Transferring Personal Data from the E.U.: Are Binding Corporate Rules the Answer?

This article was first published in International Data Transfer, a Special Report by BNA International

The restrictions imposed by Article 25 of the Data Protection Directive (95/46/EC) on organisations transferring personal data out of the European Economic Area aren’t new. Indeed, few, if any, data protection issues have attracted as much attention as those presented by Article 25. Its provisions needn’t be set out again here; suffice to say, nearly ten years after its restrictions first appeared, transferring personal data out of the EEA is not a straightforward matter; far from it.

The organisations most affected by Article 25 are probably the multinationals. Today’s trend towards globalisation makes it increasingly common for multinationals to have processes, management-lines, and internal information systems – and so too data transfers – that cross country borders, both inside and outside the EEA. The impact of restrictions on such transfers can be acute, as potentially they represent powerful limitations on the deployment of internal technological solutions, restrictions on the cost savings that can result from consolidating standalone country IT systems and restrictions on pan-global (or "dotted") management lines. Most multinationals understand and appreciate the importance of safeguarding individuals’ personal data overseas, yet desire a simple but robust, effective but low-formality solution, something that enables lawful transfers of personal data but also fits the complexity of their corporate structures.

Methods for Transferring Personal Data Overseas

Until recently, a multinational seeking to transfer personal data around the world, broadly speaking, had three options available to it, namely, acquiring the fully-informed and freely‑given consent of everyone about whom it transferred personal data, implementing a network of contractual arrangements between its various country legal entities, or, in respect of transfers to the United States (only), entering the EU-US Safe Harbor. No one "solution" is perfect. (Please note that whilst there are other exceptions under the Directive that allow personal data to be transferred, these are generally considered to be too narrow in scope to meet the day-to-day needs of a typical multinational).

Individual Consent

With regard to a solution based on individual consent – the most popular solution according to some industry surveys – the drawbacks are significant. "Business-to-business" multinationals, for example, are likely to acquire personal data about thousands of individuals, such as business "contacts", and yet not deal with the individuals directly, so preventing their consent from being obtained or requiring it to be collected only "indirectly" via the individual’s colleagues or employer, which is unlikely to be effective. In relation to personal data a multinational processes about its employees, consent is also problematic. Depending on the nature and scope of the consent sought, some employees – perhaps many – may refuse their consent. The multinational must then either ignore their refusal of consent and transfer their data anyway, a risky strategy, or provide an alternative means of processing that does not involve transferring their data out of the EEA – expensive or perhaps impracticable. And even if all employees everywhere did miraculously consent, much has been made of the validity of consent from existing (as opposed to prospective) employees. It’s argued that an employee who is asked to consent to the transfer of his personnel record to, for example, the United States is unlikely to say no to his employer, even though experience has shown that some do. Is consent really "freely-given" in these circumstances? Also, to be valid, shouldn’t consent be capable of being withdrawn? A consent-based solution seems to be the one least favoured by Data Protection Regulators too, as unlike other solutions, it does not require data protection measures to be applied in the destination country, nor does it require continuing liability for the multinational in respect of the personal data transferred.

Model Contracts

A contractual solution also has its problems. A multinational may implement a contractual solution using its own terms and conduct a "Tour of Europe" to acquire (hopefully) the authorisation of each of the various EEA Data Protection Authorities. Alternatively, to avoid this exercise, it can adopt the European Commission Model Contracts, which first appeared in 2001. The original EU Controller-to-Controller Model Contracts did not prove popular with industry. The EU Controller-to-Processor Contract fared better, but much has been said about the contents of both – the onerous level of detail required in each, the "joint and several" liability between the data exporter and data importer under the Controller-to-Controller Contract, and the vagaries of certain key terms, such as "factually disappeared" under the Controller-to-Processor version. Many of the substantive problems associated with the 2001 version of the Controller-to-Controller Contract have been lessened by the approval of the "ICC Clauses", which finally saw the light of day in December 2004. In particular, the joint and several liability provisions have been replaced by a "due diligence" obligation on the data exporter, which business should prefer, particularly in an "arm’s length" transaction.

