Client Alert

Land in Sight: The Latest Developments Concerning Data Transfers from the E.U.

2/7/2005

The application of European data protection law presents particular challenges in the context of cross-border transactions. The E.U. [fn1] data protection authorities are finally making some progress towards pan-European rules for data processing and a more streamlined approach to data protection.

The Past

While establishing a free zone for data sharing within the European Union, the European data protection regime imposes strict conditions for the transfer of personal data outside the E.U. The basic rule under the Data Protection Directive 95/46/EC[fn2] ("Directive") is that all transfers outside the European Union are prohibited, unless the destination country provides for an "adequate level of data protection." The question of whether such adequate protection is provided is generally decided by the European Commission or national authorities. Very few adequacy decisions have occurred, however, since the regime was put in place in 1995. So far, only the laws of Argentina, Canada, Guernsey, Hungary, the Isle of Man, Switzerland, the U.S. Safe Harbor Principles, and the Air Passenger Name Record regime of the United States' Bureau of Customs and Border Protection have been recognised as "adequate".

Alternatively, the data exporter may ensure that "adequate safeguards" are in place when the data are to be transferred. For this, traditionally, contracts have been established between the entity exporting the data and the importing entity.

Contracts tailored to the parties' needs (ad hoc contracts) must generally be approved by all the data protection authorities in all the countries from which data are transferred. Alternatively, the parties may follow the model contract clauses adopted by the European Commission.

The model contract clauses were intended to streamline the process, as the approval of the different authorities is not required. There are substantive drawbacks, however, to the model contract clauses. Besides entailing burdensome compliance requirements, the model contract clauses impose joint and several liability on both the exporting entity and the importing entity and provide individuals to whom the data relate with a direct cause of action. Further, an entity importing E.U. data may only provide the data to third parties if those third parties either are subject to an adequacy finding or execute model contract clauses, or if consent is obtained from each and every individual to whom the data relate. Only in environments where the data flow is stable and fairly limited would such limitations work. Also, any changes to the model would need to be approved by all the data protection authorities in all the countries from which data are transferred, just as they are for ad hoc contracts.

In addition, both ad hoc and model contracts can be very difficult to administer. Data flows do not follow neat or well-established paths, but move along multiple paths through a multitude of channels, through e-mail exchange, access to databases, and intranets. Global organisations have complex organisational structures that can change frequently. Unless regularly revised--at considerable expense--contracts will not be able to reflect the changes in usage of information in organisations, as required under the contract regime.

If neither an adequacy decision nor adequate safeguards are in place, the Directive provides for certain exceptions under which data may be transferred, but these are very narrow in scope and do not cover the broad range of uses for data.

To date no truly viable solution has existed for organisations operating globally that wished to comply with all the applicable data protection regimes when exchanging data.

The Present

To remedy the inadequacies of the current regime for data transfers, some European authorities, namely the data protection commissioners in Austria, France, Germany, Hungary, Ireland, the Netherlands, Poland, and the United Kingdom, have recently begun to work together to advance the usage of codes of conduct or, as the European data protection authorities prefer to call them, "binding corporate rules", to enable E.U. data transfers.

Binding corporate rules may allow companies to establish "adequate safeguards" without the administrative, legal, and organisational complexities of contracts. Corporate rules could cover all data processing activities of an organisation without the need to constantly reflect specific processes via the execution of contracts. Also, the rules may be tailored to the specific needs of each organisation, taking account of the organisational structure, corporate culture, internal procedures, legal and commercial requirements, and other particular challenges and sensitivities. For this reason, the rules are evoking a fair amount of interest, especially from multi-nationals. To establish binding corporate rules as a viable alternative, several obstacles still remain.

