European Union’s Binding Corporate Rules In Cross-Border Transfer Of Personal Data

With the popularization of computers and the development of new technologies such as big data,cloud computing and artificial intelligence,personal data can bring huge profits to enterprises after processing.Personal data contains personal privacy,how to keep personal data safe is gaining increasing attention worldwide.The European Union is an important advocate of personal data protection,and its personal data protection legislation is extremely influential around the world.In order to prevent that personal data cannot obtain the same level of protection as European Union after transferring to third countries,the 1995 Data Protection Directive stipulates that personal data can only be transferred to third countries if certain conditions are met,one of which is to provide appropriate safeguards.One of the appropriate safeguards is binding corporate rules.Binding corporate rules are a set of self-regulated rules concerning processing and transfer of personal data,they are made by multinational enterprises according to requirements of European Union and observed within multinational enterprises.Binding corporate rules do not officially appear in the text of Data Protection Directive,and Data Protection Directive only enumerates data protection contractual clauses as appropriate safeguards.During implementation of Data Protection Directive,Article 29 Working Party plays a vital role in the development of binding corporate rules.Article 29 Working Party believes that appropriate safeguards stipulated in the Data Protection Directive should include binding corporate rules,and Article 29 Working Party issues a series of documents to guide multinational enterprises on how to apply for approval of binding corporate rules.After nearly twenty years of implementation of Data Protection Directive,European Union began to reform European Union’s data protection law,and the most important achievement is General Data Protection Regulation.In May 2018,General Data Protection Regulation came into effect,replacing Data Protection Directive,becoming the main legal basis for personal data protection in European Union.General Data Protection Regulation modifies and improves the Data Protection Directive,one of the improvements is that General Data Protection Regulation establishes the legal status of binding corporate rules,and officially recognizes binding corporate rules as one of the appropriate safeguards.Although multinational enterprises have no legal obligations to adopt binding corporate rules,once they adopt and European Union approves binding corporate rules,binding corporate rules will be legally binding.Binding corporate rules can be divided into two types,one is binding corporate rules for Controllers,the other is binding corporate rules for Processors.Approval procedure of binding corporate rules can be divided into two phases,the first phase is selection of leading authority,the second phase is European Union cooperation procedure.At present,European Union’s binding corporate rules system and APEC Cross-Border Privacy Rules system are in cooperation and seeking compatibility.European Union’s binding corporate rules can inspire China’s personal data protection.The development of binding corporate rules in European Union reflects European Union’s active efforts in improving personal data protection legislation,especially relevant legislation in cross-border transfer of personal data.Binding corporate rules can be considered as perfect combination of industry’s self-regulation and legal regulation in personal data protection.The Chinese government should improve China’s personal data protection legislation,promote industry’s self-regulation in personal data protection,strengthen international cooperation in personal data protection.Chinese enterprises should actively face the challenge that global personal data protection standard is increased,voluntarily make enterprises’ own personal data protection rules,improve enterprises’ personal data protection level.