BCR: yesterday's news today
The term 'Binding Corporate Rules' (BCR) first appeared in the EU Data Protection Working Party in June 2003. The idea was to create a flexible instrument for data transfer that would also meet the requirements of data protection law. The result was a procedure that allows companies to individually structure data protection when transferring data to third countries, provided that the Binding Corporate Rules applied meet certain minimum standards.
These included, among others:
1. development and implementation of a security concept
2. data protection training for employees
3. mandatory participation in an audit program
4. payment of compensation in the event of violations
5. regulated complaints procedure
6. assurance of transparency
7. definition of the scope of application.
The advantage of introducing 'Binding Corporate Rules' seemed to be the possibility of individually structuring data transfers to 'unsafe third countries'. The main disadvantages were the high organizational effort and the lengthy review process. However, as data protection was subsequently not guaranteed even in the 'safe third countries' (see, for example, the Facebook scandal and Cambridge Analytica), the European General Data Protection Regulation (GDPR) has now replaced the BCR. The new regulation provides for unexpectedly high penalties for companies that do not handle data protection responsibly.