Binding Corporate Rules: The Answer to Global Processing?
Article 25 of the 1995 directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data placed a controversial requirement on the governments of EU member states: to ban the transfer of personal data to any country outside the European Union unless that third country ensures an adequate level of privacy protection.
Implementing this provision while promoting a truly borderless economy posed a real challenge for all EU governments. Nevertheless, in the United Kingdom, for example, this requirement was incorporated as Principle 8 of the Data Protection Act 1998, and similar provisions have been incorporated in most European data protection laws. This measure prompted international concern about the future of global operations involving flows of personal data.
In order to understand the basis for such a radical measure, it is necessary to bear in mind the purpose of the directive as set out in Article 1: member states must protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data. In other words, the main aim of the legal regime established by the directive was to create a framework that protected individuals' personal information from misuses and abuse.
However, that framework would be very fragile if the protection afforded by it were to fall apart as soon as the personal information left the boundaries of the countries subject to EU data protection law. Therefore, the European institutions responsible for drafting and adopting the directive tried to preserve the effect of the new regime by blocking any attempts to weaken the protection afforded to individuals. In practice, this has created a situation that effectively imposes EU data protection standards in jurisdictions outside Europe.
Bearing in mind the high standards of privacy protection imposed by the directive, it is difficult to see how countries without the same strict legislative approach to this issue can avoid falling foul of this provision. As a result, the directive has been seen as a serious barrier to international commerce.
The directive's prohibition is particularly problematic in the context of multinational companies that operate under very similar standards in all jurisdictions where they are based. For these companies, geographic location is not a differentiating factor that affects the nature or quality of the products and services they provide. Therefore, regulatory barriers such as Article 25 of the directive are regarded as a direct impediment to achieving their goals.
The Authorization Route
This prohibition is mitigated by a number of derogations that are set out in Article 26(1) of the directive. In addition, Article 26(2) of the directive provides that member states may authorize a transfer, or a set of transfers, of personal data to third countries that do not ensure an adequate level of protection where the organization wishing to transfer the data adduces adequate safeguards with respect to the protection of the privacy rights of individuals.
Some data protection authorities have traditionally been reluctant to encourage potential data exporters to follow this approach. For example, a guidance note of the UK data protection authority on international data flows of July 1999 says that applications for authorization made by or on behalf of exporting controllers will be considered only in extremely limited circumstances, and that the Information Commissioner would expect the other derogations to be relied upon before this one.
However, the authorization route gained momentum following the publication of the Article 29 Working Party's Working Document on binding corporate rules for international data transfers of June 3, 2003. The Working Party believes that as long as such corporate rules are binding (both in law and in practice) and incorporate the essential content principles identified in the Working Document (WP12) of July 24, 1998, there is no reason why national data protection authorities should not authorize multinational transfers within a group of companies.
The Binding Nature
By definition, the intragroup corporate rules must apply generally throughout the corporate group, irrespective of the place of establishment of the members, the nationality of the individuals whose personal data is being processed, or any other criterion or consideration. The Working Party also stresses that two elements must be present in all cases if the rules are to be used to adduce safeguards for data exports: binding nature and legal enforceability.
In practice, the binding nature of the rules implies that the members of the corporate group, as well as each employee within it, must be compelled to comply with the rules. Ideally, the corporate rules should be adopted by the board of directors of the ultimate parent of the group, so that their internal binding force is sufficient to guarantee compliance across the organization.
Legal enforceability means that the individuals covered by the scope of the binding corporate rules must become third-party beneficiaries either by virtue of the relevant national law or by contractual arrangements between the members of the corporate group. Those individuals should be entitled to enforce compliance with the rules by lodging a complaint before the competent data protection authority and before the courts.
Given the self-regulatory features of the corporate rules, the Working Party treats the ability of individuals to enforce the rules before the courts as a necessary element, but attaches more importance to the rules actually being complied with in practice by the corporate group. In addition, in those jurisdictions where unilateral declarations cannot be regarded as granting legally enforceable third-party beneficiary rights, the corporate group would have to put in place the contractual arrangements needed to address that gap.
The Content Principles
The essential content principles identified in the Working Document of July 1998 include these:
- The purpose limitation principle — Data must be processed for a specific purpose and subsequently used or further communicated only insofar as this is not incompatible with the purpose of the transfer.
- The data quality and proportionality principle — Data must be accurate and, where necessary, kept up to date. The data must be adequate, relevant, and not excessive in relation to the purposes for which it is transferred or further processed.
- The transparency principle — Individuals must be provided with information as to the purpose of the processing and the identity of the data controller in the third country and any other information that is necessary to ensure fairness.
- The security principle — Technical and organizational security measures must be taken by the data controller that are appropriate to the risks presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process data except on instructions from the controller.
- The rights of access, rectification, and opposition — Individuals must have a right to obtain a copy of all data relating to them and a right to rectification of such data where it is shown to be inaccurate. In certain situations, individuals must also be able to object to the processing of their personal data.
- Restrictions on onward transfers — Further transfers of the personal data by the recipient of the original data transfer must only be permitted where the second recipient (i.e., the recipient of the onward transfer) is also subject to rules affording an adequate level of protection.
However, as the Working Party points out, these principles need to be developed and detailed in the binding corporate rules so that they practically and realistically fit with the processing activities carried out by the organization and can be understood and effectively applied by those having data protection responsibilities within the organization. In other words, the corporate rules should contain tailor-made provisions dealing with each of the content principles.
The Final Requirements
In addition, the Working Party's document includes the following requirements:
- The rules must set up a system that guarantees awareness and implementation of the rules both inside and outside the European Union. In practice, this will require the adoption of a suitable training program and appointment of appropriate managers with responsibility for ensuring compliance.
- The rules must provide for self-audits and/or external supervision by auditors on a regular basis with direct reporting to the parent's board. The rules may also require the acceptance of audits to be carried out by inspectors of the supervisory authority or independent auditors on behalf of the supervisory authority.
- The rules must set up a system by which individuals' complaints are dealt with by a clearly identified complaint-handling department.
- The rules must contain clear duties of cooperation with data protection authorities so that individuals can benefit from institutional support.
- The rules must also contain provisions on liability and jurisdiction aimed at making it practical for individuals to exercise their rights under the rules.
- The corporate group must also accept that individuals will be entitled to take action against the group, as well as to choose the jurisdiction.
- Individuals must be made aware that personal data is being communicated to other members of the corporate group outside the EU and the existence and the content of the rules must be readily accessible to those individuals.
The Working Party also proposes the adoption of procedural arrangements to allow companies to go through one process of legitimization via a data protection authority of one member state that will lead to the granting of permits by all the different regulators of the member states where the company operates.
The document on binding corporate rules is therefore good news for global organizations that carry out data transfers on a daily basis as it significantly widens their ability to do that in accordance with the data protection laws in force in the EU.
Eduardo Ustaran is the head of the Data Protection and E-privacy Unit at Berwin Leighton Paisner, an international law firm based in London. He can be reached at +44 20 7760 1000.