Archive for the ‘Binding Corporate Rules’ Category

« Older Entries

BCR for processors get EU regulators’ vital endorsement

avatar Posted on May 1st, 2013 by Eduardo Ustaran

The fact that with everything that is going on in the world of data protection right now, the Article 29 Working Party has devoted a thorough 19 page explanatory document to clarifying and endorsing the role of BCR for Processors or “Binding Safe Processor Rules” is very telling. It is nearly 10 years since BCR was conceived and whilst the approval process is not precisely a walk in the park, much has been achieved in terms of its status, simplification and even international recognition. However, the idea of applying the same approach to an international group of vendors or to cloud service providers is still quite novel.

The prospect of the forthcoming EU data protection framework specifically recognising both flavours of BCR is obviously encouraging but right now, the support provided by the Working Party is invaluable. The benefits of BSPR are well documented – easier contractual arrangements for customers and suppliers, one stop shop in terms of data transfers compliance for cloud customers, no need for cumbersome model clauses… It sounds like a much needed panacea to overcome the tough EU restrictions on international data transfers affecting global outsourcing and data processing operations. But as in the early days of the traditional BCR, potential suitors need to know that the idea is workable and regulators will value the efforts made to achieve safe processor status.

Those who were already familiar with the previous opinions by the Working Party on BSPR – in particular WP195 – will not find the content of the new opinion particularly surprising. However, there are very useful and reassuring pointers in there, as highlighted by the following key statements and clarifications:

*    The outsourcing industry has been constant in its request for a new legal instrument that would allow for a global approach to data protection in the outsourcing business and officially recognise internal rules organisations may have implemented.

*    That kind of legal instrument would provide an efficient way to frame massive transfers made by a processor to subprocessors which part of the same organisation acting on behalf and under the instructions of a controller.

*    BCR for processors should be understood as adequate safeguards provided by the processor to the controller allowing the latter to comply with applicable EU data protection law.

*    However, BCR for processors do not aim to shift controllers’ duties to processors.

*    A processor’s organisation that have implemented BCR for processors will not need to sign contracts to frame transfers with each of the sub-processors part of its organisation as BCR for processors adduce safeguards to data transferred and processed on behalf and under the instructions of a controller.

*    BCR for processors already “approved” at EU level will be referred by the controller as the appropriate safeguards proposed for the international transfers.

*    Updates to the BCR for processors or to the list of the members of the BCR are possible without having to re-apply before the data protection authorities.

So in summary, and despite the detailed requirements that must be met, the overall approach of the Working Party is very “can do” and pragmatic. To finish things off in a collaborative manner, the Working Party points out at the end of the document that further input from interested circles and experts on the basis of the experience obtained will be welcomed. Keep it up!

 

Posted in Article 29 Working Party, Binding Corporate Rules, Binding Safe Processor Rules

What will happen to Safe Harbor?

avatar Posted on April 27th, 2013 by Eduardo Ustaran

As data protection-related political dramas go, the debate about the suitability and future viability of Safe Harbor is right at the top. The truth is that even when the concept was first floated by the US Department of Commerce as a self-regulatory mechanism to enable personal data transfers between the EU and the USA, and avert the threat of a trade war, it was clear that the idea would prove controversial. The fact that an agreement was finally reached between the US Government and the European Commission after several years of negotiations did not settle the matter, and European data protection authorities have traditionally been more or less publicly critical of the arrangement. The level of discomfort with Safe Harbor as an adequate mechanism in accordance with European standards was made patently obvious in the Article 29 Working Party Opinion on cloud computing of 2012, which argued that sole self-certification with Safe Harbor would not be sufficient to protect personal data in a cloud environment.

The Department of Commerce has now issued its own clarifications in response to the concerns raised by the Working Party Opinion. Understandably, the Department of Commerce makes a fierce defence of Safe Harbor as an officially recognised mechanism, which was approved by the European Commission and cannot be dismissed by the EU regulators. That is and will always be correct. Whilst the clarifications do not go into the detail of the Working Party Opinion, they certainly confirm that as far as data transfers are concerned, a Safe Harbor certification provides a public guarantee of adequate protection under the scrutiny of the Federal Trade Commission.

