On 28th January 2015, the U.K. Information Commissioner’s Office (“ICO”) cleared binding corporate rules (“BCRs”) for First Data Corp., a global electronic commerce and payment card processing company. This is the first time the ICO has authorised BCRs for a data processor, and the UK is only the third member state to authorise a data processor BCR, after France and the Netherlands.
BCRs are designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of the EEA in compliance with the eighth principle of the U.K. Data Protection Act 1998 and Article 25 of the European Union Data Protection Directive (95/46/EC), according to the ICO.
However, the issue of data processor BCRs remains unsettled whilst the EU considers the data protection regulation which will eventually replace the Data Protection Directive. The uncertainty arises because, whilst the European Commission’s 2012 proposal for a regulation contained a specific provision on the recognition of BCRs for data processors, the consolidated amendments to the regulation adopted on 21st October 2013 removed the reference. Commentators have generally stated that this does not necessarily prohibit data protection authorities (“DPAs”) from approving BCRs for data processors, but it does mean that DPAs will not be obligated to accept them.
The proposed regulation is being debated by the EU Council, the EU institution that represents the governments of the 28 EU member states, after which negotiations with Parliament over the final text of the proposal remain. It therefore remains to be seen what the final conclusion will be in respect of data processor BCRs.