American data centre owner Equinix says it has become the first company to have its Binding Corporate Rules (BCRs) approved by the European Data Protection Board (EDPB)’s 27 members; compliance that means personal data flows that Equinix adopts to move outside of the EU to support its global customer base are fully GDPR-compliant.
The decision gives customers certainty that their data is protected under robust GDPR rules irrespective of what a final Brexit deal looks like, Equinix said.
The move comes after Europe’s EDPB was asked by the UK’s ICO for its opinion on the BCRs: data protection policies for companies established in the EU that regularly share data outside of the EU within a group of undertakings or enterprises. Such rules are legally binding and must be enforced by every member concerned of the business.
The EDPR took two weeks to approve the BCRs, filings show.
Binding Corporate Rules Approval: “An Important Milestone”
Peter Waters, SVP Legal EMEA and Chief Privacy Officer, Equinix said: “As a company that helps facilitate the movement of data globally, we felt that seeking the highest standard of compliance around international transfers of personal data was the right approach for both Equinix and our global customer base, and that meant leveraging BCRs. As our BCRs were the first-ever to go through the process post-GDPR, we were put under scrutiny by the data protection regulators across the 27 EU member states.
He added: “To have secured the approval of our BCRs in this context is a real success story. We believe this is an important milestone for Equinix in our own compliance strategy and for our global customers and partners who look to us to provide the security and trust required around how we operate our global enterprise.”
Under Article 63 of the GDPR, businesses with a broad European geographic footprint report their BCRs to their “competent data protection” organisation, which then communicates its draft decision to the EDPB for approval or otherwise.
“The Equinix BCRs contains all elements required under article 47 GDPR and WP256 rev01, in concordance with the draft decision of the Information Commissioner of the United Kingdom submitted to the EDPB for an opinion. Therefore, the EDPB does not have any concerns which need to be addressed,” the EDPB said.
Russell Poole, Equinix’s UK MD added: “As the UK” continues to prepare to leave the European Union, companies that leverage Equinix as a business partner can be confident that their personal data we obtain will continue to be protected to the high standards set by the European Union, regardless of what a final Brexit deal may look like.”
The announcement comes four months after the company – one of the world’s largest co-location data centre providers – announced that it was was forming a $1 billion joint venture with GIC, Singapore’s sovereign wealth fund, that will provide a capital vehicle to build and expand hyperscale data centres under Equinix’s new “xScale” brand, amid aggressive European expansion plans.