Such robust remarks will be music to the ears of those US cloud computing service providers that have chosen to rely on Safe Harbor to show their European compliance credentials. But the debate is far from over. The European regulators are unlikely to change their mind any time soon and if their enforcement powers increase and allow them to go after cloud service providers directly (rather than their customers) as intended by the draft Data Protection Regulation, they will be keen to put those powers into practice. In addition, we are at least a year away from the new EU data protection legal framework being agreed but some of the stakeholders are using the opportunity of a new law to reopen the validity of Safe Harbor adding to the sense of uncertainty about its future.

If I were to make a prediction about what will happen to Safe Harbor, I would say that the chances of Safe Harbor disappearing altogether are nil. However, it is very likely that the European Commission will be forced to reopen the discussions about the content of the Safe Harbor Principles in an attempt to bring them closer to the requirements of the new EU framework and indeed Binding Corporate Rules. That may actually be a good outcome for everyone because it will help the US Government assert its position that Safe Harbor matches the desired privacy standards – particularly if some tweaks are eventually introduced to incorporate new elements of the EU framework – and it may address for once and for all the perennial concerns of the EU regulators.

 

Posted in Article 29 Working Party, Binding Corporate Rules, Cloud computing, Legislative reform

BCR – addressing post-approval challenges

avatar Posted on April 23rd, 2013 by Brian Davidson

Everybody who has been paying attention to what is happening to the evolving European data protection framework knows that BCR will become the default mechanism to deal with international data transfers within global corporate groups. However one of the regulatory considerations that BCR applicants may not be aware of is the requirement to complete the various administrative formalities in all relevant EU Member States in order to confirm that data transfers can take place under the BCR. These formalities vary from one member state to another and derive from the fact that in some jurisdictions, the DPAs still have to provide a permit for transfers based on the safeguards provided for in the BCR.

The European Commission has recognised the challenges for applicants that are attempting to comply with these requirements in different member states by publishing a helpful ‘table of national administrative requirements’, however in practice the information provided for each member state can be insufficient for the purposes of making an application, either because it does not provide the full legal, administrative and practical requirements for making an application in a particular jurisdiction (for example does the documentation have to be submitted via postal mail or will electronic copies via email suffice?) or unfortunately does not contain any information at all (at the time of writing the table did not contain any applicable requirements for Cyprus, Finland, Latvia, Lithuania, Romania and Slovenia).

Our work with clients in this area has highlighted the broad range of requirements between member states. For example in Ireland, Norway and the UK, a simple email seeking a request for approval of the BCR and attaching a copy of the BCR authorisation granted by the ‘lead’ DPA in the initial cooperation/mutual recognition procedure as a courtesy will normally suffice. However, in Italy for example, the requirements are more comprehensive. This requires a Letter of Application in Italian and signed by an individual who can legally represent the applicable local Italian applicant entities. In addition, ‘sworn translations’ of all documents comprising the applicant BCR are required (‘sworn translations’ are a requirement under Italian administrative law and refer to translations executed by either an Italian law firm or from a translator approved by an Italian tribunal) to be sent via postal mail to the Italian Data Protection Authority, together with a fee of €1,000 for each applicant Italian entity (for an equivalent application in Poland the fees tend to be much lower; covering the small cost of stamp duty and submitting an applicable Power of Attorney).

The mutual recognition procedure, created in 2009 and to which 21 of the 27 EU Member States have signed up (to date), is designed to facilitate a speedier approval process of an applicant’s BCR. To recap, once the ‘lead’ DPA has approved the BCR, it then appoints two additional DPAs to further review and comment on the application to verify that it meets the requisite standard. It is then circulated to the remaining signatory DPAs in order to automatically approve the BCR, without further comment.

Although the mutual recognition procedure is designed to further streamline the overall BCR approval process, our recent experience with clients indicates that it can present challenges when dealing with DPAs – as the latter have to ensure that a BCR is in compliance with their own national interpretation of the EU Data Protection Directive before providing their approval – something which DPAs feel they may not have been able to achieve during the initial mutual-recognition process. As a result, DPAs may seek further information from applicants at the ‘post administrative’ permit stage – in spite of the mutual recognition procedure already having been brought to a close.

In spite of such challenges for both DPAs and applicants alike, we have found that any such issues can be overcome. Having a valid set of BCR approved by a lead DPA is a strong factor in being able to answer applicable questions from other DPAs; and because they will already be familiar with the BCR during the initial approval process, issues can be quickly settled.

