BCR and Brexit - A practical way forward

At the end of July, and so with only five months remaining until the end of the transition period, the EDPB issued an information note for companies that have the ICO as their lead authority as to the steps that they need to take in order to move their BCR application, or approved BCR, to an EEA supervisory authority (SA).

The guidance reflects the rigorous stance of the EDPB in relation to BCR, and its clear message is that the top priority for any company that has the ICO as its lead authority is to set in motion as quickly as possible the move to a new EEA lead SA so that the formalities associated with the move may be completed before the end of the transition period.

This article examines the requirements of the EDPB guidance and considers the likely expectations of the EEA SAs and the UK in light of this guidance. As no examination of international transfers would be complete without consideration of the possible impact of Schrems II, this article also looks at the likely impact of the judgment on BCR and some of the residual issues relating to GDPR that may also have to be taken into account in the context of a move to a new SA.

The EDPB guidance is divided into two sections, the first of which deals with holders of an authorised BCR, while the second covers applications for BCR approval currently before the ICO.

Authorised BCR

The EDPB guidance contains the stark reminder that companies with an authorised set of BCR that do not complete the formalities covered in the guidance will not be able to rely on their BCR for transfers from the EEA after the end of the transition period.

In cases where BCR have already been approved under the GDPR, the new lead SA in the EU will have to issue a new approval decision following an opinion from the EDPB before the end of the transition period. For those familiar with the speed at which the approval process works in practice, this may seem a somewhat alarming prospect. However, the publicly available information regarding BCR approved post May 2018 indicates that there is only one UK approved BCR to which this provision will apply. One hopes that given the increasing uniformity of approach to the approval criteria set out in the referential tables on the part of the SAs, and the fact that the documents submitted for approval should be in substantially the same format as those that were submitted for the original approval, this should be something of a formality. 

For BCR approved by the ICO pre-GDPR under the EU Data Protection Directive (95/46/EU) (and the ICO lists thirty-one current approvals to which this applies), to the relief no doubt of all organisations with an approved BCR for which the ICO was lead, the guidance states that no approval will have to be issued by the new BCR Lead SA in the EEA. 

Practical steps – The application process

The new Lead EEA SA is identified on the basis of criteria laid out in the approval procedure, WP263. The criteria are as follows:

  • the location(s) of the Group's European headquarters;
  • the location of the company within the Group with delegated data protection responsibilities;
  • the location of the company within the Group that is best placed (in terms of management function, administrative burden, etc.) to deal with the application and to enforce the binding corporate rules;
  • the place where most decisions in terms of the purposes and the means of the processing (i.e. transfer) are taken; and
  • the member state within the EU from which most or all transfers outside the EEA will take place.

Having assessed the criteria and decided upon a new EEA Lead SA, the organisation has to make a formal application to that SA on the basis of these criteria, providing supporting evidence as appropriate. If the European headquarters is in the country of the prospective new EEA lead SA, this lends particular weight in favour of that SA. Although the EDPB guidance states that the SA that has been selected may exercise some discretion in the decision-making process, it also says that the SAs may decide between them whether another SA is better placed to act as lead based on the information put forward. This could include a particular SA acting alongside the selected SA if that SA has no capacity to deal with the BCR.   

The prospective new lead is likely to treat this submission as it would a new application by seeking feedback from other SAs as to whether they have any objection to that SA taking over from the ICO. Organisations that find themselves in the position of having to select a new lead SA should bear in mind that some SAs are taking a very strict interpretation of the criteria, with the result that great care has to be taken to avoid any impression of forum shopping. The process may not, therefore, be particularly straightforward, which provides a greater incentive to start it as soon as possible.

Current BCR applications before the ICO

To its credit, the ICO has been flagging to applicants since the early part of this year the need for them to identify an appropriate EEA lead authority, making it clear that there would be a limited number of applications that it would be able to progress through to the EDPB opinion stage before the end of the transition period. Applicants with the ICO as lead are, therefore, unlikely to have been waiting for the EDPB guidance before at least devising a strategy for moving to a new EEA lead authority. Some, no doubt, have been trying to reach a landmark stage in the ICO approval process (such as the review stage) and treating this as a natural point at which to move.

The EDPB guidance acknowledges that, during the transition period, applicants might decide to transfer their BCR application to a new BCR Lead SA after approval by the ICO. In that case, the BCR application would be in the same position as applications authorised under the GDPR. In such cases, the new BCR Lead SA in the EEA, as the new competent SA, is required to issue, before the end of the transition period, a new approval decision following an opinion from the EDPB. It is not clear how many, or indeed if any, applicants will have reached this point, or whether the ICO will have encouraged applicants at an advanced stage in the process to move on to a new lead and obtain an EDPB opinion via an EEA lead authority in order to avoid being caught by this requirement.

Practical steps – updates to the BCR documentation

To be accepted by the new lead EEA SA the BCRs themselves must be amended to reflect organisational changes made as a result of Brexit. To assist with this exercise the EDPB guidance includes by way of an annex a checklist of aspects of the BCR that must be updated (as required) to meet the expectations of the EEA SAs in this regard.

