Binding Corporate Rules (BCRs) were the focus of a session yesterday at the IAPP Europe Data Protection Conference in London. Florence Raynal from the French data protection agency (CNIL) stressed that BCRs not only facilitate cross-border data transfers, they constitute the backbone for global privacy compliance programs and accountability. The CNIL is working on a toolkit for BCRs, focusing on their scalability for small- and medium-sized enterprises. Accenture’s Bojana Bellamy stressed that privacy compliance needs to be brought into a corporation’s mainstream compliance programs, just like anti-corruption, competition and financial reporting.
Bellamy challenged the idea that BCRs have to be pre-approved by DPAs: "Safe Harbor is based on self-certification, standard contractual clauses are too, why should BCRs be the exception?" Raynal said that prior review of companies’ BCRs was important to identify serious gaps, such as the absence of a liability clause. "We’re reviewing these BCRs not only on our own behalf, but on behalf of the other European DPAs. We have to do a good job." Richard Thomas of LLD predicted that once BCRs take off, DPAs won’t be able to cope with the volume. "Self-certification has to be the final objective here," Thomas said.
Are BCR’s inevitable? "BCRs are synonymous with effective compliance programs," according to Raynal. They establish rules, and procedures to make sure that the rules are effectively applied, through internal controls, training, and audits. This is exactly what the draft EU Data Protection Regulation will require from all companies. The panel expressed some frustration that the draft Regulation treats BCRs only in the context of international data transfers, instead of addressing them as a means of implementing full accountability under Article 22 of the draft Regulation.
One member of the audience recommended that EU and US policymakers abandon the labels "BCRs" and "Safe Harbor" when they speak about interoperability. "We should use a neutral term such as "compliance programs," so we’re talking the same language. In a later session, Caitlin Fennessy of the US Department of Commerce said that the work that the CNIL and the Department of Commerce are doing to map BCRs to the APEC Cross Border Privacy Rules (CBPR) is an excellent practical example of interoperability.
IAPP panelists agree BCRs have a bright future, but that their utility would be enhanced if they permitted free data transfers between different BCR-holding organizations as well as with organizations certified under the APEC CBPR framework. If that were to occur, BCRs could help deliver global interoperability, the holy grail of global privacy professionals and regulators.