Building a common EU and UK BCR framework

12 December 2022

Hogan Lovells, London

Overview

Considering adopting Binding Corporate Rules for your organisation?

Date: Monday 12 December 2022
Times: 09.30 to 15.30
Location: Hogan Lovells, London
Type: In-person only
CPE Credits: up to 4

Objective: The main objective of this event is to identify differences between the current EU BCRs and the ICO’s new UK version, and to take the initiative to encourage the ICO and the European Data Protection Board (EDPB) to have harmonised BCR schemes with mutual recognition in a way that enhances the role of BCRs as a model for global data protection.

The starting point is the ICO’s new approaches to BCRs published on 25 July, so we need to understand what is new and what has changed. The ICO regards BCRs as “the gold standard” and declares “Using them demonstrates …. commitment to implementing appropriate safeguards.” To what extent is the new approach simpler and less time-consuming?

In parallel, the EDPB is seeking to refresh its own approach to BCR authorisations in order to hopefully streamline the process further, while in the UK, the Government is looking at the most appropriate model to facilitate international data flows in a way that still provides for the protection of personal data.

Issues to be discussed will include, does the ICO’s new approach respond sufficiently to the common view that BCRs are very time-consuming and expensive? What should be further improved so that BCRs can more easily be adopted by far more organisations? What needs to be done to achieve compatible UK and EU BCR schemes?

The output from this event will be a memo to policy makers and regulators which will be drafted by host firm lawyers, in cooperation with Privacy Laws & Business, and provide a record of the participants’ policy recommendations. The rationale is that companies would much prefer one set of BCRs to cover transfers from both the European Economic Area and the UK. This paper will not attribute comments to individuals nor their organisations but provide their sector if relevant to the context. This memo will also be sent to all the participants, in both draft for comments and final form, so they know that their substantive views have been recorded and submitted to the relevant parties.

  Programme
09.30 Registration
10.00

A new UK perspective on BCRs

  • To what extent the UK approach differs from the EU approach
  • How the ongoing UK data protection reform affects BCRs
  • What are the essential requirements that the ICO is focusing on?

Speakers:

  • Eduardo Ustaran, Partner, Hogan Lovells, who is a member of the DCMS’s International Data Transfers Expert Council, which has members from different countries, and provides valuable contributions and advice to the government.
  • Joe Jones, Deputy Director - International Data Transfers, Data Policy Directorate, DCMS
  • Sharon Cunliffe, Group Manager (Regulatory Assurance), ICO, who leads the ICO’s BCR and International Transfers team, is responsible for overseeing the review of the UK BCR process and leading the team on its work with the DCMS on the UK’s adequacy decisions

Chair: Stewart Dresner, Founder and Chief Executive, Privacy Laws & Business

11.30 Break
11.45

Building a common EU and UK BCR framework

  • What is the direction of travel of EU BCRs?
  • How the pan-European approval process works in practice
  • Is there room for mutual recognition between EU and UK BCR models?

Speakers:

  • Joke Bodewits, Partner, Hogan Lovells
  • Honor von Schmieder, Senior Legal Counsel, International Privacy, Verizon, who has direct responsibility for the BCR programme at Verizon
  • Nicola Coogan, Assistant Commissioner (Head of International Transfers/BCR unit), Data Protection Commission Ireland
  • Eduardo Ustaran, Partner, Hogan Lovells

Chair: Stewart Dresner, Founder and Chief Executive, Privacy Laws & Business

13.15 Lunch
14.00

Confidential exchange of practical experience

This session will allow companies and lawyers, without ICO participation, to confidentially discuss and share experience on applying for and using BCRs. This will help ensure a problem-solving approach to drafting the Memo to the ICO and practical action points.

15.30 Close

 

The Memo

The output of this event was a joint PL&B & Hogan Lovells memorandum sent to the European Commission, EDPB, ICO and DCMS advocating for a common EU/UK framework for Binding Corporate Rules. 

Read the Memo

 

Thanks to our host