The ECJ requires in “Schrems II“ a level of data protection which is “essentially equivalent“ to the level within the EU, when data is being transferred outside the EU. This new requirement is equally applied to BCR1. Since the ECJ has declared the Privacy Shield as invalid, How can the data transferred to the US be justified by BCR? Therefore, after „Schrems II“ the SAs2 are required to check, whether their approval of BCR can be upheld or needs to be dismissed?
The concept of BCR
International groups of enterprises are often using BCR as a legal instrument to justify the data transfer between different legal entities and locations worldwide. The basic idea is that a group can rise its own level of data protection by implementing internal policies, which are to be adhered by all subsidiaries worldwide. BCR usually reflect the structure of the former Directive 95/46 and GDPR by implementig inter alia:
Basic principles of data protection – like lawfulness,3
Granting rights to data subjects4 – e.g. for employees or customers and
Requiring adequate technical and organizational measures to protect personal data.
BCR act as an instrument of self-governance. However, BCR have to be approved by the SAs. The lead authority, which is competent for the headquarters of the group, and the concerned authorities in the affected countries are cooperating according to the consistency mechanism. Eventually, the EDPB has to provide an opinion to the relevant SAs.5
While GDPR was entering into force more than 130 BCR were approved by the SAs.6 Since 25 May 2018, the SAs have approved seven BCR.7
GDPR expressly states that approvals unter Directive 95/46 shall remain valid under GDPR.8 Nevertheless, WP29 recommended to bring the BCR in confirmity with GDPR and to inform the competent SA.9
Schrems II: level of protection “essentially equivalent“
In “Schrems II“ the ECJ raised the bar for data transfer outside the EU. The level of protection in a third country has to be “essentially equivalent“ to the level within the EU.10 This threshold applies to all instruments like e.g. the adequate decision of the EU Commission, the SCC11 and the BCR.12 The contractual clauses and similarly the legal system in the third country have to be taken into consideration. In respect of the legal system, firstly the question arises, whether the European data subjects are granted rights, which are enforceable within independent courts? Secondly, the access of public bodies to personal data has to be limited to the principle of proportionality?13
The ECJ held both the criteria of the legal system that are not met by the Privacy Shield in the US. Since, granting the enforceable rights to the data subject is an aspect, which needs to be addressed by the requirements of the BCR, I shall focus within the limited access of public bodies.
As the court held in respect of the SCC14, public bodies cannot be bound by SCC nor by BCR. This is derived from the fact that SCC is a contract between data exporter and importer. BCR – as internal policies – have legal effect to the subsidiaries of the group of undertakings and on the data subjects, who are granted third-party beneficiary rights. However, a group of undertakings owns no legal power to restrict the access of public bodies. This legal power is reserved for the legislative branch of the third country.
In theory, the SCC can be amended with additional clauses to meet the new requirements of the ECJ. These supplementary measures may be used similarly as an amendment for the SCC and for the BCR.15 However in practice, the EDPB did not publish any clause which fits to address the new requirements of the ECJ.
Therefore, estimatedly most of the BCR will not fully comply with the new requirements of the ECJ.
Is the approval of BCR invalid?
The BCR remain valid as long as these are replaced whether by the group or by the competent SA.16 Therefore, the BCR are not automatically invalid after the decision “Schrems II“ of the ECJ.
However firstly, the group has to inform the SAs about a conflicting legal system according to Art. 47 (2) (m) GDPR. After the decision of the ECJ this is the case for the US. Secondly, the ECJ held in “Schrems II“ that the SAs shall enforce the GDPR and therefore, are bound by a duty to act.
This duty to act will be adressed in the first instance to the SAs which have approved the BCR. Nevertheless, any SA, which is of the opinion that the data transfer outside the EU based on specific BCR is not valid hence is bound to order the suspension of the data transfer to a third country according to Art. 58 (2) (j) GDPR.
The consequences of ECJ “Schrems II“ are not only far reaching rather they modify the data exchange within group undertakings in a deep and fundamental way.
Currently, there is no viable solution available for the data exchange with the US. The situation of Brexit is the next concerning topic. Eventually, any data exchange with a non-democratic country is very likely to be an unlawful act.17
Who will drop the first stone into the water?
3 Art. 47 (2) (d) GDPR.
4 Art. 47 (2) (e) GDPR.
5 Art. 47 (1) GDPR; WP29, Working Paper 17/EN WP263 rev.01, „Working Document Setting Forth a Co-Operation Procedure for the approval of “Binding Corporate Rules” for controllers and processors under the GDPR“, 11 April 2018.
6 EU Commission, Binding Corporate Rules.
7 EDPB, list of BCR.
8 Art. 46 (5) GDPR.
9 WP29, WP 256 rev.01, “Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules“, 28 November 2017 last revised 6 February 2018, page 4.
10 EuGH “Schrems II“, paragraph 93.
12EDPB, “Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems“, 23 July 2020, page 3.
13EuGH “Schrems II“, paragraph 104, 105.
14EuGH “Schrems II“, paragraph 125, 132.
15“The EDPB is looking further into what these supplementary measures could consist of and will provide more guidance.“ in EDPB, “Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems“, 23 July 2020, page 5.
16Art. 46 (5) GDPR.
17Thomas Kahler, Schrems II: ECJ sets GDPR as a global standard for IT-business, DPOblog.eu, 31.07.2020.