All multinational companies are constantly transferring data relating to identified or identifiable human beings (data subjects). Data is moved between different parts of the same business and to and from suppliers, customers and other third parties. When such data moves between countries, the laws of multiple countries may become relevant, potentially including a multinational business within their jurisdiction when that multinational acts as a data controller determining the purposes, conditions and means of processing involved. This also renders the business vulnerable to potential penalties for breaches of law. One way to manage the ongoing problems of moving data across the world is to introduce Binding Corporate Rules (BCRs) to govern global data transfer.
The Compliance Problem
The Organisation for Economic Co-operation and Development (OECD) realised more than 30 years ago, in 1980, that the proliferation of different data privacy laws could be a costly barrier to cross-border business. It proposed voluntary uniform guidelines rather than legislation to try to strike a business-friendly balance between the interests of individual consumers or employees and international data controllers. The OECD guidelines had the opposite effect to that intended, however; their simplicity appealed to legislators all over the world, who have duly used them as the basis for creating different data privacy regulations. See the Global Privacy Snapshot below, in which countries coloured in red have comprehensive data privacy laws covering all industry sectors and those in blue have either sectoral data privacy laws or none.
This variety of laws is, as the OECD predicted, a headache for compliance officers and general counsel because of the dissimilar registration, penalty and general enforcement provisions.
Perhaps the biggest sources of irritation and confusion are the 30 different sets of legislation of the Member States of the European Economic Area, all of which include provisions (which are required to implement the European Data Protection Directive) generally prohibiting the transfer of data outside the European Economic Area to receiving jurisdictions that do not ensure “an adequate level of protection.” Despite the proliferation of laws outside the European Economic Area that are based on the OECD guidelines, only a handful of countries have secured the European “adequate level of protection” accolade: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel and Jersey.
Available Compliance Solutions
There are a number of exceptions to/derogations from the general rule. Individual consent is one permissible precondition, but entirely impracticable to procure owing to the vast number of international data transfers. The European Union has recognised a self-certification programme, the US Safe Harbor, which was devised by the US Federal Trade Commission (FTC) based on implementation of OECD Guideline principles and subject to FTC/EU enforcement powers. This works well for many companies in legitimising data transfers from the European Economic Area, but only covers inward transfers into the United States. The European Commission has issued model contractual clauses for use between EEA exporters of data and non-EEA importers. Many businesses have found these useful for certain intra-group transfers, such as those involving a global human resources database or whistleblowing hotline.
So far, however, only a very small number of—usually very large—multinationals have opted for BCRs as a global solution. It is time for more multinationals to consider this route. An example of a successful implementation of a BCR involves a transfer of employee data among a group of 144 companies in 16 countries for which the authors secured approval in 2012. Once the application was filed in Europe, this process took only six months from start to finish. Although it involved consultation with some of the most active data protection authorities in Europe, including France, the Republic of Ireland and the United Kingdom, this resulted in only a small number of changes to the submitted set of corporate rules and policies.
The BCR Application Process Today
Since the first set of BCRs was pioneered in 2005, fewer than 30 companies have, at the time of going to press, submitted applications that have been approved across Europe. It is very likely that the lengthy, costly, time-consuming experiences of early applicants (much lectured about by their lawyers on the data privacy conference circuit) put many others off. If so, this is a pity, as the current process has been streamlined and simplified dramatically. It requires, of course, a good set of internal policies and procedures that employees are properly trained to implement effectively.
Once these elements are in place, the BCR approval application process is handled by one lead data protection authority in Europe, the determination of which is based on the group’s EEA headquarters or, if outside the European Economic Area, by appointing a group member within the European Economic Area to undertake “delegated data protection responsibilities.” For non-EEA headquartered multinationals, smaller Member State data protection authorities are generally eager to assist in securing their first BCR approval, and their attention and assistance, rather than obstruction and obfuscation, are now the norm, in contrast with the experiences of a few years ago.
The European Union Article 29 Working Party, which is the independent advisory body on data protection and privacy comprising representatives of the data protection authorities of the Member States, has also issued extremely clear and helpful working papers that demystify and assist the process: WPs 74, 108, 133, 153, 154 and 155 in particular. These enable businesses to do an enormous amount of legwork internally and cost effectively.
There is no rocket science involved: the process is designed to show that compliance with the principles of the OECD guidelines is alive and well across all entities within a group, and that all businesses, employees and agents understand they are bound to follow the principles. Provided there is an audit protocol for policies, an effective complaint-handling procedure, a commitment to co-operation with relevant data protection authorities and a mechanism for showing the binding force of the rules, it should be possible to secure approval within a relatively short period.
The BCR Application Process Going Forward
The European Economic Area’s approach to data protection has been under consultation since January 2012, with a new Regulation expected to harmonise all 30 approaches some time in 2015 or later. What is not changing, however, is the core set of principles available to all multinationals since 1980, nor the commitment by the European Economic Area to making BCR approval simpler and more accessible. Article 43 of the draft Regulation deals specifically with transfers by way of BCRs, and the European Commission explanatory memorandum on it states that it is “based on the current practices and requirements of supervisory authorities.”