Contents
Binding Corporate Rules – Are they the icing on the cake?
What are BCRs? – a quick reminder
The current process for obtaining BCRs
How do BCRs compare with using Model Clauses?
What do companies see as the advantages of BCRs?
What are the disadvantages?
Top tips from those who have gone through the process
How will the proposed Regulation change things?
BCRs for processors
Should we wait and see?
What do people think?
Binding Corporate Rules – Are they the icing on the cake?
Binding Corporate Rules (BCRs) are one of the key elements of the proposed new EU data protection framework. The European Commission’s emphasis on BCRs highlights their growing importance. The proposed Regulation aims to streamline what many have found to be a fairly cumbersome process. The Commission clearly hopes to make BCRs a more attractive option, certainly for larger companies.
In this article we examine the experiences of some of the few (but growing number of) companies which have implemented BCRs, or which are in the process of doing so. We have also drawn on our own experiences. An understanding of these experiences and lessons learned should help companies to assess whether implementing BCRs would be beneficial.
The key question is, do BCRs just replace one expensive compliance mechanism with another, particularly where a company’s existing policies and practices are already advanced, or are they set to become widely
What are BCRs? – a quick reminder
Principle 8 of the UK Data Protection Act 1998, which implements Article 25 of the EU Data Protection Directive (95/46/EC), prohibits the transfer of personal data to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. There are a number of derogations.
While BCRs are not formally recognised as a means of satisfying Principle 8 of the UK Data Protection Act 1998 (or the equivalent restriction under the EU Directive) in the legislation itself, the concept was developed by the Article 29 Working Party (Working Party) as an application of Article 26(2) of the EU Directive.
BCRs are a set of binding rules that can be put in place to allow multinational groups to transfer personal data that they control from the EEA to their affiliates outside the EEA in compliance with national laws implementing the EU Directive. To be successful, an applicant must demonstrate that it has in place adequate safeguards for protecting the data throughout the organisation. BCRs do not cover transfers of personal data outside a corporate group.
The draft EU Data Protection Regulation proposed by the European Commission on 25 January 2012 formally recognises BCRs. It also seeks to streamline the existing approval process, although it remains to be seen whether this will make a difference in practice. In addition, the proposed Regulation introduces the possibility of BCRs for processors of personal data and the Working Party has already released a working document to show how they envisage these working. While this article focuses on BCRs for data controllers (eg in relation to employee and customer data), we do briefly consider BCRs for processors at the end.
The Working Party is an independent data protection advisory body composed of representatives from the data protection authorities of the member states (DPAs), the European Data Protection Supervisor and the European Commission.
The current process for obtaining BCRs
The process for obtaining BCRs looks, at first glance, fairly simple. The Working Party has published a number of documents to assist, including checklists, FAQs and a framework BCR as guidance. The UK Information Commissioner (ICO), the data protection regulator in the UK, recommends that the Working Party’s suggested form is followed. The process involves the applicant company choosing a lead DPA based on the criteria laid down by the Working Party. Once this lead authority is satisfied that the applicant’s draft BCRs are acceptable, that authority will facilitate the authorisation process by the other relevant DPAs. Some member states have joined a mutual recognition system which streamlines this process (see below).
While the process has improved over time (such as through further countries signing up to mutual recognition), companies who have implemented BCRs have not generally found it to be a smooth experience. As set out below (see “What are the disadvantages?”), it is often found to be an expensive, time-consuming and, at times, frustrating exercise, which is harder the more countries are involved. Many hope that the process will be greatly improved by the new Regulation and the efforts of the Working Party and the DPAs.
Which countries are part of the mutual recognition procedure?
Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Estonia, France, Germany, Iceland, Ireland, Italy, Latvia, Liechtenstein, Luxembourg, Malta, The Netherlands, Norway, Slovakia, Slovenia, Spain and the United Kingdom.
How do BCRs compare with using Model Clauses?