But the main difficulty arises not from the contents of the agreements but from the sheer numbers and complexity involved in implementing a comprehensive contractual solution in a multinational. Take, for example, a multinational with 200 companies worldwide, each in a different country, each sharing personal data with its counterparts, perhaps via a shared IT infrastructure. Contractual arrangements need to be put in place between each and every pair of companies. The administration involved soon becomes unwieldy – 19,900 contracts here. And whilst legal tricks can be used to minimise the number of actual bits of paper signed to create this "web" of contracts, the admin headache for a multinational implementing the web should not be underestimated. At some point in the future, the multinational is bound to acquire another company, requiring the whole web to be updated; more bits of paper, more headaches.

Safe Harbor

What of the EU-US Safe Harbor? Viewed in terms of formality alone, the EU-US Safe Harbor is perhaps the most attractive of the solutions available, although it is only available in respect of transfers of personal data to the United States. It also excludes certain important categories of personal data, such as that processed within the financial services sector. Moreover, many multinationals, particularly those with a US-based parent, have been put off joining for fear of increased scrutiny of their parent company by the US Federal Trade Commission. Also, being a politically "negotiated" document, many of the Safe Harbor Principles (and accompanying FAQs) include language that arose out of political compromise rather than a quest for legal certainty and clarity. Different interpretations are possible. Whilst the number of multinationals signed up to Safe Harbor continues to increase, progress is slow and steady. There’s no gold rush, largely for the reasons outlined.

All of these options fall short of providing a real and workable solution for a multinational struggling to do the right thing.

Binding Corporate Rules

So it was with the aim of overcoming many of these difficulties that the Article 29 Data Protection Working Party (the body set up under the Data Protection Directive, comprising representatives from each of the Member State Data Protection Authorities) adopted a paper on June 3, 2003, discussing another means of "adducing adequate safeguards" under Article 26(2), a means that has become known as "Binding Corporate Rules". Binding Corporate Rules refers to the sorts of internal codes of conduct, policies, directives and the like that multinationals use to govern themselves internally on matters such as handling confidential information, business ethics and other similarly important corporate affairs. Such policies, directives, codes and similar unilateral undertakings can be thought of as internal "law" within the multinational (occasionally, one even hears the word "lore" used). Can such documents deliver "adequate safeguards" under Article 26(2)? Yes, according to the Working Party Paper, subject to meeting certain stringent requirements.

Much of the content required of Binding Corporate Rules is as would be expected. The Working Party Paper reaffirms that the "usual" data protection principles need to be included, much as under EEA data protection legislation, the EU-US Safe Harbor and both sets of EU Controller-to-Controller Model Contracts. More detail and explanation is required to ensure compliance under Binding Corporate Rules though, particularly by parts of the multinational that operate in countries without a data protection law or culture. The principles should be tailor-made so that they practically and realistically fit with the processing activities that the multinational actually carries out.

Perhaps most importantly, the Binding Corporate Rules must be binding both "inside and out", referring to the requirement that the multinational must be bound both in practice (compliance) and in law (legal enforceability). They must deliver a real and ensured legal effect throughout the multinational.

Here, "binding in practice" or compliance means that all companies of the multinational, as well as their employees, feel compelled to comply with the Binding Corporate Rules; that is, they must respect this internal "law". The Working Party Paper does not stipulate how multinationals should guarantee compliance but states that the binding nature of the rules must be clear and good enough to be able to guarantee compliance with the rules outside the EEA. A multinational must be able to demonstrate, for example, that the rules are known, understood and effectively complied with wherever they apply by employees who have received appropriate training. Disciplinary measures should be in place for non-compliance. Executive-management must be involved to oversee and ensure compliance.

As with every other transborder dataflow solution (except consent, strictly speaking), auditing compliance has an important role to play. Binding Corporate Rules must provide for self-audit (i.e. internal audit) and/or external supervision by accredited auditors on a regular basis, with the results being directly reported at board level. The Data Protection Authorities may become involved in this aspect too, as part of a broader commitment by the multinational to co-operate with them.

The Working Party Paper also recognises that even with fully-enforceable legal rights, as described below, litigation can be disproportionately expensive and burdensome for an individual, particularly if it has to be conducted overseas. Multinationals are encouraged to incorporate other means of compliant handling, and the use of alternative dispute resolution mechanisms is promoted.

