This thesis offers a critical approach to the current regime of Binding Corporate Rules (“BCR”) used by large companies to transfer personal data within the same corporate group to third countries which do not offer adequate levels of data protection. Our study focuses on the substantial and formal shortcomings that multinational companies particularly highlighted in connection with the implementation of the BCR mechanism. The analysed substantial shortcomings mainly relate to burdensome requirements set by the Working Documents issued by the Article 29 Working Party (“WP”), as well as to the problem of the binding nature of BCR when they adopt the form of unilateral declarations. The investigated formal shortcomings have to do with the complex and time consuming process to have the BCR approved at the EU/EEA level and from the relevant Data Protection Authorities (“DPAs”). Our thesis statement is that the BCR -as developed today- has proven ineffective. Multinational corporations are nowadays demanding more reliance on their own internal mechanisms of corporate governance to transfer personal data internationally within the same corporate group. Mandated accountability could have been the key in the proposed Regulation to reform the EU Data Protection Directive, combined with a stronger ex-post privacy control by the competent supervisory authorities. Unfortunately, the proposed reform does not follow such path.