J.P.Morgan’s BCR based international data transfers approved in Belgium

Last week, a Royal Decree was published in the Belgian official journal authorising J.P. Morgan’s international transfers of personal data based on its binding corporate rules. This is the first time such transfers via binding corporate rules are approved in Belgium and the Royal Decree was issued under the protocol recently concluded between the Belgian Privacy Commission and the Belgian Ministry of Justice. Linklaters Brussels worked with both authorities to help develop this procedure including the protocol. It is likely that in the near future other multinational organisations will also be authorised in Belgium to transfer personal data internationally based on binding corporate rules.

Binding corporate rules

European data protection laws prohibit the transfer of personal data to a country outside of the European Economic Area unless certain conditions are satisfied. One possible solution is for an organisation to adopt binding corporate rules, a set of internally binding compliance measures to ensure personal data is protected within that organisation.

The restriction on international transfers was implemented in Belgium by the Belgian Law of 8 December 1992 on the protection of privacy in relation to the processing of personal data. According to this Law, the approval of international transfers based on binding corporate rules requires a Royal Decree, i.e. an act to be adopted by the King, which can be a time-consuming and complex exercise.

Streamlined approval process

In the context of J.P.Morgan’s application, Linklaters Brussels worked with both the Privacy Commission and the Ministry of Justice to help develop a new streamlined process to approve international data transfers based on binding corporate rules. This involves the adoption of an individual Royal Decree (“acte individuel” / “individuele bestuurshandeling”) using a standardised template. These individual Royal Decrees do not require prior review by the Finance Inspectorate and the Belgian Council of State. They do not require the publication of the binding corporate rules’ documentation either.

Instead, the new approval procedure relying on the protocol requires the submission of the binding corporate rules to the Privacy Commission for review of the international transfers they are meant to cover. Once the review is completed, the Privacy Commission communicates its advice to the Ministry of Justice. If such advice is positive, the Ministry prepares an individual Royal Decree based on the template attached to the protocol to officially approve the international data transfers. The Royal Decree is then signed by the King and published in the Belgian State Gazette.

Transborder dataflow

Binding corporate rules are not the only means of achieving compliance with European rules on international transfers of personal data but they are the most flexible. Alternative approaches, which may suit some organisations, include the use of intra-group agreements and adhesion to the US Safe Harbor. For other organisations, however, binding corporate rules are becoming an increasingly attractive option to achieve compliance.

For further information on this subject or any other TMT issues please contact: Tanguy Van Overstraeten, (+32) 2 501 94 05 or your usual Linklaters contact.