Despite BCR being a big feature of the proposed General Data Protection Regulation, the approval process is set to become tougher under the proposed ‘consistency mechanism’ (see our earlier blog for an explanation why) therefore data controllers thinking of implementing BCR should do so now, and not later. Despite current post-approval challenges, the process for achieving BCR today is more streamlined than it’s ever been and BCR authorised now will remain in effect once the new Regulation becomes law.

Tags:
Posted in 95 directive, Binding Corporate Rules

How to solve BCR conflicts with local law

avatar Posted on March 13th, 2013 by Phil Lee

A frequently asked question by many clients considering BCR is “How can we apply BCR on a global basis?  What if non-EU laws conflict with our BCR requirements?”  Normally, this question is raised during an early-stage stakeholder review – typically, by local in-house counsel or a country manager who points out, quite reasonably, that BCR are designed to meet EU data protection standards, not their own local laws.

It’s a very good, and perfectly valid, question to ask – but one that can very quickly be laid to rest.  BCR are a voluntary set of self-regulatory standards that can readily be designed to flex to non-EU local law requirements.  Global businesses necessarily have to comply with the myriad of different laws applicable to them, and the BCR policy can address this need in the following way:

(*)  where local law standards are lower than those in the BCR, then the BCR policy should specify that its standards will apply.  In this way, the local controller not only achieves, but exceeds, local law requirements and continues to meet its commitments under its BCR; and

(*)  where local law standards are higher than those in the BCR, then the BCR policy should specify that the local law standards will apply.  In this way, the local controller achieves local law compliance and exceeds its commitments under the BCR.

In both cases, the controller manages to fulfill its responsibilities under both applicable local law and the BCR, so a head on collision between the two almost never arises.  But for those very exceptional circumstances where mandatory local laws do prohibit the controller from complying with the BCR, then the group’s EU headquarters or privacy function is simply required to take a “responsible decision” on what action to take and consult with EU data protection authorities if in doubt.

The net result?  Carefully designed BCR provide a globally consistent data management framework that set an expected baseline level of compliance throughout the organization – exceeded only if and when required by local law.

Posted in Accountability, Applicable law, Binding Corporate Rules, Binding Safe Processor Rules

Do BCR now, not later.

avatar Posted on February 23rd, 2013 by Phil Lee

BCR are a big feature of the Commission’s proposed General Data Protection Regulation.  Previously a regulatory invention (the Article 29 Working Party first established a structure for BCR back in its 2003 paper WP74), the Commission has sought to put BCR on a solid legal footing by expressly recognising them as a solution for data exports under Articles 39 and 40 of the proposed Regulation.  The intent being that, by doing so, all EU Member States will uniformly have to recognise and permit global data transfers using BCR, solving the issue presented today where the national legal or regulatory regimes of one or two Member States inhibit their adoption. 

As if further poof were needed of the Commission’s support for BCR, Commissioner Viviane Reding has even gone so far as to say: “Indeed, I encourage companies of all size to start working on their own binding corporate rules!  Binding corporate rules are an open instrument: They are open to international interoperability. They are open to your innovations. They are open to improve data protection on a global scale, to foster citizens’ trust in the digital economy and unleash the full potential of our Single Market. And more: they are open to go beyond the geographical borders of Europe.

High praise indeed, and certainly Ms. Reding’s description of BCR matches with our own experience helping clients design and implement them.  Clients who implement BCR substantially simplify their global data movemments and embed a culture of respect for privacy that enhances compliance and drives down risk.

What the Regulation will really mean for BCR adoption

But here’s the thing: far from supporting BCR adoption, the Regulation will make authorisation of BCR harder to achieve, and this flies in the face of the Commission’s very express support for BCR.  

Historically, the main barrier to BCR adoption has been the bureacracy, effort and cost entailed in doing so – early BCR adopters tell war stories about their BCR approval process taking years and having to address conflicting requirements of multiple data protection authorities all over Europe.  This burdensome process arose out of a requirement that the BCR applicant needed to have its BCR individually authorised by every data protection authority from whose territory it exported data.

