Please note: This is one of a series of guides about overseas transfers of personal data. If you're new to that subject, read the introduction to overseas transfers first.
Following the widespread use of the model contractual clauses, Binding Corporate Rules were developed by the EU Article 29 Working Party for use by a multinational organisation or group of companies as a mechanism for transferring personal data throughout the organisation. Such rules are intended as an alternative to model contracts (see our OUT-LAW guide EU model contractual clauses) and Safe Harbor (see our OUT-LAW guide The US Safe Harbor scheme) and are aimed at providing a compliance solution for multinational organisations.
Binding corporate rules need to be approved by every European data protection authority in whose jurisdiction a member of the group will rely on them. The advantage is that the approval process is simplified: an application is made to one national "lead" data protection supervisory authority in Europe, and that authority liaises with all other authorities to seek approval. For example, a group with entities in five European countries could submit its rules to the UK Information Commissioner for approval. The UK Commissioner would then obtain approval, on behalf of the organisation, from the four other countries. However, in practice the requirements of EU privacy authorities vary, so the approval process may be lengthy.
Content of rules
Although referred to as rules, an organisation does not have to have one document or policy to comply; a set of policies and procedures or measures taken together could be sufficient.
The UK Information Commissioner requires for approval:
- a background paper summarising compliance;
- the "binding corporate rules" themselves; and
- contact details of the responsible person within the organisation to whom queries may be addressed.
The ICO then requires a set of questions to be answered including:
- Does the organisation have its HQ in the UK and/or is the UK group company responsible for data protection? (This determines that the UK Information Commissioner is the appropriate authority to act as "lead" authority and for the organisation to submit the rules to);
- How are the measures legally binding? (The rules must be binding both within the organisation and for the benefit of data subjects);
- How will compliance be verified? (The rules must be audited either internally or by external auditors);
- What is the processing being done and what flows of information are there? (Details of the nature of the data, purposes for processing and extent of transfers should be provided);
- What safeguards are in place? (There must be a description of the safeguards in place to protect the data);
- What is the mechanism for reporting and recording changes? (There should be a system in place for dealing with changes to the rules both internally and externally).
Large multinational organisations are starting to look at binding corporate rules as an alternative to Safe Harbor and contracts, primarily because they offer a global solution. So far only Philips, Daimler Chrysler and GE have submitted binding corporate rules in the UK. However, the concept is at a relatively early stage and organisations may wish to learn from the experience of others before committing to this solution.