Schrems II: approval of BCR invalid?

The ECJ requires in “Schrems II“ a level of data protection which is “essentially equivalent“ to the level within the EU, when data is being transferred outside the EU. This new requirement is equally applied to BCR¹. Since the ECJ has declared the Privacy Shield as invalid, How can the data transferred to the US be justified by BCR? Therefore, after „Schrems II“ the SAs² are required to check, whether their approval of BCR can be upheld or needs to be dismissed?

The concept of BCR

International groups of enterprises are often using BCR as a legal instrument to justify the data transfer between different legal entities and locations worldwide. The basic idea is that a group can rise its own level of data protection by implementing internal policies, which are to be adhered by all subsidiaries worldwide. BCR usually reflect the structure of the former Directive 95/46 and GDPR by implementig inter alia:

1. Basic principles of data protection – like lawfulness,³

2. Granting rights to data subjects⁴ – e.g. for employees or customers and

3. Requiring adequate technical and organizational measures to protect personal data.

BCR act as an instrument of self-governance. However, BCR have to be approved by the SAs. The lead authority, which is competent for the headquarters of the group, and the concerned authorities in the affected countries are cooperating according to the consistency mechanism. Eventually, the EDPB has to provide an opinion to the relevant SAs.⁵

While GDPR was entering into force more than 130 BCR were approved by the SAs.⁶ Since 25 May 2018, the SAs have approved seven BCR.⁷

GDPR expressly states that approvals unter Directive 95/46 shall remain valid under GDPR.⁸ Nevertheless, WP29 recommended to bring the BCR in confirmity with GDPR and to inform the competent SA.⁹

Schrems II: level of protection “essentially equivalent“

In “Schrems II“ the ECJ raised the bar for data transfer outside the EU. The level of protection in a third country has to be “essentially equivalent“ to the level within the EU.¹⁰ This threshold applies to all instruments like e.g. the adequate decision of the EU Commission, the SCC¹¹ and the BCR.¹² The contractual clauses and similarly the legal system in the third country have to be taken into consideration. In respect of the legal system, firstly the question arises, whether the European data subjects are granted rights, which are enforceable within independent courts? Secondly, the access of public bodies to personal data has to be limited to the principle of proportionality?¹³

The ECJ held both the criteria of the legal system that are not met by the Privacy Shield in the US. Since, granting the enforceable rights to the data subject is an aspect, which needs to be addressed by the requirements of the BCR, I shall focus within the limited access of public bodies.

As the court held in respect of the SCC¹⁴, public bodies cannot be bound by SCC nor by BCR. This is derived from the fact that SCC is a contract between data exporter and importer. BCR – as internal policies – have legal effect to the subsidiaries of the group of undertakings and on the data subjects, who are granted third-party beneficiary rights. However, a group of undertakings owns no legal power to restrict the access of public bodies. This legal power is reserved for the legislative branch of the third country.

In theory, the SCC can be amended with additional clauses to meet the new requirements of the ECJ. These supplementary measures may be used similarly as an amendment for the SCC and for the BCR.¹⁵ However in practice, the EDPB did not publish any clause which fits to address the new requirements of the ECJ.

Therefore, estimatedly most of the BCR will not fully comply with the new requirements of the ECJ.

Is the approval of BCR invalid?

The BCR remain valid as long as these are replaced whether by the group or by the competent SA.¹⁶ Therefore, the BCR are not automatically invalid after the decision “Schrems II“ of the ECJ.

However firstly, the group has to inform the SAs about a conflicting legal system according to Art. 47 (2) (m) GDPR. After the decision of the ECJ this is the case for the US. Secondly, the ECJ held in “Schrems II“ that the SAs shall enforce the GDPR and therefore, are bound by a duty to act.

This duty to act will be adressed in the first instance to the SAs which have approved the BCR. Nevertheless, any SA, which is of the opinion that the data transfer outside the EU based on specific BCR is not valid hence is bound to order the suspension of the data transfer to a third country according to Art. 58 (2) (j) GDPR.

Assessment

The consequences of ECJ “Schrems II“ are not only far reaching rather they modify the data exchange within group undertakings in a deep and fundamental way.

Currently, there is no viable solution available for the data exchange with the US. The situation of Brexit is the next concerning topic. Eventually, any data exchange with a non-democratic country is very likely to be an unlawful act.¹⁷

Who will drop the first stone into the water?