Archive for the ‘Binding Corporate Rules’ Category

Towards more harmonization on the EU model clauses

Posted on December 8th, 2014 by



On November 26th, 2014, the Article 29 Working Party (“WP 29”) issued a document setting forth a cooperation procedure regarding the use of the EU model clauses in the context of international data transfers. The aim of this document is to facilitate the use of the EU model clauses across multiple jurisdictions in Europe while ensuring a harmonized and consistent approach to the way these model clauses are approved by the national data protection authorities (“DPAs”).

Context

General rule

As a general rule, organizations that use the standard contractual clauses adopted by the European Commission to frame their transfers of data outside the EEA cannot change them unless they seek the prior approval of the DPAs of the Member States from which the transfers take place. Nonetheless, companies may include the standard contractual clauses in a wider contract and add specific clauses such as commercial clauses (as permitted under paragraph VII of the model clauses 2004/915/EC, clause 10 of the model clauses 2010/87/EC and recital 84 of the proposed Data Protection Regulation) as long as these do not contradict, directly or indirectly, the standard contractual clauses or prejudice the rights or freedoms of the data subjects. For example, it is possible to include additional guarantees or procedural safeguards for the individuals (e.g., on-line procedures or relevant provisions contained in a privacy policy).

Need for authorizations

In many EU Member States, a national authorization is required for the use of ad hoc contracts (e.g., Austria, Belgium, France, Germany (in some Länder), the Netherlands, Poland or Spain) or for transferring data outside the EEA on the basis of the EU model clauses (e.g., Austria, France or Spain). In practice, there has been a discrepancy between some DPAs who have traditionally been opposed to accepting any form of amendment to the model clauses and those who accept certain changes where they do not contradict the requirements under the model clauses.

Purpose: Obtaining an ad hoc approval from those DPAs can be challenging, which makes it complicated for international organizations to implement ad hoc model clauses or intra-group data transfer agreements in the different EEA countries where their affiliates are located. As a consequence, this has created a legal risk for organizations, because DPAs in different jurisdictions might adopt different positions with regard to an organization’s contractual clauses.

For this reason, the WP29 has created a new cooperation procedure with a view to providing a more harmonized interpretation of the EU model clauses and adopting a common approach when reviewing the contracts used by organizations that are based on the EU model clauses.

Scope: This new cooperation procedure applies to both sets of model clauses that were adopted by the EU Commission covering controller-to-controller (2004/915/EC) and controller-to-processor (2010/87/EC) data transfers and is meant to be used where:

  • an organization wants to use a single set of contractual clauses that are based on the EU model clauses (but with some divergences, such as additional clauses);
  • in different EEA Member States;
  • in order to frame the same type of, or similar, transfers from different EEA Member States; and
  • this organization wants to obtain a coordinated position of the competent DPAs regarding its proposed contract and, in particular, to verify whether this contract complies with the EU model clauses.

For example, this would be the case in certain corporate groups where data systems are centralized outside the EEA and the same set of contractual clauses is subsequently signed by the different EEA subsidiaries (e.g., by means of an intra-group data transfer agreement). The WP 29’s document does not provide any specific examples, but one can expect that the DPAs will review a company’s contractual clauses against a pre-established list of criteria with a view to approving or rejecting the changes made to the model clauses. Where such divergences have no impact on whether the contract complies with the EU model clauses, it is not necessary to follow this procedure.

It is not entirely clear whether this procedure can be used for transfers between an EEA processor and a non-EEA sub-processor. Earlier this year, the WP29 issued a draft version of its ad hoc model clauses covering such transfers, but these model clauses have yet to be formally adopted by the EU Commission (see our previous blog article).

Procedure: The cooperation procedure is largely inspired by, and based on, the existing approval procedure for Binding Corporate Rules (“BCR”). At the beginning of the procedure, the organization must send a copy of its contract, clearly highlighting all the divergences and additional clauses, to a lead DPA. Once the lead DPA has been confirmed, it carries out a formal review of the organization’s contract to verify its conformity with the EU model clauses. For example, the lead DPA will verify whether the proposed contract:

– is based on the EU model clauses;

– diverges from, or contradicts, the EU model clauses; or

– prejudices the rights of the individuals.

