DEROGATIONS AND BINDING CORPORATE RULES

As mentioned earlier, Article 26 of the Data Protection Directive contains derogations from the prohibition within Article 25 against the transfer of personal data from the EEA to a non-adequate country. The full list of derogations is contained in Article 26.1. They are:

  1. the data subject has given his consent unambiguously to the proposed transfer; or

  2. the transfer is necessary for the performance of a contract between the data subject and the data controller or the implementation of precontractual measures taken in response to the data subject's request; or

  3. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and a third party; or

  4. the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or

  5. the transfer is necessary in order to protect the vital interests of the data subject; or

  6. the transfer is made from a register that according to laws or regulations is intended to provide information to the public and is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, provided that the conditions laid down in law for consultation of the register are fulfilled in the particular case.


In addition to the list of derogations in Article 25.1., Article 26.2. contains a very important power for Member States to authorize transfers to non-adequate countries. Article 26.2. says:

a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.


The National Supervisory Authorities (NSAs) established pursuant to Article 28 of the Data Protection Directive, coordinated by the Article 29 Working Party, have taken advantage of the powers within Article 26.2. to develop a scheme for multinational groups of companies under which they can obtain fast-track approvals for a self-regulatory scheme allowing inter-group transfers of personal data that involve transfers to non-adequate countries. This scheme is called Binding Corporate Rules.

Binding Corporate Rules

On 3 June 2003 the Article 29 Working Party adopted Working Document 74, entitled ‘Applying Article 26(2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfer’.143 Binding Corporate Rules (BCR) provide multinational groups of companies with a solution to the problem of how to overcome the prohibition against the transfer of personal data to non-adequate countries outside the EEA. This solution provides an alternative to the multi-contract approach (discussed below in the section ‘Derogations and contractual clauses’).

BCR have been introduced to address the very real problems faced by the multinational group of companies whose need to process personal data across jurisdictions is a fundamental part of their legitimate activities. Moreover, the law recognizes that such transfers are a necessary ingredient of successful economic functioning and are vital to the health of the global economy as well as for social enrichment. BCR approach this issue in a very pragmatic fashion, effectively allowing a new kind of self-regulation approved under the cooperation procedure described in Article 26.3. of the Directive, which says:

The Member State shall inform the Commission and the other Member States of the authorizations it grants pursuant to paragraph 2.

If a Member State or the Commission objects on justified grounds involving the protection of the privacy and fundamental rights and freedoms of individuals, the Commission shall take appropriate measures in accordance with the procedure laid down in Article 31(2).

Member States shall take the necessary measures to comply with the Commission's decision.


Multinational groups of companies are invited by the Working Party, whose members include all the NSAs, to present a case of special interest that essentially provides a fast-track route to pan-European compliance, but before describing the detail and mechanics of BCR it is necessary to understand the disadvantages that BCR are intended to resolve.

The multinational group is required to identify a mechanism that will guarantee the lawfulness of transfers from all of the Member States in which it is established to all of the third countries in which it is established. Prior to the European Commission’s approval of BCR the main mechanism was multiple, inter-group contracts supported, if applicable, by reliance upon any relevant European Commission decisions on white list countries and safe harbor. This approach can sometimes be cumbersome, slow, confusing and inelegant, however.

BCR provide an alternative solution, with the added attraction of a fast-track route to officially approved self-regulation. In return for involving the NSAs through a negotiation and approval process, the multinational group gains the seal of approval of the NSAs, is spared the burdens and disadvantages of the current approach and takes charge of the complaints about its behaviour that the NSAs receive. There are many powerful advantages in self-regulation and the NSAs are committed to making the scheme work, so it is expected that BCR will increase in number as the benefits become more widely appreciated. The NSAs are pleased to participate because it boosts their profile and increases their influence, for example through increased powers of audit.

Applying for BCR approval

In April 2005 the Article 29 Working Party issued a working document144 on the procedure to be followed for getting NSA approval for a BCR scheme.

  1. The applicant group of companies identifies the ‘lead authority’ for the cooperation procedure, with priority being given to the place of the group's European headquarters. The NSAs may accept, decline or assert jurisdiction and they reserve for themselves the right to decide the question of jurisdiction between themselves, but ultimately they are supervised by the courts.

  2. The group submits an application to the lead NSA, the contents of which are prescribed in an official checklist. The submission of the application then triggers a process of discussion and negotiation between the lead NSA and the applicant group, which concludes with the creation of a ‘consolidated draft’.

  3. The lead NSA distributes the consolidated draft to all concerned NSAs for their comments, which should be provided within one month.

  4. If comments are received, the lead NSA incorporates these into the consolidated draft, which then triggers a second process of discussion and negotiation with the applicant. If at the end of this second process of discussion and negotiation the lead NSA is of the view that the applicant is able to satisfactorily address the comments of the other NSAs it will invite the applicant to submit a ‘final draft’.

  5. The lead NSA submits the final draft to the other concerned NSAs inviting them to confirm that they are satisfied with the adequacy safeguards described. If the concerned NSAs confirm that they are satisfied, this constitutes an agreement between them and the applicant to provide the necessary permits or authorizations at national level for transfer of personal data from their jurisdiction to companies within the applicant group established in non-adequate countries. The NSAs’ confirmation does not, however, absolve the companies within the group from their obligations to notify in accordance with the national laws of the Member States in which they are established.

