Last month, the Article 29 Working Party sent a letter to the President of the European Parliament about the future of Binding Corporate Rules for processors (BCR-P) in the context of the EU’s ongoing data privacy legislative reform.
The letter illustrates the clear support that BCR-P have – and will continue to have – from the Working Party. Whilst perhaps not surprising, given that the Working Party originally “invented” BCR-P in 2012 (having initially invented controller BCR way back in 2003), the letter affirms the importance of BCR-P in today’s global data economy.
“Currently, BCR-P offer a high level of protection for the international transfers of personal data to processors” writes Isabelle Falque-Pierrotin, Chair of the Working Party, before adding that they are “an optimal solution to promote the European principles of personal data abroad.” (emphasis added)
As if that weren’t enough, the letter also issues a thinly-veiled warning to the European Parliament, which has previously expressed skepticism about BCR-P: “denying the possibility for BCR-P will limit the choice of organisations to use model clauses or to apply the Safe Harbor if possible, which do not contain such accountability mechanisms to ensure compliance as it is provided for in BCR-P.”
The Working Party’s letter notes that 3 companies have so far achieved BCR-P (and we successfully acted on one of those – see here) with a further 10 applications on the go (and, yes, we’re acting on a few of those too).
Taking the helicopter view, the Working Party’s letter is representative of a growing trend for global organizations to seek BCR approval in preference over other data export solutions: back in 2012, just 19 organizations had secured controller BCR approval; two years later, and today that figure stands at 53 (both controller and processor BCR).
There are several reasons why this is the case:
1. BCR are getting express legislative recognition: The Commission’s draft General Data Protection Regulation expressly acknowledges the validity of BCR, including BCR-P, as a valid legal solution to EU’s strict data export rules. To date, BCR have had only regulatory recognition, and then not consistently across all Member States, casting a slight shadow over their longer term future. Express legislative recognition ensures the future of BCR – they’re here to stay.
2. Safe harbor is under increasing strain: The ongoing US/EU safe harbor reform discussions, while inching towards a slow conclusion, have arguably stained its reputation irreparably. US service providers that rely on safe harbor to export customer data to the US (and sometimes beyond) find themselves stuck in deal negotiations with customers who refuse to contract with them unless they implement a different data export solution. Faced with the prospect of endless model clauses or a one-off BCR-P approval, many opt for BCR-P.
3. BCRs have entered the customer lexicon: If you’d said the letters “B C R” even a couple of years ago, then outside of the privacy community only a handful of well-educated organizations would have known what you were talking about. Today, customers are much better informed about BCR and increasingly view BCR as a form of trust mark (which, of course, they are), encouraging the service sector to adopt BCR-P as a competitive measure.
4. BCRs are simpler than ever before: Gone are the days when a BCR application took 4 years and involved traveling all over Europe to visit data protection authorities. Today, a well-planned and executed BCR application can be achieved in a period of 12 – 18 months, all managed through a single lead data protection authority. The simplification of the BCR approval process has been instrumental in increasing BCR adoption.
So if you’re weighing up the pros and cons of BCR against other data export solutions, then deliberate no longer: BCR, and especially BCR-P, will only grow in importance as the EU’s data export regime gets ever tougher.