Insights overview

Achieving the Gold Standard: Equinix achieves first BCR approval under GDPR

Equinix, a global interconnection and data centre provider, became the first company to go through the BCR approval process post-GDPR. This is particularly significant as a the EDPB has explicitly confirmed in the process that BCRs are still the solid international transfer mechanism it is considered to be.

What are BCRs?

BCRs are binding data protection polices which are designed to be adhered to multinational companies in the EEA for the intragroup transfer of data to their affiliates outside the EU. They are legally binding and enforced on every signatory and include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers.

BCRs differ from the European Commission’s Standard Contractual Clauses (“SCCs”) in two key ways:

For a group: Unlike the SCCs BCRs are only available to a group of undertakings, or group of enterprises engaged in a joint economic activity; and
Regulator stamp of approval: BCRs require a company to seek regulatory approval from their Lead Data Protection Authority, and through a GDPR consistency mechanism the European Data Protection Board who approves the BCRs on behalf of other data protection authorities within the EU).

Why choose BCRs?

One of the most popular reasons to go for BCRs is that they are great PR. It is a truth universally acknowledged that BCRs demonstrate that an organisation has achieved the highest standard of compliance when it comes to intragroup transfers of personal data. They serve as a mark of quality and come with a regulatory stamp of approval unique to the organisation in question. Whilst it is unquestionably time intensive to prepare BCRs and ultimately obtain approval, they do serve as a gold standard in a market sector, and have under the previous data protection regime most commonly been adopted by companies in heavily regulated sectors.

Other key reasons to go for BCRs include flexibility (as they cover most transfers carried out within a group and allow these to change as long as they are within the BCR parameters) and that they are “Brexit proof” as the parties can be EEA or non-EEA entities.

BCRs also offer an alternative to adopting the SCCs, the validity of which are once again the subject of legal challenge in the European Courts following allegations of deficiencies in their protections brought by privacy advocate Max Schrems. For more information about the potential implications of this judgment, please read our earlier blog post here.

Key takeaways

BCRs are stronger than ever. In these uncertain times, a large number of companies are now seeking to achieve the gold standard by bringing BCRs to the forefront of their privacy compliance programmes.

If you are considering BCRs for your organisation, as BCRs can be tailored around your needs (in Equinix’s case they focused on employees and business contacts), you should consider:

which categories of data and territories within your group would benefit from and be able to comply with your compliance regime; and
which group entity would be best placed to prepare, submit for approval, enforce, and be primarily responsible for infringement of its BCRs. Your choice of legal entity will have an impact on identifying who Lead Authority who make a draft approval of your BCRs before seeking approval of the EDPB.

If you would like to learn more, or are otherwise reviewing your international transfers in light of GDPR requirements, please get in touch with a member of our team, who would be happy to assist.