UK Binding Corporate Rules: Are Updates A Reason To Reconsider The 'Gold Standard' Transfer Tool? - Data Protection

The ICO's steps to lessen a post-Brexit admin burden with the launch of the UK BCR Addendum may again encourage uptake

Binding corporate rules (BCRs) have been referred to by the UK Information Commissioner's Office (ICO) as the "gold standard" transfer tool. The introduction of a new UK BCR Addendum at the end of 2023 has eased the post-Brexit compliance burden and for those considering BCRs covering both the EU and UK they may be worth looking at again.

Transfer 'piggy backs'

The UK ICO published the new UK BCR Addendum and associated guidance on 19 December 2023. This is another example of the ICO adopting a transfer mechanism that "piggy backs" on measures taken in relation to the EU to also cover data flows from the UK.

The UK had already taken this approach with the international data transfer addendum to the EU standard contractual clauses and, in some respects, the UK-US Data Bridge, which borrows elements from the EU-US Data Privacy Framework noting that applicants can apply for both the bridge and framework at once.

This shows a pragmatism from the ICO and recognition that businesses face an unwelcome and unnecessary compliance burden in developing near identical but different transfer mechanism frameworks for the EU and for the UK post-Brexit. It also acknowledged that the overseas transfer provisions of the General Data Protection Regulation (GDPR) and the UK GDPR remain substantively the same.

What are BCRs?

BCRs, as the name suggests, are legally binding internal rules that a multinational group of companies (or a multinational group of enterprises engaged in a joint economic activity) may adopt and rely upon as a lawful transfer mechanism to allow the transfer of personal data to non-European Economic Area or, in the case of the UK GDPR, non-UK countries. They need to be approved by the European or UK data protection authorities respectively before they are effective.

The internal rules that each participating member of the group is required to comply with can only be achieved if a sophisticated data protection compliance regime is adopted (including policies and procedures, training, audit, etc.), which, as part of the approval process, the authorities are invited to scrutinise. The rules are then underpinned by a binding mechanism such as an intra-group agreement that confers third-party rights on data subjects allowing the data subject to seek redress in the event of an infringement.

Brexit and UK BCRs

Pre-Brexit, the BCR regime covered the UK. However, post-Brexit this was no longer the case leaving multinational groups with an EU and UK footprint seeking to rely on BCRs (either existing holders or new applicants) in the position of having to maintain two sets of near identical but subtly different BCRs: "EU BCRs" and "UK BCRs".

There was also the option of simply leaving out the UK, but this risked creating the impression of a multinational not taking its data protection responsibilities seriously in this major territory. In the case of new applicants, this additional burden may have also discouraged businesses from applying for BCRs at all.

Latest developments

In August 2023, the ICO wrote to UK BCR applicants to announce the forthcoming introduction of the UK BCR Addendum to existing EU BCRs as an alternative for a group needing to put in place a full UK BCR alongside an EU BCR. On 17 October 2023, the ICO hosted a webinar to talk existing applicants through the process and mechanics of the addendum in anticipation of it being launched in November or December 2023. It was launched on 19 December 2023.

The UK BCR Addendum incorporates a group's existing EU BCR and extends it to the extent necessary to apply to UK-restricted transfers and to comply with the requirements of UK GDPR article 47, which for now is identical to EU GDPR article 47 and, therefore, mostly comprises administrative changes. These include accepting the jurisdiction of the ICO and UK courts (as opposed to EU authorities and courts) in relation to the addendum and requiring the lead UK BCR member (as opposed to the European-based lead member under the EU BCRs) to accept liability to relevant data subjects for breaches of the addendum by non-UK BCR members. As such, it can be used alongside an existing approved EU BCR to form a standalone UK BCR to allow restricted transfers of personal data from the UK.

Advantages of the addendum

To the extent BCRs had fallen out of favour in light of additional Brexit-related friction, the introduction of the addendum is welcome.

Using the addendum allows a group to keep their EU BCRs and UK BCRs aligned. Moreover, it avoids the need for a group to implement (and publish) near-identical but different EU and UK BCRs – either controller or processor or both – on its website.

Moreover, the approval process is, on the face of things, more straightforward and the ICO has strongly suggested that it will be quicker and easier. This is a significant point: any protracted engagement with the ICO, as with any regulator, invariably risks creating a build-up of issues as the regulator has time to find additional points to question.

Completing the addendum

The addendum is guidance only, so groups can amend or tailor it and still submit it for approval. Alternatively, a group can use it as a standard form.

Any group that holds an approved EU BCR may use the addendum. The application process will require the group to submit the following to the ICO:

A completed addendum. Of note, instead of entering into an intra-group agreement each BCR member (including non-UK and overseas members) may sign the addendum as the binding instrument.
Approved EU BCR documentation, including an application form and referential table, EU BCR policy, binding instrument, EU BCR approvals and other relevant documents, such as EU supervisory authority reviews or audits.
A UK BCR summary of how the UK BCR will work, which will be published in more concise terms alongside the EU BCR.

In completing the addendum, there are invariably issues to consider. For example, the merits of introducing an indemnity in favour of the lead UK BCR member, the need to update internal documentation and, in the case of processor BCRs, the need to update relevant agreements with third-party controllers. However, the addendum is clearly a simplification of the existing process.

Osborne Clarke comment

Pre-GDPR – a long time ago now – the compliance burden that BCRs imposed over and above the basic requirements of the law dissuaded many international groups from considering them. However, post-GDPR, with its extra-territorial applicability and the fact that it has acted as a template for similar laws worldwide, international groups became more willing to consider them, leveraging measures that the GDPR has required them to put in place anyway.

BCRs were rendered less effective for businesses with both EU and UK footprints by the additional post-Brexit admin burden and it is arguable that this had a chilling effect. However, the ICO's steps to lessen this burden with the introduction of the UK BCR Addendum may again encourage their uptake. With pre-approval from the European and UK data protection authorities baked in, BCRs are robust data-transfer mechanisms and one yet to be challenged in the courts.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.