Where the data are transferred from more than 10 Member States, two other DPAs will be appointed as co-reviewers. In all other situations, only one reviewer will be appointed in addition to the lead DPA. Once the lead DPA is satisfied that the contract complies with the EU model clauses, it issues an opinion in a draft letter and communicates the draft letter, the proposed contract and its analysis to the co-reviewer(s), which have one month to provide their comments. The draft letter is then sent to the remaining DPAs (in the countries from which data are being transferred): those that are part of the mutual recognition arrangement simply acknowledge receipt of the documentation without reviewing it in detail, while those that are part of the cooperation procedure have one month to review it and provide their comments.

Once all the DPAs have reviewed, the lead DPA signs the letter of opinion on behalf of all DPAs concerned and sends the letter to the organization, indicating whether the proposed contract is compliant with the EU model clauses. From that moment on, the procedure is closed and the organization may then obtain the necessary approval or permit in the different Member States for the transfer of data outside the EEA.

Limitations: A significant difference with the BCR approval procedure is that the purpose of the cooperation procedure for model clauses is not for the DPAs to approve an organization’s contract as a whole, but rather to assess whether the proposed contract complies with the requirements under the EU model clauses. In other words, where the proposed contract integrates the EU model clauses within a wider commercial agreement, the lead DPA will review the contractual clauses that relate to data transfers, but will not review or adopt any opinion regarding the broader commercial terms of the agreement.

This was clearly expressed by the CNIL in a press release issued on 24 April 2014 in which the CNIL stated, when referring to Microsoft’s “ad hoc model clauses”, that the WP 29 had considered that the documents provided by Microsoft complied with the data transfer requirements under the EU model clauses, but had not assessed whether Microsoft’s contractual clauses as a whole complied with EU data protection law, nor that Microsoft complied with those rules in practice. In other words, the WP 29 simply agreed that Microsoft had taken the necessary precautions to frame its international data transfers as required by article 26 of the Data Protection Directive.

Furthermore, the lead DPA’s letter of opinion does not exclude that permits or authorizations at a national level may still be legally required, and companies may also have to comply with other national requirements, such as notifications or administrative formalities with the DPAs. In particular, where permits or authorizations are legally required, national DPAs may still analyse the annexes and the description of the transfer in order to assess whether these are lawful under applicable national laws. In practice, this could mean that following the issuance of a letter of opinion, the organization in question may still need to put in place specific contractual terms to address the national requirements that apply to its local affiliates (e.g., specific security provisions to comply with laws in Spain or Poland) and, in any case, will need to obtain a formal approval for the transfer of data where required. Nonetheless, this cooperation procedure may facilitate the administrative formalities under national law and, in theory, the DPAs in the countries concerned should follow the opinion given by the lead DPA when issuing their permits or authorizations under national law.

Advantages: The main advantage of this procedure is that it will provide more clarity and legal certainty for organizations that want to put in place a single set of contractual clauses based on, or incorporating, the EU model clauses and are therefore seeking a common and coordinated position of the DPAs as to whether their contract complies with the EU model clauses. In that sense, the WP 29 has introduced some degree of flexibility by enabling organizations to depart from the EU model clauses and to tailor the contracts to their own needs.

It also provides more clarity and a more harmonized interpretation of the EU model clauses by the DPAs and, in particular, makes it easier for organizations to use ad hoc contracts or intra-group agreements in countries where DPAs have traditionally been reluctant to approve such contracts. Consequently, this should enable organizations to adopt a more harmonized and consistent approach when rolling out their data transfer agreements across Europe.

Disadvantages: The downside is that in creating a new review process for model clauses, which previously did not exist, the WP 29 could make it more burdensome in some cases to use the EU model clauses. Depending on the time it takes for the lead DPA to issue its letter of opinion, there is a risk that the overall time needed for an organization to obtain the necessary permit or approval from the various DPAs before implementing its contractual clauses will be stretched.

This procedure also puts organizations under more scrutiny by the DPAs. Officially, the cooperation procedure for model clauses is not obligatory, but organizations will nonetheless be under pressure to follow it if their contracts depart from the EU model clauses. In practice, this means that rolling out ad hoc contracts or intra-group agreements will become less straightforward and more formalized.

Finally, this procedure does not change the fact that, contrary to BCR, the EU model clauses do not constitute, and do not serve the purpose of, a group’s global policy. Organizations will therefore inevitably need different sets of clauses to frame their data transfers as controller and as processor, whereas BCR can be used as a single set of rules to frame all transfers, both as a controller and as a processor.


