By: Lynn Goldstein & Steve Wood
Binding corporate rules (BCRs) form a crucial governance and data protection strategy for many multinational organizations, including many IAF members. A recent EDPB decision on criteria for a GDPR Main Establishment in the EU puts the use and benefits of BCRs potentially at risk.
In 2009, the first BCRs were approved under the EU Data Protection Directive. One of the primary reasons companies applied for BCRs then was so they no longer had to keep in place the cottage industry needed to document the standard data protection clauses approved under the Directive so that personal data could be transferred between EU, US and other global companies owned by the same parent company. Due to a recent EDPB Opinion on main establishment under the GDPR, companies may need to go back to using standard contractual clauses (SCCs) rather than BCRs to transfer personal data from the EU.
According to the EDPB Opinion on the main establishment of a controller, the controller’s place of central administration (PoCA) is its main establishment. The PoCA is the place where the Controller takes the decisions on the purposes and means for the relevant processing operations and has the power to have these decisions implemented. An example of a PoCA is a controller’s regional headquarters. Where there is no PoCA in the EU, i.e., it lies outside the EU, then there is no main establishment in the EU.
To a certain extent, the EDPB Opinion is consistent with the Article 29 Working Party’s previous GDPR Guidelines on identifying a controller’s lead supervisory authority. According to the Article 29 Working Party’s previous GDPR Guidelines, identifying a lead supervisory authority is only relevant in order to carry out the cross-border processing of personal data. The ‘lead supervisory authority’ is the authority with the primary responsibility for dealing with a cross-border processing activity. Identifying the lead supervisory authority depends on determining the location of the controller’s ‘main establishment’ or ‘single establishment’ in the EU. In order to establish where the main establishment is, it is necessary first to identify the central administration of the data controller in the EU, i.e., the place where the decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented.
Significantly, the Article 29 Working Party’s previous GDPR Guidelines recognized that there may be borderline cases where there is no central administration in the EU, but the company wishes to be regulated by a lead authority to benefit from the one-stop-shop principle. In these circumstances, the company should designate the establishment that has the authority to implement decisions about the processing activity and to take liability for the processing, including having sufficient assets, as its main establishment. The recent EDPB Opinion seems to do away with these “borderline” cases. If a company does not have a PoCA in the EU, then there is no main establishment and hence no lead supervisory authority or BCR Lead.
The recent EDPB Opinion, which unfortunately did not go through the consultative process in order to be issued as EDPB Guidelines, leaves companies almost back where they were in 2009. However, fortunately, given the nature of the 2021 version of the SCCs issued by the European Commission, most companies now are able to avoid setting up cottage industries by having a single global intracompany agreement with various SCC-like addenda.
Given the long-term benefits provided by BCRs for governance and accountability, and the investment made by the companies concerned, it will seem like a backward step for data protection in the EU if the EDPB Opinion has the effect of moving some companies away from BCRs. This is also a matter the European Commission should consider in their upcoming review of the GDPR under the four yearly assessment process. The IAF also calls for the EDPB and individual Data Protection Authorities to engage in further dialogue with companies and clarify the implications of the EDPB Opinion for existing and prospective BCR holders.
Related Articles