14 November 2011 saw First Data Corporation become the 11th entity to have binding corporate rules (BCRs) approved by the UK’s Information Commissioner’s Office (ICO).
First Data Corporation is a global electronic commerce and payment processing company. As a payment processor, secure handling of data is at the heart of First Data’s business. First Data has business operations in 35 countries and serves more than 6 million merchant locations, thousands of card issuers and millions of consumers worldwide. First Data is the first payment processor to have achieved BCR approval. Time will tell, but for as long as it holds this distinction it may enjoy a significant advantage over its competitors, at a time when data privacy issues, including some recent high-profile data breaches and regulatory settlements, are never far from the news and the handling of personally identifiable data remains under close scrutiny by regulators across the globe.
According to First Data’s Chief Executive Officer Jonathan J. Judge: “Data privacy is fundamental to the success of our business, and we’re deeply committed to protecting the information entrusted to us by our clients and employees alike. We have high standards for data privacy, and this recognition from exacting European regulators demonstrates our global leadership in data protection compliance.”
BCRs allow a data controller to transfer personal data from the European Economic Area (EEA) to affiliates located outside the EEA in compliance with the eighth data protection principle and Article 25 of the Data Protection Directive (95/46/EC). BCRs are particularly relevant to multinational companies with operations located within the EEA who regularly need to transfer personal data (whether customer data, employee data or otherwise) to diverse affiliates located outside the EEA. BCRs do not provide a basis for transfers made outside a company’s corporate group (e.g., in connection with outsourced data processing or under a data sharing agreement).
Approval given by one of the data protection authorities (DPAs) of the 19 participating EEA countries (the lead authority – in First Data’s case, the UK’s ICO) binds the other DPAs under the principle of mutual recognition: if the lead authority is satisfied that the BCRs put in place adequate safeguards within the meaning of Article 26(2) of the Directive, the other participating DPAs should have confidence in that decision and accept its findings without further scrutiny or comment. Each application will already have been circulated to the other DPAs for comment under what is referred to as the co-operation procedure.
Seeking BCR approval is no light matter. As First Data found out, it requires a significant commitment of resources and time; however, for some organisations, BCRs may offer a better solution than the European Commission’s approved model contract clauses. This is particularly true for multinational companies with complex structures, where hundreds of contracts can be required to cover transfers between all affiliates, resulting in a significant administrative burden in keeping those contracts up to date and in step with changes to the corporate structure. The US Safe Harbor regime also has its limits. For example, businesses in sectors not subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation cannot use the Safe Harbor; this includes banks and other financial service providers, and telecom providers. And Safe Harbor only works where the transfer of personal data is from an EU-based data controller to a data controller in the US.
The Article 29 Working Party has published papers on Binding Corporate Rules including a model application form, a BCR framework and BCR FAQs. Making use of these materials will help to speed up the process. However, it may still take up to 12 months from the start of the co-operation procedure. The key to a successful application is in demonstrating that adequate safeguards within the meaning of Article 26(2) of the Directive are in place. Although the application form drives this result, there is a significant undertaking in terms of providing supporting information, including details of the organisation’s privacy function, confirmation of the binding nature of the BCRs throughout its group, and provision of supporting privacy principles, data security and related policies, training plans, etc. Organisations without the necessary privacy infrastructure in place will struggle to meet the Working Party’s requirements.
The ICO reports a great deal of interest in BCR applications to date, including requests made under the UK’s Freedom of Information Act. The ICO recommends that, since an application will likely contain confidential information, such information be clearly identified and marked as commercially sensitive. Other entities that have had BCRs approved include General Electric, Koninklijke Philips Electronics, the Hyatt Hotel Corporation, Accenture, JPMorgan Chase and BP. First Data’s BCR approval is the third in 2011 – Spencer Stuart Management Consultants and CareFusion Inc. also achieved recognition this year, which may suggest the start of an upward trend in their adoption.
Viviane Reding, Vice President of the European Commission and EU Justice Commissioner has just announced plans to reform the system of binding corporate rules (BCRs) as part of the upcoming revision of the EU data protection framework. Expect a SourcingSpeak blog post on this shortly.