Thankfully, this is an area where huge strides forward have been achieved in recent years, through the implementation of the so-called “mutual recognition” procedure that allows BCR applicants to submit their BCR to a single lead authority;  once the lead authority approves the applicant’s BCR, it then becomes binding across all mutual recognition territories (currently 21 of the 27 EU Member States).  No more trekking around Europe visiting data protection authorities individually then.

Mutual recognition has really lifted BCR out of the dark ages into an age of BCR enlightenment, and has been vital to the upswing in BCR applications all over Europe.  Now, though, the proposed Regulation – despite its intended support for BCR – threatens to actually inhibit their adoption, pushing controllers back to using “check box” solutions like model clauses that provide little in the way of real protection.

Why?  Because under the draft Regulation, any authority wishing to approve BCR must first refer the matter to the European Data Protection Board under the Regulation’s proposed “consistency mechanism” (designed to ensure consistency of decision making by authorities across Europe).  The European Data Protection Board can be thought of as the “Article 29 Working Party Plus”, and comprises the head of each data protection authority across Europe and the Data Protection Supervisor.  In effect, the consistency mechanism necessitates that an applicant’s BCR must once again be tabled before every data protection authority before authoristion can be granted – a step backwards, not forwards.  As the ICO noted in its initial analysis of the Regulation: “It is not entirely clear what would happen if, for example, the UK supervisory authority were to approve a set of binding corporate rules but, once informed of the approval, the EDPB takes issue with it.

To make things worse, it’s not clear how the consistency mechanism will sit with the mutual recognition procedure we have today.  Maybe it will supersede the mutual recognition procedure.  Maybe it will apply in addition.  Or maybe some kind of hybrid process will evolve.  We just don’t know and uncertainty is never a good thing. 

The time for BCR is now

What this means is that while BCR will remain the only realistic solution for multinationals exporting data on a global basis, the process for achieving them once the Regulation comes into effect will become much tougher.  Add to this that the fact that, as a whole, the Regulation will impose stricter data protection standards than exist under the Directive, and BCR applications will attract an even greater level of scrutiny once the Regulation comes into effect than they do today.

So given that there is strong regulatory support for BCR, but that the Regulation will create barriers to adoption, what strategy should multinational conrtollers adopt? 

The answer is simple: do BCR now, not later. 

The process for achieving today BCR is more streamlined than it’s ever been and BCR authorised now will remain in effect once the new Regulation becomes law.   When you look at it like that, why not do BCR now?

Posted in Accountability, Binding Corporate Rules, Legislative reform, Model clauses

European Parliament’s take on the Regulation: Stricter, thicker and tougher

avatar Posted on January 9th, 2013 by Eduardo Ustaran

 

If anyone thought that the European Commission’s draft Data Protection Regulation was prescriptive and ambitious, then prepare yourselves for the European Parliament’s approach. The much awaited draft report by the LIBE Committee with its revised proposal (as prepared by its rapporteur Jan-Philipp Albrecht) has now been made available and what was already a very complex piece of draft legislation has become by far the strictest, most wide ranging and potentially most difficult to navigate data protection law ever to be proposed.

This is by no means the end of the legislative process, but here are some of the highlights of the European Parliament’s proposal currently on the table:

*     The territorial scope of application to non EU-based controllers has been expanded, in order to catch those collecting data of EU residents with the aim of (a) offering goods or services (even if they are free) or (b) monitoring those individuals (not just their behaviour).

*     The concept of ‘personal data’ has also been expanded to cover information relating to someone who can be singled out (not just identified).

*     The Parliament has chosen to give an even bigger role to ‘consent’ (which must still be explicit), since this is regarded as the best way for individuals to control the uses made of their data. In turn, relying on the so-called ‘legitimate interests’ ground to process personal data has become much more onerous, as controllers must then inform individuals about such specific processing and the reasons why those legitimate interests override the interests or fundamental rights and freedoms of the individual.

*     Individuals’ rights have been massively strengthened across the board. For example, the right of access has been expanded by adding to it a ‘right to data portability’ and the controversial ‘right to be forgotten’ potentially goes even further than originally drafted, whilst profiling activities are severely restricted.

*     All of the so-called ‘accountability’ measures imposed on data controllers are either maintained or reinforced. For example, the obligation to appoint a data protection officer will kick in when personal data relating to 500 or more individuals is processed per year, and new principles such as data protection by design and by default are now set to apply to data processors as well.

