On January 10, 2023, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth responded to a call for public comments from the European Data Protection Board (“EDPB”) regarding its Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR) (“Recommendations 1/2022”). The Recommendations 1/2022 are intended to bring existing Controller Binding Corporate Rules (“BCR-C”) in line with the GDPR and the Schrems II ruling.
CIPL emphasized the importance of BCR as one of the most effective data transfer mechanisms permitted by the GDPR and noted that BCR should be proactively promoted and made easier and more attractive for corporate groups to adopt. Organizations seeking BCR-C must demonstrate their commitment to data privacy, usually through a comprehensive data privacy management program implemented consistently across all operational levels and throughout their global entities. CIPL noted, however, that some of the new requirements in Recommendations 1/2022 may create additional burdens for BCR-C organizations without a notable improvement in the level of data protection.
CIPL recommended that the EDPB’s guidance for current and potential BCR-C holders should:
- adopt a risk-based and contextual approach for data transfers and allow BCR-C holders to consider the specific circumstances of a transfer when conducting transfer risk assessments;
- clarify that BCR-C holders may consolidate accountability requirements;
- allow BCR-C holders to designate a single method for individuals to submit requests and complaints (e.g. a ticketing system); and
- clarify that BCR-C holders have a duty to communicate only substantive or material changes in the publicly available version of the BCR.
In CIPL’s view, BCR ultimately deliver more effective data protection compliance and stronger protection for individuals. To further promote and enable their use, CIPL encouraged the EDPB to be more explicit in this regard in Recommendations 1/2022 and in its future work. In particular, CIPL encouraged the EDPB to continue promoting wider adoption of BCR and to make it easier for organizations to obtain approval by:
- streamlining the policies and procedures required as part of the BCR-C application and approval process;
- mutually recognizing BCR holders among data protection authorities in the European Union and the United Kingdom;
- exploring and expanding the utility of BCR as a data transfer mechanism between organizations engaged in joint economic activities; and
- streamlining the approval process by considering the use of a third party, such as an accredited certification body under the GDPR or an “Accountability Agent”, for the initial evaluation, or eventually considering a self-certification system.
You can read CIPL’s full comments in response to the EDPB’s Recommendations 1/2022 here.