As well as being binding internally, Binding Corporate Rules must be binding "outside", that is, legally enforceable between the multinational and the outside world – the outside world being the EEA’s Data Protection Authorities and data subjects (the individuals about whom personal data is processed). A Data Protection Authority should be able to achieve legal enforceability of its rights and powers under the Binding Corporate Rules fairly simply, for example, via the process of granting an authorisation under Article 26(2) (and its national law equivalent). It will require an unambiguous undertaking that the multinational as a whole and each of the companies within it will abide by the "advice" of the Data Protection Authority. Some multinationals have expressed concern about the meaning of "advice" in this context. For example, the same language is used in connection with the EU-US Safe Harbor, where it may include a requirement to compensate individuals affected. The Working Party Paper also states that their "advice" may be made public.

For the data subject, legal enforceability will require them to become "third party beneficiaries" via some means, either through the legal effect of the Binding Corporate Rules themselves (where possible) or the Binding Corporate Rules in combination with other contractual arrangements within the multinational. Data subjects need to be able to enforce compliance both by lodging a complaint before the competent Data Protection Authority and/or by commencing legal proceedings before a competent court.

The remedies available to data subjects under Binding Corporate Rules should be broadly the same as under the EU Controller-to-Controller Model Contracts. Giving individuals such broad legal rights is regarded as undesirable by some multinationals. They argue that provided sufficiently high levels of internal compliance are achieved, together with a commitment to co-operate with the Data Protection Authorities, there should be no need for legal enforcement measures quite so far-reaching. But legal enforceability is clearly an area to which the Working Party attaches great importance, and there’s nothing new there (see, for example, the similar remarks it made about "appropriate redress" in its 1997 paper, "First Orientations on Transfers of Personal Data to Third Countries"). Giving data subjects the right to seek judicial remedies is justified in two ways in the Working Party Paper. Firstly, because even the firm commitment required from multinationals to co-operate with the Data Protection Authorities cannot guarantee 100 percent compliance, and the individuals concerned may not always agree with the views of the Data Protection Authority. Secondly, because the views of the Data Protection Authorities may vary from country to country and none of them are able to award damages as a remedy; only courts can do that. Given these remarks, it’s hard to see how Binding Corporate Rules that don’t provide individuals with judicial remedies could now be approved by an EEA Data Protection Authority. And here’s the rub. The laws of some EEA countries do not enable third party beneficiary rights or binding obligations to be created by unilateral undertakings alone. In other words, the legal theories required for Binding Corporate Rules acceptable to the Working Party may not apply EEA-wide, or perhaps may not even exist at all in some EEA countries. A patchwork of legal theories tailored to various country laws seems more likely, possibilities including theories based on unfair trade practices, the law of trusts, the law of misrepresentation and misleading advertisement, and employment and consumer protection laws. From a legal point of view, finding a sufficiently good means of "legally-bindingness" unilaterally in all EEA countries is probably the biggest obstacle to the widespread adoption of Binding Corporate Rules. Many multinationals are using hybrid BCR/contractual approaches, which, of course, isn’t going to free them of the admin headaches described above.

The Working Party Paper also deals with some of the "structural" issues unique to multinationals. It recognises them as mutating groups of entities whose members and practices change from time to time and acknowledges that updates to both the Binding Corporate Rules and the list of entities they apply to will need to be made over time. Updates are allowed under a Binding Corporate Rules solution (without the multinational having to reapply for a new authorisation) under the following conditions:

  • no transfer of personal data is made to a new group member until it is effectively bound by the rules and can deliver compliance;
  • a fully updated list of members is maintained by the multinational along with a record of any updates to the rules, which should be made available to individuals or Data Protection Authorities upon their request;
  • changes to the list of members and/or the rules are reported annually to the relevant Data Protection Authority, together with a brief explanation of the reason for the change.

For larger multinationals, even maintaining such a lengthy list may be problematic, although it should be easier than constantly updating an entire contractual solution.

