Re: Cor.
Yep.
What he missed to explain is that the BCRs should formulate a data protection, data retention and data correctness regime which is _EQUIVALENT_ to Eu now. In the absence of a Safe Harbor you cannot just have a BCR effectively saying "I can do whatever I want". You should have a BCRs which provide an equivalent level of data protection if audited.
Here is the rub - the first time BCR and Patriot act + FISA court orders meet in the ECJ, BCRs will be ruled null and void too. This will blow up the big guys who operate under BCRs too.
I suspect that this is only a matter of time until this happens.