By Richard van Staden ten Brink
EU Working Party announces mutual recognition of BCR approvals
On October 1, the Article 29 Working Party—a group of EU data protection authorities— announced that France, Germany, Ireland, Italy, Latvia, Luxembourg, the Netherlands, Spain and the UK have agreed to mutually recognize one another's approvals of Binding Corporate Rules (BCRs).
BCRs are an instrument that allows multinational companies to meet EU data transfer restrictions for intra-group transfers of personal data. BCRs include privacy standards that a multinational can implement in some or all of its worldwide operating companies. After implementation, these operating companies can only process personal data if they meet the privacy standards set out in the BCRs, or the requirements under local privacy legislation, whichever are stricter.
Following approval and implementation of the BCRs, a group company located in an EU country where the approval was granted is allowed to transfer personal data to any other group company that is also subject to the BCRs, even if that other group company is located in a country outside the EU that, according to EU standards, does not provide for an "adequate" level of data protection.
The announced mutual recognition of BCR approvals is a big step forward for multinational companies that have group companies in multiple participating EU countries. Companies can submit their (draft) BCR to one "lead" data protection authority—usually the data protection authority of the country in which the multinational company has its EU headquarters. If the lead data protection authority intends to approve the BCR, it circulates the BCR with a positive opinion to the other relevant data protection authorities, who will then also approve the BCR on the basis of that positive opinion.
Richard van Staden ten Brink is advocaat at De Brauw Blackstone Westbroek in Amsterdam, the Netherlands. He can be reached at email@example.com.