Data protection: Art. 29 Working Party guidelines on BCRs
EBF advisor: Helene Benoist
Article 29 Data Protection Working Party: EBF’s comments on the WP29 updated adequacy referential and working document on BCRs (wp254 & wp256)
Publication date: 17 January 2018
- The European Banking Federation (EBF) welcomes the Article 29 Data Protection Authority (hereafter ‘WP29’) paper on Binding Corporate Rules (BCRs) and the updated adequacy referential, which provide further clarity on how international data transfers will be managed under the General Data Protection Regulation (GDPR).
- Cross-border data transfers are today an important part of the modern global economy as data has become its lifeblood. Digital trade and cross-border data flows are expected to continue to grow faster than the overall rate of global trade.
- Financial institutions often need to process personal data within the group of which they are members in order to achieve objectives such as offering a broader variety of products to clients or efficiently tackling fraud. In that respect, clarity and legal certainty are necessary.
- Nevertheless, there will be greater difficulties going forward for three reasons:
  - The new provisions in the GDPR will make third country transfers more difficult. Under the GDPR, it is no longer possible to make an internal adequacy decision within the firm.
  - However, the slowness of the BCRs adoption process is today an important obstacle. We note that BCRs currently require 18 months or more to be approved and demand will likely increase under the GDPR.
  - There is uncertainty over firms’ ability to rely even on the safeguards provided for under the GDPR. The EU-U.S. Privacy Shield and SCCs, for example, have an uncertain future, given the striking down of the Safe Harbour adequacy decision in 2015 and a more recent court challenge against SCCs and referral to the Court of Justice of the European Union (“Schrems II”).
- We believe further assessment should be conducted on the barriers that prevent banks from processing or storing data inside and outside the EU (linked to data protection, confidentiality, bank secrecy requirements, etc.). Ultimately, there should also be a clear legal basis to share information among jurisdictions at group company level.