Speaking at a recent data protection conference in the UK,[14] several European regulators provided insight into European data protection priorities, recent developments generally, and the state of binding corporate rules as a method to address EU transborder data flow requirements. These regulators included Peter Hustinx, European Data Protection Supervisor (EDPS); Richard Thomas, UK Information Commissioner; and Dr. Alexander Dix, Berlin Data Protection and Freedom of Information Commissioner. Also addressed were the recent Article 29 Working Party[15] opinion regarding the definition of the term “personal data,”[16] as well as developments regarding the Brussels-based financial transfer network SWIFT and the impact of a November 2006 Article 29 Working Party decision on the definition of the term “data processor.”[17]
Among the highlights, Mr. Hustinx spoke about the “state of play” of the EU Data Protection Directive (95/46/EC, hereinafter “Directive”) as well as its future, stating that although implementation has improved, some countries should do better. He also stated that the future scope of the Directive will not be broader or narrower, but that efforts should be focused on different means for implementation. As an example of this approach, he pointed to the recent Article 29 Working Party opinion on the definition of “personal data,” which was aimed at providing more clarity regarding the proper interpretation and application of the Directive.
In terms of the EDPS’ interpretative role with respect to the Directive, Mr. Hustinx stated that he will focus on the lines to draw between controller and processor—terms important to determining which obligations under the Directive apply to a particular entity’s data processing activities—and how to address instances where there are multiple processors, reflecting the practical realities of data processing arrangements and the important role of sub-processors. In addition, he will focus on provisions regarding incompatible uses, unambiguous consent, and applicable law. Mr. Hustinx also mentioned the current review of the Privacy and Electronic Communications Directive (also known as the ePrivacy Directive, 2002/58/EC), noting that he is looking at issues surrounding appropriate security and breach notification. Further elaborating on his 2007 agenda, he discussed his office’s development of communications on RFID technology (applicability of Directive 95/46/EC and the governance of infrastructure), which would build on the guidance contained in the Working Party’s opinion on the definition of personal data, and on privacy enhancing technologies (PETs) (analysis and standards and the need to support practical use of such technologies).
UK Information Commissioner Update
In setting out his strategy and his role as a strategic regulator, UK Information Commissioner Thomas stated that, with limited resources, his office needs to be “selective to be effective” in terms of enforcement and complaint handling. The Information Commissioner’s Office (ICO) will focus on situations where intervention will make a long-term, as well as short-term, difference. He also stated the need for better regulation, with a focus on a risk-based approach, i.e., the risk of harm from improper use of personal information. It is important that there not be rules for the sake of rules, but judgments in terms of likelihood and seriousness of risk. His office is focusing on risks that individuals will suffer harm as a result of factors such as data that is (1) inaccurate, insufficient, or out of date; (2) excessive or irrelevant; (3) retained too long; (4) improperly disclosed; (5) used in an unacceptable or unexpected way beyond individuals’ control; and (6) not kept securely. Mr. Thomas stated that the ICO also will devote significant resources to promoting good information-sharing practices and the development of “privacy friendly tools and approaches.”
Binding Corporate Rules
Dr. Dix and others spoke about current issues faced by companies in connection with the approval process for binding corporate rules (“BCRs”) as a method for transferring data outside the European Economic Area (“EEA”) to third countries that, like the U.S., have not received an adequacy determination by the European Union.[18] Among the issues that may be obstacles in the current coordination process among the various EU Member State Data Protection Authorities (“DPAs”): in Germany, a company must deal with a state supervisory authority that coordinates the process in-country prior to coordination with other Member States; in Hungary, a company may need to obtain consent of all of the data subjects on top of a BCR; countries such as Spain and France may require translations of the BCRs; many countries consider BCRs as authorizing specific transfers rather than authorization for future transfers; and, importantly in terms of the practical issues, many countries’ DPAs lack sufficient capacity to deal with the volume of applications. As these examples illustrate, many issues remain to be sorted out and carefully considered in connection with determining whether BCRs are the right approach for a particular company and data transfer situation. At present, very few companies have received approval, and those approvals are somewhat limited in scope (e.g., GE has received approval for its binding corporate rules, and the data covered is limited to employee data).
Providing the UK perspective on the state of BCRs, Mr. Thomas stated that BCRs are not an end; they are a staging post to better solutions. He noted that the ICO currently has 13 BCR cases under consideration awaiting approval. He stated that companies considering BCRs should carefully review the Working Party’s papers 107 and 108, which detail the cooperative procedures among the DPAs and set forth a standard checklist for BCRs.[19] Mr. Thomas noted that the ICO and other DPAs oppose forum shopping in connection with determining a lead authority for BCRs. He stated that mutual confidence is beginning to develop between the DPAs, which is leading to quicker sign-off by other DPAs if they are comfortable that, for example, a certain DPA has signed off on a BCR. He expressed concern about the costs and time frames associated with the current approval process.
Mr. Thomas stated that the DPAs need to gain more experience and expressed hope that the process will function better when the DPAs have more approvals “under their belts.” He said that the move by the DPAs toward mutual recognition is encouraging. He also opined that what may be needed in the future is a standard template with which companies would comply or disclose areas of non-compliance. Further, he suggested that there may be a role for an approval process similar to that for the Safe Harbor—a self-certification mechanism.
Finally, among the other highlights were discussions about the impact of the decision concerning the SWIFT international financial transaction system (WP128, 22 November 2006)[20] on the Directive’s definitions of the terms “data controller” and “data processor.”[21] Generally speaking, service providers have been deemed to be data processors that perform services on behalf of their customers. They follow customer instructions and process data on behalf of customers and not for their own purposes. However, many processors distinguish themselves from competitors based on their means of providing services and are relied upon by their customers for their expertise and experience, which may be beyond that of the customer.
Speakers at this conference queried whether the definitions of “controller” and “processor” in the Directive need to be updated to reflect the changing roles of today’s service providers and the increasingly collaborative manner in which these entities work. Among the factors influencing the Working Party’s determination that SWIFT was more than merely a processor and, more accurately, a joint controller together with individual financial institutions with respect to the personal data of banks’ customers was that SWIFT does more than just act on behalf of its clients—“SWIFT has taken on specific responsibilities which go beyond the set of instructions and duties incumbent on a processor and cannot be considered compatible with its claim to be just a ‘processor.’”[22] Also, the Working Party found that “SWIFT management is able to determine the purposes and means of the processing by developing, marketing and changing the existing or new SWIFT services and processing of data . . ..”[23] It also was found that SWIFT “provides added value for the processing of personal data, such as the storage and validation of personal data and the protection of personal data with a high security standard.”[24] Finally, the Working Party stated that “SWIFT management negotiates and terminates with full autonomy its service agreements and drafts and changes its various contractual documents and policies.”[25] It was the combination of these factors and the evolution of the relationship that speakers at the conference thought to be particularly important in this case.
The full impact of this decision is thought to be as yet unknown. It is, however, thought to be another reminder about how the roles of parties to an agreement change and the importance of setting out specific duties between the parties and avoiding “mission creep.” There are important consequences in terms of EU data protection compliance obligations of being characterized as a controller rather than a processor, and parties need to be mindful of those consequences when entering into arrangements.