American Express Company, the parent company of the American Express group, has obtained approval from the Information Commissioner’s Office (ICO) for use of its binding corporate rules (BCRs) throughout the EU, with effect from 28 January 2013. Approval of its BCRs will allow it to transfer personal data from the European Economic Area (EEA) to its affiliates located outside the EEA in compliance with the Data Protection Directive. American Express is the seventeenth company to have obtained BCR approval from the ICO.
The Data Protection Act (DPA), which implements the EU Data Protection Directive, requires that personal data may only be transferred to a country outside the EEA under specific circumstances. You can only send personal data to a country or territory outside the EEA if that country or territory “ensures an adequate level of protection for the rights and freedoms of individuals when processing their personal data”.
There are a number of possible options by which a data controller can comply with the requirements for the transfer of personal data to countries outside the EEA.
- Consent – a transfer to a jurisdiction outside the EEA is permitted where the person whose data is being transferred has consented to the transfer. However, this may not be a secure route to compliance particularly where consent is difficult to obtain reliably, for example, in the case of employees.
- Safe harbor framework – for transferring data to a business in the US, compliance by the US company with the safe harbor framework agreed between the European Commission and the US government ensures compliance with the eighth data protection principle.
- Standard contractual clauses – for transferring data to other businesses, including US businesses that do not participate in the safe harbor, EU data controllers may rely on contractual requirements they impose on the non-EEA recipients of the personal data. Those contractual requirements are subject to authorisation by the national data protection authority.
- Binding corporate rules (BCRs) – for transferring personal data between companies forming part of multinational groups of companies, adequate safeguards can be ensured through the use of BCRs, provided they are specifically approved by the UK authority.
What are binding corporate rules?
BCRs are a set of legally enforceable rules for the processing of personal data that ensure that a high level of protection is applied when personal data is transferred between members of a corporate group.
BCRs are suitable for multinational companies that want to regulate intra-group transfers on a worldwide basis to ensure compliance with the requirements on the transfer of personal data to outside the EEA.
The key features of BCRs are that they are binding within the group and that they confer legally enforceable rights on third parties.
Advantages and disadvantages of BCRs
There are several advantages and disadvantages that a corporate group should consider when deciding whether to implement BCRs to legitimise transfers of personal data outside the EEA.
- BCRs avoid the challenges of having to put in place a matrix of contracts between individual group members based on the approved standard contractual clauses.
- Once BCRs have been implemented and are operational, they are easier to maintain than a matrix of intra-group contracts. This is especially useful for very large corporate groups which are present in a large number of different jurisdictions.
- BCRs provide a significant degree of flexibility for corporate groups as the data protection authorities do not need to approve updates to BCRs. For example, if a new entity is established or there are other changes to the company structure, provided this is notified to the relevant data protection authorities and an accurate record of the changes is kept, no authorisation or approval from the data protection authorities is required.
- Implementing BCRs not only raises awareness of data protection compliance within an organisation, but can also cement or improve a group’s reputation for privacy compliance. BCRs can also be used as a selling point, as they demonstrate the group’s commitment to data protection compliance.
- BCRs require a high level of protection for personal data and the rules must apply throughout the group even though in some jurisdictions the underlying law may not require such a high level of compliance.
- For the policy to satisfy approval requirements, it needs to be made binding within the organisation and individuals must have the right to enforce the rules.
- The approval process can be intensive and drawn out. Although the process is becoming easier as authorities gain experience of the mutual recognition system, that system currently does not cover all EU member states so further approvals may be required. Also, some authorities insist on approving specific data transfers even after BCRs are approved.
- BCRs apply only to transfers of data within a corporate group. BCRs therefore cannot be used to cover international transfers of personal data to companies outside the corporate group.
Process for approval of binding corporate rules
BCRs must be submitted to the local data protection authorities in the EEA for approval. Under the current approval process, applicants must submit BCRs to the local data protection authority in each EEA jurisdiction from which they intend to transfer personal data.
Data protection reform
In January 2012 the European Commission published the proposed Data Protection Regulation, which is intended to replace the Data Protection Directive. The draft Regulation gives legislative recognition, for the first time, to BCRs. The European Commission envisages that the Regulation will simplify the process for seeking approval of BCRs as they will only need to be validated by one data protection authority, and once that data protection authority has approved the BCRs, they will be valid for the entire EU without the need for further authorisations at a national level.