Event alert: The new mechanism for international data transfers – APEC’s CBPRs demystified

Posted on October 2nd, 2014 by



On Friday 3 October, Fieldfisher will host an afternoon event entitled “The new mechanism for international data transfers – APEC’s CBPRs demystified” at our new offices in London.

The event is designed to demonstrate how Cross Border Privacy Rules (“CBPRs”) and Binding Corporate Rules (“BCRs”) can be utilised to facilitate global data protection compliance. Hazel Grant, Fieldfisher’s new Head of Privacy, will chair the event which will also feature presentations from Anick Fortin-Cousens of IBM and Myriam Gufflet of the French data protection regulator (“CNIL”).

  • Ms Fortin-Cousens, leader of IBM’s Corporate Privacy Office and IBM’s CPO for Canada, Latin America and MEA, will provide a practical insight into CBPR. Earlier this year IBM became the first organisation to obtain Asia-Pacific Economic Cooperation (“APEC”) CBPR certification.
  • Ms Gufflet, BCR Division Manager at the CNIL, will tell us about the potential interoperability between BCRs and CBPRs. The CNIL has been closely involved in the work of the joint EU-APEC committee on this topic and was appointed as the Article 29 Working Party’s rapporteur in this matter.

This event is aimed at legal counsel and privacy/compliance professionals in organizations with a global reach who would be interested in understanding how CBPR certification may improve their organization’s global data protection compliance.

Networking drinks will follow the event and will allow attendees to meet privacy, e-commerce and technology law experts from a number of European countries (Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Hungary, Italy, the Netherlands, Poland, Portugal, Spain, Sweden, Switzerland and the UK) who form the Ecomlex network (www.ecomlex.com).

A limited number of places remain available for the event. If you would like to attend, please register your interest by clicking on the following link: http://www.fieldfisher.com/events/2014/10/the-new-mechanism-for-international-data-transfers-–-apecs-cbprs-demystified


Challenges in global data residency laws – and how to solve them

Posted on September 13th, 2014 by



Whoever would have thought that, in a world where it seems nearly everything is connected, we would still have laws requiring that data be held within specific territories or regions?  Yet it seems that as more and more data moves online, is stored in the cloud, and gets transmitted all around the world and back in the blink of an eye, governments become ever more determined to introduce territorial restrictions limiting the movement of data.

The best known example of this is the EU’s Data Protection Directive which forbids movement of personal data outside of Europe to territories that do not provide “adequate” data protection – or, in layman’s speak, territories that the EU doesn’t consider to be safe.  This rule can be dated back to a technological world where data sat in a single database on a single server, and legislators sought to guard against businesses moving data outside of the EU in an attempt to circumvent European data protection laws.  Against that backdrop, it was a very sensible rule to introduce.  20 years on from its adoption, it now starts to look a little long in the tooth.

The problem is that legislative and regulatory thinking hasn’t advanced a great deal in that time.  Within those communities, there’s still a perception that data can, somehow, be kept within a single territory or region and not accessed or transmitted beyond those boundaries – or that, if it must, then implementing a standard form data protection agreement (so-called “model clauses”) between the ‘data exporter’ and the ‘data importer’ somehow solves the problem.

But here’s the thing: it doesn’t.  Denying that international data movements are an integral and necessary part of the global data economy is like denying that the earth moves round the sun.  Spend any time dealing with cloud vendors, or social media platforms, or interest based advertising providers, and you’ll quickly learn that data gets stored in multiple geographic locations, often through chains of different subcontractors, and tens, hundreds and perhaps even thousands of different databases.  With that knowledge, legislating that data should be kept in-territory or in-region is at best pointless.  At worst, it’s economically disastrous.

More than that, thinking that a ‘one size fits all’ set of model clause terms will somehow prove relevant across the multiplicity of different online business models that exist out there – or (and let’s be honest) that businesses executing those terms can and will actually comply with them – is nothing but a bad case of denial.

But despite this, these so-called ‘data residency’ laws only seem to be growing in favour, spurred in part by post-Snowden mistrust of other countries’ data protection regimes and in part by misguided economic self-interest. Beyond the 31 countries in the European Economic Area that have adopted data residency requirements, other countries including Israel, Russia, Switzerland and South Africa (in EMEA), Argentina, Canada, Mexico and Uruguay (in the Americas), and Australia, India, Malaysia, Singapore and South Korea (in APAC) all have their own data residency rules.

