EDPB Adopts Information Note on BCRs in Preparation for Brexit
On July 22, 2020, the European Data Protection Board (the “EDPB”) adopted an information note (the “Note”) to assist organizations relying on Binding Corporate Rules (“BCRs”) for international personal data transfers, as well as supervisory authorities, in preparing for the end of the Brexit implementation period on December 31, 2020. The Note is provided specifically for those groups of undertakings and enterprises that have the UK Information Commissioner’s Office (“ICO”) as the competent supervisory authority for their BCRs.
The EU General Data Protection Regulation (“GDPR”) sets a general prohibition on the transfer of personal data to countries outside the European Economic Area (the “EEA”) (i.e., third countries) unless the European Commission has made an adequacy decision with regard to the recipient jurisdiction, or a transfer mechanism has been put in place to ensure the data is protected. BCRs are one such transfer mechanism, and they require that each member within a group of undertakings or enterprises engaged in a joint activity is legally bound and required to comply with certain standards of data protection. BCRs must be approved and overseen by an EEA supervisory authority (a “BCR Lead SA”).
As of January 1, 2021, the UK will be a third country, and as a result the ICO will no longer be an EEA supervisory authority. BCRs that have been approved by the ICO will require approval from a new BCR Lead SA in the EEA in order to remain valid. The identification of the new BCR Lead SA and the required approval must occur before the end of the implementation period. Those organizations whose BCR approval from the ICO is currently pending will need to contact their proposed new BCR Lead SA in the EEA and provide the information required to demonstrate why that supervisory authority is the appropriate replacement for the ICO. This will allow the proposed BCR Lead SA to take over the application and initiate an approval procedure subject to an EDPB opinion. If an organization instead chooses to wait for the ICO’s approval process to conclude, an approval decision by the new BCR Lead SA following an opinion from the EDPB will be required before the end of the Brexit implementation period in order for the BCRs to remain valid.
The Note provides an annex containing a detailed checklist of elements for controller and processor BCRs that require amendment in the context of Brexit, including in relation to the change in the BCR Lead SA. Other changes include the need to update the BCR itself to remove references to the UK or to refer instead to the relevant EEA jurisdiction. Legal instruments used to make the BCRs binding must be signed by a BCR member in the EEA rather than in the UK, and a UK entity can no longer serve as the BCR member that accepts liability for violations of the BCR by BCR members outside of the EEA. References to the BCR Lead SA will require updating to refer to the appropriate supervisory authority in the EEA, rather than the ICO.