In June, the Article 29 Working Party ('Working Party') wrote to the President of the European Commission, setting out its case for including a reference to Binding Corporate Rules for data processors ('BCR-P') in the forthcoming Data Protection Regulation.

Binding Corporate Rules are one way in which data controllers or data processors in Europe can lawfully undertake international transfers of data. They are an alternative to using EU Model Clauses, or gaining Safe Harbor certification. However, to date, BCRs have been used to a much lesser extent than either of these methods since they are costly and time consuming to implement.

In the proposal for a Regulation published in January 2012, the European Commission had introduced an express reference to BCR-Ps. This reference was dropped, however, in the draft version of the Regulation that was voted on by the European Parliament in March 2014.

In its letter, the Working Party notes that it has officially allowed data processors to apply for BCRs since January 2013. In this connection, "denying the possibility for BCR-P will limit the choice of organisations to use model clauses or apply the Safe Harbor if possible, which do not contain such accountability mechanisms to ensure compliance as it is provided for in BCR-P."

The letter makes clear that the Working Party is strongly in favour of BCR-Ps, which "offer a high level of protection for the international transfer of personal data to processors" and are "an optimal solution to promote the European principles of personal data abroad." It is noted that three multi-nationals have already had BCR-Ps approved, and that approximately 10 applications are currently pending. By not providing for BCR-P in the Regulation, these companies will be put at a disadvantage.

The Regulation, which is currently being negotiated between the European Parliament and the European Council, is widely expected to come into force in 2017. It will implement substantial changes to the current regime, including the introduction of significant new duties for data processors.

This article is presented for informational purposes only and is not intended to constitute legal advice.