The great irony here is that these rules will not prevent international movements of data. They won’t even hamper them to the slightest degree. Data will move beyond boundaries just as it always has, only at an ever quicker and more voluminous rate. All of which raises the question: if data residency rules are on a head-on collision course with the increasingly globalised use of data, what can businesses do to comply?

For any large multinational organisation, there really is only one solution: Binding Corporate Rules. Model clauses contain too many stiff and unworkable provisions that any commercial organisation would be very hesitant to sign, and, once the business reaches any sort of global scale, the prospect of regularly signing ever-growing numbers of model clauses quickly becomes very unattractive indeed. Safe harbor is a fine solution, but only for transfers of data from Europe and Switzerland to the US and, with the future of safe harbor currently in doubt, it doesn’t offer the longevity on which to build a robust compliance platform.

So that leaves Binding Corporate Rules, which are specifically designed for large multinationals moving large volumes of data and for whom safe harbor and model clauses are not options. More than that, Binding Corporate Rules have a regulatory recognition that extends beyond Europe, being expressly recognised in many non-EU countries as a valid solution for overcoming strict national data residency rules (Canada, Israel, South Africa, Singapore and Switzerland all being good examples). And even in territories where Binding Corporate Rules don’t have express regulatory recognition, they’re at least generally tolerated as compliant with local data export regimes.

In the current political climate, it’s highly unlikely that data residency rules will relax in the short- to mid-term.  At the same time, data protection rules are only set to get stricter and carry greater risk (interesting fact: in 2011 there were 76 countries with data protection laws; by 2013 there were 101; and there are currently another 24 countries with new incoming privacy laws). Businesses with any kind of global footprint need to prepare for this and build out their data governance programs accordingly, with Binding Corporate Rules offering the most widely recognised and future-proofed solution.

Processor BCR have a bright future

Posted on July 8th, 2014 by



Last month, the Article 29 Working Party sent a letter to the President of the European Parliament about the future of Binding Corporate Rules for processors (BCR-P) in the context of the EU’s ongoing data privacy legislative reform.

The letter illustrates the clear support that BCR-P have – and will continue to have – from the Working Party.  Whilst perhaps not surprising, given that the Working Party originally “invented” BCR-P in 2012 (having initially invented controller BCR way back in 2003), the letter affirms the importance of BCR-P in today’s global data economy.

“Currently, BCR-P offer a high level of protection for the international transfers of personal data to processors” writes Isabelle Falque-Pierrotin, Chair of the Working Party, before adding that they are “an optimal solution to promote the European principles of personal data abroad.” (emphasis added)

As if that weren’t enough, the letter also issues a thinly-veiled warning to the European Parliament, which has previously expressed skepticism about BCR-P: “denying the possibility for BCR-P will limit the choice of organisations to use model clauses or to apply the Safe Harbor if possible, which do not contain such accountability mechanisms to ensure compliance as it is provided for in BCR-P.”

The Working Party’s letter notes that 3 companies have so far achieved BCR-P (and we successfully acted on one of those – see here) with a further 10 applications on the go (and, yes, we’re acting on a few of those too).

Taking the helicopter view, the Working Party’s letter is representative of a growing trend for global organizations to seek BCR approval in preference over other data export solutions: back in 2012, just 19 organizations had secured controller BCR approval; two years later, and today that figure stands at 53 (both controller and processor BCR).

There are several reasons why this is the case:

1.  BCR are getting express legislative recognition:  The Commission’s draft General Data Protection Regulation expressly acknowledges the validity of BCR, including BCR-P, as a valid legal solution to EU’s strict data export rules.  To date, BCR have had only regulatory recognition, and then not consistently across all Member States, casting a slight shadow over their longer term future.  Express legislative recognition ensures the future of BCR – they’re here to stay.

2.  Safe harbor is under increasing strain:  The ongoing US/EU safe harbor reform discussions, while inching towards a slow conclusion, have arguably stained its reputation irreparably.  US service providers that rely on safe harbor to export customer data to the US (and sometimes beyond) find themselves stuck in deal negotiations with customers who refuse to contract with them unless they implement a different data export solution.  Faced with the prospect of endless model clauses or a one-off BCR-P approval, many opt for BCR-P.

3.  BCRs have entered the customer lexicon:  If you’d said the letters “B C R” even a couple of years ago, then outside of the privacy community only a handful of well-educated organizations would have known what you were talking about.  Today, customers are much better informed about BCR and increasingly view BCR as a form of trust mark (which, of course, they are), encouraging the service sector to adopt BCR-P as a competitive measure.

