International Data Transfers and Binding Corporate Rules

Posted by: Jeffrey Neu

When performing international data transfers, companies need to comply with various rules and regulations. This includes smaller companies whose servers are hosted in offices in foreign countries.

US companies seeking to transfer personal data out of the EU are limited to three approved methods: the Safe Harbor program (established by the US Department of Commerce), model contractual clauses approved by the EU, or Binding Corporate Rules (BCRs). Presently, BCRs are the least used of these options. With the release of the new guidance, BCRs may become more prevalent.

On January 10, 2007, the Article 29 Data Protection Working Party announced the adoption of a new Model Application for the submission of a company's Binding Corporate Rules to any European Union Data Protection Authority (DPA). The approval of the Model Application was a long-awaited and welcome addition, which made Binding Corporate Rules a viable alternative to the two other currently approved methods for international transfers of personal data, Safe Harbor and model contractual clauses.

To make matters "simpler", in September 2008 the Working Party released guidance on the formation and implementation of Binding Corporate Rules. The guidance consists of three documents, which clarify the requirements for establishing BCRs: (1) a checklist outlining the required elements of the BCRs; (2) a framework for the structure of BCRs; and (3) a list of frequently asked questions regarding BCRs.

BCRs are legally binding internal corporate documents. Establishing BCRs gives a corporation guidance and direction as to how it may transfer data between EU countries and out of the EU. However, it is not a short or simple process.

Before becoming effective, BCRs require the approval of the DPAs in the member states in which a company operates, a process that may take years. Seeking BCR approval is complex because approval requires the adoption of a comprehensive data privacy program. Presently, only a few companies, among them General Electric and Philips, have announced receiving BCR approval.

Broadly, the new guidance establishes that for BCRs to be approved: (1) the BCRs must in fact be binding; (2) the entity must demonstrate policies and procedures ensuring the effectiveness of the BCRs; (3) the entities bound by the BCRs must cooperate with the DPAs; (4) the transfers covered by the BCRs must be described, including a statement of the geographical and material scope of the BCRs; (5) the mechanisms for reporting and recording changes to the BCRs must be described; and (6) the entity must describe how it observes the EU’s data protection principles to safeguard personal data.