The BCR checklist

On 14 April 2005 the Article 29 Working Party adopted Working Document 108,145 which contains a checklist for prospective applicants for BCR approval. The checklist describes the documentation that must be submitted to the lead NSA and the issues that the documentation needs to address. According to this, the applicant must:

  • provide evidence that its BCR are legally binding within the group and externally for the benefit of individuals;

  • explain how compliance with its BCR will be verified;

  • describe its processing operations and the flows of information;

  • describe its data protection safeguards, which must address transparency, the processing purpose, data quality, security, the right of access and the right to object and the restrictions placed on onward transfers out of the group;

  • explain its mechanism for reporting and recording changes.

The BCR documentation

The documentation identified by the checklist falls into three categories:

  • Contact information and choice of lead authority: This is a standalone document that identifies the responsible person within the group to whom the lead NSA may address any queries. Full contact information for this person is required. In addition, this document must explain the applicant’s choice of lead NSA. This explanation must contain all relevant information, including information about the group’s corporate structure, its processing activities within the EEA, the location of its decision making (implying the location of managers and personnel with the power to determine the nature of the processing operations), the places within the EEA from where transfers to third countries take place and the identity of the third countries to which personal data are transferred.

  • Background paper: This document summarizes how the applicant will comply with all of the requirements of BCR. To confirm, these requirements are those identified in the section immediately above (e.g. the BCR must be legally binding, there must be a verification mechanism and the data protection safeguards must be met).

  • BCR documents: These documents form the BCR. They will include group policies, codes, notices, procedures and contracts.

The legally binding nature of BCR

A scheme of self-regulation will only work if it is legally binding, that is, if it can be enforced by the beneficiary against the regulated entity. If the scheme is not legally binding, the scheme will not be able to satisfy the test of adequacy within Article 25 of the Data Protection Directive. There are two elements to this. First, the scheme must be binding within the group. Second, the scheme must be binding for the benefit of external individuals.

The checklist does not extend to providing a ‘to do’ list which, when completed, will leave the applicant with a legally binding scheme. Instead, it explains that there are a number of routes to a legally binding scheme, which depend upon the structure and size of the group. Also, it cautions that the national laws and any applicable regulatory requirements of each place of establishment must be considered.

The checklist poses four questions for the applicant, which must be answered within the background paper. These questions are:

  • How are the rules binding between the component parts of the organisation?

  • How are the rules binding on employees?

  • How are the rules made binding on subcontractors handling the data?

  • How are the rules binding externally for the benefit of individuals?


In respect of the first question, the checklist makes four suggestions for making BCR binding within the component parts of the organization. The first suggestion is that binding corporate or contractual rules can be implemented that the responsible person can enforce against other members of the group. Second, the parent company in the group can make unilateral declarations or undertakings that are binding on others in the group. Third, the group can incorporate regulatory measures into its legal framework. Fourth, the group can incorporate its BCR within its general business principles, supported by appropriate policies, audits and sanctions. Of course, these suggestions must be checked against the national laws in place in each Member State of establishment.

In respect of the second question, how the BCR are binding on employees, the checklist suggests that this might be achieved ‘by way of specific obligations contained in a contract of employment and by linking observance of the rules with disciplinary procedures’. The checklist also highlights the requirement for ‘adequate training programmes and senior staff commitment’. The sanctions for breach of the BCR by employees must also be explained.

In respect of the third question, how the BCR are binding on subcontractors, the checklist identifies the only solution: contracts between the group and its subcontractors. These contracts will be submitted as part of the BCR documents.

The fourth question, how the BCR are binding externally for the benefit of individuals, requires the applicant to address the following matters:

  • The BCR must be enforceable by the NSAs and in the courts.

  • The individual must have the choice of commencing claims in the jurisdiction of the group member at the origin of the data transfer, or in the jurisdiction of the group’s EU headquarters, if different.

  • The practical steps that the data subject needs to take to obtain a remedy must be defined.

  • The group’s complaint handling procedure must be defined as must the practical steps that the data subject needs to take to use it.

  • The group must have sufficient assets within the EU or have made sufficient arrangements to enable payment of compensation for any breaches of its BCR.

  • The burden of proof in respect of any breaches of the BCR will rest with the member of the group at the origin of the transfer or the European headquarters, if different.

  • The data subject’s rights under the Data Protection Directive must be acknowledged.

  • The applicant must cooperate with the NSAs with regard to any decisions made by them or advice given.

Verifying compliance with BCR

It is fundamental to the approval process that the applicant provides an explanation as to how its compliance with its BCR will be verified. This requires an audit programme and an audit plan, with the audits being performed by external or internal auditors, or a combination of both. The audit plan must make provision for auditing by the NSAs if they so require. The NSAs’ auditing power is of major significance, as currently the Information Commissioner, the NSA for the UK, does not have standalone powers of audit.

The processing and information flows covered by BCR

The applicant must provide a detailed explanation of the processing and information flows covered by the BCR. This is very important because BCR can be limited to particular categories of data and particular categories of information flow; the applicant is not obliged to extend its BCR to all its processing operations or to all of its transborder flows of information. The purposes of all processing and all information flows covered by the BCR must be explained.

The data protection safeguards within BCR

The data protection safeguards essentially require the applicant to explain how it will comply with the key aspects of data protection laws. These key aspects are the transparency safeguards, the general rules on lawfulness (including security), the right to object and onwards transfers. The checklist requires the applicant to ‘provide a summary of how this has been addressed in the binding corporate rules adopted by your organisation with supporting documentation e.g., relevant policies’.

Mechanisms for reporting and recording changes to BCR

The applicant needs to provide a description of how changes to its BCR will be communicated to all of the companies within the group. From time to time some of these changes will need to be reported to the concerned NSAs, but the checklist envisages that the lead NSA will provide the applicant with advice on this matter.