The required amendments may need to cover some of the provisions that go to the heart of the BCR, such as the liability provisions (e.g. to remove references to a single entity in the UK accepting liability for claims under the BCR and replace this with details of the new designated entity in the country of the chosen new lead SA). Changes may also be required to reflect changes in the administrative processes (e.g. commitments to co-operate with the new selected lead SA to meet commitments in the BCR to provide annual updates).

Many changes may just require amendments that follow naturally from the move to the new lead SA and the organisational changes made as a result of Brexit. However, the new lead SA may also want to see, or receive confirmation that, the BCR binding mechanism (e.g. an intra-group agreement or unilateral declaration) has been updated and amended, and re-executed if necessary, to give effect to the move to the new EEA lead SA.

The EDPB guidance preserves the discretion of all the SAs to exercise their powers, such as the power to conduct an investigation (including of the BCR implementation itself), to give special attention to certain aspects of a BCR in the context of a broader investigation of the company and, where appropriate, to issue an approval.

GDPR

The EDPB guidance makes the assumption that any organisation with an approved BCR should have already updated the BCR documents to reflect the requirements of the GDPR as set out in the referential table, and notified these changes to the lead EEA SA accordingly.

Many companies with an approved BCR will have undergone this exercise, and assiduously made the required changes only to be met with comments and drafting suggestions from some SAs on the changes notified to them, as if the updated documentation is to be subject to a new authorisation or approval. The result is that when moving to a new lead EEA SA, there may be some residual uncertainty as to whether any updates will be subject to further comment or scrutiny. The EDPB guidance does not help to settle the point, but reserves the position of the new EEA SA to verify whether updates have been made, and to 'request that relevant changes are made by any BCR holder and adopt any consequent decision in this regard'. This may be regarded as an unhelpful prospect for an organisation seeking to prepare an updated version of its BCR policies for publication or incorporation into customer contracts.

What happens next?   

In relation to BCR that were already approved under the Directive, the relationship between the new lead SA and the organisation should continue along the same lines as was the case with the ICO, with annual updates and general co-operation being provided to the lead SA to meet commitments contained in the BCR, and the BCR evolving over time to meet any changes in the law or in regulatory guidance.  

For any BCR application still subject to the approval process, the priority for the applicant is likely to be to try to maintain momentum with the application and to avoid delays in what can be a protracted process. Inevitably, there will be some reading in time for the new SA. The focus for the applicant is likely to be to try to ensure that its application is accepted by the new lead SA and is slotted in at the same point in the approval queue as it was with the ICO.

The BCR authorisation process since GDPR came into force has been notable for the length of time it appears to take to obtain an EDPB opinion and lead authority approval. There would, however, appear to be some desire on the part of SAs to achieve uniformity of approach, and so as time goes on the manner in which the SAs interpret the referential tables is likely to become increasingly consistent and transparent. As a result, although the EDPB guidelines remind organisations that changes to BCR moved to a new lead SA may be requested by the new BCR lead SA, an organisation moving to a new lead SA should, in theory, be subject to the same requirements whichever its choice of new lead.

What about Schrems II?

An organisation with an approved BCR is likely to be in a better position in many respects in terms of addressing some of the concerns raised in Schrems II, because the referential tables contain obligations that relate directly to key aspects of the judgment. Crucially, a BCR policy must set out the process to follow when dealing with requests from law enforcement or state security bodies, as well as commitments to be transparent about local law requirements that prevent the BCR company from fulfilling its obligations under the local law. In due course we may find that the EDPB will issue guidance to reflect additional requirements in this regard, but as one of the benefits of having BCR is the in-built flexibility to respond to changes, an organisation with an approved BCR should find it relatively straightforward to incorporate these into its BCR policies and procedures.

Brexit – the UK

The focus in the EDPB guidelines is on transfers from the EEA, and ensuring continuity of transfers after the end of the transition period. Organisations established in the UK will also need to put in place appropriate safeguards for data transfers from the UK to countries outside the EEA. What this means for an organisation with an approved BCR is that an updated version of the BCR will need to be prepared and submitted to the ICO reflecting the role of UK entities as exporting entities, including appropriate liability provisions. For companies for which the ICO was the original EU lead, the updates are likely to be fairly straightforward. The ICO has not yet issued any formal guidance to address this, but individual companies are likely to have been contacted by the ICO to remind them of their obligations in this regard. Ideally, an organisation operating across the EEA and in the UK should be able to incorporate both EU and UK requirements into a single policy given that the substantive obligations will be identical, but it remains to be seen how the EU SAs will approach this in practice.

Conclusion

In the early years of BCR, representatives from commercial organisations and the Article 29 Working Party sat around a table to share ideas as to how BCR might operate in practice to provide a flexible solution for businesses to meet the data export requirements of the Directive. Now may be a good time to revisit that approach (even though that table may be a virtual one) to make BCR fit for purpose for life post Brexit under the GDPR.


This article was originally published in the September 2020 issue of Privacy Law and Business UK Report. 

Authored by Sian Rudgard.
