New checklist issued for complying with rules on personal data transfers from EU and within APEC area

Out-Law News | 11 Mar 2014 | 12:23 pm

An EU privacy watchdog has issued new guidance (62-page / 657KB PDF) to help businesses meet their data protection obligations when transferring personal data outside of the EU, as well as across the Asia-Pacific Economic Cooperation (APEC) area.

The Article 29 Working Party, a committee made up of representatives from each national data protection authority within the EU, has published the results of joint work undertaken by its own experts and those from APEC countries. APEC is a group of 21 countries that includes Australia, China, Japan, Singapore and the US. The Working Party and APEC members announced last year that they were seeking to develop new "tools" to make it easier for businesses to transfer personal data overseas.

The new document contains an "informal pragmatic checklist" that businesses can refer to where they are seeking to obtain regulatory approval for binding corporate rules (BCRs) within the EU and also the certification of their compliance with APEC's cross-border privacy rules (CBPR).

"This referential lists in a single document the main elements generally required by national data protection authorities (DPAs) in the EU on the one hand, and by the relevant bodies in APEC economies on the other hand, in privacy policies submitted for authorisation as a BCR by the national DPAs in the EU in accordance with data protection laws applicable in EU member states, and/or as a CBPR in accordance with rules applicable in APEC economies," the Working Party's document said.

"[The checklist] facilitates the design and adoption of personal data protection policies compliant with each of the systems. This referential does not aim at achieving mutual recognition of both systems. However, it could serve as a basis for double certification," it added.

Hong Kong-based data protection law expert Paul Haswell of Pinsent Masons, the law firm behind Out-Law.com, said that the guidelines would be useful for companies that operate across the globe.

"The majority of multinationals have processes in systems in place that require or involve the transmission of personal data across jurisdictions covering the EU and Asia Pacific," Haswell said. "A common theme is how to facilitate such transmission without breach of local data protection legislation, which generally involves limiting transfer or else imposing the highest level of protection, which is usually derived from EU law, across all transfers."

"Whilst these recommendations do not seek to harmonise data protection rules across the EU and Asia, this would perhaps be too much to ask for and difficult to achieve at this stage. This is, if not a giant leap, then at least a step in the right direction," he added.

EU data protection laws place restrictions on the transfer of personal data by organisations to locations outside of the European Economic Area (EEA). The European Commission has identified a number of countries to which it is legitimate to transfer such data. For data transfers to any other country, however, organisations must ensure there is adequate protection for that data.

To assist organisations in obtaining adequate protection around data transfers, a number of legal mechanisms have been put in place by the EU, amongst which is a system for developing BCRs. Businesses that use BCRs agree legally-binding commitments with regulators over the transfer and processing of personal data outside of the EEA, enabling them to transfer data between offices located within the EU and in third countries, for example.

Similarly, APEC countries operate a voluntary certification system that is aimed at ensuring data protection standards are consistent when personal data is transferred from one of the member economies to another.

Under the CBPR scheme, businesses submit their plans for governing data transfers to 'accountability agents'. Those agents are responsible for assessing and ultimately certifying whether businesses meet the standards set out in the CBPRs. Those rules contain base requirements that relate to how personal data is collected and used and how secure the information is, among other things.

French data protection watchdog the Commission Nationale de l'Informatique et des Libertés (CNIL) said the new guidance issued by the Working Party was a "practical tool for multinational organisations".

"The WP29 analysed the CBPR system in order to identify their similarities and differences with the BCR system," CNIL said. "On the basis of such comparison, the WP29 and APEC member economies developed a referential on the personal data protection and privacy requirements of BCR and CBPR. This practical tool is aimed at helping multi-national organisations that operate both in Europe and the Asia-Pacific and identifies in a single document the elements both required in the BCR and CBPR systems."