Archive for the ‘Binding Corporate Rules’ Category

What data protection reform would look like if it were up to me.

Posted on September 16th, 2015 by

Earlier today I attended a superb session of the Churchill Club in Palo Alto, at which the European Data Protection Supervisor was speaking on data protection and innovation.  As he spoke about the progress of the EU General Data Protection Regulation and what its impacts would be upon business, I found myself given to thinking about what EU data protection reform would be like if it were up to me.

Of course, this is by definition somewhat of a navel gazing exercise because EU data protection reform is not up to me.  Nevertheless, I thought I would at least share some of my thoughts to see to what extent they strike a chord with readers of our blog – and, perhaps, even reach the ears of those who do make the law.

So, if you’ll allow me this indulgence, here’s what my reforms would do:

1.  They would strike a balance between supporting privacy rights, economic and social well-being and innovation.  Fundamentally, I support the overarching goals of the GDPR described in its recitals – namely that “the principles and rules on the protection of individuals with regard to the processing of their personal data should …. respect their fundamental rights and freedoms, notably their right to protection of personal data” and that those rules should “contribute to an area of freedom, security and justice …, to economic and social progress, … and the well-being of individuals.”  Yet, sometimes within the draft texts of the GDPR, this balance has been lost, with provisions swinging so far towards conservatism and restrictiveness, that promotion of economic progress – including, critically for any economy, innovation – gets lost.  If it were up to me, my reforms would endeavour to restore this balance through some of the measures described below.

2.  They would recognize that over-prescription drives bad behaviours.  A problem with overly-prescriptive legislation is that it becomes inherently inflexible.  Yet data protection rules need to apply across all types of personal data, across all types of technologies and across all sectors.  Inevitably, the more prescriptive the legislation, the less well it flexes to adapt to ‘real world’ situations and the more it discourages innovation – pushing otherwise would-be good actors into non-compliance.  And, when those actors perceive compliance as unobtainable, their privacy programs become driven by concerns to avoid risk rather than to achieve compliance – a poor result for regulators, businesses and data subjects alike.  For this reason, my data protection reforms would focus on the goals to be achieved (data stays protected) rather than on the means of their achievement (e.g. specifying internal documentation needs).  This is precisely why the current Data Protection Directive has survived as long as it has.

3.  They would provide incentives for pseudonymisation.  Absent a few stray references to pseudonymisation here and there across the various drafts of the GDPR, there really is very little to incentivise adoption of pseudonymisation by controllers – pseudonymised data are protected to exactly the same standard as ‘ordinary’ personal data.  Every privacy professional recognizes the dangers of re-identification inherent in pseudonymised data, but treating it identically to ordinary personal data drives the wrong behaviour by controllers – perceiving little to no regulatory benefit to pseudonymisation, controllers decline to adopt pseudonymisation for cost or other implementation reasons.  My reforms would explore whether pseudonymisation could be incentivised to encourage its adoption, for example by relaxing data minimization, purpose limitation or data export rules for pseudonymised data, in addition to existing proposals for relaxed data breach notification rules.

4.  They would recognize the distinct role of platforms.  European data protection professionals still operate in a binary world – businesses are either ‘data controllers’ or ‘data processors’.  Yet, increasingly, this binary division of responsibility and liability doesn’t reflect how things operate in reality – and especially in an app-centric world operating over third party cloud or mobile platforms.  The operators of these platforms don’t always sit neatly within a ‘controller’ or a ‘processor’ mold yet, vitally, are the gatekeepers through which the controllers of apps have access to the highly sensitive information we store on their platforms – our contact lists, our address books, our health data and so on.  We need an informed debate as to the role of platforms under revised data protection rules.

5.  They would abandon outdated data export restrictions.  It’s time to have a grown-up conversation about data exports, and recognize that current data export rules simply do not work.  Who honestly believes that a model contract protects data?  And how can European regulators promote Binding Corporate Rules as a best practice standard for data export compliance, but then insist on reviewing each and every BCR applicant when they are too poorly resourced to do so within any kind of commercially acceptable timescale?  And how can we possibly complain about the US having poor Safe Harbor enforcement when we have little to no enforcement of data export breaches at home in the EU?  Any business of scale collects data internationally, operates internationally, and transfers data internationally; we should not prohibit this, but should instead have a regulatory framework that acknowledges this reality and requires businesses to self-assess and maintain protection of data wherever it goes in the world.  And, yes, we should hold businesses fully accountable when they fail to do so.