4.  BCRs are simpler than ever before:  Gone are the days when a BCR application took 4 years and involved traveling all over Europe to visit data protection authorities.  Today, a well-planned and executed BCR application can be achieved in a period of 12 – 18 months, all managed through a single lead data protection authority.  The simplification of the BCR approval process has been instrumental in increasing BCR adoption.

So if you’re weighing up the pros and cons of BCR against other data export solutions, then deliberate no longer: BCR, and especially BCR-P, will only grow in importance as the EU’s data export regime gets ever tougher.


FTC in largest-ever Safe Harbor enforcement action

Posted on January 22nd, 2014 by



Yesterday, the Federal Trade Commission (“FTC”) announced that it had agreed to settle with 12 US businesses for alleged breaches of the US Safe Harbor framework. The companies involved came from a variety of industries and each handled a large amount of consumer data. But aside from the surprise of the large number of companies involved, what does this announcement really tell us about the state of Safe Harbor?

This latest action suggests that the FTC is ramping up its Safe Harbor enforcement in response to recent criticisms from the European Commission and European Parliament about the integrity of Safe Harbor (see here and here) – particularly given that one of the main criticisms about the framework was its historic lack of rigorous enforcement.

Background to the current enforcement

So what did the companies in question do? The FTC’s complaints allege that the companies involved ‘deceptively claimed they held current certifications under the U.S.-EU Safe Harbor framework’. Although participation in the framework is voluntary, if you publicise that you are Safe Harbor certified then you must, of course, maintain an up-to-date Safe Harbor registration with the US Department of Commerce and comply with your Safe Harbor commitments.

Key compliance takeaways

In this instance, the FTC alleges that the businesses involved had claimed to be Safe Harbor certified when, in fact, they weren’t. The obvious message here is: don’t claim to be Safe Harbor certified if you’re not!

The slightly more subtle compliance takeaway for businesses that are correctly Safe Harbor certified is that they should have processes in place to ensure:

  • that they keep their self-certifications up-to-date by filing timely annual re-certifications;
  • that their privacy policies accurately reflect the status of their self-certification – and if their certifications lapse, that there are processes to adjust those policies accordingly; and
  • that the business is fully meeting all of its Safe Harbor commitments in practice – there must be actual compliance, not just paper compliance.

The “Bigger Picture” for European data exports

Despite this decisive action by the FTC, European concerns about the integrity of Safe Harbor are likely to persist. If anything, this latest action may serve only to reinforce concerns that some US businesses are either falsely claiming to be Safe Harbor certified when they are not, or are not fully living up to their Safe Harbor commitments.

The service provider community, and especially cloud businesses, will likely feel this pressure most acutely.  Many customers already perceive Safe Harbor to be “unsafe” for data exports and are insisting that their service providers adopt other EU data export compliance solutions.  So what other solutions are available?

While model contracts have the benefit of being a ‘tried and tested’ solution, the suite of contracts required for global data exports is simply unpalatable to many businesses. The better solution is, of course, Binding Corporate Rules (BCR): a voluntary set of self-regulatory policies adopted by a business which satisfy EU data protection standards and are submitted to, and authorised by, European DPAs. Since 2012, service providers have been able to adopt processor BCR, and those that do find that this gives them a greater degree of flexibility to manage their internal data processing arrangements while, at the same time, continuing to afford a high degree of protection for the data they process.

It’s unlikely that Safe Harbor will be suspended or disappear – far too many US businesses are dependent upon it for their EU/CH to US data flows.  However, the Safe Harbor regime will likely change in response to EU concerns and, over time, will come under increasing amounts of regulatory and customer pressure.  So better to consider alternative data export solutions now and start planning accordingly rather than find yourself caught short!


Legislative realism needed

Posted on November 25th, 2013 by



One thing that is clear in the context of the ongoing EU data protection reform is that speculation is rife. Everyone seems to have a view on what will happen. Most people seem to think that the chances of agreeing a new framework before the end of the current Parliament in April 2014 are pretty much nil. A few others are more hopeful and believe that the political will of those involved and the relentless enthusiasm of the European Commission may just be powerful enough to achieve a little miracle. At a more granular level, speculation about the future of Safe Harbor or BCR for processors, and about the outcome of the interlinked debates on the concept of personal data, consent, legitimate interests, profiling, one-stop-shop and a hundred other micro-issues is only creating more questions than answers.

