EU Data Protection Directive & Binding Corporate Rules

Data protection laws at their essence outline certain basic privacy requirements involved in the processing of personal data. The main objective of data protection laws The EU Data Protection Directive includes some of the strictest data protection limitations.

Binding Corporate Rules

Binding Corporate Rules (BCRs) is a loosely defined term and relates to a concept, rather than a distinct, clearly articulated vehicle. According to the European Commission, BCRs are,

“Internal rules (such as a Code of Conduct) adopted by multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection.”

In practice, BCRs must contain the following elements:

  1. Privacy principles (e.g. transparency, data quality, security, etc.)
  2. Tools of effectiveness (e.g. audit, training, complaint handling systems, etc.)
  3. An element that proves a BCR is binding

Another way of describing BCRs are as follows:

“A code of conduct setting forth the privacy policy of the entire enterprise is drafted, to which each entity included in the enterprise subscribes, enabling data subjects and other entities to enforce that code against the entity/enterprise.”

Who are they for?

BCRs may offer a viable solution for various multinational companies involved in the export of personal data from the European Economic Area to other group entities located in third countries which do not ensure an adequate level of protection.

BCRs are to be used by multinational companies to develop adequate safeguards for the protection of the privacy and fundamental right and freedoms of individuals within the meaning of Article 26 of the Directive 95/46/CE for all transfers of personal data protected under a European law. BCRs ensure that transfers of personal data are made within a group benefit from an adequate level of protection.

Global corporations have begun to take an interest in BCRs for two major reasons. First, they would like to diminish the amount of paper and effort involved to the legitimizing of their transfers. They also intend to impose less stringent requirements on their transfer activities. A number of global enterprises believe that codes of conduct should be sufficient for the cross-border transfer of personal data.

An American Perspective

From the perspective of a US-based multinational corporation (MNC), BCRs offer a number of advantages, as well as disadvantages. They are outlined as follows.

Advantages of BCRs:

  • Possibility of developing a more flexible privacy regime than other methods of cross-border data transfer
  • Ensure compliance with principles included in Article 25 and 26 of the European Directive 95/46 for all flows of data within the scope of the BCR
  • Harmonize practices relating to the protection of personal data within a group
  • Prevent the risks resulting from data transfers to third countries
  • Avoid the need for a contract for each single transfer
  • External communication on the company’s data protection policy
  • Offer an internal guide for employees, with regard to personal data management practices
  • Ensure that data protection is integral to the way the company does business

Disadvantages of BCRs:

  • Uncertainty around the use of BCRs
  • Reduced efficiency as a result of substituting possibly hundreds of other documents for a single document

EU Perspective

Since 2006, the EU has increased receptivity to BCRs. Its official publications indicate that it favors legitimizing this vehicle of data protection. However, in practice, it remains difficult to use BCRs for transfer from more than a single EU member state. BCRs are outlined in three documents, released by the Article 29 Working Party:

  1. WP 74 – This document states that BCRs offer a viable alternative for cross-border transfer, but suggests a regime that many multinational corporations would view as so burdensome that their main incentive would not be met.
  2. WP 107 – This document sets out a general procedure, under which a corporate enterprise interested in using BCRs for export from more than one EU Member State may seek to do so.
  3. WP 108 – Likewise, this document clarifies what was set out in WP 74.


This article takes a look at Binding Corporate Rules (BCRs), as outlined by the EU Directive 95/46/CE for all transfers of personal data protected under a European law. The article takes a look at official as well as unofficial definitions of BCRs, the elements that consist of a BCR and US and EU perspectives on the implementation of BCRs.

CIPP Exam Preparation

In preparation for the Certified Foundation Examination (Foundations), a privacy professional should be comfortable with topics related to this post, including:

  • EU Data Protection Directive – Binding Corporate Rules (BCRs) (I.D.c.i.4.b.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>