U.K. Privacy Office Assures Multinationals on Data Transfer Mechanism Approvals


The U.K. privacy office has asked that all new company applications seeking approval of binding corporate rules to transfer personal data outside of the European Union align with the fast-approaching new EU privacy regime, General Data Protection Regulation (GDPR).

Binding corporate rules (BCRs) are a set of company privacy procedures and policies to allow intra-corporate, cross-border transfers of personal data from the EU. BCRs have become increasingly important as legal challenges have surrounded other methods of transferring data, such as the EU-U.S. Privacy Shield and model contract clauses developed by the European Commission.

The approval process for BCRs is a long, arduous process, and the U.K. Information Commissioner’s Office has served as the lead EU privacy regulator in approving approximately 25 percent of the total BCRs approved across the EU, the ICO said. The U.K. privacy office has an additional 40 BCR applications in the pipe. Applications submitted with provisions modeled on the GDPR—which recognizes the legality of the BCR mechanism—won’t be approved until after the law goes into effect on May 25, 2018, the ICO said.

The ICO said that for BCR applications drafted with reference to the current privacy regime, it will contact companies as the GDPR deadline approaches to help facilitate any changes necessary to meet new privacy requirements.  

The GDPR provides one EU-wide regulation to replace a more than 20-year-old directive that required each country to pass its own privacy laws. The GDPR will bring stricter standards for user consent to the use of their personal data, mandatory data breach notification, and fines as high as $20 million euros ($23.5 million) or 4 percent of a company’s annual worldwide income, among other reforms.

Companies that have already had their BCRs approved must update them to be GDPR-compliant when the new regime takes effect, because BCRs include language that requires companies to take account of legal and regulatory updates, the ICO said.

Brexit won’t have any effect on BCRs that are approved by the U.K. before it leaves the EU, the ICO said.

The Article 29 Working Party, which is made up of privacy officials from the 28 EU countries is slated to release GDPR guidance on data transfers by the end of the year.

To keep up with the constantly evolving world of privacy and security sign up for the Bloomberg BNA Privacy and Security Update.