The Article 29 Working Party has published more detailed “guidance” on the Binding Corporate Rules (BCRs) that goes some way to making the role of Data Protection Officer in a multinational organisation one of the most challenging back office roles of any industry.
The guidance comprises a Working Document setting up a framework for the structure of BCRs (WP154). The framework sets out what a set of BCRs might look like when incorporating all the necessary elements identified in previous guidance, including the Working Party’s model checklist application for approval of BCRs adopted in April 2005 (WP108). Additionally, a Working Document on frequently asked questions (FAQs) related to BCRs (WP155) stresses the main points about the construction and use of BCRs that the Working Party thinks should be driven home. There is also a Working Document setting up a table with the elements and principles to be found in BCRs (WP153), through which the Working Party provides further clarification and distinguishes between what must be included in BCRs and what must be presented to data protection authorities (DPAs) in the BCRs application.
Under current European legislation, personal data cannot be transferred to countries or territories outside the European Economic Area (EEA) unless there is adequate protection for the rights and freedoms of individuals in relation to the processing of information about them. Transfers can still be made to countries that do not have equivalent data protection legislation where adequacy is ensured by other means, in particular the circumstances of the transfer. It is also possible for multinational organisations to transfer personal data outside the EEA but within their group of companies in a manner that ensures adequacy through the adoption of binding codes of corporate conduct by the organisation, i.e., binding corporate rules. The UK Information Commissioner’s Office has published guidance on international transfers of personal data and on the use of model contracts for transfers to other organisations and to data processors processing personal information on their behalf.
The use of BCRs requires approval from the DPAs in the countries in which the group is processing personal data. The Article 29 Working Party’s model checklist described the required contents of an application to a DPA for approval of a set of BCRs. In February 2007, the Working Party adopted a standard application form based on that checklist and adapted from a standard form put together by the International Chamber of Commerce (ICC), which has also issued detailed guidance on the drafting and implementation of BCRs. The latest set of documents from the Working Party adds even more flesh to the bones of an already meaty process. The intended purpose is to clarify particular requirements in order to assist applicants in gaining approval for their BCRs.
WORKING DOCUMENT ON FAQS
Whilst the BCRs do not have to apply to personal data processed by a group that does not actually enter the European Union, the Working Party nevertheless makes a strong recommendation that multinational groups using BCRs have a single set of global policies or rules in place to protect all personal data that they process. It is of course possible for the group to have a single set of rules, while at the same time limiting the third party beneficiary rights required in the BCRs only to personal data transferred from the European Union.
Processors that are not part of the group are obviously not bound by the BCRs, but where they act on behalf of a group member they should always act under the instructions of the controller and should be bound by contract or otherwise as required by Articles 16 and 17 of the Data Protection Directive (95/46/EC). If the processors are not part of a group and are based outside the European Union, the members of the group will also have to comply with Articles 25 and 26 of the Directive on transborder data flows and ensure an adequate level of protection through the use, for example, of the standard contractual clauses adopted by the Commission. In any event, the BCRs will need to address the situation.
BCRs must nominate an entity within the European Union to accept liability for any breaches of the rules by any member of the group outside the European Union in relation to data transferred from the European Union under the rules. It is envisaged that in most cases this will be the headquarters of the group, if EU based. However, where the headquarters of the group is based outside the European Union, the group is allowed to nominate a suitable member in the European Union to accept responsibility for breaches including liability for damages resulting from the violation of the BCRs by any member outside the European Union bound by the rules.
The Working Party acknowledges that certain group structures will not always allow for a specific entity to take all the responsibility and, in such cases, accepts that where the group can demonstrate why it is not possible to nominate a single entity in the European Union, it can propose other and more suitable mechanisms of liability such as those set out in the Standard Contractual Clauses. These could include joint liability between data importers and exporters, a liabilities scheme based on due diligence obligations, or the mechanism specifically dedicated to transfers from controllers to processors.
DPAs will consider the alternative solutions on a case by case basis and it will be important to show that data subjects will be assisted in exercising their rights and not disadvantaged or unduly inhibited in any way.
The Working Party also stresses that the BCRs should always contain a right for the data subject to lodge a complaint before the DPA for breach of the rules. It says that, even where the rules or the third party beneficiary rights are limited to data originating from the European Union and individuals already have a right in their national law to make a complaint about the exporting entity to the DPA, it is nevertheless important to have a right to lodge a complaint “on the face of the BCRs for a breach of the rules as a whole by any member of the group”. The BCRs, and the way to complain and seek redress under them, should be easily accessible to the data subject. Where third party beneficiary rights are excluded from the core document of the BCRs and set out in a separate document for legitimate reasons, these should be made transparent and easily accessible to any data subject benefiting from those rights.
Finally, the purposes for which the group processes personal data must be set out and sufficiently detailed in the BCRs to enable DPAs to assess whether the level of protection in the group is adequate. The description must be clear and precise and specify the main purposes in a detailed manner and, in particular, whether the personal data are processed for direct marketing purposes.
The BCRs are very much the preserve of large multinational groups and, so far, despite the Article 29 Working Party’s best efforts to encourage take-up, only two organisations have had BCRs authorised by the Information Commissioner. In theory, where it is intended that data transfers will be made across multiple jurisdictions, the BCRs appear an attractive proposition, preferable to model contractual clauses. Unfortunately, the construction and approval of BCRs have, to date, proved too challenging for them to become the compliance tool of choice. Without decrying the need for the detailed safeguards set out in the Working Party’s model framework, this latest set of guidance documents arguably demonstrates why.