6.  They would recognise that consent is not a panacea.  There’s been a strong narrative in Europe for some time now that more data processing needs to be conditioned on individuals’ consent.  The consensus (and it’s not a wholly unfair one) is that individuals have lost control of their data and consent would somehow restore the balance.  It’s easy to have sympathy for this view, but consent is not all it’s cracked up to be.  Think about it, if consent were a requirement of processing, how would businesses be forced to respond?  Particularly within the European legislative environment that considers almost all types of data to be ‘personal’ and therefore regulated?  The answer would be a plurality of consent boxes, windows and buttons layered across every product and service you interact with.  And, to make matters worse, the language accompanying these consents would invariably become excessively detailed and drafted using ‘catch-all’ language to avoid any suggestion that the business failed to collect a sufficiently broad consent.  Clearly, there are places where consent is merited (collection and use of sensitive data being a prime example) but for other uses of data, a well-structured data protection regime would instead promote the use of legitimate interests and other non-consent based grounds for data processing – backed, of course, by effective regulatory audit and sanctions in order to provide the necessary checks and balances.

So there you have it.  Those are just a few of my views – I have others, but I’ll spare you them for now, and no doubt you’ll have views of your own.  If you agree with the views above, then share them; if you don’t, then share them anyway and continue the debate.  We’ll only ever achieve an appropriate regulatory framework that balances the needs of everyone if we all make our voices heard, debate hard, and strive to reach consensus on the right data protection regime fit for the future!

Handling government data requests under Processor BCR

Posted on June 2nd, 2015 by

Earlier today, the Article 29 Working Party published some new guidance on Processor BCR. There’s no reason you would have noticed this, unless you happen to be a BCR applicant or regularly visit the Working Party’s website, but the significance of this document cannot be overstated: it has the potential to shape the future of global data transfers for years to come.

That’s a bold statement to make, so what is this document – Working Party Paper WP204 “Explanatory Document on the Processor Binding Corporate Rules” – all about? Well, first off, the name kind of gives it away: it’s a document setting out guidance for applicants considering adopting Processor BCR (that’s the BCR that supply-side companies – particularly cloud-based companies – are all rushing to adopt). Second, it’s not a new document: the Working Party first published it in 2013.

The importance of this document now is that the Working Party have just updated and re-published it to provide guidance on one of the most contentious and important issues facing Processor BCR: namely how Processor BCR companies should respond to government requests for access to data.

Foreign government access to data – the EU view

To address the elephant in the room, ever since Snowden, Europe has expressed very grave concerns about the ‘adequacy’ of protection for European data exported internationally – and particularly to the US. This, in turn, has led to repeated attempts by Europe to whittle away at the few mechanisms that exist for lawfully transferring data internationally, from the European Commission threatening to suspend Safe Harbor through to the European Parliament suggesting that Processor BCR should be dropped from Europe’s forthcoming General Data Protection Regulation (a suggestion that, thankfully, has fallen by the wayside).

By no means the only concern, but certainly the key concern, has been access to data by foreign government authorities. The view of EU regulators is that EU citizens’ data should not be disclosed to foreign governments or law enforcement agencies unless strict mutual legal assistance protocol has been followed. They rightly point out that EU citizens have a fundamental right to protection of their personal data, and that simply handing over data to foreign governments runs contrary to this principle.

By contrast, the US and other foreign governments say that prompt and confidential access to data is often required to prevent crimes of the very worst nature, and that burdensome mutual legal assistance processes often don’t allow access to data within the timescales needed to prevent these crimes. The legitimate but conflicting views of both sides lead to the worst kind of outcome: political stalemate.

The impact of foreign government access to data on BCR

In the meantime, businesses have found themselves trapped in a ‘no man’s land’ of legal uncertainty – the children held responsible for the sins of their parent governments. Applicants wishing to pursue Processor BCR have particularly found themselves struggling to meet its strict rules concerning government access to data: namely that any “request for disclosure should be put on hold and the DPA competent for the controller and the lead DPA for the BCR should be clearly informed about it.” (see criteria 6.3 available here)

You might fairly think: “Why not just do this? If a foreign government asks you to disclose data, why not just tell them you have to put it on hold until a European DPA sanctions – or declines – the disclosure?” The problem is that reality is seldom that straightforward. In many jurisdictions (and, yes, I’m particularly thinking of the US) putting a government data disclosure order “on hold” and discussing it with a European DPA is simply not possible.

This is because companies are typically prohibited under foreign laws from discussing such disclosure orders with ANYONE, whether or not a data protection authority, and the penalties for doing so can be very severe – up to and including jail time for company officers. And let’s not forget that, in some cases, the disclosure order can be necessary to prevent truly awful offences – so whatever the principle to be upheld, sometimes the urgency or severity of a particular situation will simply not allow for considered review and discussion.

