It is difficult to recall a time when the issue of personal data transfers from the European Economic Area ("EEA") has been as widely and hotly debated as it has over the past year or so. Significant movements during the past year saw not only continued discussion in connection with the draft EU Regulation ("Draft Regulation") to replace the existing EU Data Protection Directive but also concerns following the revelations of former U.S. National Security Agency contractor Edward Snowden, amongst other things. "Where is data going?", "Who is receiving it?", "On what basis are companies transferring data?" and "Are those transfers lawful?" are all questions brought into fresh focus.

In our earlier article, "Personal Data Transfers from the European Economic Area: Time to Consider Binding Corporate Rules 2.0" (see WDPR, April 2013, page 4), we proposed that, for a variety of reasons, Binding Corporate Rules ("BCRs") were worthy of fresh consideration by companies operating internationally as a way to adequately safeguard personal data transferred out of the EEA, thereby ensuring that their transfers are compliant with EU data protection laws relating to extra-EEA transfers.

Originally published in Bloomberg BNA's World Data Protection Report in February 2014.