Executing standard EU Model Contractual Clauses (Model Clauses) is a common method used to transfer personal data to controllers and processors located in “non-adequate” countries outside the EEA in compliance with national laws implementing the EU Directive. While Model Clauses generally work well for smaller companies and bilateral data sharing, experience has shown that the use of these standard contracts in a large multinational company can be very cumbersome and impractical. This is for several reasons:
– Many companies have found that the Model Clauses are simply not fit for purpose where there is a complex web of processing. For example, if an organisation is one legal entity, perhaps operating through a branch structure, then Model Clauses are not available. In addition there is a concern that once they are signed they often remain in a drawer never to be considered again, which rather defeats their purpose.
– Larger companies with many affiliates abroad can need to put in place hundreds of Model Clauses. These are costly to administer and become out of date quickly.
– On top of this, some EU member states require additional formalities, such as filing and approval of Model Clauses by the DPA, making the process lengthy and costly.
While some of these formalities look likely to be removed by the proposed Regulation, many feel that, in light of the other points mentioned above, it is hard to achieve genuine compliance using the Model Clauses. In contrast, many consider that BCRs force companies to adopt compliant and transparent data processing practices.
What do companies see as the advantages of BCRs?
The companies that we spoke to raised many advantages of having BCRs (as opposed to using other methods to transfer personal data to affiliates outside the EEA) within their corporate groups, such as:
Increased flexibility
Carefully drafted BCRs can allow for some flexibility to allow for changes to a company’s flow of data transfers, and their company structure. Additionally they do not need to cover a company’s entire corporate group. The draft text in the proposed Regulation contradicts this approach, requiring all members of the corporate group to be included, but from our discussions with the Commission, this was not the intention of the draft wording, and this flexibility will be retained.
Increased accountability
Accountability is also a key part of the proposed Regulation and it looks inevitable that various more onerous obligations will be imposed on companies. This will be the case whether a company uses BCRs or other methods of transferring data (such as Model Clauses). BCRs follow the accountability model fairly closely, both being just a set of binding internal rules. Many of the requirements for BCRs to be approved will be met by being “accountable”, such as having Data Protection Officers, controls, audits, impact assessments and so on. In preparing for the accountability obligations under the proposed Regulation a company can put itself in a good position to implement BCRs. Equally, those with BCRs in place are already “accountable” in many respects.
Better global understanding of EU data protection requirements
The requirements imposed by having BCRs mean that data protection compliance generally receives much greater attention within a company. Training programmes, audits etc are a great excuse to raise awareness about data protection compliance, particularly coupled with the proposed increase in potential fines by the draft EU Regulation. Companies who have implemented BCRs have seen a tangible uplift in compliance which is hard to value. This has come, for example, through the internal training and auditing required, and the way in which BCRs initiate dialogue with other jurisdictions.
Costs (over time)
The big expense with BCRs is predominantly up-front. Once BCRs are in place, less time is required to be spent compared, for example, to maintaining Model Clauses.
Good PR
Applying for BCRs means exposing a company’s policies and procedures to the Regulators. Once BCRs have been granted, customers will know that a company takes its data protection responsibilities extremely seriously and has been prepared to be transparent with the Regulators. The “gold standard” of BCRs is therefore a good PR tool, conveying a positive message to customers.
Improved relationship with the DPAs
There is a possibility that the increased dialogue with DPAs in other jurisdictions from which a company requires approval can help to improve relations with those DPAs, which is of a general benefit. However, some countries may not view BCRs in such a positive light.
