On November 15, 2022, the European Data Protection Board (EDPB) adopted draft recommendations for data controllers when applying for approval of their binding corporate rules for international data transfers (Recommendations).
Binding corporate rules (BCRs) are a set of internal data protection requirements that entities of a multinational group agree to comply with. BCRs must be approved by supervisory authorities (SAs) in the EU. Once approved, BCRs allow participating entities to lawfully transfer personal data outside of the European Economic Area (EEA). The Recommendations update the existing criteria and standard application form that data controllers must use to seek approval of their BCRs.[1] The Recommendations clarify the required content of controller BCRs (BCR-Cs) and the information to be provided to the competent SA. They further bring the existing criteria in line with the groundbreaking Schrems II ruling, where the EU’s highest court increased the standard for companies to lawfully transfer personal data outside of the EEA. The Recommendations are open to public consultation until January 10, 2023. The EDPB is also working on a second set of recommendations for processor BCRs (BCR-Ps).
Background
The EU General Data Protection Regulation (GDPR) restricts transfers of personal data out of the EEA, unless appropriate safeguards, such as BCRs, are in place.[2] BCRs provide a framework for companies to transfer personal data outside the EEA to controllers or processors within the same group[3] subject to policies and practices that satisfy GDPR standards. There are two types of BCRs:
- BCR-Cs apply to transfers of personal data from controllers established in the EU to other controllers or to processors established outside the EEA within the same group.
- BCR-Ps apply to personal data received from a controller established in the EEA that is not a member of the group and then processed by the concerned group members as processors or subprocessors of that controller.
The GDPR sets out the criteria that BCRs must meet in order to be approved by an SA. These criteria are supplemented by regulatory guidance, including a standard application form. This guidance will be updated and replaced by the Recommendations. The draft Recommendations consist of three parts: (1) an introduction, (2) an application form to be completed and submitted by the company applying for approval of its BCRs, and (3) a table of the minimum content required in the BCR-C.
The UK’s data protection regime also provides for BCRs. The UK SA (the ICO) updated its guidelines on BCRs in July 2022 to simplify the UK BCR approval process, which is similar to the EU BCR approval process.[4]
Key Takeaways
- Changes to the application form.[5] The BCR application form and its annexes have been updated. The referential table (provided in Part 3 of the Recommendations) will need to be completed and attached as Annex 2 to the application form. In that table, the applicant will have to set out, for each requirement, where such requirement is addressed in the applicant’s BCRs or the application form. This is similar to the application process for UK BCRs.
- New Schrems II requirements. To align with the Schrems II ruling, the BCR application form and table require that companies conduct a transfer impact assessment before transferring personal data under the BCRs and, where necessary, put supplementary measures in place to protect the data.[6] The Recommendations also set out the steps to follow when the non-EEA BCR member importer receives a request for access by a public authority.[7] In addition, references to Schrems II-related requirements are present throughout the document (e.g., staff training should include how to manage requests for access by public authorities[8]).
- Additional detail for existing requirements. The referential table is more prescriptive about how the BCR requirements must be met. For instance, to meet the transparency requirement, the new referential table specifies that individuals must receive information about changes to the BCRs. The BCR-C should also specify how it will be made available to individuals (e.g., through publication on the internet or intranet).[9] Further, the referential table provides more details on exactly what third-party beneficiary rights need to be specified in the BCR-C.[10] The new referential table also specifies the consequences of non-compliance with the BCRs (such as suspension of the transfer and return/deletion of the data).[11] Remarkably, the new referential table specifies that the data protection officer (DPO) should not conduct data protection impact assessments or audits related to the BCRs if this would create a conflict of interest (e.g., if such activities could lead to the determination of purposes and means of processing).[12]
- Additional mandatory content. Companies must provide new information in their BCR-C, such as a list of definitions of data protection terms used,[13] an exhaustive list of all the legal bases that members of the BCRs will rely on,[14] and steps to be taken by importers who cease to be bound by the BCR.[15]
- Updates to existing BCRs. Existing BCRs will need to be updated where necessary. Companies that rely on existing BCRs, as well as organizations with pending BCR applications, will need to re-assess their BCR-C once the final version of the Recommendations is adopted and may need to update their BCR-C to meet the new requirements. However, some of the new requirements may already be part of existing BCR-Cs, since the Recommendations build on SAs' current practices in BCR approval processes.
Next Steps
The EDPB will accept written comments on the draft Recommendations until January 10, 2023, following which it will prepare a final version of the Recommendations. While the draft Recommendations are still open to changes, they already provide insights into upcoming new requirements for BCR-Cs.
Wilson Sonsini Goodrich & Rosati routinely helps clients prepare BCR submissions and manage risks related to the enforcement of privacy and data protection laws, along with advising clients on general domestic and international privacy and data security issues. For more information, please contact Cédric Burton, Laura De Boel, or another member of the firm’s privacy and cybersecurity practice.
Laura Brodahl and Hattie Watson contributed to the preparation of this post.
[1] Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules (WP 256 rev.01), https://ec.europa.eu/newsroom/article29/items/614109, and Recommendation on the Standard Application for Approval of Controller Binding Corporate Rules for the Transfer of Personal Data (WP264), https://edpb.europa.eu/sites/default/files/files/file2/wp264_art29_wp_bcr-c_application_form.pdf.
[2] Art. 44 GDPR.
[3] Art. 47 GDPR.
[4] Available at https://ico.org.uk/for-organisations/guide-to-binding-corporate-rules/.
[5] Part 1 of the Recommendations.
[6] Section 4 of the application form in Part 2 of the Recommendations, and section 5.4.1 of Part 3 of the Recommendations.
[7] Section 5.4.2 of Part 3 of the Recommendations.
[8] Section 3.1 of Part 3 of the Recommendations.
[9] Section 1.7 of Part 3 of the Recommendations.
[10] Section 1.3.1 of Part 3 of the Recommendations.
[11] Section 7.1 of Part 3 of the Recommendations.
[12] Sections 3.3 and 3.4 of Part 3 of the Recommendations.
[13] Section 9 of Part 3 of the Recommendations.
[14] Section 5.1.2 of Part 3 of the Recommendations.
[15] Section 6.1 of Part 3 of the Recommendations.