Hot on the heels of the UK Information Commissioner’s approval of First Data’s binding corporate rules (BCRs), Viviane Reding, the Vice President of the European Commission and EU Justice Commissioner has signalled reform of the BCR scheme aimed at making BCRs even more effective. BCRs are a way of ensuring compliance with the complexities of European data protection law – they are particularly relevant to multinationals with business operations located in the EEA who need to transfer personal data to affiliates in jurisdictions outside of the EEA.
In a speech given to the International Association of Privacy Professionals’ (IAPP) inaugural Europe Data Protection Congress in Paris on 29 November 2011, Reding announced her plans as part of upcoming revisions to the EU data protection framework. Reding’s proposed reforms will be built around on 3 principles: simplification; consistent enforcement; and innovation. Above all, Reding proposes reform “compatible with small innovative companies’ endeavours to operate on a global scale” so that companies of all sizes and operating across all business models will be able to take advantage of BCRs.
Simplification. Under Reding’s proposal the BCR approval process would be streamlined with approval by one Data Protection Authority (DPA) resulting in automatic recognition by DPAs in all other member states without the need for consultation which currently operates across the 19 participating DPAs. This should help to speed up the approval process and reduce the burden on the applicant. Further, once BCRs are approved by a DPA, there would be no need for additional national authorisation prior to transfer, as is currently required in some member states (but not others, such as the UK).
Consistent Enforcement. Reding outlines a vision of a more consistent approach to data protection and enforcement across Europe. DPAs can expect a levelling of regulations and enforcement powers on a consistent basis, putting companies which operate across European borders on a level playing field. Some DPAs will see an increase in their enforcement powers as a consequence. And BCRs would become directly binding within companies and with respect to third parties, meaning that they could be enforced through DPAs or directly by data subjects through the courts (as she says, there’s a clue in the name – binding means legally binding).
Of course, this is all fairly blue sky stuff and it will be interesting to see whether the implemented BCRs match the aim of a simpler and less burdensome set of rules governing the transfer data. It is encouraging to see a regulator thinking in such an enlightened manner and, although the detail remains to be worked out, Reding has clearly signalled her intention to make the adoption and use of BCRs significantly less complex and a more cost efficient way of facilitating intra-group transfers of personal data. “I encourage companies of all size to start working on their own binding corporate rules!”, she says. That said, companies considering embarking on the BCR journey might take a moment to pause for breadth whilst the detail of these reforms unfolds; for those already embarked, it will be interesting to see if and how the lead DPAs and the Article 29 Working Party decide to respond to the proposed reforms.