But that leaves companies facing the catch-22. If they receive one of these orders, they can be in breach of foreign legal requirements for not complying with it; but if they do comply with it, they risk falling foul of European data protection rules. And, if you’re a Processor BCR applicant, you might rightly be wondering how on earth you can possibly give the kind of commitment that the Working Party expects of you under the Processor BCR requirements.

How the Working Party’s latest guidance helps

To their credit, the Working Party have acknowledged this issue and this is why their latest publication is so important. They have updated their BCR guidance to note that “in specific cases the suspension and/or notification [to DPAs of foreign government data access requests] are prohibited”, including for example “a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation”. In these instances, they expect BCR applicants to use “best efforts to obtain the right to waive this prohibition in order to communicate as much information as it can and as soon as possible”.

So far, so good. But here’s the kicker: they then say that BCR applicants must be able to “demonstrate” that they exercised these “best efforts” and, whatever the outcome, provide “general information on the requests it received to the competent DPAs (e.g. number of applications for disclosure, type of data requested, requester if possible, etc.)” on an annual basis.

And therein lies the problem: how does a company “demonstrate” best efforts in a scenario where a couple of NSA agents turn up on its doorstep brandishing a sealed FISA order and requiring immediate access to data? You can imagine that gesticulating wildly probably won’t cut it in the eyes of European regulators.

And what about the requirement to provide “general information” on an annual basis including the “number of applications for disclosure”? In the US, FISA orders may only be reported in buckets of 1,000 orders – so, even if a company received only one or two requests in a year, the most it could disclose is that it received between 0 and 999 requests, making it seem like government access to their data was much more voluminous than in reality it was.

I don’t want problems, I want solutions!!!

So, if you’re a Processor BCR applicant, what do you do? You want to see through your BCR application to show your strong commitment to protecting individuals’ personal data, and you certainly don’t want to use a weaker solution, like Model Clauses or Safe Harbor that won’t carry equivalent protections. But, at the same time, you recognize the reality that there will be circumstances where you are compelled to disclose data and that there will be very little you can do – or tell anyone – in those circumstances.

Here’s my view:

  • First off, you need a documented government data access policy. It’s unforgivable in this day and age, particularly in light of everything we have learned in the past couple of years, not to have some kind of written policy around how to handle government requests for data. More importantly, having a policy – and sticking to it – is all part and parcel of demonstrating your “best efforts” when handling government data requests.
  • Second, the policy needs to identify who the business stakeholders are that will have responsibility for managing the request – and, as a minimum, this needs to include the General Counsel and, ideally, the Chief Privacy Officer (or equivalent). They will represent the wall of defense that prevents government overreach in data access requests and advise when requests should be challenged for being overly broad or inappropriately addressed to the business, rather than to its customers.
  • Third, don’t make it easy for the government. If they want access to your data, then make them work for it. It’s your responsibility as the custodian of the data to protect your data subjects’ rights. To that end, ONLY disclose data when LEGALLY COMPELLED to do so – if access to the data really is that important, then governments can typically get a court order in a very short timeframe. Do NOT voluntarily disclose data in response to a mere request, unless there really are very compelling reasons for doing so – and reasons that you fully document and justify.
  • Fourth, even if you are under a disclosure order, be prepared to challenge it. That doesn’t necessarily mean taking the government to court each and every time, but at least question the scope of the order and ask whether – bearing in mind any BCR commitments you have undertaken – the order can be put on hold while you consult with your competent DPAs. The government may not be sympathetic to your request, particularly in instances of national security, but that doesn’t mean you shouldn’t at least ask.
  • Fifth, follow the examples of your peers and consider publishing annual transparency reports, à la Google, Microsoft and Yahoo. While there may be prohibitions against publishing the total numbers of national security requests received, the rules will typically be more relaxed when publishing aggregate numbers of criminal data requests. This, in principle, seems like a good way of fulfilling your annual reporting responsibility to data protection authorities and – in fact – goes one step further: providing transparency to those who matter most in this whole scenario, the data subjects.
So why does the Working Party’s latest opinion matter so much? It matters because it’s a vote of confidence in the Processor BCR system and an unprecedented recognition by European regulatory authorities that there are times when international businesses really do face insurmountable legal conflicts.

Had this opinion not come when it did, the future of Processor BCR would have been dangerously undermined and, faced with the prospect of Safe Harbor’s slow and painful demise and the impracticality of Model Clauses, would have left many without a realistic data export solution and further entrenched a kind of regulatory ‘Fortress Europe’ mentality.

The Working Party’s guidance, while still leaving challenges for BCR applicants, works hard to strike that hard-to-find balance between protecting individuals’ fundamental rights and the need to recognize the reality of cross-jurisdictional legal constraints – and, for that, they should be commended.

