The Portuguese regulatory regime for Binding Corporate Rules

Abstract

Given the vast number of requests for authorisations for the transfer of personal data to countries outside of the EU and the growing complexity of how companies and corporate groups choose to structure their international activities, it should hardly have come as a surprise when, in 2003, the Article 29 Data Protection Working Party recommended that the approaches afforded by the standard contractual clauses and Safe Harbor Principles should be complemented by Binding Corporate Rules. Citing a growing demand on the part of multinational companies, which due to their complex architectural structures worldwide would like to benefit from the possibility to adopt ‘codes of conduct for international transfers’ (WP 74, p. 5), the Working Party analysed the possibility of authorizing cross-border data transfers under a BCR system and came to the conclusion that it would be a useful additional alternative to the already existing methods of conducting international transfers. While the Working Party endorsed BCRs in this manner, however, the actual decision of whether to accept BCRs was left to the individual data protection authorities of each member state. Portuguese Law 67/98, of 26 October 1998, on the Protection of Personal Data (the Data Protection Law) implements the EU Data Protection Directive 95/46/ EC. Article 20(2) of the Data Protection Law, which is analogous to Article 26(2) of the Directive, expressly empowers the national data protection authority (the CNPD) to authorize transfers of personal data to a State which does not ensure an adequate level of protection as long as ‘the controller adduces adequate safeguards with respect to the protection of the privacy