*     The ‘one stop shop’ concept that made a single authority competent in respect of a controller operating across Member States has been considerably diluted, as the lead authority is now restricted to just acting as a single contact point.

*     Many of the areas that had been left for the Commission to deal with via ‘delegated acts’ are now either specifically covered by the Regulation itself (hence becoming more detailed and prescriptive) or left for the proposed European Data Protection Board to specify, therefore indirectly giving a legislative power to the national data protection authorities.

*     An area of surprising dogmatism is international data transfers, where the Parliament has added further conditions to the criteria for adequacy findings, placed a time limit of 2 years to previously granted adequacy decisions or authorisations for specific transfers (it’s not clear what happens afterwards – is Safe Harbor at risk?), reinforced slightly the criteria for BCR authorisations, and limited transfers to non-EU public authorities and courts.

*     Finally, with regard to monetary fines, whilst the Parliament gives data protection authorities more discretion to impose sanctions, more instances of possible breaches have been added to the most severe categories of fines.

All in all, the LIBE Committee’s draft proposal represents a significant toughening of the Commission’s draft (which was already significantly tougher than the existing data protection directive). Once it is agreed by the Parliament, heated negotiations with the Council of the EU and other stakeholders (including the Commission itself) will then follow and we have just over a year to get the balance right. Much work no doubt awaits.

 

Posted in 95 directive, Accountability, Applicable law, Binding Corporate Rules, Consent, Financial penalties, Legislative reform, Privacy by design, Profiling, Right to be forgotten, Sanctions

Article 29 Working Party pushes for Binding Safe Processor Rules

avatar Posted on December 9th, 2012 by Eduardo Ustaran

 

The Article 29 Working Party has taken another crucial step towards the full recognition of BCR for processors or ‘Binding Safe Processor Rules’. Following the unqualified backing by the European Commission in the proposal for a Data Protection Regulation early in 2012 and the publication of the criteria for approval by the Working Party itself last summer, an agreement has now been reached by the European data protection authorities on the application and approval process.

The official announcement of a mutual recognition and cooperation procedure-type approach will take place in January 2013 and shortly after, the Working Party will issue the appropriate application form. This is the strongest indication to date that applications for BCR for processors will be dealt with in the same way as the traditional BCR, opening the door for hybrid BCRs for those organisations with global data protection programmes that apply to their dual role as controllers (in respect of their own data) and processors (in respect of their clients’ data, as in the case of cloud service providers).

 

Posted in Article 29 Working Party, Binding Corporate Rules, Binding Safe Processor Rules, Cloud computing

Privacy in the global village

avatar Posted on September 4th, 2012 by Eduardo Ustaran

There is nothing like the Olympic Games to remind us of the diversity of our global village – from the young fully-clothed Saudi athlete to the veteran Japanese rider, including of course the African marathon runner who ran for the world.  Yet among that diversity, all of those athletes have something in common: passion for sport and desire to succeed.  In the ever changing world of privacy and data protection, global diversity is proven every day by fascinating developments taking place in every corner of the planet.  At the same time, a common pattern can be seen in many of those developments: their attempt to strike the right balance between the exploitation and the protection of the most valuable asset of our time.  So whilst Brussels wakes up from its legislative recess, it is worthwhile having a look at what has been happening in other parts of the world and spot trends and priorities in the regulation of personal information.

The most veteran jurisdiction in this area of law in Asia, Hong Kong, has just had a revamp of its 15 year old Personal Data (Privacy) Ordinance.  Interestingly, the changes represent a considerable toughening of the existing regime, covering things like additional requirements in relation to direct marketing, supervisory duties in respect of data processors and enhanced enforcement powers for the privacy commissioner.  So whilst the regulator will not be able to award compensation to aggrieved individuals as originally requested by the Office of the Privacy Commissioner, new financial penalties as well as the potential for up to five years imprisonment signal a stricter approach to the use of personal information.

Further north, in South Korea, the Personal Information Protection Act has only been in force for a few months but is already being branded as the toughest in Asia.  With requirements that mirror some of the most demanding provisions of the proposed EU data protection regulation – like mandatory privacy officers, detailed security measures and data breach notification – Korea’s new law is not one to be taken lightly.  The local regulator is unlikely to be a quiet one and there are reports about a CNIL-like investigation into Google’s changes to its privacy policy, which if anything, will raise the authority’s standing among its peers.

