At the recent International Association of Privacy Professionals’ Summit in Washington DC, BCR was one of the frequently used buzzwords alongside data breach notification, behavioural targeting and global compliance, which shows that the BCR concept is probably the most popular EU data protection law feature outside the EU.
BCR are finally coming of age and establishing themselves as a real runner. There are a number of factors that evidence this and much of the concern of the previous years has turned into excitement. For starters, BCR is one of the top priorities for the Article 29 Working Party according to its Work Programme for this year. In fact, the Working Party subgroup dealing with BCR has already met several times since the beginning of 2008, which is quite an important indicator given that last year it only met once.
At a national level, EU member states and their data protection authorities are making all the right noises to ensure that the use of BCR to legitimise personal data transfers is a workable proposition. Some countries, like Spain, have even amended primary legislation to facilitate the external binding effect of unilateral declarations made by corporate entities. Other jurisdictions like Italy or Greece are looking to take similar steps, but what is truly encouraging about this is that such moves have been promoted by the regulators themselves.