Binding Corporate Rules System under Review

Hot on the heels of the UK Information Commissioner’s approval of First Data’s binding corporate rules (BCRs), Viviane Reding, the Vice President of the European Commission and EU Justice Commissioner has signalled reform of the BCR scheme aimed at making BCRs even more effective. BCRs are a way of ensuring compliance with the complexities of European data protection law – they are particularly relevant to multinationals with business operations located in the EEA who need to transfer personal data to affiliates in jurisdictions outside of the EEA.

In a speech given to the International Association of Privacy Professionals’ (IAPP) inaugural Europe Data Protection Congress in Paris on 29 November 2011, Reding announced her plans as part of upcoming revisions to the EU data protection framework. Reding’s proposed reforms will be built around on 3 principles: simplification; consistent enforcement; and innovation. Above all, Reding proposes reform “compatible with small innovative companies’ endeavours to operate on a global scale” so that companies of all sizes and operating across all business models will be able to take advantage of BCRs.

Simplification. Under Reding’s proposal the BCR approval process would be streamlined with approval by one Data Protection Authority (DPA) resulting in automatic recognition by DPAs in all other member states without the need for consultation which currently operates across the 19 participating DPAs. This should help to speed up the approval process and reduce the burden on the applicant. Further, once BCRs are approved by a DPA, there would be no need for additional national authorisation prior to transfer, as is currently required in some member states (but not others, such as the UK).

Consistent Enforcement. Reding outlines a vision of a more consistent approach to data protection and enforcement across Europe. DPAs can expect a levelling of regulations and enforcement powers on a consistent basis, putting companies which operate across European borders on a level playing field. Some DPAs will see an increase in their enforcement powers as a consequence. And BCRs would become directly binding within companies and with respect to third parties, meaning that they could be enforced through DPAs or directly by data subjects through the courts (as she says, there’s a clue in the name – binding means legally binding).

Innovation. The subtitle to Reding’s speech “unleashing the potential of the digital single market and cloud computing” is a signpost for what is perhaps the most interesting and forward thinking part of her speech, where she states that the boundaries of traditional methods of regulation need to be pushed to enable European business to compete globally, including by embracing new technology (such as the cloud). Key here is Reding’s critique of the geographic restrictions of current regulation: “Data protection laws that apply only within a given territory just do not work in an era where information flows are global: personal data is stored in one country, effectively processed in another and the data subject is located in a completely different country.” The new BCRs will instead apply to “all internal and extra-EU transfers of any entity in a group of companies”. Establishment of BCRs by a corporate group will enable “one single document that governs the privacy policy of the whole group instead of a variety of different – and not always consistent – contracts.” The rules would also extend the use of BCRs to data processors – indeed all kinds of business models including cloud computing – whereas currently only data controllers may use them.

Of course, this is all fairly blue sky stuff and it will be interesting to see whether the implemented BCRs match the aim of a simpler and less burdensome set of rules governing the transfer data. It is encouraging to see a regulator thinking in such an enlightened manner and, although the detail remains to be worked out, Reding has clearly signalled her intention to make the adoption and use of BCRs significantly less complex and a more cost efficient way of facilitating intra-group transfers of personal data. “I encourage companies of all size to start working on their own binding corporate rules!”, she says. That said, companies considering embarking on the BCR journey might take a moment to pause for breadth whilst the detail of these reforms unfolds; for those already embarked, it will be interesting to see if and how the lead DPAs and the Article 29 Working Party decide to respond to the proposed reforms.