Currently, there is no streamlined mechanism for obtaining regulatory approval of organisation-wide binding corporate rules, with the result that an organisation wishing to use binding corporate rules across the European Union presently needs to seek separate approval of the rules from the data protection authority in each Member State from which data are transferred to any location outside the European Union. All these authorities can request changes to the binding corporate rules, thereby reducing the likelihood that a single set of rules can be implemented. Further, many Member States have adopted differing views on binding rules. To achieve widespread practical usage, E.U. data protection authorities will need to harmonise their individual approaches to binding corporate rules. Some of the issues they need to address include:

  • "one-stop shopping" for authorisation of the rules;
  • commonly agreed acceptance criteria and structure of the rules; and
  • the uniform binding nature of the rules.

The Article 29 Working Party, an assembly of representatives of all 25 privacy regulators in the European Union, produced a working paper in June 2003 [fn3] which imposed very restrictive standards on binding corporate rules requiring compliance with the strictest E.U. national regimes.

These discussions between data protection authorities recently culminated in a hearing in The Hague on November 24, 2004, under the auspices of the new head of the Article 29 Working Party, Peter Schaar. The hearing focused on greater co-operation between the Member State authorities. A draft paper produced by seven authorities was distributed for discussion purposes. The draft paper proposes a co-operative mechanism that would alleviate the need for organisations to seek approval from every data protection authority from which data are exported. Rather, an organisation seeking to establish pan-European corporate rules would select and contact a "lead authority" that would act for all the relevant data protection authorities. The organisation would present the draft corporate rules in English as well as the language of the lead authority, together with sufficiently detailed information on the organisation's structure, data flows, etc.

The lead authority would generally be the data protection regulator in the jurisdiction where the organisation is headquartered, or where the person with overall responsibility for the definition and implementation of the data processing is located, or the jurisdiction from which most data are transferred or from which most processes are controlled. This authority would work with the other regulators in other relevant Member States. The draft paper suggests that the consultation period with the other authorities would generally not exceed one month.

One Member State does not, however, have the ability to approve the rules without consultation with other Member States. Also, the mechanism, as proposed, is purely voluntary, and national authorities may refuse to co-operate either generally or even with respect to the approval of a particular set of rules.

The draft paper was the subject of further discussions between the members of the Article 29 Working Party at the non-public meeting of the Working Party in Brussels on the following days. Apparently, the Working Party was unable to agree on the final version, due to differences of opinion relating to the approach to be taken. According to the Dutch authority that hosted the Hague hearing, there is, however, "sufficient support" for co-operation on binding rules among those authorities that attended the hearing. Discussions on co-operation are to continue in early 2005.

The Article 29 Working Party members were, however, able to agree on a less controversial second draft paper, i.e., to set up a checklist of requirements for organisations to fulfil when seeking approval of binding corporate rules. It remains to be seen how these rules will be fleshed out, and it is hoped that they are less prescriptive and more reasonable than the requirements proposed in the Article 29 working paper produced in 2003.

The Future

Need for One-Stop Shop in Europe

The primary obstacle to using binding corporate rules remains that there is no streamlined procedure in the European Union for approving and recognising them. Instituting a co-operation procedure between national authorities as suggested by the authorities solves only part of the problem. It helps with the logistics of getting the rules approved across multiple E.U. jurisdictions. The different national authorities, however, each have the opportunity to assess the content of a particular set of rules when deciding whether the transfer to a third country is legitimate. Consequently, an organisation could end up with highly burdensome requirements that combine the strictest regimes of all 25 Member States.

If an organisation must comply with the strictest obligations in each Member State in which it operates, any "balancing" mechanisms within national legislation may be lost. For example, quite often different national regimes have a different focus, e.g., strict surveillance may be compensated for by less strict internal audit requirements, or broad statutory exemption under which data may be processed may be complemented by a very narrow interpretation of what constitutes valid consent. The end result of a consultation procedure may very well be a combination of the strictest regimes, which may deter organisations from adopting binding corporate rules.

Even though the Directive was intended to bring about "total harmonization" in the area, as confirmed by a recent European Court of Justice ruling [fn4], there are still significant divergences among the national data protection regimes of the 25 Member States. As the Commission itself notes, "stakeholders are right to demand more convergence in legislation and in the way it is applied by the Member States and the national supervisory authorities in particular". [fn5] The Commission also noted that divergences result from "incorrect implementation" of the Directive by certain Member States. The Commission has so far not taken legal action against these Member States in order to remedy this situation.

