Building a common EU and UK BCR framework

Responsible companies need to ensure a proper legal basis for the international transfer of identifiable personal data and want to assess Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) as options.

Government policy-making on data protection law issues has now settled down after the ministerial resignations in July and re-installation at the DCMS of Michelle Donelan MP as Cabinet Minister and Julia Lopez MP as Data Minister in late October. The ministers are taking a new look at the first version of the Data Protection and Digital Information Bill which had its first reading in Parliament but was then withdrawn.

Privacy Laws & Business is taking an active and constructive role with Memos to the Minister providing 15 recommendations in July (PL&B UK Report September 2022) and seven recommendations in October. At PL&B’s October Roundtable on international data transfers, the DCMS policy staff gave us clear insights into the UK government’s work on International Data Agreements with many other countries. The discussion included SCCs. The group was eager to learn more about the ICO’s work on conducting Transfer Risk Assessments which it is planning to publish by the end of this year.

At the October event, we noted that the DCMS supports BCRs, but as this is more of an ICO regulatory than a DCMS policy matter, we did not go into detail. There was interest in assessing the ICO’s new guidance on BCRs, so PL&B is planning an event in London, in cooperation with Hogan Lovells, with BCRs as the main subject and the responsible ICO manager the main speaker.

Building a common EU and UK BCR framework

If you are considering adopting BCRs for your organisation, I invite you to register now for our 12 December London workshop: Building a common EU and UK Binding Corporate Rules framework.

Objective: The main objective of this event is to identify differences between the current EU BCRs and the ICO’s new UK version, and to take the initiative to encourage the ICO and the European Data Protection Board (EDPB) to have identical BCR schemes, or at least, harmonised BCR schemes with mutual recognition.

The starting point is the ICO’s new approaches to BCRs published on 25 July, so we need to understand what is new and what has changed. The ICO regards BCRs as “the gold standard” and declares “Using them demonstrates …. commitment to implementing appropriate safeguards.” To what extent is the new approach simpler and less time-consuming?

The current BCR system has attracted relatively few companies. Only 8 BCR schemes from 5 organisations have been accepted by the ICO (under the UK GDPR) and only 28 BCR schemes from 22 organisations have been accepted by the ICO (under the UK Data Protection Act 2018 following the rules of the EU Data Protection Directive 1995)

Issues to be discussed will include; does the ICO’s new approach respond sufficiently to the common view that BCRs are very time-consuming and expensive? What should be further improved so that BCRs can more easily be adopted by far more organisations? What needs to be done to achieve compatible UK and EU BCR schemes?

Participants will contribute anonymously to the output from this event, a Memo to the ICO on BCRs signed by PL&B and Hogan Lovells. The rationale is that companies would much prefer one set of BCRs to cover both the European Economic Area and the UK over any minor UK “improvements.”

The morning session will be with the ICO’s Sharon Cunliffe, Group Manager (Regulatory Assurance) and Eduardo Ustaran, Partner, Hogan Lovells. Sharon leads the ICO’s BCR and International Transfers team, is responsible for overseeing the review of the UK BCR process and leading the team on its work with the government’s Department for Digital, Culture, Media and Sport (DCMS) on the UK’s adequacy decisions. Eduardo is a member of the DCMS’s International Data Transfers Expert Council, which has members from different countries, and provides valuable contributions and advice to the government.

The afternoon session will be for companies and lawyers, without ICO participation, for a confidential exchange of experience between participants on applying for and using BCRs. This will help ensure a problem-solving approach to drafting the Memo to the ICO and practical action points.

The Early Bird discount fee ends on Thursday 24 November.

We look forward to meeting you at the BCR workshop on 12 December, helping your understanding of the ICO’s BCR application process, playing a constructive part in ICO decision-making, and helping encourage harmony with the European Data Protection Board’s development of BCRs.

More of an overture than a finale.

Best regards,

Stewart Dresner

Publisher, Privacy Laws & Business

November 2022

News & Blogs

November 2022 Report Contents