The following companies have authorised BCRs:
Company – Lead authority
ABN AMRO Bank N.V. – Dutch DPA
Accenture Limited – ICO (UK)
Atmel Corporation (for employee data) – ICO (UK)
American Express Company – ICO (UK)
British Petroleum plc – ICO (UK)
Bristol Myers Squibb – CNIL (FR)
CareFusion Incorporated – ICO (UK)
Citigroup Incorporated (to take effect on 6 June 2013) – ICO (UK)
CMA-CGM – CNIL (FR)
D.E. Master Blenders 1753 (“DEMB”) ex Sara Lee International B.V. (indirect subsidiary of Sara Lee Corporation) – Dutch DPA
Deutsche Post DHL – BfDI, Germany
eBay Incorporated – Luxembourg
First Data Corporation – ICO (UK)
General Electric (for employee data) – ICO (UK)
Hermès – CNIL (FR)
Hewlett Packard – CNIL (FR)
Hyatt Hotel Corporation (for employee and guest data) – ICO (UK)
IMS Health Incorporated – ICO (UK)
ING Bank N.V. – Dutch DPA
Intel Corporation – Ireland
International SOS – CNIL (FR)
JP Morgan Chase & Co. – ICO (UK)
Koninklijke DSM N.V. and affiliated companies – Dutch DPA
Linklaters LLP – ICO (UK)
LVMH – CNIL (FR)
Michelin – CNIL (FR)
Novartis – CNIL (FR)
Novo Nordisk A/S – Denmark
Royal Philips Electronics – Dutch DPA
Safran – CNIL (FR)
Sanofi Aventis – CNIL (FR)
Schlumberger Ltd. – Dutch DPA
Shell International B.V. – Dutch DPA
Spencer Stuart Management Consultants N.V. – ICO (UK)
What are the disadvantages?
Those companies to whom we spoke for the purpose of this bulletin which have implemented BCRs are generally very pleased with the result. Most of the disadvantages mentioned relate to the process of getting to that point. Some of the issues that those companies encountered include:
Timing
The process of obtaining BCRs can take years. This is largely caused by a lack of resource in DPAs leading to delays in the authorisation process. The fact there is no pan-European co-ordinated approach can also lead to streams of comments from the other DPAs, which need to be addressed/resisted. Realistically, the ICO say that a straightforward application will take up to 12 months. The fastest BCRs Allen & Overy have helped to get through for a client took 11 months from initial filing to final validation, although this is unusually quick. There is therefore a lack of confidence that the authorisation process is sufficiently streamlined. However, this does not detract from the fact that a company will already be benefiting from many of the advantages (eg better policies and practices) during the application process.
Costs
The process does require significant investment up front (both in terms of finance and resourcing). However, in the long run, compliance costs will generally be less than the cost of other ways of handling complex intra-group transfers, especially in the current environment where some countries have approval/notification requirements for Model Clauses.
Further administrative steps
While no further steps are required in the UK once a company has its BCRs authorised, in some member states a company still needs to meet further administrative steps. For example, in Hungary a company generally still needs consent from data subjects as well as the BCRs. Some DPAs don’t recognise BCRs at all (eg Romania). Even countries that do recognise BCRs, such as France, may still wish to be notified of data transfers, and will approve them based on the BCRs. It is not yet the pan-European solution it is intended to be, although the proposed Regulation does seek to remove these hurdles.
Incompatibilities with local laws
Difficulties can be faced where local laws conflict with the way in which a company has approached BCRs. For example, if a company has chosen to make BCRs binding on its corporate group in a way that works in one member state (eg making a unilateral declaration in the UK) a company may find that some member states’ laws do not allow for the concept of unilateral declarations.
Not suitable for smaller companies
Given the cost of implementing BCRs in comparison with using Model Clauses, BCRs are often seen to be for the rarefied few who do so many complex transfers globally that BCRs become cost-effective.
Making changes
Once a company’s BCRs are in place, the company must still reapply to its lead DPA (for all or part of the processing) if there are changes to the flows of data which go beyond the scope of its authorisations. Similarly if a company wishes to add further countries, it will need to apply for those countries to be added.
Transfers to third parties are not covered
BCRs do not provide a basis for transfers made outside the corporate group, and therefore other means will need to be used to legitimise the transfer to those third parties.
The long arm of EU law
Some companies have struggled with the idea that implementing BCRs globally puts non-EEA affiliates under the purview of an EU regulator. Many foreign entities do not like or understand this, particularly those with a centre of business outside the EU.
Top tips from those who have gone through the process
Are BCRs the right step to take?
