Binding corporate rules – Ecija

As international companies are slowing adopting BCRs, saving them time, money and resources, law firms had better ensure they are up to speed

Las Reglas Corporativas Vinculantes (Binding corporate rules) no son algo muy común para los despachos, dice Alejandro Touriño de Ecija. Sin embargo se está popularizando entre las empresas. Las ventajas son numerosas, particularmente por el ahorro de tiempo en procesar solicitudes de protección de datos en distintas jurisdicciones.

Binding corporate rules (BCRs) may not be something many firms have heard of, says Alejandro Touriño, a Madrid-based IT Partner at Ecija. BCRs are, however, coming onto their  radars as clients are slowly signing up. BP, eBay, Novo Nordisk, Citigroup and Intel, for example, have all signed-up over the past two years.
BCRs were established by the European Union Article 29 Working Party with the goal of allowing pan-European businesses to transfer personal data to their subsidiaries located outside the EU in compliance with the EU Data Protection Law. The rules, based on this EU Data Protection Law, have 19 countries currently participating, including Austria, Cyprus, Germany, Ireland Italy, Liechtenstein, Spain and the UK.
Touriño explains that, in practice, BCRs allow a company to identify a national data protection authority (DPA) – usually the jurisdiction where the European operations of the business are headquartered – with the authority then reviewing the standards of data protection within the company. “If the information authority believes the company meets the standards and safeguards and approves the BCRs, the company is then free to transfer data amongst its non-European businesses without having to reapply for any new international data transfer.”
BCRs, according to the EU Article 29 Working Party, make it possible for companies to “be in compliance with article 25 and 26 of the European Directive 95/46 for all flows of data…. harmonise the protection of personal data within a group…prevent the risks resulting from data transfers to third countries…avoid the need for a contract for each single transfer and provide an internal guide for employees with regards to the personal data management”.
Companies are, of course, required to monitor BCR compliance, but the idea is that once the structure is in place, a DPA needs only be contacted if substantial changes are made to the business that surpass the initial clearance. Regulation for any breaches remains in the jurisdiction of the DPA where the offence occurred.
In order to implement the BCRs, an EU company looking to transfer data to countries in Asia or Africa has to prove that a non-EU affiliated branch meets the same standards as the other entities in the EU business, says Touriño. As such, companies that already have high data protection standards across the globe should have no problems in gaining clearance for such transfers.
In this case, therefore, joining the BCRs could be a substantial advantage to companies in cloud computing; compliance could give clients confidence that their data is protected to the highest standards no matter where the servers are physically based in the world.
“The benefits of BCRs are that they are cost effective and save time and recourses in processing data protection requests in different jurisdictions; once clearance is granted a company does not need to go back to the DPA,” says Touriño. The main disadvantage is that the start-up process can be quite long, taking months from start to finish. The UK Information Commissioner’s Office (ICO), for instance, believes a straightforward application could take 12 months to conclude. The process is not easy but is definitively better for companies in the mid-long-term.
No Spanish companies have signed up to the BCR yet (although Spanish affiliates of other EU businesses are in the scheme) but Touriño says his firm is working for a number of clients looking to adopt the structure. The group of companies that have completed the BCR process remain small; the UK ICO has cleared 16 companies for compliance over the past seven years, including General Electric and Intel. However, Touriño believes that the scope of BCRs has the potential to be extended to include other aspects of corporate operations.
“The BCRs were established specifically for data protection, but the structure could easily be used as a wider instrument to help with any relevant corporate laws,” he says. “Banks could establish a BCR for global financial standards, for example, or companies could look to establish official global corporate governance or corporate social responsibility models sanctioned by regulators.”