The position under the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) relating to cross-border transfer rules on personal data is similar to that under the 1995 Data Protection Directive. However, there are some noteworthy changes and improvements contained within the GDPR over the Directive, particularly in the aspect of Binding Corporate Rules (BCRs).
BCRs are internal rules for data transfers within multinational organisations. They are designed to allow multinationals to transfer personal data internationally within the same corporate group, to countries outside the European Economic Area (EEA) that are not considered as ‘adequate’ third countries by the EU.
The BCR, or the lack of clarity on cross-border data transfer, under the Directive could be argued to have been overly burdensome and slow, and to have prevented business transactions. “For example, one analysis estimates that disruptions to cross-border data flows and services trade could result in a negative impact on the European Union of up to 1.3 percent of GDP”[1].
However, the GDPR directly recognises the concept of BCRs for Controllers and Processors as a legitimate means of intra-group international data transfers. BCRs under the GDPR provide more clarity and transparency. Unlike the Directive, the:
As the BCR approval is given by the competent Data Protection Authority (DPA), it is now subject to more harmonised rules, which would create better consistency in the interpretation and implementation and ease the compliance burdens of companies. This positive step is therefore a welcome change for Data Controllers, particularly for multinational organisations with branches outside the EU member states.
The GDPR’s harmonised BCR rules amongst member states also create good controls. Although easier to follow, they are more stringent, and the system is more difficult to circumvent. This makes the BCR guidelines under the GDPR a good improvement and a good step towards improving information governance across borders, as well as towards a positive impact on the European Union’s GDP.
[1] World Economic Forum: http://reports.weforum.org/global-information-technology-report-2016/1-2-cross-border-data-flows-digital-innovation-and-economic-growth/