability obligations and new/improved commitments as outlined more fully below.

In 2024 all current BCR holders must bring their Controller BCRs in line with the Recs as part of their annual update. All new and ongoing BCR applications will have to be brought in line with the Recs before progressing in the approval process, subject to the limited exceptions we outline below.

Given the breadth of the changes, BCR holders should ensure that they have enough time to make the relevant changes in their documentation, as well as implement the necessary internal processes to meet this deadline.

Below, we explain what BCRs are, how they work, and which companies generally implement them, along with a list of key changes ushered in by the new Recs.

IN DEPTH

WHAT ARE BCRs?

Under the GDPR, companies must implement one of the approved mechanisms for transferring personal data subject to the GDPR to a country outside of the EEA that is not recognized by the European Commission as providing an adequate level of protection to that of the GDPR (adequate countries include Canada, Japan, South Korea, the United Kingdom, and others) 1.

BCRs are one of the approved data transfer safeguard mechanisms (along with others, such as EU Standard Contractual Clauses). BCRs are a set of binding policies and other commitments, adopted and implemented by businesses of the same group that afford protections to personal data transferred under the BCRs, which are essentially equivalent to the protections to personal data provided under the GDPR.

HOW DO THEY WORK?

BCRs can be used to by companies to safeguard and therefore, transfer personal data subject to the GDPR between entities of the same group bound by the BCRs (so-called ‘Controller BCRs’), or to its processor’s group of companies, which adopted their own BCRs (so-called ‘Processor BCRs’). Large service providers acting as vendors typically have Processor BCRs in place to facilitate transfers of personal data from their customers to their group of companies.

One of the groups’ companies within the EEA serves as a ‘guarantor’ for the compliance of the group (including in terms of liability for other group members) and generally administers the BCRs overall (acting as an ‘EU entity with delegated data protection responsibilities’).

BCRs are subject to the approval of all competent EU regulators working under the umbrella of the European Data Protection Board – the EDPB – , led by the lead supervisory authority for BCRs (the ‘BCR Lead’)

The BCR Lead is generally determined internally by the group based on (i) where the group’s EEA headquarters are; (ii) the location of the EU entity with delegated data protection responsibilities (or another entity within the company best suited to administer the BCRs); (iii) the place where most decisions are taken in terms of why and how personal data are processed; or (iv) the entity, where most data transfers originate. However, the BCR Lead may not accept the company’s internal determination if it does not reflect reality.

WHO SHOULD (NOT) USE BCRs?

Controller BCRs

BCRs are best suited for multinational companies (corporate groups) with entities both inside and outside of the territory of the EEA that regularly transfer personal data outside the EEA. BCRs allow multinationals to cover a wide variety of intra-group data transfers without drafting and maintaining separate contracts between individual members of the corporate group.

Processor BCRs

BCRs are a useful tool for multinationals, which in addition to internal transfers, need to cover data transfers from their EEA B2B customers to themselves in their role as vendor (i.e., processor under the GDPR). BCRs are often used by large service providers, allowing them to receive personal data from their B2B customers without concluding rather lengthy Standard Contractual Clauses (completing the required detailed annexes), cutting down the time needed to conclude data protection agreements.

The Good, the Bad, and…the Ugly?

BCRs also mean regular, and at least at the time of the initial approval process, very close contact with EU regulators. Moreover, the approval process can be lengthy, depending on the BCR Lead’s country of establishment. Companies seeking BCRs therefore need to have a certain level of privacy compliance maturity, given that at least initially, they will be under quite intense regulatory scrutiny. The big advantage is that once the approval process is over, BCR companies are generally more trusted by the regulators and transfers subject to BCRs tend to be scrutinized less.

WHAT’S NEW?

The Recs have i) updated and streamlined the standard application form companies for Controller BCRs; and ii) introduced a slew of changes to BCR content to match regulator expectations. Some of the changes are limited to smaller clarifications of commitments already contained in the previous regulatory guidelines from 2018 (e.g., updates to the complaint handling process – such as the requirement that the data subject be informed not only of delays for the reply to the complaint, but also of the consequences of delays and of actions taken).

We have focused on a few key changes that companies with existing Controller BCRs will need to reflect in their documentation and internal practices.