So whilst we wait for the Council of the EU to make its move and give us a clearer idea of how big the gap may be between its own position and those of the Commission and the Parliament, it is perhaps time to take stock of where we are at the moment. The legislative process has progressed at a steady pace since the European Commission revealed its blueprint for a new framework in November 2010 – it seems like a decade ago in ‘Internet time’! But the reality is that the drafts we have on the table today still follow relatively closely the Commission’s vision of three years ago: an ambitious, harmonised regime with strong rights and tight data protection standards. Whether we like it or not, and in the absence of some really catchy radical thinking, the resulting legal framework – whenever it happens, in 5 months or 15 months – will most likely follow this pattern.

Since a radical new approach is unlikely to steal the show at this stage, here are some suggestions for some modest tweaks to the current drafts that might contribute to make the forthcoming regime a bit more realistic and workable:

Personal data – It is quite outrageous that we are still trying to figure out whether someone’s name is personal data, as the UK courts are currently doing. If we cannot nail that one down, how are we ever going to decide whether the knowledge derived from the fact that one can turn on a toaster with an iPhone is personal data? Let’s therefore define personal data by reference to the impact that information about someone may have on that individual.

Consent – There is no point in playing around with the definition. Irrespective of whether we leave the word ‘explicit’ in it or not, everybody is going to interpret it in whichever way they want. Let’s focus instead on accepting that the role of consent as the essence of privacy is massively overrated. We as individuals simply cannot control every possible use of our information. Therefore, consent should have a limited role as a ground for processing, and be reserved for uses of data where the level of intrusion is potentially high and we may actually have a meaningful degree of control. Very few cases indeed.

International data transfers – Until now, UK controllers have been privileged enough to operate under a regime which effectively allows them to carry out a risk-based assessment of the appropriate measures to protect data internationally. Whilst this may have been possible under the Directive, no matter how hard the UK Government may try to preserve this approach, it is unlikely to remain an option under the Regulation – particularly in the current post-Snowden climate. A more palatable alternative across Member States would be to allow data flows on the basis of agreements between parties within and outside the EU, but without the need for specific authorisation by national regulators. Hardly an earth-shattering move, but one that would help minimise useless paperwork.

One-stop-shop – This is one of the most promising features of the forthcoming law and possibly the flagship of the Commission’s proposals for a harmonised regime. Unfortunately and due to unhelpful political rivalries, we seem to have got ourselves into a mess of shared competences between national regulators – both individually and collectively. Isn’t it time to be brave and accept the leadership of an exclusively competent regulator who will at the same time endeavour to cooperate with their European counterparts? If so, let’s make it happen and also apply this concept to cases where the data controllership is outside Europe.

Some will see these suggestions as idealistic and some will see them as biased. In fact, they are simply meant to be effective.

This article was first published in Data Protection Law & Policy in November 2013.

The conflicting realities of data globalisation

Posted on June 17th, 2013 by



The current data globalisation phenomenon is largely due to the close integration of borderless communications with our everyday comings and goings. Global communications are so embedded in the way we go about our lives that we are hardly aware of how far our data is travelling every second that goes by. But data is always on the move and we don’t even need to leave home to be contributing to this. Ordinary technology right at our fingertips is doing the job for us, leaving behind an international trail of data – some more public than others.

The Internet is global by definition. Or more accurately, by design. The original idea behind the Internet was to rely on geographically dispersed computers to transmit packets of information that would be correctly assembled at destination. That concept developed very quickly into a borderless network and today we take it for granted that the Internet is unequivocally global. This effect has been maximised by our ability to communicate whilst on the move. Mobile communications have penetrated our lives at an even greater speed and in a more significant way than the Internet itself.

This trend has led visionaries like Google’s Eric Schmidt to affirm that thanks to mobile technology, the number of digitally connected people will more than triple – going from the current 2 billion to 7 billion people – very soon. That is more than three times the amount of data generated today. Similarly, the global leader in professional networking, LinkedIn, which has just celebrated its 10th anniversary, is banking on mobile communications as one of the pillars for achieving its mission of connecting the world’s professionals.

As a result, everyone is global – every business, every consumer and every citizen. One of the realities of this situation has been exposed by the recent PRISM revelations, which highlight very clearly the global availability of digital communications data. Perversely, the news about the NSA programme is set to have a direct impact on the current and forthcoming legislative restrictions on international data flows, which is precisely one of the factors disrupting the globalisation of data. In fact, PRISM is already being referred to as a key justification for a tight EU data protection framework and strong jurisdictional limitations on data exports, no matter how nonsensical those limitations may otherwise be.

