Binding corporate rules: the answer to global data protection | Practical Law

The Information Commissioner's recent approval of Philips' binding corporate rules, which allows the international group to share information about its customers and clients on a global basis, shows that this system is a realistic solution to the restriction on the transfer of personal data imposed by the Data Protection Directive.

Practical Law UK Legal Update 3-369-8080 (Approx. 4 pages)

by Eduardo Ustaran, Field Fisher Waterhouse LLP
Published on 26 Jun 2007 | United Kingdom
The information that organisations in the EU hold about customers, employees and other individuals is a very valuable asset. Exploiting this information correctly is crucial for their operations, but its use on a global basis is strictly regulated by the Data Protection Directive (95/46/EC) (the Directive), which, in principle, only allows the transfer of personal data to countries outside the EU that have an adequate level of data protection. (This restriction has been implemented in the UK by the eighth principle in Schedule 1 to the Data Protection Act 1998.)
Fortunately, this draconian prohibition can be overcome and the binding corporate rules (BCR) system is recognised by the Article 29 Working Party (the Working Party) (comprising the data protection authorities of all EU member states) as providing a legitimate and efficient means to transfer personal data under the Directive.
The Information Commissioner’s (the Commissioner) recent approval of Philips’ BCR, which allow the international group to share among its entities information about its customers and clients, shows that this system is a realistic solution to the restriction on the transfer of personal data (www.ico.gov.uk/about_us/news_and_views/press_releases.aspx).

Safeguard requirements

Despite the general restriction on transfers of personal data overseas, Article 26(2) of the Directive does allow member states to authorise a transfer, or a set of transfers, of personal data to non-EU countries that do not ensure an adequate level of protection (such as the US) where the organisation wishing to transfer the information puts in place adequate safeguards to protect the privacy rights of individuals (see box “Safe harbor principles”). In 2001, the European Commission passed a Decision under Article 26(4) of the Directive that included standard contractual clauses which, although their use is optional, are considered suitable to meet the safeguard requirements (www.practicallaw.com/9-101-6449).
While the use of standard clauses may work where transfers of personal data are made by an organisation to third parties dotted around the world, the use of ad hoc contractual arrangements is less appealing for ensuring the legitimate transfer of personal data within a multinational organisation. For many multinationals, using personal data is all about sharing information without having to pay attention to borders and national regulatory differences. So, a flexible, tailor-made solution that does away with the inconvenience of having to enter into innumerable contracts among subsidiaries was required.

Binding corporate rules

In 2003, the Working Party published its Working Document (WP74) on BCR for international data transfers (http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2003/wp74_en.pdf). According to WP74, as long as the corporate rules are binding (both in law and in practice) and incorporate the essential content principles identified by the Working Party, there is no reason why national regulators should not authorise international transfers within a multinational group under Article 26(2) of the Directive.
In practice, implementing a BCR system should be no different from running a comprehensive global privacy programme (see box “Documenting a BCR system”). A key feature of the BCR system is that it is the organisation, and not the regulator, that determines how the system operates. From the regulator’s point of view, a BCR system should demonstrate that the organisation has adopted EU data protection standards and that these are enforceable across the organisation; the method or format chosen to achieve this is a matter for the organisation.

Application process

In 2005, the Working Party adopted a co-ordinated approval mechanism (WP107) that allows organisations seeking the approval of their BCR to fast-track their submissions through all the relevant EU data protection authorities (http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2005/wp107_en.pdf). An organisation must choose an “entry point” data protection authority which will be the official point of contact until the BCR are ready for approval in that country, and will then assist the candidate to gain approval throughout the EU.
Where it is not clear which data protection authority should have jurisdiction, organisations must consider the following factors set out in the Working Party’s model checklist application for approval of BCR (WP108) (http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2005/wp108_en.pdf):
  • The location of the organisation’s EU headquarters or office with data protection responsibilities.
  • The location of the organisation best placed to lead the BCR application and, eventually, enforce compliance.
  • The place where any key operational decisions about the purposes and means of the data processing are made.
  • The member state from which most international transfers originate.

The way forward

Philips’ application was the first to be approved in the UK concerning customers’ personal data. The Commissioner had previously approved General Electric’s BCR, which cover transfers of employees’ personal data.
Despite these approvals, which have also been mirrored in other member states, some multinationals are still questioning whether the BCR system can deliver the desired flexibility for global transfers of personal data. This is mainly due to the perception of the BCR approval process as slow and time-consuming.
However, the EU data protection authorities have come a long way since WP74 was issued in 2003, and today virtually all of them see BCR as a key mechanism to deliver effective data protection, much more so than standard contractual clauses. The Working Party’s recent adoption of a standard form application to accompany BCR submissions is the clearest sign to date of EU data protection authorities’ commitment to BCR (http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp133_en.doc).
BCR should therefore be regarded as the most efficient and cost-effective way to ensure data protection compliance internationally for transfers of data within multinationals and, in some cases, to third parties.

Safe harbor principles

Given the large volume of data transfers carried out on a daily basis between the EU and the US, the US Department of Commerce and the European Commission (the Commission) devoted more than two years to developing the so-called “Safe Harbor Privacy Principles”, a self-regulatory framework that allows US organisations to satisfy the requirements of the Data Protection Directive (95/46/EC) (see News brief “Transfers of personal data to the US: the safe harbor rules”, www.practicallaw.com/7-101-2051). However, this framework can only be applied to transfers to the US and not to other jurisdictions. In addition, in October 2004, the Commission published a report revealing a number of shortcomings in this model (Safe Harbor EU Commission document, http://ec.europa.eu/justice_home/fsj/privacy/docs/adequacy/sec-2004-1323_en.pdf).

Documenting a BCR system

Typical documents in a binding corporate rules (BCR) system might comprise:
  • Top level privacy policies.
  • Privacy statements.
  • Internal compliance guidelines, checklists or similar notes.
  • Customer-facing privacy policies.
  • Data quality policies (dealing with issues such as data retention).
  • Access request response procedures.
  • Information security policies.
  • Data processing agreements with third parties.
  • Intra-group agreements providing binding force to the BCR (if any).
Eduardo Ustaran is a partner in the privacy & information law group at Field Fisher Waterhouse LLP.