International transfers of personal data: ICO update on UK Binding Corporate Rules


In late July 2022, the office of the UK data protection regulator, the Information Commissioner’s Office (ICO), issued new guidance on applying for and receiving approval for UK Binding Corporate Rules (BCRs).

What are the Binding Corporate Rules?

BCRs are a permitted ‘safeguard’ for transferring personal data between entities in different jurisdictions within the same corporate group or joint enterprise without undermining the protections afforded to such data in its country of origin. The restriction of extra-territorial transfers of personal data is a concept which originated in EU law. In post-Brexit Britain, when transferring personal data outside of the UK, this concept is still relevant due to the transposition of the EU’s flagship data protection law, the GDPR, into UK law – the UK GDPR. The ICO’s recent update relates to the UK BCRs under the UK GDPR.

According to the ICO, for multi-national organisations making frequent transfers of personal data between group entities bound by the BCRs in different jurisdictions, BCRs are considered the ‘gold standard’ for data transfers. BCRs are a framework of policies and procedures developed by organisations and subscribed to throughout their entities and operations, which the ICO approves so that the organisation may legally transfer personal data.

Article 47 of the UK GDPR outlines the requirements of BCRs. BCRs must specify:

  • the structure of the corporate group;
  • the intended transfer types and purposes;
  • their legally binding nature;
  • the application of data protection principles;
  • rights of data subjects (i.e. the individuals to whom the personal data belongs);
  • the controller's or processor's acceptance of liability for breaches of the BCRs by any of its members;
  • complaint procedures;
  • the tasks of a data protection officer (where designated);
  • mechanisms for verifying and reporting on compliance; and
  • appropriate training for personnel handling personal data.

In order to receive approval of BCRs, an organisation must display the above by submitting to the ICO:

  • an application form;
  • a referential table;
  • a binding instrument (which is usually an intragroup agreement);
  • a BCR policy; and
  • details of the policy and procedural requirements set out in Article 47 UK GDPR.

Why is the update necessary?

The likelihood is that international organisations seeking approval of UK BCRs will also be seeking approval for EU BCRs. The bureaucratic load on businesses in respect of their data protection obligations has increased in the wake of Brexit, and the ICO’s workload has increased vastly. One of the main aims of the updated application requirements is to reduce the amount of documentation submitted by applicants and required to be processed by the ICO. This should reduce costs for applicants and shorten processing and approval times.

Judicial scrutiny of transfer mechanisms is another driver behind the update. The July 2020 judgment of the Court of Justice of the European Union (CJEU) in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II) cast doubt over the validity of Standard Contractual Clauses as a transfer mechanism for personal data from the EU to the USA and, by implication, the rest of the world. The European Data Protection Board, in an FAQ document published on Schrems II, confirmed that the judgment also applied to BCRs. The Schrems II decision is also relevant to the UK.

The updated guidance bolsters the UK BCRs in response to Schrems II. As part of the application and approval process, applicants must give assurances about regular reviews of Transfer Risk Assessments (TRAs) and commitments to adjust the adopted UK BCRs where individuals’ rights would be undermined by continuing to transfer their personal data. Applicants do not have to provide TRAs as part of the approval process, but the ICO may request evidence or copies of TRAs as part of its monitoring procedures. Organisations with UK BCRs in place, or applicants for UK BCRs, must therefore regularly carry out and review TRAs.

How has the application process changed?

The ICO has issued separate guidance for controller applicants and for processor applicants.

Throughout the updated guidance, the ICO places an increased emphasis on its ‘principles-based’ approach whereby applicants must display an understanding of the spirit of Article 47 and their data protection obligations more broadly.

The application form and referential table have been simplified and many prescriptive requirements have been removed. Applicants must reference the requirements of Article 47, with guidance featuring mainly on the ICO’s website rather than within the application documents themselves. Applicants will still need to provide specific information around destination countries, categories of data and types of data subject.

The ICO now emphasises the importance of the BCR policy, the public-facing document which is accessible to individuals. Organisations with UK BCRs in place, or applicants for UK BCRs, must therefore ensure that the BCR policy is drafted with data subjects in mind, using plain language and thorough explanations.

Controller and processor applicants will submit the same referential table, but there is a supplementary annex for processor applicants.

Separate application forms must still be submitted by controller and processor applicants, but applicants can now submit:

  • a combined BCR policy;
  • a combined intragroup agreement (or binding instrument); and
  • a combined set of policies and procedures,

provided that the controller and processor obligations are clearly delineated within each document.

What’s the impact of this on UK businesses?

The overarching theoretical aim of the update is to emphasise the spirit and intent of data protection obligations in data transfers using UK BCRs. The practical impetus for change is the need to streamline the application and approval process. Applicants may see the costs of document production reduced slightly; however, preparing and obtaining approval for both UK and EU BCRs remains a lengthy and costly, but ultimately valuable, process for multi-national organisations and enterprises.

Article co-authored by Rose Bickerton, Trainee Solicitor at CMS.