This summer, the European Data Protection Board (“EDPB”) published the final version of its Recommendations 01/2022 (“Recommendations”) on Binding Corporate Rules for Controllers (“C-BCR”). During the turbulence caused by the “Schrems II” ruling of the European Court of Justice (“CJEU”), Binding Corporate Rules were able to defend their reputation as the most robust mechanism and “gold standard” for international transfers of personal data subject to the GDPR. Given recent and potential action against the EU-US Data Privacy Framework adequacy decision, BCR could once again serve as a transfer mechanism that ensures long-term legal certainty. In addition to our previous analysis of the draft C-BCR Recommendations, this article provides an overview of the further changes in the final Recommendations on C-BCR and their impact on companies, as well as the status of the anticipated Recommendations on BCR for Processors.
BCR are legally binding internal rules adopted by multinational corporations to facilitate transfers of personal data to non-EEA countries in accordance with Article 46(2)(b) and Article 47 GDPR. In contrast to the Standard Contractual Clauses of the European Commission (SCC), BCR are approved by the European data protection authorities (DPAs) individually and therefore provide a greater level of legal certainty for companies that transfer personal data across borders.
On 14 November 2022, the EDPB published its draft Recommendations for C-BCR which introduced several updates on the material requirements for C-BCR. Following public consultation which closed on 10 January 2023, the EDPB adopted the final version of its Recommendations on 20 June 2023. For more information on BCR as a transfer mechanism under the GDPR and our analysis of the draft Recommendations, please refer to our previous article.
The final Recommendations include very few amendments to the material requirements for C-BCR as proposed in the draft Recommendations (and outlined in our previous article).
Minor revisions are introduced such as the inclusion of examples or clarifications which apply mainly to the following requirements within the table specifying the elements and principles to be found in C-BCR:
Binding Nature - internally: Where a group company relies on internal policies and sanctions or other means for making the C-BCR legally binding on employees, it is required to properly demonstrate how this will be enforced in practice vis-à-vis the employees (Sec. 1.2) in addition to demonstrating how those means make the C-BCR legally binding on employees.
Binding Nature - externally: The duty to inform all data subjects about any update to the C-BCR and the list of BCR members has been retained, and the EDPB has added, by way of example, that this can be undertaken by publishing the new version without undue delay (Sec. 1.3.1). In addition, there is a focus on explaining, in the application form, how the instrument(s) a company group intends to rely on to make the C-BCR internally binding also enable the C-BCR elements to be enforced against the group company. For example, with respect to an intra-group agreement, the company group should explain how the agreement will be enforceable by data subjects (Sec. 1.3.1).
Effectiveness: A reminder that no transfer can be made under the C-BCR to a BCR member unless the member is effectively bound by the C-BCR and can deliver compliance, which includes that appropriate training on the C-BCR can effectively be provided to the employees of the respective member (Sec. 3.1).
The EDPB states that it expects all new and ongoing C-BCR applicants as well as current holders of C-BCR to bring their C-BCR in line with the updated final C-BCR.
Recommendations:
Groups of companies that are just in the planning stage of setting up their own C-BCR should consider the updated C-BCR Recommendations from the outset.
The recent updates to the EDPB’s guidance only apply to C-BCR, while for Binding Corporate Rules for Processors (“P-BCR”) the “pre-Schrems II” recommendations under Working Paper 265 dated April 2018 still apply. As indicated by the EDPB’s list of approved BCR, the current P-BCR recommendations are still applied by the EU data protection authorities. It is planned to develop a new set of EDPB Recommendations on P-BCR that take into account the requirements formulated by the CJEU. However, the timeline for the publication of the draft for such P-BCR Recommendations is still unclear. Given the significant relevance of P-BCR in practice, companies are well advised to further consider the developments in this regard.
Authored by Henrik Hanssen, Jabeen Rizvi, Julie Schwartz, and Katie McMullan.