Bulletin: Legal & Compliance – Binding Corporate Rules: a brave new world for data processors?

Posted · Add Comment

On 28th January 2015, the U.K. Information Commissioner’s Office (“ICO”) has cleared binding corporate rules (“BCRs”) in respect to First Data Corp., a global electronic commerce and payment card processing company.  This is the first time the ICO has authorised BCRs for a data processor and the UK is only the third member state to authorise a data processor BCR after France and the Netherlands.

BCRs are designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of the EEA in compliance with the eighth principle of the U.K. Data Protection Act 1998 and Article 25 of the European Union Data Protection Directive (95/46/EC), according to the ICO.

However, the issue of data processor BCRs remains unsettled whilst the EU considers the data protection regulation which will eventually replace the Data Protection Directive.  The uncertainty arises as whilst the European Commission’s proposal for a regulation in 2012 contained a specific provision on the recognition of BCRs for data processors, the consolidated amendments to the regulation adopted on the 21st October 2013 removed the reference.  Commentators have generally stated that this does not necessarily prohibit data protection authorities (“DPAs”) approving BCRs for data processors but it does mean that DPAs will not be obligated to accept them.

The proposed regulation is being debated by the EU Council, the EU institution that represents the governments of the 28 EU member states, after which there remain negotiations with Parliament over the final text of the proposal so it remains to be seen what the final conclusion will be in respect to data processor BCRs.

 

HireRight

HireRight is here to help guide you through the biggest screening challenges so you can focus on what’s important to you; attracting top talent. HireRight provides employment background screening services to organisations of any size, in every industry, and nearly anywhere.

More Posts

Follow Me:
TwitterFacebook


The HireRight Blog is provided for informational purposes only and should not be construed as legal advice. Any statutes or laws cited in this article should be read in their entirety. If you or your customers have questions concerning compliance and obligations under United States or International laws or regulations, we suggest that you address these directly with your legal department or outside counsel.

Comments are closed.