Consider whether BCRs are the right choice. Carry out a cost/benefit analysis bearing in mind the cost of Model Clauses (including local requirements such as a need to translate into the local language) or other means used to comply (such as having an enormous intra-group agreement). Big up-front costs need to be balanced with long-term savings (which can be hard to quantify). BCRs are not currently a solution for every group. They may not be appropriate where transfers are limited or do not change over time.
How well prepared are you?
The process is going to be much easier internally if the relevant policies are already in place – leveraging existing policies means fewer new corporate policy documents need to be drafted and approved. A gap analysis will need to be carried out to see if there are any holes in the current policies.
What data would you include?
Think carefully about what data to include – some companies have found that only including employee data is much more manageable, while others decided that if they were going to go through the process they may as well include all data they control, including client data. Another tip was that it may be easier to assume from the beginning that all data may go everywhere, building in flexibility to allow for future change.
Senior stakeholder buy-in
It is going to be vital that you obtain buy-in from the relevant senior players in all countries/business lines involved. Think about how to present the business case. It may be necessary to explain the relevant prohibitions on international transfers. Use of Model Clauses may be costly, time-consuming (holding up deals) and may not be addressing the needs of the business. It may help to hold a workshop on BCRs explaining the process and benefits. If your state of compliance is good, BCRs may not in fact change anything the business does – they may be a relatively ‘light gloss’ on an already excellent compliance model, which removes the burden of using Model Clauses. Giving regular updates throughout the process to keep your senior stakeholders on board is important.
Will pure processors sign up?
Some companies have taken the view that affiliate processors within the group should be caught too (and not just controllers). While this does not technically meet the Principle 7 (Article 17 of the EU Directive) requirements, which require data controllers to enter into an agreement with data processors that require the processor to act in accordance with its instructions and implement appropriate security measures, many have taken the view that this is a logical extension of the BCRs and various experts agree.
Appoint the right team
The person leading the process must be flexible and proactive. They will need to react quickly to DPA requests, remain realistic and be willing to look for alternative approaches where DPAs are resisting. The project manager should be someone who is experienced and has the confidence to call senior stakeholders. Consider appointing a third party or someone on a fixed-term contract. Costs can be kept down by limiting the number of consultants and lawyers you involve to assist and having a strong team internally, particularly if you are starting off with decent policies. The project manager must keep a tight rein on the costs to prevent them from spiralling.
How are you going to make your BCRs binding?
Will you have a complex internal agreement (with third party rights) entered into by all employing entities, for example? One company we spoke to arranged that the top company of each business line would sign up to the policy. Another company used an inter-company agreement signed by some key companies in the group on behalf of the others to make it binding. A more controversial solution used by one company we spoke to is using a unilateral declaration (ie having a document which sets out the principles as opposed to a bilateral agreement) which key companies within the group in each country signed. While this is not legal under some countries’ civil codes, some DPAs (including the ICO) do consider this approach valid.
How are you going to deal with liability?
BCRs should identify a member of the corporate group in the EU who accepts liability for breaches of the rules outside the EU (eg paying damages). Alternative solutions may be accepted if the applicant provides sufficient comfort. Think carefully how you will deal with this requirement as this has nearly caused some BCRs projects to fail. Will the lead entity accept liability on behalf of the whole group or will you need to find an alternative approach if that doesn’t work with your structure and liability has to sit locally? Some lead entities have only agreed to accept liability where they themselves are the beneficiaries of a cross-indemnity from the defaulting group company.
Follow closely the wording in the Working Party papers
Those who have undergone the process found that if you change your application to adopt internal jargon, you will get more pushback from the DPAs.
Remember that the BCRs only cover European data which is exported
Foreign entities are only bound, for example, if and to the extent they process EU data. However, this can be changed by imposing the policy globally on all relevant affiliates as a matter of internal group policy.
Help the process to move along
Work closely with your lead authority to get through questions and comments from other DPAs, taking a robust approach. Companies find that this is still a hard process, although it has been eased as the mutual recognition group grows.
When can you transfer data?