The rest of Asia is not standing still either as countries like Malaysia, Singapore and the Philippines are also making progress in this area.  Malaysia’s Personal Data Protection Act has just come into force, so it is a bit early to say how far reaching it will be in practice but its pedigree looks rather European.  Singapore’s approach is slightly more modest and the legislative process is less advanced, but the draft bill is not without complexity.  As for the Philippines, after some delay, the new Data Privacy Act has now been formally signed by the country’s president and will be fully in force in about a year’s time.  The Philippines’ law is in line with the European approach to privacy as a fundamental right, but much less prescriptive when it comes to regulating international data transfers.

This particular issue is one that concerns global organisations seeking to adopt a coherent and consistent methodology for compliance in respect of data flows.  The European approach to international data transfers is intimidating to say the least, so it is understandable that those organisations that are investing in programmes like Binding Corporate Rules want to take advantage of that solution on a truly global scale.  Otherwise, it would be hugely frustrating to devise and implement a data protection framework that worked for Europe but didn’t quite cut it in a growing number of jurisdictions.

Fortunately, here is where the accountability model championed under the APEC Cross-Border Privacy Rules throughout Asia and other countries around the Pacific Ocean does the trick, as it gives organisations the opportunity to decide how best protect the personal information they collect and use around the world.  That way, whether one is trying to meet the expectations of data protection regulators in Europe, Asia or indeed America in respect of international data flows, it is not only possible but advisable, to devise a system like BCR that regards data protection as a global response to a business need and not as a box-ticking exercise.

 
This article was first published in Data Protection Law & Policy in August 2012.

Posted in Accountability, Binding Corporate Rules, Binding Safe Processor Rules, Breach Disclosure, Direct marketing, Financial penalties, Privacy professionals, Sanctions

Binding Safe Processor Rules are Go

avatar Posted on July 7th, 2012 by Eduardo Ustaran

It was exactly four years ago when the term Binding Safe Processor Rules was coined. Nobody had heard about this concept before and the idea of allowing a humble data processor to take responsibility for adopting and implementing its own set of rules based on European privacy standards from which its clients could benefit to legitimise any international processing of personal data seemed ill conceived. Regulators and data protection lawyers were sceptical about the prospect of a service provider taking such a primary compliance role. However, the idea was not ill conceived and fortunately for the future of data protection, that scepticism has turned into pragmatism as the Article 29 Working Party has proved.

For those involved in international data protection, the publication by the Article 29 Working Party of a document with the elements to be found in a set of BCR for processors or Binding Safe Processor Rules (BSPR) will not have come as a complete surprise. For starters, it is patently obvious that many of those who play the role of data processors make key operational decisions about the way in which personal data is handled at a global scale. That justifies from both a public policy and a practical compliance point of view giving those processors a bigger part in relation to compliance with data protection obligations. It is precisely for that reason that the European Commission envisaged the possibility of BSPR in the draft Data Protection Regulation currently being debated in Brussels. So it was only a matter of time before the EU data protection authorities got their act together to rally behind a concept that is set to revolutionise international data protection.

The document issued by the Working Party had been in the making for quite some time and a fair amount of thinking has gone into the process of replicating the complex BCR requirements in a data processor context. The regulators knew that for BSPR to work, the requirements had to be realistic in terms of compliance responsibilities and, above all, suited to the those who do not normally have a direct relationship with the individuals whose data they process. Part of the early criticism about BSPR was due to the fact that in traditional terms, data controllers should always be responsible for complying with the law and for ensuring that the information for which they are primarily accountable is adequately protected. Therefore, the process of crafting a viable set of criteria for BSPR has involved detailed legal work and considerable imagination.

The result is a near perfect balance between what is possible and what is desirable. A key point of reference to determine whether a framework such as BSPR is ever going to fly is the potential liability of the safe processor. Aim for a zero liability approach and no controller in the land will trust you with their data. Impose an unqualified direct level of responsibility and only the bravest (or foolish) service providers will swallow it. The Working Party has gone for a tried and tested level of liability, the same one that appears in the model clauses for international data transfers approved by the European Commission. The effect is that processors will be no worse off under BSPR than under the model clauses.

