News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Binding Corporate Rules: The Answer to Global Processing? Related reading: Navigating Thailand's Digital Platform Services Law

rss_feed

""

Eduardo Ustaran

Article 25 of the 1995 directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data placed a controversial requirement on the governments of EU member states: to ban the transfer of personal data to any country outside the European Union unless that third country ensures an adequate level of privacy protection.

Implementing this provision while promoting a truly borderless economy posed a real challenge for all EU governments. Nevertheless, in the United Kingdom, for example, this requirement was incorporated as Principle 8 of the Data Protection Act 1998, and similar provisions have been incorporated in most European data protection laws. This measure prompted international concern about the future of global operations involving flows of personal data.

The Reasons

In order to understand the basis for such a radical measure, it is necessary to bear in mind the purpose of the directive as set out in Article 1: member states must protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data. In other words, the main aim of the legal regime established by the directive was to create a framework that protected individuals' personal information from misuses and abuse.

However, that framework would be very fragile if the protection afforded by it were to fall apart as soon as the personal information left the boundaries of the countries subject to EU data protection law. Therefore, the European institutions responsible for drafting and adopting the directive tried to preserve the effect of the new regime by blocking any attempts to weaken the protection afforded to individuals. In practice, this has created a situation that effectively imposes EU data protection standards in jurisdictions outside Europe.

The Impact

Bearing in mind the high standards of privacy protection imposed by the directive, it is difficult to see how countries without the same strict legislative approach to this issue can avoid falling foul of this provision. As a result, the directive has been seen as a serious barrier to international commerce.

The directive's prohibition is particularly problematic in the context of multinational companies that operate under very similar standards in all jurisdictions where they are based. For these companies, geographic location is not a differentiating factor that affects the nature or quality of the products and services they provide. Therefore, regulatory barriers such as Article 25 of the directive are regarded as a direct impediment to achieving their goals.

The Authorization Route

This prohibition is mitigated by a number of derogations that are set out in Article 26(1) of the directive. In addition, Article 26(2) of the directive provides that member states may authorize a transfer, or a set of transfers, of personal data to third countries that do not ensure an adequate level of protection where the organization wishing to transfer the data adduces adequate safeguards with respect to the protection of the privacy rights of individuals.

Some data protection authorities have traditionally been reluctant to encourage potential data exporters to follow this approach. For example, a guidance note of the UK data protection authority on international dataflows of July 1999 says that applications for authorization made by or on behalf of exporting controllers will be considered only in extremely limited circumstances and that the information commissioner would expect other derogations to be relied upon before this derogation.

However, the authorization route gained momentum following the publication of the Article 29 Working Party's Working Document on binding corporate rules for international data transfers of June 3, 2003. The Working Party believes that as long as such corporate rules are binding (both in law and in practice) and incorporate the essential content principles identified in the Working Document (WP12) of July 24, 1998, there is no reason why national data protection authorities should not authorize multinational transfers within a group of companies.

The Binding Nature

By definition, the intragroup corporate rules must apply generally throughout the corporate group irrespective of the place of establishment of the members or the nationality of the individuals whose personal data is being processed or any other criteria or consideration. The Working Party also stresses that there are two elements that must be present in all cases if the rules are to be used to adduce safeguards for data exports: binding nature and legal enforceability.

In practice, the binding nature of the rules implies that the members of the corporate group, as well as each employee within it, must be compelled to comply with the rules. Ideally, the corporate rules should be adopted by the board of directors of the ultimate parent of the group so that the internal binding nature of the rules is good enough to guarantee compliance with the rules across the organization.

Legal enforceability means that the individuals covered by the scope of the binding corporate rules must become third-party beneficiaries either by virtue of the relevant national law or by contractual arrangements between the members of the corporate group. Those individuals should be entitled to enforce compliance with the rules by lodging a complaint before the competent data protection authority and before the courts.

Given the self-regulatory features of the corporate rules, although the possibility for individuals to enforce the rules before the courts is a necessary element, the Working Party attaches more importance to the fact that the rules are complied with in practice by the corporate group. In addition, in respect of those jurisdictions where unilateral declarations cannot be considered as granting legally enforceable third-party beneficiary rights, the corporate groups would have to put in place the necessary contractual arrangements to address that problem.

The Content Principles

The essential content principles identified in the Working Document of July 1998 include these:

  • The purpose limitation principle — Data must be processed for a specific purpose and subsequently used or further communicated only insofar as this is not incompatible with the purpose of the transfer.
  • The data quality and proportionality principle — Data must be accurate and, where necessary, kept up to date. The data must be adequate, relevant, and not excessive in relation to the purposes for which it is transferred or further processed.
  • The transparency principle — Individuals must be provided with information as to the purpose of the processing and the identity of the data controller in the third country and any other information that is necessary to ensure fairness.
  • The security principle — Technical and organizational security measures must be taken by the data controller that are appropriate to the risks presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process data except on instructions from the controller.
  • The rights of access, rectification, and opposition — Individuals must have a right to obtain a copy of all data relating to them and a right to rectification of such data where it is shown to be inaccurate. In certain situations, individuals must also be able to object to the processing of their personal data.
  • Restrictions on onward transfers — Further transfers of the personal data by the recipient of the original data transfer must only be permitted where the second recipient (i.e., the recipient of the onward transfer) is also subject to rules affording an adequate level of protection.

However, as the Working Party points out, these principles need to be developed and detailed in the binding corporate rules so that they practically and realistically fit with the processing activities carried out by the organization and can be understood and effectively applied by those having data protection responsibilities within the organization. In other words, the corporate rules should contain tailor-made provisions dealing with each of the content principles.

The Final Requirements

In addition, the Working Party's document includes the following requirements:

  • The rules must set up a system that guarantees awareness and implementation of the rules both inside and outside the European Union. In practice, this will require the adoption of a suitable training program and appointment of appropriate managers with responsibility for ensuring compliance.
  • The rules must provide for self-audits and/or external supervision by auditors on a regular basis with direct reporting to the parent's board. The rules may also require the acceptance of audits to be carried out by inspectors of the supervisory authority or independent auditors on behalf of the supervisory authority.
  • The rules must set up a system by which individuals' complaints are dealt with by a clearly identified complaint-handling department.
  • The rules must contain clear duties of cooperation with data protection authorities so that individuals can benefit from the institutional support.
  • The rules must also contain provisions on liability and jurisdiction aimed at facilitating their practical exercise.
  • The corporate group must also accept that individuals will be entitled to take action against the group, as well as to choose the jurisdiction.
  • Individuals must be made aware that personal data is being communicated to other members of the corporate group outside the EU and the existence and the content of the rules must be readily accessible to those individuals.

The Working Party also proposes the adoption of procedural arrangements to allow companies to go through one process of legitimization via a data protection authority of one member state that will lead to the granting of permits by all the different regulators of the member states where the company operates.

The document on binding corporate rules is therefore good news for global organizations that carry out data transfers on a daily basis as it significantly widens their ability to do that in accordance with the data protection laws in force in the EU.

Eduardo Ustaran is the head of the Data Protection and E-privacy Unit at Berwin Leighton Paisner, an international law firm based in London. He can be reached at +44 20 7760 1000 or at

eduardo.ustaran@blplaw.com.

Comments

If you want to comment on this post, you need to login.

Related Stories
Navigating Thailand's Digital Platform Services Law
In today's digital age, digital platforms have gained immense popularity and are expected to continue their growth across various industries. End users appreciate the convenience these platforms offer for searching, purchasing and comparing products, and accessing user reviews, as well as the flexib...
Read More queue Save This
Related Stories
Recent Comments