This is an excerpt from Centre for Information Policy Leadership ("CIPL") President Bojana Bellamy's recently published piece in the IAPP "Privacy Perspectives" blog, and reflects the views of the author.
International data transfers continue to be a top compliance and legal issue for both European and global organizations, requiring continuous reevaluation and increasing resources. In its recent guidance from December 2022, the European Data Protection Board (the "EDPB") provided draft guidance with updated interpretations and requirements regarding the use of the binding corporate rules ("BCRs") transfer mechanism. In doing so, the EDPB missed an opportunity to address BCRs in a systematic, strategic and forward-thinking way, and to enable this important transfer mechanism to evolve into a more scalable, powerful and globally relevant tool for sustainable international data transfers.

It is high time to reconsider and evolve BCRs in light of the GDPR and new laws, as well as numerous new developments in international data transfers in Europe and beyond. To effectively and efficiently realize the potential of BCRs, policymakers should:

- Promote, incentivize and recognize their special nature. The European Commission, the EDPB and other supervisory authorities should proactively promote the wide adoption of BCRs and make it easier, and more attractive, for corporate groups of all sizes to obtain BCR approval. The BCR requirements cannot be stricter than those for other transfer mechanisms and must reflect the unique nature of this transfer mechanism.
- Simplify and even transform the approval process. To facilitate their wider use, BCRs must be scalable and configurable for organizations of all sizes and corporate structures. DPAs should lessen the overall administrative burden and timelines of the BCR application process and provide clear, workable criteria.
- Ensure a risk-based approach to risk assessments. BCRs represent a binding commitment to a uniform level of privacy protection across the entirety of a corporate group. Policymakers should therefore ensure that the guidance and requirements for transfer risk assessments under BCRs do not impose higher standards than other transfer mechanisms, such as standard contractual clauses. Instead, the same risk-based, contextual approach should apply to BCRs. Otherwise, businesses that have invested in a higher level of compliance, i.e., BCRs, are effectively penalized for and disincentivized from doing so going forward.
- Make BCRs interoperable and mutually recognized across jurisdictions. At present, organizations face a duplicative process of going through the same BCR approval procedure in the EU and the U.K. without any difference in the substantive requirements. An informal mutual recognition should be expanded to the U.K., just like the past expansion for Switzerland, for example. Also, the Global Privacy Assembly should work on a mutual recognition project, fully or partly, for BCRs approved in countries outside the EU under similar data protection laws, like Brazil, Singapore and Australia.
- Recognize transfers from BCRs to BCR-approved companies. Today, corporate groups with BCRs are only able to rely on BCRs for intragroup data transfers, i.e., to controllers and processors within the corporate group. Given that BCRs are reviewed and approved by regulators under the GDPR and represent a comprehensive compliance program that delivers a high level of data protection for all data once it enters a corporate group, companies with BCRs should be able to facilitate transfers to other BCR-approved companies.

An increasing number of jurisdictions are adopting BCR-like provisions. This presents an urgent opportunity for policymakers to incentivize the further adoption of BCRs, with an eye on accessibility for organizations of all sizes and mutual recognition between BCR-approved organizations within the same jurisdiction and beyond.