BCRs as a robust alternative to Privacy Shield and SCCs

Binding corporate rules are considered the “gold standard” for international data transfers, primarily as they constitute the only data transfer mechanism that carries individual regulatory approval. As all concerned supervisory authorities have participated in the review and approval process, it seems unlikely that a supervisory authority would initiate an enforcement action against a data transfer that takes place on this basis.

BCRs are also not in the scope of the “Schrems II” decision, and the Court of Justice of the European Union has not in any way touched upon the validity of existing BCRs. That said, BCRs are essentially another “adequacy instrument,” just like the standard contractual clauses and EU-U.S. Privacy Shield. In other words, when approving BCRs, the supervisory authorities must have been convinced that the group companies, including those in the U.S. and the U.K., were required and able to comply with the contractual safeguards of the BCR arrangement. However, in the aftermath of the “Schrems II” decision, it is likely that, if individual SCC-based transfers would be considered noncompliant on grounds related to U.S. government surveillance, the same would apply to BCR-based transfers to the U.S.

In practice, the main difference is that the burden on assessing the adequacy of the safeguards rests with the supervisory authorities if a company uses BCRs, while the user of SCCs must, according to the CJEU, make its own adequacy assessment and is accountable if wrong.

Click here to read the full article.

BCRs as a robust alternative to Privacy Shield and SCCs

Note: This is the fifth in a series of guidance notes on what the “Schrems II” decision means for companies that rely on EU-U.S. Privacy Shield, controller-to-processor standard contractual clauses, SCCs for transfers to controllers, derogations/exceptions to transfer restrictions, and binding corporate rules, as well as what “Schrems II” means for Brexit and what companies can expect with the road ahead on these issues.

For more on Schrems II, visit our Schrems II Resource Hub.

Author

Dr. Lukas Feiler, SSCP, CIPP/E, has more than eight years of experience in IP/IT and is a partner and head of the IP and IT team at Baker McKenzie • Diwok Hermann Petsche Rechtsanwälte LLP & Co KG in Vienna. He is a lecturer for data protection law at the University of Vienna Law School and for IT compliance at the University of Applied Science Wiener Neustadt.

Author

Wouter is a partner in the Firm's IP/IT & Commercial Practice Group in Amsterdam. He has significant experience in assisting national and international clients with respect to issues concerning ownership and protection of electronic data. Wouter has a particular interest in all internet-related issues on the subject of intellectual property rights.

Write A Comment