The public policy and regulatory consequences of the PRISM affair for international data flows are pretty predictable. Future ‘adequacy findings’ by the European Commission as well as Safe Harbor will be negatively affected. We can assume that if the European Commission decides to have a go at seeking a re-negotiation of Safe Harbor, this will be cited as a justification. Things will not end there. Both contractual safeguards and binding corporate rules will be expected to address possible conflicts of law involving data requests for law enforcement or national security reasons in a way that no blanket disclosures are allowed. And of course, the derogations from the prohibition on international data transfers will be narrowly interpreted, particularly when they refer to transfers that are necessary on grounds of public interest.

The conflicting realities of data globalisation could not be more striking. On the one hand, every day practice shows that data is geographically neutral and simply flows across global networks to make itself available to those with access to it. On the other, it is going to take a fair amount of convincing to show that any restrictions on international data flows should be both measured and realistic. To address these conflicting realities we must therefore acknowledge the global nature of the web and Internet communications, the borderless fluidity of the mobile ecosystem and our human ability to embrace the most ambitious innovations and make them ordinary. So since we cannot stop the technological evolution of our time and the increasing value of data, perhaps it is time to accept that regulating data flows should not be about putting up barriers but about applying globally recognised safeguards.

This article was first published in Data Protection Law & Policy in June 2013.

How PRISM will affect the EU Data Protection Regulation

Posted on June 10th, 2013 by



Politics aside, we can take it for granted that the recent revelations about the PRISM programme are likely to have a direct effect on the EU data protection legislative reform. Details of the programme are still pouring in but according to the reports already in the public domain, under PRISM the US intelligence services have direct access to the content and traffic data available in the servers of all of the leading Internet communications companies. Whether those reports are entirely accurate will now hardly matter from an EU public policy perspective. You can count on the PRISM story being used as a strong argument in favour of a tough stand on the future EU privacy framework.

Apart from the obvious ‘I told you so’ justifications for a strict and wide reaching data protection regime in Europe that will populate much of the political rhetoric from now on, there are specific provisions in the draft Data Protection Regulation that may end up being the perfect recipe for a conflict of international laws. In particular, the PRISM revelations will increase the reluctance of the EU Parliament to allow disclosures of personal data in response to a legal obligation or public interest duties which do not specifically emanate from EU law. Therefore, any hopes of widening the current references in the draft Regulation to “European Union law or the law of the EU Member State to which a controller is subject” as a basis for either justifying data processing operations which are necessary for compliance with a legal obligation or the performance of a task carried out in the public interest are now substantially smaller. What this means in practice is that global organisations operating in the European Union may be left facing a conflict between complying with legally binding non-EU duties or avoiding a breach of EU data protection law.

The other aspect of EU data protection law directly affected by the PRISM story is the restriction on international data transfers. This is indisputably one of the greatest compliance challenges for EU organisations and one that many of us were hoping would be more pragmatically addressed in the new law. What are the chances of that now? My guess is that this sort of story is the perfect ammunition for those who seek to maintain the pureness of ‘adequacy findings’ and therefore, it will make it more difficult for any country – not least the USA – that wishes to be regarded as providing an adequate level of data protection. In addition to that, all of the other mechanisms and exemptions to overcome the restrictions on international data transfers – Safe Harbor, contractual arrangements, BCR, transfers made on the grounds of public interest – will be much more closely scrutinised, so global data flows will remain a focus of regulatory attention.

At times like this, it becomes more essential than ever to keep a clear head and get the facts right, because achieving a realistic and balanced legislative outcome with the appropriate safeguards and a degree of pragmatism is as important as respecting our privacy.

BCR for processors get EU regulators’ vital endorsement

Posted on May 1st, 2013 by



The fact that with everything that is going on in the world of data protection right now, the Article 29 Working Party has devoted a thorough 19-page explanatory document to clarifying and endorsing the role of BCR for Processors or “Binding Safe Processor Rules” is very telling. It is nearly 10 years since BCR was conceived and whilst the approval process is not precisely a walk in the park, much has been achieved in terms of its status, simplification and even international recognition. However, the idea of applying the same approach to an international group of vendors or to cloud service providers is still quite novel.