Remember that even if you have BCRs in place, you still need a legitimate reason to transfer the personal data in the first place. BCRs only facilitate transfer of data out of the EEA – they do not legitimise the initial collection or processing (including sharing) of data. In addition, compliance does not stop with putting in place BCRs. Internally, you still need to ensure compliance through appropriate policies and training. However, these are easier to communicate if you have made a commitment to the Regulator. Also, remember to address intra-group transfers within the EU. You may wish to try to bring these transfers within your BCRs. However, several DPAs point out that BCRs are to cover data that is transferred out of the EEA and do not therefore apply to controller to processor sharing within the EEA. They expect intra-group agreements to regulate this.
Launching your BCRs internally
Make sure you have a high profile launch within the company to get the benefits internally. A soft launch where the relevant heads are informed may miss the opportunity to capitalise on the BCRs and raise awareness. However, it can take time to get the training ball rolling through the various levels within an organisation. Having had a consultant involved can be beneficial at this point if they hand over to an internal team who have fresh energy. It is also useful to summarise the official policies into digestible one-page documents for ease of understanding.
Be patient
How will the proposed Regulation change things?
The wording in the proposed Regulation looks set to survive, if not be strengthened following the suggested changes of Jan Philipp Albrecht, the German Rapporteur. We hope that the upshot of this will be a more streamlined approach, although the “one stop shop” concept of the proposed Regulation is getting a lot of attention from interested parties and it is not clear to many how it can actually work in practice as currently drafted.
However, with some work there is a strong hope that the Regulation will solve some of the process issues and that this will be enough to make BCRs easier, cheaper and faster to obtain. Of course, as BCRs get easier, so will obtaining Model Clauses (bearing in mind the Regulation also seeks to remove one of the key drawbacks – lack of consistent approach across member states with extra formalities required). It will be interesting to see the effect this has on interest in BCRs.
BCRs for processors
Another welcome change for many, which would be introduced by the draft Regulation, is BCRs for processors. The Working Party has already produced guidance on what these would need to contain. These are, in many respects, very similar to BCRs for controllers. For example, they must also be binding on the members of the group and employees, and create third party beneficiary rights for data subjects. However, the emphasis is naturally on security and the data processor and data controller must refer in the services agreement to the fact that the data processor must only act on the instructions of the data controller, which might be a third party customer. The BCRs must be attached to the services agreement and must be made binding towards the data controller.
The BCRs for processors would cover a group handling client data as a processor (such as outsourced services and cloud computing services). Once the BCRs are approved, the relevant client would notify the DPA that they are using a processing company that has put in place processor BCRs and the DPA would approve the transfer based on the processor BCRs. While this sounds simple, some are unsure how this will work in practice and whether it is so clearly a better solution than using Model Clauses in each case.
The biggest concern which, if not addressed, could be a barrier to uptake, relates to the liability the processor needs to assume. This is going to be particularly hard if the processor is an SME. The Working Party makes it clear that the EU headquarters of the data processor (or EU entity delegated this responsibility) must accept responsibility for all breaches/damages by its sub-processors (including potentially those caused by external sub-processors). It will be interesting to see how this could work contractually, and in practice. We understand that the first application for BCRs for processors has been submitted and a few more are in the pipeline. Interested parties are watching to see where they come out. Whether these BCRs catch on, whether liability can be dealt with in other ways (as it can for controllers), whether they can cover external sub-processors too, and whether they will work only for the largest services providers remains to be seen. However, a lot of work is being put into finding a workable solution at a European level and we can only hope that the wording of the proposed Regulation will be clarified.
Should we wait and see?
Many companies are adopting a “wait and see” strategy. With the future European data protection framework being a little unclear, as we watch the discussions take place in Brussels, companies want to see if the process really will become simpler (and the final position adopted in relation to Model Clauses). The more recent approval of the concept of BCRs for processors by the Working Party may also present an attractive opportunity for larger data processors.
However, BCRs are becoming the gold standard for data protection compliance and are a far better fit with the accountability model. There may also be something to be said for getting ahead of the game before the DPAs are inundated with extra responsibilities from the new data protection framework. Perhaps, for some, now is, in fact, the time to think seriously about implementing BCRs.
