The Data Protection Directive prohibits the transfer of personal
information to countries outside the European Economic Area (EEA)
unless there is adequate data protection in place. Some non-EEA
countries are recognised as having adequate data protection,
including Switzerland, Canada, Argentina, the Isle of Man and
Guernsey, making transfers to these countries lawful.
For transfers elsewhere, adequacy must be ensured by other
means. These include the consent of the data subject and the use
of model contractual clauses approved by the European Commission.
Another, less popular means of compliance is the use of binding
corporate rules (BCRs).
A multinational company can adopt BCRs, effectively a binding
code of corporate conduct, if it wants to transfer personal data
outside of the EEA but within its group of companies. Each company
must devise its own BCRs and have them approved by the data
protection authority of every EU country in which they will be
used.
BCRs proved unpopular, so in 2005 the Article 29 Working
Party, an independent European advisory body on data protection
that comprises data protection officials from EU member states,
published a model checklist describing the required contents of an
application for BCR approval.
Still they failed to win support. Today, the UK Information
Commissioner's website lists just two companies with approved BCRs:
General Electric and Philips.
William Malcolm, a data protection law specialist with Pinsent
Masons, the law firm behind OUT-LAW.COM, said the main barrier to
BCRs has been bureaucracy.
"It's an unpopular way to comply with the Data Protection Act,"
he said. "The reality is that most companies will use other means
to justify transfers because it just takes far too long to get the
BCRs in place."
But Malcolm said that BCRs could have advantages over the model
clauses.
"If you need to transfer data from one country to one or two
others, the model clauses are usually the right way forward. But if
you have to transfer data among, say, 50 or 100 countries, and if
you're doing that for different purposes, the use of model clauses
becomes cumbersome," he said. "That's when the BCRs become more
attractive for global companies."
The Article 29 Working Party has now developed what it describes
as a toolkit to encourage the adoption of BCRs. The new set of
documents aims to help companies formulate their BCRs. One of those
is a framework document which outlines how BCRs should be
structured and what should be in them. Another is a table which
acts as a checklist for what the rules should contain.
"The checklist gathers all elements and conditions required ...
and explains the principles one by one," said a Working Party
statement. "The checklist defines what must be found in BCRs, and
what must be presented to [data protection authorities] in the BCR
application. The framework is designed to give an idea to companies
of the structure of BCRs."
The Working Party warned, though, that companies must not simply
copy the framework document and pretend that it is a full
policy.
"[Data protection authorities] will not accept a pure copy and
paste of this framework," said the framework document. "This
framework for BCRs is not a model BCR; it is just a suggestion of
the content and how the rules might be structured in a single
document which can be made binding on the group of companies. BCRs
should be customized to take account of the structure of the group
of companies that they apply to, the processing they undertake and
the policies and procedures that they have in place to protect
personal data."
The Article 29 Working Party said that it had produced the
documents to help companies to understand and implement the
protections for transferred data.
"While working on BCR applications, European Data Protection
Authorities found out that international companies interested in
BCRs do not have an exact understanding of the structure of BCRs
expected by them, and that companies are concerned by the length of
the approval process of BCRs," it said. "Moreover, most Data
Protection Authorities face a lack of staff dedicated to BCRs."
BCRs are designed as an alternative to two existing schemes.
Safe Harbor is a scheme under which US organisations self-certify
their compliance with a set of privacy principles so that they can
receive personal data from EU-based organisations. Model contract
clauses can also be used by EU-based organisations as a way of
ensuring that transfers comply with privacy law.
Malcolm gave the toolkit a cautious welcome.
"My concern is that the main barrier to date has not been the
writing of the BCRs themselves - it's the approval process. So it
remains to be seen whether these tools will increase take-up," he
said.