Out-Law News | 16 Jul 2008 | 11:57 am | 3 min. read
The Data Protection Directive prohibits the transfer of personal information to countries outside the European Economic Area (EEA) unless there is adequate data protection in place. Some non-EEA countries are recognised as having adequate data protection, including Switzerland, Canada, Argentina, the Isle of Man and Guernsey, making transfers to these countries lawful.
For transfers elsewhere, adequacy must be ensured by other means. These include the consent of the data subject and the use of Commission-authored model contractual clauses. Another, less popular means of compliance is the use of binding corporate rules (BCRs).
A multinational company can adopt BCRs, effectively a binding code of corporate conduct, if it wants to transfer personal data outside of the EEA but within its group of companies. Each company must devise its own BCRs and have them approved by the data protection authority of every EU country in which they will be used.
The BCRs proved unpopular, so in 2005 the Article 29 Working Party, an independent European advisory body on data protection that comprises data protection officials from EU member states, published a model checklist describing the required contents of an application for BCR approval.
Still they failed to win support. Today, the UK Information Commissioner's website lists just two companies with approved BCRs: General Electric and Philips.
William Malcolm, a data protection law specialist with Pinsent Masons, the law firm behind OUT-LAW.COM, said the main barrier to BCRs has been bureaucracy.
"It's an unpopular way to comply with the Data Protection Act," he said. "The reality is that most companies will use other means to justify transfers because it just takes far too long to get the BCRs in place."
But Malcolm said that BCRs could have advantages over the model clauses.
"If you need to transfer data from one country to one or two others, the model clauses are usually the right way forward. But if you have to transfer data among, say, 50 or 100 countries, and if you're doing that for different purposes, the use of model clauses becomes cumbersome," he said. "That's when the BCRs become more attractive for global companies."
The Article 29 Working Party has now developed what it describes as a toolkit to encourage the adoption of BCRs. The new set of documents aims to help companies formulate their BCRs. One of those is a framework document which outlines how BCRs should be structured and what should be in them. Another is a table which acts as a checklist for what the rules should contain.
"The checklist gathers all elements and conditions required ... and explains the principles one by one," said a Working Party statement. "The checklist defines what must be found in BCRs, and what must be presented to [data protection authorities] in the BCR application. The framework is designed to give an idea to companies of the structure of BCRs."
The Working Party warned, though, that companies must not simply copy the framework document and pretend that it is a full policy.
"[Data protection authorities] will not accept a pure copy and paste of this framework," said the framework document. "This framework for BCRs is not a model BCR; it is just a suggestion of the content and how the rules might be structured in a single document which can be made binding on the group of companies. BCRs should be customized to take account of the structure of the group of companies that they apply to, the processing they undertake and the policies and procedures that they have in place to protect personal data."
The Article 29 Working Party said that it had produced the documents to help companies to understand and implement the protections for transferred data.
"While working on BCRs applications, European Data Protection Authorities found out that international companies interested in BCRs do not have an exact understanding of the structure of BCRs expected by them, and that companies are concerned by the length of the approval process of BCRs," it said. "Moreover, most Data Protection Authorities face a lack of staff dedicated to BCRs."
BCRs are designed as an alternative to two existing schemes. Safe Harbor is a scheme which pre-approves US organisations as ones which can accept data from EU based organisations. Model contract clauses can also be used by EU based organisations as a way of ensuring compliance with privacy law.
Malcolm gave the toolkit a cautious welcome.
"My concern is that the main barrier to date has not been the writing of the BCRs themselves; it's the approval process. So it remains to be seen whether these tools will increase take-up," he said.