On January 10, 2007 the Article 29 Data Protection Working Party announced the adoption of a new Model Application for the submission of a company’s Binding Corporate Rules to any European Union Data Protection Authority (DPA). The EU’s approval of the Model Application is a long-awaited and welcome addition that helps make Binding Corporate Rules (BCRs) a truly viable alternative to the two other currently approved methods of international data transfer, safe harbor and model contractual clauses.
The EU Data Protection Directive forbids any personal data (for an employer, this includes any identifiable information relating to its employees) from being sent out of Europe unless the transmission goes to some “third country” with data protection laws that the European Commission considers to “adequately” safeguard Europeans’ personal data.
That sets the bar amazingly high: To date, the EU Commission has formally designated only Argentina, Canada, Guernsey, Isle of Man and Switzerland as “third countries” offering this “adequate level of protection.” Thus, the EU and its member states have developed three methods to transfer data to countries such as the United States, which (according to the EU) do not offer an adequate level of protection. Those three methods are (1) safe harbor; (2) model contractual clauses; and (3) Binding Corporate Rules.
BCRs are corporate codes of conduct that legally bind each entity of a conglomerate to company-specific, EU-compliant data handling systems. Under BCRs, a multinational builds its own in-house structure sheltering the data processing of its partners and subsidiaries. Once approved, BCRs empower the multinational to transfer personal data on EU data subjects freely within the company. In order to get BCRs approved, a company must first apply to a “lead” Data Protection Authority, such as the United Kingdom’s Information Commissioner’s Office. Once the lead DPA approves the BCRs, they are then forwarded on to the other member states’ DPAs for approval.
So far, BCRs are an intriguing but still largely untested tool. Numerous commentators have excitedly written about their potential as data protection compliance tools—but to date, no company has actually had its BCRs approved by all the DPAs. General Electric was the first company to have its BCRs approved by a DPA, the UK’s ICO. Some other companies, such as Daimler-Chrysler, Philips, and Shell, have had some early success, but none have yet achieved full approval.
There are three main problems with BCRs. First, actually designing (much less adhering to) a company-wide system of data compliance can be quite complicated. Second, applying to a lead data protection authority is cumbersome and can be confusing. Third, after lead approval, all the other DPAs also have to give their approval, so the process can be time-consuming.
The EU’s approval of a model BCR application has great implications for simplifying the lead application approval process and removing the second obstacle, above.
The Model Application was developed by the International Chamber of Commerce. The ICC is no stranger to making data protection compliance easier—the ICC actually drafted the new “business friendly” model contracts that were approved by the Working Party in late 2004 and became effective in April 2005.
The Standard Application contains eight sections, and is designed to include all the information that a DPA would require in order to make an approval decision on the company’s BCRs. The Standard Application is based upon previous Article 29 Working Party documents concerning BCRs, including what could be called its rudimentary ancestor, the Working Party’s BCR application “checklist.”
Now, instead of having to guess whether a company’s BCR application is in keeping with what is wanted by a DPA, employers can simply download the Model Application. The Working Party’s approval of the Model Application can only be taken as a signal that it is serious about making BCRs a true data protection compliance alternative. Now all that is left is to streamline the rest of the process—the approval of the Model Application is definitely a step in the right direction.