Corporations are seeking to mitigate the risks associated with data flows beyond Europe’s borders. Measures such as binding corporate rules, though cumbersome, slow and costly, are for many a sensible precaution, says Lewis Crofts, MLex editor-in-chief.
The General Data Protection Regulation (GDPR) enters into force in May, and organisations are advanced in rolling out new compliance plans. However, it’s far from clear how multinationals with data-crunching operations that span the Atlantic will manage their risks.
Regulators in Brussels and Washington agreed a Privacy Shield, which provides companies on both sides of the Atlantic with a mechanism to comply with data protection laws, but not everyone is convinced, and many companies are opting for binding corporate rules (BCRs) – internal procedures governing how multinationals make intra-company transfers from country to country – to ensure EU regulatory approval for data transfers abroad.
The increasing appeal of BCRs lies primarily in the uncertainty surrounding the legality of other, simpler transfer methods: specifically, fears that the EU-US Privacy Shield and so-called standard contractual clauses could be declared void by the EU courts.
Standard contractual clauses are templates pre-approved by watchdogs for use in contracts, while ‘adequacy’ agreements such as the Privacy Shield let companies self-certify compliance.
At the same time, BCRs have been seen as overly complicated and drawn out. They must be approved by the data protection authority in each EU country the data will touch, and getting approval typically takes between one and two years.
But, BCRs are gaining a new lease of life as companies worry about the future of overarching agreements such as the Privacy Shield – and realise that complying with EU data privacy rules entails much of the same work as getting certified for international data transfers. Hence, it is efficient to do both at the same time. Indeed, Ireland’s data protection commissioner has recently encouraged companies to look into the use of BCRs. They should look at the various mechanisms available and see which is most appropriate for them.
Negotiations on BCRs happen on two levels. First, a company needs to justify its legitimate interest for transferring data; this is normally a straightforward exercise. Second, the extent of the company’s adequacy will be scrutinised; and that means a lot of preparatory work. But as many of the criteria that companies need to fulfil to demonstrate BCR compliance are the same as those they need to meet if the data protection authority comes knocking after the GDPR enters into force, some multinationals are turning to BCRs to solve the compliance conundrum.
It’s the risk of a legal earthquake that could leave companies using BCRs sitting pretty if the EU courts start to throw their weight around.
The EU’s past invalidation of a precursor agreement between the EU and the US – known as the Safe Harbour decision – created the storm that ultimately saw it reincarnated as the Privacy Shield.
Privacy experts say that companies with BCRs will be in an enviable position if the EU courts invalidate the use of standard contractual clauses or knock down the fledgling Privacy Shield, both of which are being contested before the European Court of Justice (CJEU).
Brussels cautions that such a strike-down is unlikely. It has done its homework in drafting the new Privacy Shield, and the CJEU over past years has a track record of ruling in favour of strong privacy protections – including declaring Safe Harbour invalid in October 2015.
But for all that, companies opting for the more difficult route are increasingly seeing their choice vindicated. The US government has extended surveillance rules for foreigners that both the EC and privacy watchdogs have said would increase the risk of the Privacy Shield being annulled, not least because it was precisely mass surveillance that triggered the annulment of Safe Harbour.
And while the costs may be higher upfront, once a company has gone through the BCR process it will find that certifying compliance with other privacy safeguards is relatively simple. Trying to do it the other way, by contrast, would likely involve a lot of duplicated work and wasted money.
A key trigger for the wider use of BCRs will be an upcoming set of guidelines from the European regulator to clarify when companies that team up are considered to be ‘joint controllers’ of the use of a person’s data, and what measures should apply in such cases.
If the rules on joint controllers are implemented strictly, BCRs may be a tool to divide liability in case of a violation, which under current rules could amount to four per cent of global turnover for each of the companies involved.
And it is the compliance risk which is the principal reason for companies to opt for the resource-intensive route of getting BCRs approved.
For more insight on data privacy and security and other areas of regulatory risk, visit the MLex Market Insight website.