Brexit raises critical issues regarding the future transfer of personal data outside of the EU, not least as to the role of the UK Data Protection Authority, the Information Commissioner’s Office (“ICO”), and as to its relationship with the remaining EU Member States’ Data Protection Authorities (“DPAs”). In this context, the ICO posted a blog entry on November 20 to clarify the status of the Binding Corporate Rules (“BCRs”) it may approve prior to Brexit. BCRs are internal rules that define a company’s global policy regarding international transfers of personal data within the same corporate group. Companies can use BCRs to transfer personal data to entities located outside the EU where EU DPAs have approved them. In this process, one authority called the “lead authority” handles the cooperation procedure amongst the other European Data Protection Authorities. Listed below are the most interesting bits of information the ICO provided in this blog post.
- The ICO Has Played a Leading Role Regarding BCRs Applications. The ICO has approved about 25% of all BCRs approved across Europe (the list of ICO BCRs approvals is available here; European Commission figures are available here).
- BCRs Approved by the ICO Will Remain Valid After Brexit. The ICO clarified that the BCRs it has approved will not be cancelled because of Brexit. It cannot, however, be excluded at this stage that some amendments (to be submitted for approval to EU DPAs other than the ICO) may be required in the aftermath of Brexit. The ICO will obviously no longer be able to approve any BCR applications after Brexit.
- The ICO Is Still Working on BCRs Applications. The ICO confirmed that it will continue to review BCR applications even after the GDPR takes effect, on May 25, 2018. This is because the GDPR will apply in the UK before Brexit, which is currently expected to happen on March 30, 2019. The ICO said in its blog post that it is currently working on about 40 BCR applications at various stages of the process. The most recent BCRs approved by the ICO are dated February 22, 2017.
- Companies Planning to Apply to The ICO For BCRs Should Ensure Their Application Aligns with The GDPR Rather Than with The Data Protection Directive. The ICO will ask companies that have already submitted their BCR applications to update them in light of the GDPR requirements. The ICO also invites companies that have already obtained approval for their BCRs to inform the ICO about the changes they make to comply with the GDPR.
- Timing of BCRs Applications. The ICO said that BCR applications submitted from November 2017 will receive approval after May 2018. However, there is still uncertainty about the role of the ICO in the BCR approval process if such approval is not granted before Brexit, as well as about the transition of the ICO’s “lead authority” role to a different data protection authority in the EEA. These topics should be discussed early with the ICO and other relevant DPAs after filing an application for approval of BCRs.
- The ICO Is Dedicating More Resources to BCRs Applications. The ICO has deployed extra staff to improve its BCR approval process and its timeliness. This is crucial as, last year, companies faced significant bottlenecks in the process because of the ICO’s limited staff resources allocated to BCR processing and review.
- There Is Uncertainty Regarding the ICO’s Cooperation with Other DPAs After Brexit. The ICO has insisted that it will continue to work on BCRs with other DPAs. However, the other DPAs have so far not indicated how they intend to handle the ICO after Brexit. This will depend to a large extent on how hard Brexit is and on how UK data protection law and practice will be assessed by the remaining EU DPAs.
- The Article 29 Working Party Is Updating the Guidance for BCRs Under the GDPR. We expect the new guidelines to be published by the end of 2017, potentially impacting BCRs currently under review by the ICO.