Box gives EU customers alternative to Privacy Shield with BCRs


Box's EU customers can store their files in its US datacentres without relying on the controversial Privacy Shield framework, the company confirmed today after receiving EU approval for its Binding Corporate Rules (BCRs).

BCRs are legally-enforceable agreements between companies and the EU that govern how companies handle the data in their care, covering both customer information and that of Box's EU employees.

It means Box can offer all EU customers a different way to send their data to the US, rather than relying on Privacy Shield, the newly-approved EU-US data transfer mechanism.

"This is a huge milestone as we continue to scale internationally while focusing on offering what we believe to be the most secure enterprise content management platform in the world," said Box's senior director of global legal and advocacy, Joel Benavides.

The UK's data protection authority, the Information Commissioner's Office (ICO), approved Box's BCRs along with watchdogs from Spain and Poland, meaning they are valid in all 28 EU member states.

"The data protection authority's approval of our BCRs enables companies across Europe to deploy a validated cloud environment in accordance with the highest data protection standards available today," added Benavides.

Cloud Pro first reported that Box was seeking an alternative EU data transfer mechanism back in April, when the cloud firm's general counsel, Peter McGoff, told us that BCRs could offer "even stronger protection for our customers [than Privacy Shield]."

Companies set their own BCRs, but they must be specifically approved by EU data protection authorities, an approval process that requires a substantial review of the company's processes and procedures for data protection.

Although Box still supports Privacy Shield, the framework that replaced the defunct Safe Harbour agreement has drawn criticism.

Its critics chiefly point to the fact that US assurances of not spying on EU data are not backed up by any law. Meanwhile, the EU's group of data watchdogs is set to challenge other aspects of the new framework in a review next year.

Box has also introduced Box Zones, a service that allows customers to choose between five zones to store their data, meaning they can keep it in countries with tighter data protection laws if they choose to, without moving it to the US.

Box's BCRs will ensure that the company remains compliant with EU data law even when transferring information across state borders.

Duncan Brown, IDC's research director for European security practice in EMEA, said: "BCRs provide the highest level of compliance, accountability and assurance for international organizations. There are very few companies with approved global BCRs and Box is one of the first cloud service providers to achieve this approval."

The approval of Box's BCRs adds to its existing governance and compliance certifications, including ISO 27018, ISO 27001 and the APEC Cross Border Privacy Rules. The cloud provider claims it is now the first company in the world to hold all four certifications simultaneously.

Adam Shepherd