Schrems II Comes to BCRs

The Court of Justice of the European Union’s Schrems II judgment is reflected in BCR requirements in a number of ways, in particular, in relation to potential BCR non-compliance caused by the requirements of law in a third country (such as undue access to personal data by law enforcement authorities), and relevant prior assessment of the same.

a) Laws and Practices in Third Countries Affecting compliance with the BCRs

What do Companies Need to Commit to?

• Documented assessment of whether third country laws (including disclosure requirements, government access or access in transit) could prevent fulfilment of the BCR obligations (this assessment has to be made available to authorities upon request).
• If group members have reason to believe third country laws/practices would prevent them from complying with BCRs, they need to notify each other and identify supplementary measures they could adopt to mitigate the inherent risk in the situation.
• When group members cannot find sufficient supplementary measures, or upon instruction by the competent regulator they must suspend the transfer until they find a suitable solution. These measures may include technical (such as encryption), organizational (such as access restrictions), or contractual (such as additional contractual commitments) actions adopted by the members.
• If suitable supplementary measures cannot be found, data transferred prior to suspension, and any copies, would need to be returned to the data exporter (in the EEA) or wholly destroyed.
• Companies must also continuously monitor developments in third countries that could affect their initial assessment.

b) Data Importer’s Obligations Regarding Government Access Requests

What do Companies Need to Commit to?

• When data importers receive a legally binding disclosure request or become aware that they are subject to direct access by a third country public authority, they must notify the data exporter and, where possible, the data subject (Recs specify the data to be disclosed).
• If such notification is prohibited, the data importer must make and document their best efforts to waive the prohibition.
• The data importer must also review the legality of the request for disclosure and challenge the request if, based on assessment, the request might be unlawful under the laws of the country of destination, applicable obligations under international law, and/or principles of international comity. If necessary, a possibility of an appeal must be pursued. Both cases should be documented and, if possible, under relevant third country law, be made available to the data exporter’s competent EU regulators.
• If a request is challenged, the data importer should seek interim measures with suspensive effects until the final decision is made, and avoid disclosing the personal data requested until required to do so under applicable procedural rules.

Third-Party Beneficiary Rights

What do Companies Need to Commit to?

Prior to the Recs, Controller BCRs were required to confer the right to data subjects to enforce certain elements of the Controller BCRs as third-party beneficiaries. The Recs extend the list to include: i) an obligation to provide exhaustive list of all legal basis BCR members intend to rely on, ii) extended personal data breach notification requirements (see below), iii) obligations in case of government access requests, iv) extended list of information about BCRs, including v) right to information on any update of the BCRs and vi) list of BCR members, as well as vii) the third-party beneficiary clause itself.

Access to the BCRs for Data Subjects and Public Version of the BCRs

What do Companies Need to Commit to?

In relation to Controller BCRs, data subjects must be provided with an extended list of up-to-date, clear, intelligible and transparent information, at minimum including: i) information on their third-party beneficiary rights, ii) a description of the scope of the Controller BCRs, iii) a list of the clauses relating to the Group’s liability and data protection principles, including lawfulness, security, data breach notifications, restrictions on onward transfers and clauses relating to data subject rights (which includes the right to lodge a complaint with EU regulators/ competent EU Member State courts). This information must be provided in full.

As before, companies must decide how this information is made available to data subjects (e.g., published on its websites/ intranet, similarly to how EU privacy notices are presented to data subjects).

If companies choose to publish only the required information for data subjects, rather than the entire BCRs, the BCRs need to specify this (i.e., BCR Lead needs to be made aware of this).

Audits – Regular but not by the Data Protection Officer (‘DPO’)

What do Companies Need to Commit to?

Companies must specify the frequency of audits in advance and include action plans ensuring that corrective actions identified in the audits have been implemented. Audits cannot be carried out by the DPO if there is a risk of a conflict of interest.

Legal Bases – Identifying Which Bases your Company Relies On

What do Companies Need to Commit to?

Companies must include an exhaustive list of all legal bases they intend to rely on for the data transfer, akin to what companies are required to do in their EU privacy notices.

Personal Data Breach Notifications

What do Companies Need to Commit to?

