Binding Corporate Rules and Privacy Shield

The eData Guide to GDPR

February 11, 2020

Global organizations need a clear, legal means to share data across borders, whether to conduct day-to-day business, comply with government regulations, perform under a contract, respond to lawsuits, or simply communicate and share information with colleagues. In this installment of The eData Guide to the GDPR, we explore mechanisms provided in the GDPR that facilitate the cross-border transfer of personal data within a global organization to operations or facilities in countries the European Commission (EC) has not found to provide an “adequate” level of protection for personal data, such as the United States.

Chapter V, and specifically Article 47 of the GDPR, provides guidance regarding the use of binding corporate rules as an option to facilitate such cross-border transfers. In previous installments of The eData Guide to the GDPR, we have looked at the EU’s preference for the inclusion of standard contractual clauses to protect the transfer of data by defining the parties involved in the transfer, the reasons for doing so, and the methods by which the data will be protected.[1] This article will explore other mechanisms designed to ensure similar protections.

Article 47: Binding Corporate Rules

bookBinding corporate rules (BCRs) provide a framework for companies to transfer data across borders within their own organizations. BCRs set up policies, procedures, guidelines, and practices that satisfy GDPR privacy standards. These must be approved by a relevant member state’s data protection authority (DPA), and in most member states, transfers will still require a “transfer notification” to the DPA.

Article 47 provides some specific requirements for appropriate BCRs. These rules must be

  • legally binding and enforced by all concerned parts of the organization, including employees;
  • expressly conferring enforceable rights on data subjects; and
  • providing particular information, such as the structure of the organization, types of data and data subjects involved, complaint procedures, the general data protection principles employed, and training provided to employees having access to personal data.

BCRs are the most effective way for a multinational organization to transfer personal data internally on a regular basis, such as human resources and payroll information.

Prior to the enactment of the GDPR, the EU Data Protection Board (at the time known as Article 29 Working Party) had provided guidance[2] on the recommended content of BCRs. According to the board, in addition to the GDPR requirements listed above, good BCRs should incorporate the following:

  • A duty on each company entity and employee to respect the BCRs.
  • The creation of third-party beneficiary rights for data subjects. This includes the ability to enforce rights of access, rectification, erasure, restriction, and objection to processing. Data subjects should also be able to complain through internal company mechanisms.
  • The EU company entity responsible for data protection accepts liability for compensation and remedies for breaches of the BCRs.
  • The company bears the burden of proving that its non-EU organization is not liable for rules violations.
  • Data subjects have a right of easy access to the BCRs.
  • The existence of a training program on the BCRs.
  • The existence of a complaint process, which must be handled within a maximum of three months.
  • The existence of an audit program covering the BCRs.
  • The structure, role, position, and tasks of a data protection officer (DPO) or similar function to ensure compliance with the BCRs.
  • Duty to comply with supervisory authorities (SAs).
  • Description of the material scope of the BCRs. This includes the types of data being transferred, the types of data subjects, the countries involved, and the type of processing and its purposes.
  • Description of the geographical scope of the BCRs.
  • A process for updating the BCRs.
  • General data protection principles, including purpose limitation, data integrity, security, and the restriction on transfers outside of the BCR members.
  • Mechanisms for accountability with the BCRs, such as a record of processing activities.
  • The list of entities bound by the BCRs.
  • A commitment to transparency and notification when national legislation might prevent compliance with the BCRs.
  • A statement on the relationship between national laws and the BCRs.

Although these requirements are rigorous, once the necessary structures and processes are implemented in accordance with a company’s BCRs, they allow a much freer and more natural transfer of data within a company than would otherwise be allowed under GDPR.