An equally important measure to determine the viability of BSPR is the scope of the substantive data protection safeguards that apply to safe processors. BSPR was never going to be just about ensuring an appropriate level of security. BSPR, like BCR, are about adopting a holistic approach to responsible personal data processing and the regulators’ expectations reflect that. But the good news is that, unlike in the case of Safe Harbor, each of the privacy principles at the core of BSPR have been thought out with the processor role in mind. So safe processors will be expected to do things like being cooperative with controllers, comply with their instructions and help them honour individuals’ rights. Clearly, achieving practical data protection is very much the aim.

As the first applications for BSPR status start rolling, we will see how the data protection authorities live up to their own criteria. The work is by no means over but what four years ago was a dream, tomorrow will be the way to go for responsible global data services providers.

This article was first published in Data Protection Law & Policy in June 2012.

Posted in Article 29 Working Party, Binding Corporate Rules, Binding Safe Processor Rules

Deconstructing the privacy macaron

avatar Posted on December 7th, 2011 by Eduardo Ustaran

Compact.  Self-contained.  Multi-layered.  Hard to penetrate and rich inside with a mix of flavours and tones.  Judging by the commentary surrounding the forthcoming EU data protection framework circulating in the corridors of the IAPP European Data Protection Congress that took place in Paris at the end of November, we could have been describing a typical Parisian macaron instead of a new law.  But if the indications of what we are about to see in the regulation being proposed by the European Commission are true, complying with the future European privacy regime is going to require fine confectionery skills.

So what are the likely ingredients of this extremely elaborate piece of legislation and how will they blend together?

*   A Regulation – It is widely accepted that a regulation, rather than another directive, will be the best recipe for a harmonised regime that delivers a consistent level of protection across the EU.

*   Two-fold objective – Like the original directive, the new regulation will most certainly have a dual aim: protecting personal data and facilitating the intra-EU movement of that data.

*   Applicability based on establishment and targeting of European residents – The novelty being that the use of equipment in the EU will be replaced by data processing directed at those individuals who live in the EU.

*   Privacy principles – Transparency, finality, proportionality and data quality – they are all likely to be there but for added flavour, expect some new ones like data minimisation and accountability.

*   Consent – Individual’s consent will remain a cornerstone of European data protection law but the standard for valid consent will be higher than ever before, with a greater emphasis on the individual’s freedom of choice.

*   Big rights – Some rather radical changes are likely to come in the shape of new or strengthened individuals’ rights.  Top of the list will be the much publicised right to be forgotten followed closely by data portability rights.  No doubt the Commission will want to give people as much control as possible over their data, particularly in relation to profiling activities.

*   Controller’s responsibilities – As a flipside of the increased rights of individuals, controllers are bound to face very specific responsibilities ranging from the adoption of policies and principles such as privacy by design and privacy by default to the training of staff and the appointment of data protection officers.

*   Data breach notification – As is already the case for providers of communications services, an obligation to notify security breaches to data protection authorities (and in some cases to the individuals affected) will now apply to all controllers.

*   International data transfers – Greater flexibility is expected on this issue alongside an express recognition for binding corporate rules, which will be available to both controllers and processors.  An area of concern however is the potential conflict between data requests by non-EU authorities and the limitations on data disclosures, which will probably require the involvement of data protection authorities in determining how to resolve such conflict.

*   Role of data protection authorities – The main novelty on this front is bound to be in relation to their geographical competence.  In all likelihood, the data protection authority of the Member State where the main establishment of a data processing organisation is based will be responsible for supervising that organisation across the whole of the EU.  We can also assume that greater international coordination mechanisms will be in place.

*   Enforcement powers – The promise by the Commission of stronger enforcement powers for the data protection authorities is bound to bring harmonised and succulent monetary fines, which can only be more substantial than what most Member States have at the moment.

All in all, it is beyond doubt that the Commission has been working very hard to craft a framework that fits the regulatory requirements of today’s and tomorrow’s data protection.  Whether the result will suit everyone’s taste is a different matter.

This article was first published in Data Protection Law & Policy in November 2011.

Posted in 95 directive, Accountability, Applicable law, Binding Corporate Rules, Binding Safe Processor Rules, Breach Disclosure, Data minimisation, Financial penalties, Privacy by design, Profiling

« Older Entries