Binding Corporate Rules - well, almost
It is just over a year since the UK Information Commissioner’s Office issued a Binding Corporate Rules (BCR) Authorisation in favour of the General Electric Company (GE) making it one of the few multinationals to have obtained approval of a BCR within the EU.
BCRs are a set of rules adopted within a particular company or corporate group that provide legally binding protections for data processing within that company or group. They offer a more holistic approach to providing a legal basis for global data transfers than a patchwork of contracts.
In the past year I have led the work of the International Chamber of Commerce in drafting a Single BCR Application form which is expected to be formally adopted by the European Commission in the Spring of 2007. This will kick-start the use of BCR as a solution to the legal transfer of personal data from Europe to elsewhere in the world.
In order to understand the role of a BCR it is worthwhile revisiting the background to the legal and regulatory issues concerned.
Data Protection Directive (the Directive)
The Directive required all Member States to enact comprehensive data protection laws and each Member State now has its own law, administered by its own data protection authority. Although each of these data protection laws is based on the Directive, there are important differences from country to country.
Eight Principles govern the “processing” of “personal data” within the EU. Simply stated, personal data must be:
- processed fairly and lawfully
- processed only for specific, limited purposes and not in any manner inconsistent with those purposes
- adequate, relevant and not excessive in relation to those purposes
- accurate, complete and kept up-to-date
- not kept in personally identifiable form longer than necessary
- processed in accordance with the rights of the data subject under applicable law
- kept secure
- not transferred to countries that do not have “adequate” data protection laws unless the “data exporter” takes certain specific steps to ensure that the data is “adequately protected”
Restrictions on transfers of data outside the European Economic Area (EEA)
The Eighth Principle prohibits the “export” of “personal data” to countries outside the EEA, unless:
- the receiving country has adopted laws that, in the opinion of the European Commission, provide “adequate protection” for personal data;
- one of several very limited exceptions applies; or
- the data exporter has taken steps to ensure, to the satisfaction of the local data protection authorities, that the data will be “adequately protected” after it leaves the EEA.
The European Commission maintains a list of countries whose data protection laws it has deemed “adequate” and to which personal data may therefore be transferred freely, but at the time of writing only Switzerland, Canada, Argentina, Guernsey and the Isle of Man appear on it.
Article 26.1 of the Directive requires Member States to provide several exceptions to the general rule prohibiting the transfer of personal data to a country that does not provide “an adequate level of protection.”
Although multinational companies should take full advantage of every exception, the exceptions are too narrow to provide a full solution. If none of the exceptions applies, personal data may not be exported from the EEA to a third country unless the data exporter has taken steps to ensure, to the satisfaction of the local data protection authorities, that the data will be “adequately protected”. The solution adopted by the data exporter must be acceptable to the national, regional and local data protection authorities in the country in which the data exporter is established.
To provide some degree of certainty and predictability, the European Commission has issued decisions that require the data protection authorities in each of the Member States to approve two kinds of transfer: transfers to U.S. entities that have joined the U.S. Safe Harbor, and transfers made pursuant to a private contract between the parties (a “transborder data flow agreement” or “TBDF agreement”) that incorporates the “model clauses” promulgated by the European Commission. Transfers may also be made pursuant to an approved industry sector “code of conduct” or an approved business code known as “binding corporate rules”.
Most multinational businesses have dealt with transborder transfers by either (1) having their U.S. entities join the U.S. Safe Harbor or (2) having their EU entities and non-EU entities enter into TBDF agreements.
For a business with numerous subsidiaries around the world it can be a daunting task to enter into, and then maintain, a multiplicity of TBDF agreements. It is for this reason that multinationals have looked towards BCR as a viable solution to transborder data flows.
Conclusion
For many businesses with limited global data transfers it may be sufficient to rely on either Safe Harbor or the EU Model Clauses, but for others with complex corporate structures and a web of cross-border data transfers BCR seems the holy grail, if not yet the reality!
GE, Philips, Daimler Chrysler and others are leading the crusade, and with many DPAs embracing BCR as a more than acceptable demonstration of a company's commitment to good data handling practices, 2007 is likely to see a significant increase in the adoption of Binding Corporate Rules.
For more information contact robert.bond@speechlys.com