Binding Corporate Rules for the Transfer of Personal Data: New Approval Procedure

The cross-border transfer of personal data is a reality within multinational groups. Indeed, most corporate groups constantly exchange data, using shared service centres, shared databases, etc.

When the controller (i.e. the entity that determines the reasons for and means of the processing) transferring the data is established in Belgium, the transfer must comply with the provisions of the Data Protection Act of 8 December 1992, as amended in 1998 ("DPA"), which implements into Belgian law Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Cross-border transfer of personal data

Transfers of personal data within the European Economic Area ("EEA") generally do not require the fulfilment of specific formalities, since all EEA Member States have implemented Directive 95/46/EC and thus offer a similar (and adequate) level of protection.

The same cannot be said, however, for transfers to recipients located in countries outside the EEA. Such transfers are in principle only allowed if the country in question offers an adequate level of protection. Based on the European Commission's decisions, only Switzerland, Andorra, Argentina, Jersey, Guernsey, the Isle of Man, Canada (for certain processing activities), the Faeroe Islands and Israel are deemed to do so. The United States is generally not considered to offer an adequate level of protection, unless the US data recipient (importer) has adhered to the Safe Harbor Principles (data protection principles agreed between the European Commission and the US Department of Commerce).

Transfers to other countries are in principle prohibited, unless certain measures are taken, namely:

  • the transferor and the transferee enter into a standard data transfer agreement based on the European Commission's standard contractual clauses for the transfer of personal data; or
  • for corporate groups, binding corporate rules (rules on the protection of personal data that apply within the group and offer sufficient guarantees in terms of data protection) are implemented.

The use of standard clauses is relatively easy in Belgium since, provided no amendments are made to the European Commission's model, the competent authority's approval is not required to transfer the personal data. However, the use of such clauses is inadequate for groups that constantly exchange personal data, for which binding corporate rules are a much better option.

New procedure for the approval of binding corporate rules

In Belgium, binding corporate rules must be approved by royal decree. Until recently, requests for approval had to be addressed to the federal Ministry of Justice. Experience indicated, however, that approval was seldom granted, most likely due to a lack of political will. In practice, this meant that binding corporate rules could often not be implemented at the group level in the absence of approval by the competent authority.

Following discussions between the Ministry of Justice and the Privacy Commission, however, a protocol agreement was entered into on 13 July 2011, pursuant to which the Privacy Commission is now in charge of a greater part of the approval process. Although approval by royal decree is still necessary, requests for approval should henceforth be sent to the Privacy Commission, which will issue a written opinion and propose a royal decree within 60 days' time. The Ministry of Justice's role will thus be limited, as requests for approval will be examined by the Privacy Commission within binding time periods. In the best case scenario, this means that a decision should be taken within three to four months from the filing of a request. Although the approval process remains time consuming, it is expected to be more efficient and thus encourage groups of companies to use binding corporate rules.