The Working Party Paper recognises that even if EEA-based data subjects are provided with legally enforceable rights against, say, a multinational’s Venezuelan operating company, in practice, exercising such rights is likely to be prohibitively complicated and/or expensive. It recommends that the EU headquarters (if an EU-owned multinational) or an EU member of the multinational with delegated data protection responsibilities should accept responsibility for the acts of all other companies of the multinational outside the EEA. This would include, where appropriate, making a commitment to pay compensation for any damages resulting from the relevant violation anywhere outside the EEA. Intriguing, and not present in either the Model Contracts or the EU-US Safe Harbor, is the requirement that the burden of proof falls on the EU headquarters or delegate in such circumstances to establish that the individual’s loss was not a result of the acts of the multinational’s company overseas. In its initial request for an authorisation of the Binding Corporate Rules under Article 26(2), the multinational must include evidence that the EU headquarters (or its EU delegate, as the case may be) has sufficient assets within the EEA to cover payment of compensation for breaches of the Binding Corporate Rules, or that it has taken measures to ensure that it would be able to meet such claims, such as, for example, taking out appropriate insurance.

Recent Developments

The most recent development regarding BCRs is the Article 29 Working Party’s adoption on 14th April 2005 of two papers dealing with the procedural aspects of obtaining approvals for a BCRs approach from all of the Data Protection Authorities across the EEA.

The first paper, entitled "Working Document Establishing a Model Checklist Application for Approval of Binding Corporate Rules", describes the features of the BCRs approach that should be included in any application to a Data Protection Authority. It also lists the factors to be considered by a multinational when deciding which country’s Data Protection Authority to apply to. For multinationals whose ultimate parent or operational headquarters is located in a member state of the European Union, the "lead authority" should be the authority in that member state. Multinationals having their ultimate parent or operational headquarters outside the EU should apply various factors in determining who is the lead authority. Priority is given to the Data Protection Authority of the member state where the multinational’s European Headquarters is located.

In setting out the detail of the application the checklist requires certain specifics of the arrangements described above to be included. In particular, details of the "internal bindingness" of the BCRs need to be set out. Unfortunately, some of the thrust of the June 2003 Working Party Paper – that, internally, what matters is practical compliance rather than giving wholly-owned subsidiaries a legally-enforceable right to sue each other – appears to have been lost, or at least diluted. The checklist refers to unilateral declarations not being regarded as binding in some member states, which suggests that subsidiaries actually need to be legally bound, notwithstanding that wholly owned subsidiaries are hardly going to sue each other. (By contrast, creating third party beneficiary rights that are legally enforceable externally is a clear requirement of the original Working Party Paper). The problem is that while creating enforceable third party rights in favour of the outside world – Data Protection Authorities and data subjects – is relatively straightforward, even using unilateral declarations, imposing legally-binding (as opposed to practically-binding) obligations on group companies unilaterally is far more difficult. It is this that has led some multinationals to bolster their BCRs with a contractual framework. Back to those admin headaches…

The second, shorter Working Party Paper describes the cooperation procedure to be followed by Data Protection Authorities upon receiving a request for BCRs approval. The first part of the procedure, which may take up to a month, focuses on establishing that the Data Protection Authority to which the request for an authorisation was made is the most appropriate to handle it. Once that’s established, the applicant holds discussions with that lead authority, which result in a "consolidated draft", which is then circulated to all Data Protection Authorities in countries from which transfers may take place. Their comments are subsequently fed into a "final draft", which is resubmitted by the multinational, leading to confirmation from each of the Data Protection Authorities that they are satisfied as to the adequacy of the safeguards proposed. Simple. Well, hopefully.

The possibility of relying on Binding Corporate Rules, and avoiding many of the drawbacks of other approaches, has been met with excitement by data protection practitioners and warmly welcomed in principle by many multinationals. Several are already a long way down the road towards developing and implementing a BCRs solution. Concerns remain, however, that the approach may still be too formalistic and that many of the provisions required are too onerous or simply "too difficult", particularly in terms of using unilateral declarations to create enforceable legal rights and obligations internally. The early signs are promising, however. Many multinationals are adopting the approach. Some have already had local "approvals" and are in discussions with Data Protection Authorities across the EEA using the procedure described above. It is to be hoped that, finally, after so many years, a realistic and "multinational friendly" approach to Article 25 of the Data Protection Directive will be available before too much longer.