What do people think?
In June 2012 we carried out a survey to find out what people thought about changes to the European data protection framework. An extract of the result relating to BCRs is set out below.
Are you more likely to implement BCRs as a result of the Regulation?
Yes 46% – No 10% – Don’t know 44%
Would you consider BCRs for processors?
Yes / No / Don’t know
Do you have BCRs in place for your company?
Yes, and they cover all of our group entities / Yes, but they only cover some of our group entities / No / Don’t know
[Charts for the last two questions show the figures 35%, 10%, 13%, 25%, 65%, 40% and 12%; which figure belongs to which answer is not recoverable from the extracted text.]
Which three changes do you welcome the most? (% of respondents)
[Chart listing: Increased fines; Obligation to have a data protection officer (250+ employees etc); Data breach notification; More direct obligations on data processors; Privacy by design; Removal of notification requirement; Right to be forgotten; Consent to be explicit; Accountability; Recognition of BCRs; Other. Axis 0–50%; individual values not recoverable.]
The underlying data in this research was collected and analysed using surveymonkey.com. The results of the survey are based on 54 respondents.
Many thanks to those who contributed their thoughts and tips for this article.
If you would like to discuss any point raised further, please contact any of the individuals named on the back cover of this article (or your usual A&O contact).
About the research
The underlying data to this research comes from interviews conducted by Allen & Overy with a number of companies that have implemented or are in the process of implementing BCRs. The interviews were conducted between December 2012 and January 2013.
Contacts
Czech Republic – Prokop Verner, Senior Associate, Prague, Tel +420 222 107 140
France – Ahmed Baladi, Partner, Paris, Tel +33 1 40 06 53 42
Hungary – Balázs Sahin-Toth, Counsel, Budapest, Tel +36 1 429 6003
Italy – Lydia Mendola, Senior Associate, Milan, Tel +39 02 2904 9713
Netherlands – Hendrik Jan Biemond, Partner, Amsterdam, Tel +31 20 674 1465
Poland – Magdalena Bartosik, Senior Associate, Warsaw, Tel +48 22 820 6131
Slovakia – Zuzana Hecko, Associate, Bratislava, Tel +42 12 5920 2438
Spain – Rafael Beneyto, Associate, Madrid, Tel +34 91 782 98 00
UK – Mark Mansell, Partner, London, Tel +44 20 3088 3663
UK – Nigel Parker, Senior Associate, London, Tel +44 20 3088 3136
UK – Charlotte Mullarkey, Senior PSL, London, Tel +44 20 3088 2404
UK – Jane Finlayson-Brown, Partner, London, Tel +44 20 3088 3384
Further office numbers (contact names not preserved in the extracted text): +32 2 780 25 78; +49 69 2648 5942; +352 44 44 55 515; +40 31 405 7777
Allen & Overy means Allen & Overy LLP and/or its affiliated undertakings. The term partner is used to refer to a member of Allen & Overy LLP or an employee or consultant with equivalent standing and qualifications or an individual with equivalent status in one of Allen & Overy LLP’s affiliated undertakings.
GLOBAL PRESENCE
Allen & Overy is an international legal practice with approximately 5,000 people, including some 512 partners, working in 42 offices worldwide. Allen & Overy LLP or an affiliated undertaking has an office in each of: Abu Dhabi, Amsterdam, Antwerp, Athens (representative office), Bangkok, Beijing, Belfast, Bratislava, Brussels, Bucharest (associated office), Budapest, Casablanca, Doha, Dubai, Düsseldorf, Frankfurt, Hamburg, Hanoi, Ho Chi Minh City, Hong Kong, Istanbul, Jakarta (associated office), London, Luxembourg, Madrid, Mannheim, Milan, Moscow, Munich, New York, Paris, Perth, Prague, Riyadh (associated office), Rome, São Paulo, Shanghai, Singapore, Sydney, Tokyo, Warsaw and Washington, D.C.