
Friday, December 23, 2011

Binding Corporate Rules and the Proposed EU Data Protection Regulation

by Mehmet Munur

The proposed replacement of the EU Data Protection Directive with a regulation sometime next year is likely to result in a multitude of changes to privacy regulation in the EU and around the world, and it may make the use of Binding Corporate Rules (BCRs) more attractive for midsize companies and data processors. While 2011 was the year of Privacy by Design, 2012 may end up being the year of the BCRs if this proposed regulation becomes law. (You may find some examples of these rules at the end of this blog post.)

The revision to the EU Data Protection Directive is likely to be a regulation instead of a directive, which may result in more uniform data protection laws across the EU. Nevertheless, EU data protection law is based to a certain extent on local employment and labor law. Therefore, there is bound to be some variation in implementation, and the differences in culture and enforcement are likely to continue. While there will be many exciting and controversial changes to the Directive, from enormous fines to the right to oblivion, BCRs have already taken center stage. (You may read more about the proposed revisions to the EU Data Protection Directive, titled “Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation),” here.)

The original BCR system was overly bureaucratic and costly. When the BCR system first started, the applicant had to seek authorization from each Data Protection Authority (DPA) in the EU. Considering all of the language and cultural barriers to reviewing a set of rules, this process was mired in reviews and re-reviews until every DPA’s requirements were met. In fact, Peter Fleischer called BCRs data protection for the rich. The system was then streamlined to 5-7 DPA reviews, with a single DPA acting as the lead. This shrank the time to obtain authorization from years to around 9 months. However, the process is still expensive and cumbersome. That may not be the case after the revisions to the Directive.

During her keynote address at the IAPP Europe Data Protection Congress, European Commissioner Viviane Reding shared her plans to make binding corporate rules even more effective through simplicity, consistent enforcement, and innovation. She pointed to the bureaucratic nature of BCR approval, stating:

I see this legal fragmentation as a costly administrative burden. It wastes time and money. It is detrimental to the credibility and efficiency of data protection authorities and data protection tools.

I intend to propose a consistent and streamlined approval process with a single point of contact for companies amongst the data protection authorities. And, once the binding corporate rules are approved by one data protection authority, I want them to be recognised by all European data protection authorities. And there should be no need for additional national authorisation in case of further transfers.

Though some DPAs have disagreed with this approach, others have already started pushing companies to begin preparing for these BCRs. Considering that the BCRs are likely to be broad enough to apply to processors as well as data controllers, using BCRs for inter-company as well as intra-company transfers may become a reality in the near future.

Therefore, if they are simplified and expanded to processors, 2012 may indeed be the year of the Binding Corporate Rules. Instead of relying solely on Standard Contractual Clauses, midsize companies could obtain authorization from one DPA for all of their intra-company data flows. Furthermore, they may also be able to obtain BCR authorization as safe processors. This should enable cloud service providers to provide cloud services to other companies under their BCRs. Under the older BCR system, companies were only able to obtain BCR authorization for data for which they were the data controllers. Under this new system, BCRs for data processors should also be possible. As a result, BCRs should become a true option for midsize companies and processors of all kinds, and quite likely a favored option for cloud service providers.

You may read about some of the BCRs that have already been approved by the EU DPAs below. Note, however, that it is the underlying processes and policies supporting the BCRs that are difficult to implement and to prove. Nevertheless, these BCRs should prove useful in finding out what the DPAs are looking for in these policies.

Accenture with the UK ICO as the lead DPA.
BP with the UK ICO as the lead DPA.
eBay with the Luxembourg DPA as the lead DPA.
First Data with the UK ICO as the lead DPA.
GE with the UK ICO as the lead DPA.
HP with the CNIL as the lead DPA.
Intel with the UK ICO as the lead DPA.
JPMorgan Chase with the UK ICO as the lead DPA.
Michelin with the CNIL as the lead DPA.
Philips (2) with the UK ICO as the lead DPA.
Sanofi Aventis with the CNIL as the lead DPA.
Spencer Stuart with the UK ICO as the lead DPA.

Aside from these companies, the following companies have obtained authorization for BCRs:

Atmel Corporation with the UK ICO as the lead DPA.
American Express with the UK ICO.
Bank Austria Creditanstalt.
Bristol Myers Squibb with the CNIL as the lead DPA.
Cargill.
CareFusion Incorporated with the UK ICO as the lead DPA.
CMA-CGM with the CNIL.
Citigroup with the UK ICO.
D.E. Master Blenders 1753 ("DEMB"), formerly Sara Lee International B.V. (an indirect subsidiary of Sara Lee Corporation), with the Dutch DPA.
Deutsche Post DHL with Germany's Federal Commissioner for Data Protection and Freedom of Information.
Hermès with the CNIL.
Hyatt Hotel Corporation with the UK ICO as the lead DPA.
International SOS with the CNIL as the lead DPA.
IMS Health Incorporated with the UK ICO as the lead DPA.
Linklaters with the UK ICO.
LVMH with the CNIL.
Novo Nordisk with the Danish DPA as the lead DPA.
Novartis with the CNIL.
Safran with the CNIL as the lead DPA.
Schering with the Berlin Data Protection Commissioner.
Schlumberger Ltd. with the Dutch DPA.
Shell International B.V. with the Dutch DPA.

Their policies may also be available publicly. We hope to have this list updated with the appropriate links in the near future.