But BCRs are not for everyone

While the BCRs approach is achieving some popularity – fashionability! – amongst multinationals, it’s not an approach that lends itself to transfers of personal data amongst groups of entities whose affairs aren’t so closely aligned and hierarchical as those of the multinational. The Working Party Paper states that BCRs "are very unlikely to be a suitable tool for loose conglomerates of legal entities". The diversity between the members of such loose conglomerates and the broad scope of their processing activities would make it very difficult (if not impossible) to meet the requirements for BCRs that the Working Party Paper sets out. Examples of such loose conglomerates would include all manner of commercial and non-commercial arrangements: complex joint ventures; international trade associations; charitable organisations; any grouping of entities that share personal data.

Nor is a BCRs approach appropriate in connection with transfers of personal data in "arm’s length transactions", such as companies entering into joint marketing arrangements or a party outsourcing its IT operations or another business process that involves data processing. That the providers of outsourcing services are often based in low-cost countries, such as India or China, not regarded as "adequate", has been particularly newsworthy recently. Even in the United States, which, remember, only has a few sector-specific data protection laws itself, data protection concerns have been cited by politicians as reasons why data processing should not be "offshored" to India or China.

So when a BCRs approach isn’t a viable option for protecting personal data overseas what is?

Perhaps the first thing to consider is in what capacity the recipient is acting. In data protection terms, is the recipient a "Controller", a party that will exercise "control" over the data provided by determining the purposes and means for which it is processed, or a "Processor", a party that will only process the data it receives on behalf of, and in accordance with the instructions of, the party providing the data (the "original" Controller)? Of course, this issue arises whether or not the recipient is based in a country to which transfers of personal data are restricted by Article 25, and even when the recipient is in the same country as the Controller (or even the same building), but it can influence the parties’ choice of transborder dataflow solution when the proposed transfers are restricted by Article 25.

Take, for example, a joint marketing "partnership" where two parties, one based in the EEA, the other based in the US, collect consumers’ e-mail addresses and other personal data on their websites both to run their own marketing campaigns and to share the data with their "partner" so it can run its own marketing campaigns. As consumer consent is likely to be required anyway to allow use of the data for marketing and its sharing with a third party, wouldn’t also obtaining consent to the transfer of personal data to the US be the preferred solution, provided it is sufficiently unambiguous, fully-informed and freely-given? Although a joint marketing arrangement is likely to involve a contract between the two parties anyway, so consent wouldn’t avoid any contracting formalities, it would at least remove the need to incorporate the EU Model Clauses for Controller-to-Controller transfers, either the original "2001 Clauses" or the recent ICC Model Clauses, and the liability-sharing and due-diligence requirements (respectively) that using them would introduce. If consent isn’t possible, say, because an existing marketing list is being shared, then the ICC Model Clauses would probably be the way to go.

By way of contrast, consider the typical "offshoring" situation. In all but a minority of business process outsourcing situations, the service provider (the importer of the personal data) merely acts as a Processor. In order to provide the service provider with the personal data lawfully the Controller must ensure that it has a contract in writing with its Processor that satisfies the requirements of Article 17 of the Directive (as implemented by the various EEA Member States). And if an "Article 17" data protection contract needs to be implemented anyway, wouldn’t it make sense to use a contractual solution to enable the offshore transfers, such as the Model Clauses for Controller-to-Processor transfers?

Another twist that can influence how transborder dataflows are handled is where the exporter and importer are in the pharmaceutical sector, perhaps exchanging clinical trials data collected about patients. While ordinarily, one would consider consent, or a contractual solution, where the importer is located in the US, it may be worth reconsidering the EU-US Safe Harbor, FAQ 14 of which provides assistance with certain pharma-specific data protection issues, such as ensuring that a patient is not able to jeopardise a clinical trial by using their right of subject access to find out whether they are receiving the active drug or the placebo.

It seems inevitable that for large, complex multinationals, Binding Corporate Rules will become the preferred approach to handling internal transborder dataflows in the long term. Where BCRs aren’t appropriate, consent, Safe Harbor and contractual solutions will need to be considered. When choosing which to use, it’s all too easy to let the tail wag the dog. Data exporters should put aside the question of transborder dataflows and consider what they need to do to comply with EU law in any event. In most situations, if consent or a contract is necessary then extending them to cover transfers too – adding more detail about the proposed transfers, or incorporating additional clauses – is likely to be the way to go.
