On June 14 2012 Citigroup Inc became the latest of 15 international companies to obtain approval of its binding corporate rules from the UK Information Commissioner's Office (ICO).
Approval of its binding corporate rules will give Citigroup a flexible new way to ensure that any transfers of personal data between its global operations meet the strict EU rules on international data transfers. High-profile adopters such as Citigroup, coupled with increased cooperation between European regulators, mean that this may be the start of a wave of approvals as companies seek new commercial solutions to this familiar challenge.
Binding corporate rules are essentially a set of intra-group governance policies, agreements, declarations and undertakings that relate to the transfer of data within a group company structure. They are designed to allow multinational companies to export personal data from the European Economic Area (EEA) to other group entities in territories outside the EEA. European data protection law prohibits such transfers unless the relevant territory provides an adequate level of protection for personal data. The EEA comprises 30 countries (the EU member states plus Norway, Iceland and Liechtenstein), while an additional nine jurisdictions outside the EEA have been deemed by the European Commission to provide adequate protection for the rights of data subjects (Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey and Switzerland).
Where a UK-established company carries out a transfer with a group member that is outside the EEA, the transfer must comply with the eighth data protection principle and Article 25 of the EU Data Protection Directive (95/46/EC). Compliance can be achieved if such transfers are governed by a set of legally enforceable binding corporate rules that have been approved by the ICO.
Binding corporate rules can be a more flexible alternative to the other frameworks that are in place to enable multinational companies to comply with the eighth principle when transferring personal data within the corporate group. Although the uptake of binding corporate rules began slowly in 2005, 13 successful applications have been in the United Kingdom since April 2009. Four of these were made in 2012 alone.
Other options available to data controllers for compliance with the eighth principle include:
- the safe harbour scheme for EEA-to-US data transfers;
- model contract clauses;
- consent of the data subject; and
- the data controller's own finding of adequacy.
Once developed and operational, binding corporate rules can provide a framework for a variety of intra-group transfers throughout an organisation. Binding corporate rules are maintained through the data controller's ongoing obligation to:
- monitor compliance;
- provide regular training to employees; and
- conduct regular internal audits.
Key benefits of binding corporate rules include the following:
- Awareness – a significant increase in staff awareness of data protection compliance is an inevitable by-product of the stringent training and strategy requirements that form part of the approvals process. The company's data protection policy is also likely to be communicated externally.
- Flexibility – if drafted widely enough, binding corporate rules should be able to support changes in the company structure and some variation in the flows of data transfer that take place.
- Ease – binding corporate rules remove the need to rely on one of the more onerous options available for compliance with the eighth principle regarding data transfers. For example, in a complex organisation, maintaining compliance by using contracts based on the model clauses can entail hundreds of individual contracts.
Binding corporate rules offer an efficient approach to safeguarding personal data as it is transferred internationally. It is often impractical for large international corporations with complex structures to implement numerous contracts to cover transfers between all group companies, which must then be kept up to date with a changing corporate structure and constantly flowing data. Binding corporate rules harmonise the groups' data protection practices and help to manage risks resulting from data transfers to countries which offer lower levels of protection for personal data than the EEA.
However, binding corporate rules do not provide a basis for transfers made outside a corporate group.
The application procedure has been designed to allow companies to avoid having to approach each individual data protection authority separately.The applicant company must select a data protection authority to be the lead authority. This is determined by either the location of the European headquarters of the company or the most appropriate European location to take responsibility for the company's global data protection compliance. Once the lead authority is satisfied with the adequacy of the safeguards put in place by the binding corporate rules, it will refer the application to the other European data protection authorities for approval.
Applicants must demonstrate to the lead authority that their binding corporate rules establish adequate safeguards for the protection of personal data throughout their organisation. In the United Kingdom, the ICO encourages companies to use Paper 133 and the model checklist (WP108) prepared by the Article 29 Working Party (an independent European policy body that advises the European Commission on data protection) when submitting their application.
Authorisation is given in the United Kingdom on the basis that the binding corporate rules satisfy the requirements of Working Party Paper WP74, in that they provide adequate safeguards within the meaning of Article 26(2) of the directive. WP74 was adopted by the Article 29 Working Party in 2003 and includes observations on the substantial content that should be included in binding corporate rules and how compliance with the eighth principle can be achieved through binding corporate rules.
Key features of this content are unilateral declarations by a company that its group companies will perform in a certain way in relation to data transfers. However, one problem with binding corporate rules is that in some EU member states, the national law does not allow for the concept of unilateral declarations. In these jurisdictions, the applicant may have to find another solution that is enforceable under the laws of the relevant member state. Binding corporate rules are therefore not always the perfect pan-European solution that it was hoped they would be. Another disadvantage of binding corporate rules is the length of time that it takes to gain approval. A straightforward application can take 12 months to conclude and delays may occur in the authorisation process with other data protection authorities. The applicant's ability to respond to the comments made by the data protection authorities will also affect the timeframe of the application.
Mutual recognition is a development that has improved the binding corporate rules process. If the lead data protection authority is satisfied that the rules provide adequate safeguards, then other data protection authorities can accept its findings without further scrutiny. Since April 19 2011, 19 countries have taken part in such mutual recognition, including the United Kingdom.
Having seen the rise in successful implementation of binding corporate rules in the past year, it is likely that over the course of the next 12 months, more companies with international outreach will submit their own applications to the ICO. Companies that have had their binding corporate rules approved to date include:
- JP Morgan Chase & Co;
- British Petroleum plc;
- Accenture Limited; and
- eBay Inc.
Organisations that may particularly benefit from using binding corporate rules include those in the US financial services and telecommunications sectors, because at present, companies in those sectors cannot take advantage of the US Safe Harbour Scheme.
The ICO and other data protection authorities are aware of the drawbacks of the binding corporate rules model and are working on ways to address these concerns. The growing emphasis on cooperation between data protection authorities is giving significant momentum to binding corporate rules for the first time. As the application process for binding corporate rules becomes more streamlined, companies will have increased confidence in them and it is likely that more companies benefiting from approved status will be seen.
For further information on this topic please contact Oliver Bray or Caroline Kenny at RPC by telephone (+44 20 3060 6000), fax (+44 20 3060 7000) or email (firstname.lastname@example.org or email@example.com).
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.