Privacy Shield

shieldThe Privacy Shield Framework (Privacy Shield) is a mechanism approved by the EC in July 2016 through which enrolled organizations may transfer personal data from Europe to the United States, and is a replacement for the previous Safe Harbor arrangement.[3] Privacy Shield is administered by the International Trade Administration (ITA) within the US Department of Commerce in cooperation with the European Commission and has over 5,000 active participants. [4] The framework provides

  • data protection obligations on organizations receiving personal data;
  • safeguards on US government access to this data;
  • protection and redress for data subjects;
  • yearly joint review by the United States and European Union of the framework.[5]

US companies can join Privacy Shield by voluntarily self-certifying with the Department of Commerce that they will adhere to the principles of Privacy Shield after developing a privacy policy that is compliant with the framework. Once enrolled, the obligation to follow these principles becomes enforceable under federal law, either by the Federal Trade Commission (FTC) or the Department of Transportation, and recertification must be done on an annual basis.[6]

Privacy Shield operates under a set of principles that ensure compliance with EU standards of data protection and processing, consistent with GDPR. These principles include

  • notice of participation in Privacy Shield, the types of data collected, the purposes for collection, the right of individuals to access their personal data, and recourse options;
  • choice to opt out of personal data being shared with third parties and the requirement of affirmative consent before certain types of sensitive information, such as medical data, can be shared with third parties;
  • accountability for onward transfer of data to third parties;
  • appropriate security measures in place to prevent loss, misuse, and unauthorized access;
  • data integrity and purpose limitation;
  • right of individuals to access their personal data;
  • recourse, enforcement, and liability.

The application to join Privacy Shield requires basic company information, as well as contact information for the personnel within the applying organization who will be responsible for handling complaints from data subjects and data access requests. The applicant also must describe the ways in which it uses personal data and the types it uses, such as human resources data, customer and visitor information, and clinical trial data. Organizations participating in Privacy Shield must also designate whether they will work directly with European DPAs to resolve complaints from data subjects, or with a “private sector developed independent recourse mechanism,” such as the International Centre for Dispute Resolution. They must show that their privacy policies are aligned with the Privacy Shield principles, including specifically providing information on their compliance with each of these principles in the privacy policy.

When data is sent from the European Union to the United States, the data controller in the European Union is required to enter into a contract. This contract ensures that the processor in the United States only acts on instructions from the controller; protects the personal data through appropriate safeguards; and assists the controller in responding to data subjects in the case of complaint or enforcement. These contracts do not require prior authorization from an EU member state for Privacy Shield participants.

In compliance with the Privacy Shield principles, data processors must ensure that data subjects can opt out of processing; that the integrity of the data is maintained; and that the data is only maintained for as long as necessary according to the purpose of the processing. Data processors must also provide data subjects with access to their personal information. This is best achieved by “putting [the data subject] in contact with the EU controller, or by working together with the EU controller to provide access, as prescribed by the EU controller.”[7]

Privacy Shield requires an annual review by both European Union and United States regulators to certify the effectiveness of the program. The third annual review in October 2019 confirmed that the United States should “continue[d] to ensure an adequate level of protection for personal data” and that there had been a “number of improvements in the functioning of the framework.”[8] These improvements include more systematic oversight by the US Department of Commerce: monthly compliance checks; seven enforcement actions by the FTC; assertion of rights by EU data subjects; and the appointment of a permanent ombudsman. The review, however, identified a few areas for improvement, such as the speed of the certification and recertification processes; guidance on human resources data; and the sharing of information by the FTC on ongoing investigations.


The GDPR provides several mechanisms for otherwise impermissible cross-border transfers of data, including binding corporate rules and the use of other checks such as Privacy Sheild. All of these methods come with limitations, but in most cases, will allow businesses to function seamlessly from an operational and compliance perspective despite their disparate geographic locations. Adherence to the GDPR’s listed requirements and guidance from EU authorities is key to keeping these tools in place, enabling the smooth operation of a multinational business.

[1] See Appropriate Safeguards in the GDPR.

[2] Working Document on Binding Corporate Rules for Controllers (wp256rev.01), February 6, 2018.

[3] The Safe Harbor arrangement was invalidated by the European Union Court of Justice in the 2015 Maximilian Schrems v. Data Protection Authority (Case C-263/14).

[4] Read more about the Privacy Shield Framework.

[5] Read more about EU-US data transfers.

[6] Read more about the Privacy Shield Framework

[7] Id.

[8] See EU-U.S. Privacy Shield: Third review welcomes progress while identifying steps for improvement