The prospect of the forthcoming EU data protection framework specifically recognising both flavours of BCR is obviously encouraging but right now, the support provided by the Working Party is invaluable. The benefits of BSPR are well documented – easier contractual arrangements for customers and suppliers, one stop shop in terms of data transfers compliance for cloud customers, no need for cumbersome model clauses… It sounds like a much needed panacea to overcome the tough EU restrictions on international data transfers affecting global outsourcing and data processing operations. But as in the early days of the traditional BCR, potential suitors need to know that the idea is workable and regulators will value the efforts made to achieve safe processor status.

Those who were already familiar with the previous opinions by the Working Party on BSPR – in particular WP195 – will not find the content of the new opinion particularly surprising. However, there are very useful and reassuring pointers in there, as highlighted by the following key statements and clarifications:

*    The outsourcing industry has been constant in its request for a new legal instrument that would allow for a global approach to data protection in the outsourcing business and officially recognise internal rules organisations may have implemented.

*    That kind of legal instrument would provide an efficient way to frame massive transfers made by a processor to sub-processors which are part of the same organisation acting on behalf and under the instructions of a controller.

*    BCR for processors should be understood as adequate safeguards provided by the processor to the controller allowing the latter to comply with applicable EU data protection law.

*    However, BCR for processors do not aim to shift controllers’ duties to processors.

*    A processor’s organisation that has implemented BCR for processors will not need to sign contracts to frame transfers with each of the sub-processors that are part of its organisation, as BCR for processors adduce safeguards to data transferred and processed on behalf and under the instructions of a controller.

*    BCR for processors already “approved” at EU level will be referred to by the controller as the appropriate safeguards proposed for the international transfers.

*    Updates to the BCR for processors or to the list of the members of the BCR are possible without having to re-apply before the data protection authorities.

So in summary, and despite the detailed requirements that must be met, the overall approach of the Working Party is very “can do” and pragmatic. To finish things off in a collaborative manner, the Working Party points out at the end of the document that further input from interested circles and experts on the basis of the experience obtained will be welcomed. Keep it up!


What will happen to Safe Harbor?

Posted on April 27th, 2013 by



As data protection-related political dramas go, the debate about the suitability and future viability of Safe Harbor is right at the top. The truth is that even when the concept was first floated by the US Department of Commerce as a self-regulatory mechanism to enable personal data transfers between the EU and the USA, and avert the threat of a trade war, it was clear that the idea would prove controversial. The fact that an agreement was finally reached between the US Government and the European Commission after several years of negotiations did not settle the matter, and European data protection authorities have traditionally been more or less publicly critical of the arrangement. The level of discomfort with Safe Harbor as an adequate mechanism in accordance with European standards was made patently obvious in the Article 29 Working Party Opinion on cloud computing of 2012, which argued that sole self-certification with Safe Harbor would not be sufficient to protect personal data in a cloud environment.

The Department of Commerce has now issued its own clarifications in response to the concerns raised by the Working Party Opinion. Understandably, the Department of Commerce makes a fierce defence of Safe Harbor as an officially recognised mechanism, which was approved by the European Commission and cannot be dismissed by the EU regulators. That is and will always be correct. Whilst the clarifications do not go into the detail of the Working Party Opinion, they certainly confirm that as far as data transfers are concerned, a Safe Harbor certification provides a public guarantee of adequate protection under the scrutiny of the Federal Trade Commission.

Such robust remarks will be music to the ears of those US cloud computing service providers that have chosen to rely on Safe Harbor to show their European compliance credentials. But the debate is far from over. The European regulators are unlikely to change their mind any time soon and if their enforcement powers increase and allow them to go after cloud service providers directly (rather than their customers) as intended by the draft Data Protection Regulation, they will be keen to put those powers into practice. In addition, we are at least a year away from the new EU data protection legal framework being agreed, but some of the stakeholders are using the opportunity of a new law to reopen the validity of Safe Harbor, adding to the sense of uncertainty about its future.

If I were to make a prediction about what will happen to Safe Harbor, I would say that the chances of Safe Harbor disappearing altogether are nil. However, it is very likely that the European Commission will be forced to reopen the discussions about the content of the Safe Harbor Principles in an attempt to bring them closer to the requirements of the new EU framework and indeed Binding Corporate Rules. That may actually be a good outcome for everyone because it will help the US Government assert its position that Safe Harbor matches the desired privacy standards – particularly if some tweaks are eventually introduced to incorporate new elements of the EU framework – and it may address for once and for all the perennial concerns of the EU regulators.