
Out-Law News

Regulatory approval of data transfers to apply EU-wide, Commissioner says


Plans to enable global businesses to obtain easier EU-wide approval for the way they transfer personal data have been announced by the EU's Justice Commissioner.

Viviane Reding said that companies should be able to agree legally-binding corporate rules (BCRs) with any national data protection authority within the EU and for those rules to be "recognised" by the other data protection authorities across the trading bloc. She said BCRs would be assessed on the basis of compliance with EU data protection laws and that national data protection authorities would be given consistent powers to hand out "administrative sanctions" for breaches of those laws.

The measures will be included as part of formal proposals to revise the EU's Data Protection Directive in January, she said.

"In my reform proposal, binding corporate rules will be based on one single law, the European law," Reding said in a speech to privacy professionals on Tuesday.

"I intend to propose a consistent and streamlined approval process with a single point of contact for companies amongst the data protection authorities. And, once the binding corporate rules are approved by one data protection authority, I want them to be recognised by all European data protection authorities. And there should be no need for additional national authorisation in case of further transfers," Reding said.

Current EU data protection laws prevent companies sending personal data outside of the European Economic Area (EEA) except in circumstances where the destination country has been pre-approved as having adequate data protection. Only a handful of countries, including Argentina, Canada and Switzerland, have qualified as having adequate protection. The EEA includes all 27 EU member states, Iceland, Norway and Liechtenstein.

When companies want to send personal data to other non-EEA countries, that data transfer must be governed by adequate protection, even when the transfer is from one part of a company to another part of the same firm. One way in which that is possible is by using BCRs. This involves a company submitting its data protection processes to a data protection watchdog and having them approved for use. Currently BCRs must be approved by an authority in each EU member state before they are considered effective there. Most companies prefer to legalise overseas transfers for limited defined transfers by using model contractual clauses. These pre-written clauses are supplied by the European Commission.

"The situation under the current Directive means that your one set of rules must be checked by multiple authorities with different – and at times maybe contradictory – practices in place," Reding said in her speech.

"I see this legal fragmentation as a costly administrative burden. It wastes time and money. It is detrimental to the credibility and efficiency of data protection authorities and data protection tools," she said.

Under the revised plans, approved BCRs "will apply to all internal and extra-EU transfers of any entity in a group of companies," Reding said. She said it would enable businesses to use consistent data protection practices without the need for setting out differing policies in contracts.

Companies will be able to draw up BCRs that also cover the activities of data processors authorised by them, which will mean that "all kinds of business models including any kind of cloud computing can be covered by them," Reding said.

EU-wide approval for BCRs would also enable individuals to "exercise their rights" over their data, "wherever their data is processed", she said.

"Binding corporate rules will ensure that fundamental right to data protection is respected by business. Data protection authorities in our member states, companies and citizens can use these rules to enforce proper personal data protection. Therefore, with the reform, binding corporate rules will be recognised throughout the European Union. They should be seen worldwide as an exemplary tool for better data protection," Reding said.

The Justice Commissioner said that under the reforms BCRs could be drafted by companies of any size and any business model.

"Binding corporate rules will no longer be a tool 'for experts only'. They should be compatible with small innovative companies' endeavours to operate on a global scale; companies should be able to transfer their data freely and safely – anywhere and in conformity with the law. Companies of any size will be able to set up binding corporate rules. And the rules will cover all types of business models: from a paper-based filing system to an intricate internal organisation or the most complex cloud computing system. These improvements will make life easier for businesses and help improve their reputations," Reding said.

Kathryn Wynn, data protection law specialist at Pinsent Masons, the law firm behind Out-Law.com, said the proposed reforms would be welcomed by businesses.

"It is a good thing that the Commission is looking to simplify the process for implementing binding corporate rules," Wynn said.

"The cost and complexity of this process has put a lot of organisations off from using BCRs and instead use model contract clauses, which are generally much easier and cheaper to put in place. The benefit of BCRs over model contract clauses is that they provide businesses with the freedom to carry out international transfers of data without having to provide for it in numerous contracts," she said.

"However, one downside to the proposals may be that businesses start 'regulator shopping' whereby they seek approval for their BCRs from authorities they consider to be more lenient than others across the EU," Wynn said.