The end result, therefore, should be for each Member State to recognise and give full effect to a set of binding corporate rules approved by another Member State data protection authority (which could be the authority of the country in which the data controller has its "centre of activities"). For this, the Member State authorities would need to agree to recognise the regulatory authority of the country where a transaction takes place, as well as the country from which a product, a person, or a service originates. This, in turn, embodies the principle that if a service can be provided lawfully in one jurisdiction, it can be provided freely in any other participating jurisdiction, without having to comply with the regulations of the other jurisdictions. The European Court of Justice, responsible for upholding liberalisation commitments embodied in the Treaty establishing the European Community (EC Treaty), has recognised the concept of mutual recognition in several decisions. Alternatively, the European Commission itself could propose amendments to the current Article 26 of the Directive in order to introduce a one-stop-shopping mechanism that would allow one organisation to deal with only one Member State authority.

In this respect, it is important to bear in mind the common denominator of binding corporate rules, i.e., to ensure that the data are adequately protected. The goal is not to afford protection equivalent to every Member State's privacy regime. The Directive does not require that binding corporate rules provide more protection than that offered by other adequacy mechanisms established in the Directive; rather, it only requires that binding corporate rules provide adequate protection.

Reach Across Multiple Privacy Regimes

When establishing criteria for the "binding nature" of corporate rules, flexible solutions and varied enforcement methods that can bridge both regulatory and self-regulatory frameworks should be provided. In any event, requiring organisations to put in place contractual arrangements to make a unilateral undertaking legally enforceable, as suggested by the Article 29 Working Party June 2003 working paper, defeats one of the central purposes of binding corporate rules, which is to reduce the massive administrative burden associated with multiple contracts. There are methods of making a set of corporate rules "binding" other than through a unilateral promise or contract. Unfair trade practices laws as well as general rules on misrepresentation and misleading advertisement could provide sufficient legal guarantees such that corporate rules could be considered binding. Competitors, trade associations, and consumer associations may, for example, be able to seek remedies under unfair trade practices law. Binding corporate rules published on an organisation's website may be actionable under various statutes within and outside of the European Union.

Usage Across Organisations

Provided flexible enforcement mechanisms are adopted, there is no reason why binding corporate rules should be restricted to usage within one organisation only. Rather, provided unrelated entities adhere to binding corporate rules, transfers should be possible between them as well, and multi-national groups could frequently share data with third parties.

Key Conclusions

All in all, binding corporate rules could offer a new approach for regulators, enforcement authorities, individuals, and businesses, to promote a broader culture of privacy. However, approval and recognition of binding corporate rules so that an authorisation by one Member State's data protection authority is recognised as a valid basis for transfer by other Member States is crucial. Moreover, alternative methods for implementing binding corporate rules internationally must be explored further.

Despite these remaining issues, the authorities involved in the process and the European Commission must be applauded for their efforts, and the co-ordination mechanism is already one step in the right direction. There is overall agreement on the need for greater co-operation, and most authorities appear to view the concept of corporate rules more positively and now support the concept.


1: Any reference to the European Union (E.U.) should be understood as referring to the territory of the European Union--the Member States currently are: Austria; Belgium; Cyprus; the Czech Republic; Denmark; Estonia; Finland; France; Germany; Greece; Hungary; Ireland; Italy; Latvia; Lithuania; Luxembourg; Malta; the Netherlands; Poland; Portugal; Slovakia; Slovenia; Spain; Sweden; and the United Kingdom.

2: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, (1995) O.J. L 281.

3: Available at: http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2003/wp74_en.pdf

4: See Case C-101/01, criminal proceedings against Bodil Lindqvist, Judgment of the European Court of Justice, November 6, 2003.

5: EC Commission, First report on the implementation of the Data Protection Directive (95/46/EC), document COM(2003)265 final, Brussels, 15.5.2003.
