The position under the General Data Protection Regulation (GDPR) relating to cross-border transfer rules on personal data is similar to that under the 1995 Data Protection Directive. However, there are some noteworthy changes and improvements contained within the GDPR over the Directive, particularly in the aspect of Binding Corporate Rules (BCRs).
BCRs are internal rules for data transfers within multinational organisations. They are designed to allow multinationals to transfer personal data internationally within the same corporate group, to countries outside the European Economic Area (EEA) that are not considered as ‘adequate’ 3rd countries by the EU.
The BCR or lack of clarity on cross-border data transfer under the Directive could be argued to have been overly burdensome, slow and prevented business transactions. “For example, one analysis estimates that disruptions to cross-border data flows and services trade could result in a negative impact on the European Union of up to 1.3 percent of GDP”
However, the GDPR directly recognises the concept of BCRs for Controllers and Processors as a legitimate means of intra-group international data transfers. BCRs under the GDPR provide more clarity and transparency. Unlike the Directive, the:
As the BCR approval is given by the competent Data Protection Authority (DPA), it is now subject to more harmonised rules, which would create better consistency in the interpretation and implementation and ease the compliance burdens of companies. This positive step is therefore a welcome change for Data Controllers, particularly for multinational organisations with branches outside the EU member states.
The GDPR’s harmonis
ed BCR rules amongst member states also create good controls. Although easier to follow, it is more stringent and more difficult to circumvent the system. This makes the BCR’s guidelines under the GDPR a good improvement and a good step towards improving information governance across borders as well as result in a positive impact on the European Union GDP.