Binding Corporate Rules (“BCR”) are internal rules (such as a Code of Conduct) adopted by multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection.
The Safe Harbor program is a streamlined process for US and EU companies to comply with the EU Directive 95/46/EC on the protection of personal data. It is intended for companies operating with the US and EU only.
There are several advantage of Binding Corporate Rules (BCRs) over The Safe Harbor program. Many organisations are now seeking BCR approval over other data export protection solutions. The following information has been provided by the international law firm Fisher Field;
1. BCR are getting express legislative recognition: The Commission’s draft General Data Protection Regulation expressly acknowledges the validity of BCR, including BCR-P, as a valid legal solution to EU’s strict data export rules. To date, BCR have had only regulatory recognition, and then not consistently across all Member States, casting a slight shadow over their longer term future. Express legislative recognition ensures the future of BCR – they’re here to stay.
2. Safe harbor is under increasing strain: The ongoing US/EU safe harbor reform discussions, while inching towards a slow conclusion, have arguably stained its reputation irreparably. US service providers that rely on safe harbor to export customer data to the US (and sometimes beyond) find themselves stuck in deal negotiations with customers who refuse to contract with them unless they implement a different data export solution. Faced with the prospect of endless model clauses or a one-off BCR-P approval, many opt for BCR-P.
3. BCRs have entered the customer lexicon: If you’d said the letters “B C R” even a couple of years ago, then outside of the privacy community only a handful of well-educated organizations would have known what you were talking about. Today, customers are much better informed about BCR and increasingly view BCR as a form of trust mark (which, of course, they are), encouraging the service sector to adopt BCR-P as a competitive measure.
4. BCRs are simpler than ever before: Gone are the days when a BCR application took 4 years and involved traveling all over Europe to visit data protection authorities. Today, a well-planned and executed BCR application can be achieved in a period of 12 – 18 months, all managed through a single lead data protection authority. The simplification of the BCR approval process has been instrumental in increasing BCR adoption.