Recs now fully replicate the relevant personal data breach provisions of the GDPR, additionally requiring i) notification to the competent EU regulators of any personal data breach (suffered by companies participating in the BCR) without undue delay but no later than 72 hours, unless the breach is unlikely to result in a risk to data subjects’ rights and freedoms, and ii) notification without undue delay to the controller under the BCRs, when an entity acting as a processor under the BCRs becomes aware of a breach.

The previous guidance only required internal and data subject notification of personal data breaches, including notification to i) the EU headquarters or the EU entity with delegated data protection responsibilities, ii) other relevant Privacy Officer/Function, and iii) data subjects when the personal data breach is likely to result in a high risk to their rights and freedoms.

Effects of Non-Compliance

What do Companies Need to Commit to?

The data importer is obliged to immediately return or delete (at the data exporter’s choice) the transferred personal data (and its copies) in its entirety if it is in substantial or persistent breach of the BCRs or fails to comply with a binding decision of a competent court or regulator, regarding its obligations. It also must certify deletion to the data exporter (which goes beyond what is strictly required under the GDPR).

Until the data is deleted or returned, compliance with the BCRs must be ensured. If return/deletion is prohibited by applicable laws, compliance must continue, and processing can only be carried out as long as required by applicable law.

BCR Updates – Data Subjects, Timing of Significant Changes and Other Notifications to BCR Lead

What do Companies Need to Commit to?

Previously, information to data subjects on changes to the BCRs or the of group entities bound by the BCRs were both necessary only upon data subjects’ request. Under the new Recs, companies must proactively provide this information regardless of whether it is requested. In this respect, companies may consider applying the same approach as they do to updates to their privacy notices (subject to Arts. 13 and 14 of the GDPR).

Additionally, any changes that could hinder the level of the protection or significantly affect BCRs’ enforceability must no longer be communicated ‘promptly’ but must be provided to the BCR Lead in advance of such change.

Companies were previously required to file an annual update with the BCR Lead, in case of any changes to the BCRs or to the list of BCR members, with a brief explanation of the reasons for the changes. Under the updated Recs, the BCR Lead (and by extension the other competent EU regulators), must be notified once a year even where no changes to the BCRs have been made.

Assets – EU Entity with Delegated Data Protection Responsibilities

What do Companies Need to Commit to?

Confirmation that the EU entity responsible for BCRs has sufficient assets to enable itself to pay compensation for damages resulting from a breach of the BCRs on behalf of any group companies bound by the BCRs will now need to be filed with every annual BCR update or notification (see the point above re newly required notifications, even in cases where there are no changes to the BCRs).

Cooperation Duty to Competent EU regulators

What do Companies Need to Commit to?

Previously, companies had an obligation to accept audits by competent EU regulators, with the new Recs, this now explicitly includes on-site inspections. In the case of dispute resolution with competent EU regulators, the courts of the EU Member State of that regulator will handle the dispute, in accordance with that EU Member State’s procedural law, giving an advantage to the regulators, especially over companies which may be offering services in such countries, but do not have active establishments there.

WHAT ELSE TO LOOK OUT FOR?

When are Companies Expected to Implement the Recs?

All current holders must bring their Controller BCRs in line with the Recs as part of their 2024 annual update.

All new and ongoing applications must be brought in line with the Recs before proceeding in the approval process – unless they are already in the ‘consolidated draft’ stage and the EDPB issues its opinion on their draft by the end of 2023. In such case, they will need to bring their Controller BCRs in line with Recs at the time of their 2024 annual update.

Do Updates Mean Re-Approval of Existing BCRs by EU Regulators?

The EDPB expects all BCRs, including those approved before the publication of the Recs, to be updated in line with the new Recs (as noted above). BCR holders will not need to seek a re-approval of their BCRs, after implementing the new Recs (subject to any other changes companies introduce outside of Recs, which may affect data subject protections and BCR enforceability).

We expect a higher scrutiny will be applied to 2024 annual updates compared to current yearly updates companies typically file. Not all BCR Leads will, however, be able to pay close attention immediately, and companies should expect potential follow-up queries from regulators even several months after they have filed their update. The timing and quality of the regulatory review will likely depend on the quantity of BCR updates each regulator will have to deal with at one time, and the resources they have available to process these.

ENDNOTES

1) Unless they are able to rely on a derogation (which is typically reserved for exceptional cases).

[View source.]