EU Article 29 Working Party...New Guidance on Data Privacy and Corporate Rules

The Article 29 Working Party—the European Union's team of data privacy officials from each EU nation—July 8 issued a "toolbox" of guidance for companies and EU data protection authorities (DPAs) to help them use binding corporate rules to engage in lawful cross-border transfers of personal data.
Introduced in 2003, binding corporate rules (BCRs) are intended for use by companies that operate in multiple EU nations and need to move personal data across borders without running afoul of the EU Data Protection Directive (95/46/EC). The data directive does not allow for the sending of personal data from EU nations to countries such as the United States that lack adequate data protections.
BCRs are legally binding internal corporate data privacy rules that are adopted by a company and need the approval of European DPAs. BCRs are intended to safeguard the privacy of all personal data that is housed and moved under one corporate roof. Firms pledge to abide by these internal rules and practices for all cross-border data transfers, and may face criminal or civil penalties for failing to do so.
EU officials are encouraging the use of BCRs as an alternative to other legal means of transferring data outside the EU, such as the Safe Harbor framework, a method used by over 1,200 U.S. companies to comply with the EU data directive.