To make it simpler for businesses to comply with the multiplicity of data protection regimes across Europe, Viviane Reding envisages letting European Union companies set their own privacy rules — as long as they agree with one national data protection authority (DPA) to make them legally binding on all business units within the same group, wherever they may be.
Reding, vice president of the European Commission, hopes to make it much simpler to negotiate such binding corporate rules (BCRs) under new data protection regulations she plans to present early next year, she said Tuesday at a conference in Paris organized by the International Association of Privacy Professionals.
Such BCRs are not provided for in the current E.U. data protection directive, which dates back to 1995. However, companies including Bristol-Myers Squibb and General Electric (GE) have already negotiated them on a piecemeal basis over the last decade for many of the countries where they operate, working with individual DPAs or through mutual recognition agreements that cover 19 of the 27 E.U. member states.
Based on European data protection standards, the BCRs Reding would like to introduce are codes of practice ensuring “adequate safeguards” for data transfers between parts of the same corporate group, she said. Adopted voluntarily by businesses, they will become legally binding wherever the company operates once approved by a data protection authority in just one of the 27 E.U. countries.
BCRs developed as a way for European businesses to transfer data outside the E.U., perhaps into a cloud service where the precise location of data cannot be ascertained, and are compatible with any corporate culture, whether decentralized such as a hotel chain or centralized such as a bank, Reding said.
She wants to improve on them by making them simpler to create, more consistent in their enforcement and more accommodating of innovation.
Such changes are necessary because our world is no longer defined by physical borders, she said. “Data races from Barcelona to Bangalore. It is processed in Dublin, stored in California and accessed in Milan. The transfer of data to third countries has become an important part of daily life, and this affects businesses and citizens.”
BCRs today need approval from a DPA in each E.U. country where a group is active, so one set of rules must satisfy multiple authorities with different, perhaps contradictory, practices or legislation. “That wastes time and money,” said Reding.
Instead, she wants to see BCRs based on one law, defined in a new European regulation.
This change in legislative instrument, from the existing directive to a new regulation, is key to Reding’s plan, said Wojciech Rafal Wiewiórowski, Poland’s inspector general for the protection of personal data.
In legal disputes, parties can only refer to the directive if they are suing the state: in all other cases, it is the national law transposing the directive that governs disputes, Wiewiórowski said. “But if the legal basis is set in a regulation, it is binding not just for DPAs and state authorities but also for every entity in the market,” he said in a later panel session on the topic of BCRs. “That means companies can sue each other according to the BCRs.”
Reding plans to have the new BCRs ratified by a single DPA, but Wiewiórowski wondered whether E.U. countries are ready to hand over such powers to a single authority. “Probably not,” was his verdict.
He raised other problems with compliance monitoring.
“Who will say whether a company is fulfilling its responsibilities under a BCR?” he asked. “Let’s assume it’s the DPAs: that works in Europe, but that’s not really the problem. The problem is those companies moving data outside Europe.”
In the U.S., we can count on the support of the Federal Trade Commission, and Mexico too has a strong data protection authority, he said. “But what about Laos? Who will check what is going on in a data center in Laos?”
Despite these reservations, other panelists have already implemented BCRs, and urged audience members to move ahead with their own without waiting for Reding to introduce the new regulation.
When Bristol-Myers Squibb negotiated its BCR with the French National Commission on Computing and Liberty (CNIL) the approval process took over eight months, said Caroline Cavaillier, the company’s E.U. data protection officer. DPAs in Germany and Spain also vetted the first draft, she said. The BCR has simplified data transfers for the company, she said.
At GE, work on the first BCR started in 2001, with the company getting approvals in Germany in July 2003 and in France in October 2005, said Christian Pardieu, the company’s E.U. data protection officer. With the help of the U.K. Information Commissioner’s Office, it subsequently negotiated 10 others with the countries with which the ICO had mutual recognition agreements.
“But that’s still only 12 out of 27 countries,” Pardieu said. “We have so many entities in so many countries that signing data transfer clauses and seeking legal certainty is a nightmare,” he said.
For him, a single BCR recognized in all 27 E.U. countries can’t come too soon — although there’s no reason to wait for the new regulation, he said: “Start right now, don’t wait for new regulations. It’s costly, but you build trust with the customer and with employees. That’s the meaning of these privacy principles.”
Peter Sayer covers open source software, European intellectual property legislation and general technology breaking news for IDG News Service. Send comments and news tips to Peter at peter_sayer@idg.com.