International data transfers: standard contract clauses vs binding corporate rules

The GDPR (General Data Protection Regulation) restricts transfers of personal data outside of the EU to prevent organisations circumventing the Regulation by processing  the personal data in a country where personal data is not adequately protected. For a data transfer to be allowed under the Regulation, the level of data protection afforded to individuals must be fundamentally the same as the protections under the GDPR.

Many organisations transfer data from the EU, but this must be controlled to ensure that adequate data protection practices are in place when the data is being processed internationally. Once the UK leaves the EU, transfers from the EU to the UK will need to take this into consideration.

The EU Commission has so far acknowledged that the following countries provide an adequate level of data protection: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield Framework). Their data protection is comparable to that of the GDPR and therefore personal data can be transferred to those countries under the Regulation.

How to transfer personal data internationally

If an organisation wants to send personal data to a country outside of the EU that has not been recognised as providing an adequate level of data protection, it needs to use an appropriate safeguard mechanism provided by the GDPR.

Currently, the two most appropriate mechanisms for such personal data transfer are model contract clauses (also known as SCCs (standard contractual clauses)) and BCRs (binding corporate rules).

The European Commission has decided that SCCs offer sufficient data protection safeguards to allow personal data to be transferred internationally in compliance with the GDPR.

BCRs are a set of internal rules (like a code of conduct) that regulate international personal data transfers within multinational companies. Their use is regulated by the European Commission, and organisations wishing to use BCRs must apply to one of the supervisory authorities across Europe to have their rules approved.

How and when should I implement Standard Contract Clauses (SCCs)?

SCCs work well for organisations that are likely to participate in two-way data sharing and in internal personal data transfers where the processing is fairly straightforward. SCCs only apply to the data processing activities set out in them, meaning new SCCs will have to be drafted every time personal data processing activities change. They are currently the only practical, useable mechanism for transferring personal data internationally between organisations. For example, a business based in Spain that uses a data cleansing service based in Brazil (which does not have an adequacy decision) could use SCCs to ensure the data is well protected as it is being processed.

SCCs are legal contracts, and we advise an organisation engages a data protection lawyer in their execution, as personal data transferred thereunder loses its protection and compliance if the SCCs are inadvertently amended (only their commercial terms can be varied). You also need different SCCs in accordance with whether you are the data controller or data processor of the EU personal data being transferred internationally.

If an international organisation has an ongoing or complicated set of internal personal data transfers to undertake, it could soon be tied up with hundreds of SCCs to cover each of its group companies’ various processing activities, which is where BCRs are more suitable.

How and when should I implement Binding Corporate Rules (BCRs)?

There are certain circumstances in which implementing BCRs may be advised, but they always apply to one organisation and are therefore specifically useful for international organisations to implement. BCRs can apply to both the organisation’s controller and processor agreements and personal data activities.

BCRs cover an entire organisation with offices in various countries, providing clarity, consistency and legal certainty for data transfers across the group. They also act as a public acknowledgement of the privacy rights of individuals whose data is being processed, improving the organisation’s reputation among anyone who may be considering handing over their personal information.

BCRs can be cumbersome to put in place, because they cover a much larger and more complex web of processing than SCCs. The organisation would need to designate a lead authority, who advises other authorities affected (e.g. in all countries where the organisation has offices). The rules are then drafted, as well as the supporting documents, e.g. data privacy policies, data protection audit plans, list of entities included and guidelines for employees. These are supplied to the lead authority; once it is happy with them, it circulates them among all the relevant data protection authorities in the applicable EU member states (such as the Information Commissioner’s Office in the United Kingdom, CNIL in France, AEPD in Spain, etc.). The role of the lead data protection authority is to facilitate the other applicable data protection authorities’ authorisation process.

BCRs can currently take at least 12 months to complete and, without legal assistance, can become extremely onerous and time-consuming. However, once implemented, BCRs have many advantages, including providing flexibility when introducing new products, reducing data protection compliance costs when processing changes, and making data protection integral to the way an organisation carries on its business. BCRs can also give an organisation a competitive advantage by demonstrating that it has harmonised its data protection practices.

Let GRCI Law help

Large organisations with a complex internal web of processing activities should opt to implement BCRs for the additional legal certainty and global impact they provide, while organisations with a more limited internal network of international transfers or that transfer data to third parties may choose to adopt SCCs.

Large organisations will often have both BCRs and SCCs to ensure that both their internal and external personal data transfers are compliant.

GRCI Law offers Contract and Legal Services including reviewing, drafting or updating SCCs and BCRs. We can also manage the registration of BCRs with the supervisory authorities for you.

Our team of qualified lawyers has extensive experience working in data protection law, including writing contracts, enabling GDPR compliance and dealing with the supervisory authorities.

Find out more about Contract and Legal Services >>