The European Data Protection Board (“EDPB”) recently issued material entitled “Information note on BCRs for Groups of undertakings/enterprises which have ICO as BCR Lead SA” (“the Note”) designed to help organisations that rely on Binding Corporate Rules (“BCRs”) prepare for when the current Brexit transition period ends. This brief article highlights the key points of the Note.
What’s this about?
BCRs are one of a number of ways to legitimise international data transfers, albeit they are only available for intra-group transfers. Although BCRs have been around for some years, they were finally put on a statutory footing by GDPR. They consist of a binding global code of practice based on EU privacy standards, reinforced by an organisation’s internal compliance system, which national regulators (including, to date, the UK’s ICO) approve in accordance with their own legislation.
The UK left the EU on 31 January 2020. From then until 31 December 2020 the UK is in a transition period, during which it’s mostly business as usual as regards data protection; for more on this see our article here https://www.corderycompliance.com/ico-updated-brexit-dp-guidance-and-resources/. From 1 January 2021 the UK will be a third country from the EU’s perspective (whatever the outcome of the ongoing negotiations between the EU and the UK concerning the future relationship between the two) and so things will change in the data protection arena, including with regard to BCRs.
What does the EDPB’s Note say?
As regards existing authorised BCR holders:
- BCR holders for whom the ICO is the current lead data protection authority (“DPA”) will need to put in place “all organisational arrangements” on the basis of which a new lead DPA in the EEA may be identified, according to criteria laid down in EU WP29 guidance – this change of lead DPA will take effect at the latest at the end of the current Brexit transition period;
- For BCRs already approved under GDPR, the new lead DPA in the EEA will have to issue a new approval decision, following an official opinion from the EDPB, before the end of the current Brexit transition period;
- For BCRs for which the ICO acted as lead DPA under the data protection regime that preceded GDPR (i.e. under Directive 95/46/EC) no approval will have to be issued by the new lead DPA in the EEA;
- BCR holders for whom the ICO is the current lead DPA will need to amend their BCRs “with reference to the EEA legal order” before the end of the current Brexit transition period; see further below for reference to the checklist to help with this;
- If the relevant changes are not made and/or no new approval is given, where applicable, before the end of the current Brexit transition period, groups of organisations will not be able to rely on their BCRs as a valid transfer mechanism for transfers of data outside the EEA after the end of the current Brexit transition period; and,
- Following the full application of GDPR over two years ago, groups of organisations should have already updated their BCRs under GDPR in accordance with requirements set out under EU WP29 Guidance. While the taking over of a BCR by a new lead DPA does not mean that it has checked whether these updates have been made, “it remains at any time in a position to do so and to request that relevant changes are made by any BCR holder and adopt any consequent decision in this regard”. Further, any other changes to the BCRs taken over may also be requested if deemed necessary by the new lead DPA – the new lead DPAs reserve all their rights accordingly.
As regards current BCR applications before the ICO:
- Groups of organisations for which BCRs are currently being reviewed by the ICO are encouraged to put in place “all organisational arrangements” on the basis of which a new lead DPA in the EEA can be identified, according to the criteria laid down in EU WP29 guidance, before the end of the current Brexit transition period – they will have to contact the (hoped for) new lead DPA in order to provide all necessary information as to why the latter should be considered as the new lead;
- The new lead DPA will take over the application and formally initiate an approval procedure, subject to an official opinion of the EDPB; and,
- During the current Brexit transition period, a group of organisations might decide to transfer their BCR application to a new lead DPA, after approval by the ICO. In this case, the new lead DPA in the EEA will have to issue, before the end of the current Brexit transition period, a new approval decision, following an official opinion from the EDPB;
- Any group of organisations for which BCRs are currently being approved by the ICO before the end of the current Brexit transition period, following an official opinion of the EDPB, must ensure that their BCRs “refer to the EEA legal order with information about related changes” in order to become effective (at the latest) at the end of the current Brexit transition period; see further below for reference to the checklist to help with this; and,
- In both scenarios above, the lead DPA in the EEA that may be approached to act as the new lead DPA will consider, on the basis of criteria set out in EU WP29 guidance, and in cooperation with other concerned DPAs, whether it is the appropriate lead DPA on a case-by-case basis and inform the Group of organisations accordingly.
The Note also provides in an annex a useful checklist of elements for data controller and processor BCRs which need to be amended for a lead DPA change in the context of Brexit.
Finally, it should be noted that the Note is without prejudice to the European Court’s July 2020 ruling about EU Model Clauses and the EU-US Privacy Shield, which we have written about here https://www.corderycompliance.com/ecj-rules-scc-valid-not-ps/.
What are the takeaways?
Whether your organisation is a current BCR holder for whom the ICO is the current lead DPA, or whether your organisation currently has a BCR application before the ICO, you ought to start preparing now in line with the Note for when the current Brexit transition period ends.
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance, including:
- Detailed guidance on the security aspects of GDPR in paper and on film;
- A template data breach log;
- A template data breach plan; and,
- A template data breach reporting form.
For information about our Breach Navigator tool please see here: https://www.corderycompliance.com/solutions/breach-navigator/
We report about data protection issues here: http://www.corderycompliance.com/category/data-protection-privacy/. For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.
The EDPB Note can be found here: https://edpb.europa.eu/our-work-tools/our-documents/other/information-note-bcrs-groups-undertakings-enterprises-which-have_en.
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785