EU data exports – choosing the least worst option?

Posted on April 3rd, 2015 by

Data, as anyone doing privacy on a global scale will tell you, knows no boundaries.  It can be collected in country A, routed through countries B, C, and D, and come to rest on servers in country E.  Those servers are likely then maintained by a third party in country F, with subcontracted support from another third party provider in country G.

All that is well and good, but what do you do when country A happens to be within Europe, and any one or more of countries B through G are outside of Europe?  Europe’s aging Data Protection Directive tells you that if any of that data is personal in nature, then its transfer outside of Europe is forbidden.  Forbidden, that is, unless you have an “adequate” data export solution in place.

So the good news is that you can export data internationally if you have an “adequate” solution in place, and the even better news is that there’s not one solution but three!  Phew!  Your choices are either:

• sign up to the US-EU Safe Harbor Framework – a voluntary privacy framework for US-based importers of data,
• execute so-called EU Model Clauses (also known as Standard Contractual Clauses) – standard form, non-negotiable data export agreements approved by the European Commission, or
• implement Binding Corporate Rules – a binding organizational data governance policy framework reviewed and approved by European data protection authorities.

So far, so good.  But then comes the problem: each of these solutions suffers from some serious drawbacks that either makes it commercially infeasible (Model Clauses), mistrusted by European customers and regulators (Safe Harbor), or subject to a lengthy regulatory approval process that puts off well-intentioned businesses that would otherwise be willing to adopt it (BCR).

A perilous future for Safe Harbor?

To illustrate the issue, today roughly 4,000 US businesses rely on Safe Harbor to import personal data from Europe.  However, following the Snowden revelations, European legislators and regulators are increasingly reluctant to recognize the validity of Safe Harbor – believing that it no longer (or perhaps, never) provides “adequate” protection for data and, as such, should be suspended or revoked.  See here and here, for example.

Indeed, one case currently before the European Court of Justice may well decide Safe Harbor’s fate once and for all.  In Schrems v the Irish Data Protection Commissioner (Case C-362/14), one of the points the Court has to consider is whether Safe Harbor does in fact provide “adequate” protection for European data exports; if it decides the answer is no, then Safe Harbor could well be over.

But, frankly, whether or not that happens is largely an academic point.  Many US importers already find EU customers will refuse to contract with them if they rely on Safe Harbor.  And, even if it survives this court case, the European Commission has been threatening for some time to suspend Safe Harbor.  With this level of ongoing uncertainty, it’s inevitable that businesses are looking to other options available to them.

The problem with Model Clauses

In nearly all cases, they next turn to Model Clauses as the solution to their data export woes.  On one level, doing so makes a lot of sense: Model Clauses are the darling of the regulatory community (after all, they created them), contain robust data protection terms, and so are often considered a ‘guaranteed compliant’ solution for the customers that use them.

The reality, though, is something different.  Model Clauses neither provide the protection for data that customers and regulators think they do, nor are they actually complied with in practice – more often than not, they’re signed, put in a drawer and forgotten about.  For data importing vendors, they are also woefully impractical – containing subcontracting controls that are unrealistic, excessive audit rights, and no liability limitations.  And, to add to all this, where lengthy international subcontracting chains are involved, exporters and importers will often be looking at an extremely complicated web of Model Clause contracts to prepare and sign.

Taking that all into account, what right-minded person would really want to entrust any transfer of data to something so complicated and unworkable in practice?

Which leaves BCRs

With Safe Harbor on its last legs, and model clauses suffering from all manner of problems, the final remaining solution available to data importers is Binding Corporate Rules.  In themselves, BCRs are a fine solution and often thought of (rightly) as the gold standard for data exports from the EU – after all, they have to get reviewed and signed off by European regulators.

Further, the business adopting BCRs gets to draft them in a way that reflects the particular characteristics and needs of their organization and, once in place, BCRs can be self-managed by the business with minimal ongoing maintenance and regulatory oversight.  The consequence of this is that they significantly reduce administrative burden and, for large organizations, even cost as compared with model clauses.

But their single biggest drawback is the lack of any simple approval or self-certification process.  Adopting BCR, as anyone who’s been through the process knows, is not quick or straightforward.  While the end result is undoubtedly positive, the regulatory approval process typically takes around 18 months from start to finish.  Many organizations, faced with pressing data export needs, simply don’t have the time to hang around and so turn to quicker, off-the-shelf solutions.

So what do you do?

The simple reality right now is that Europe has no good solution for facilitating international data exports, which is in stark contrast to increasingly globalized movements and storage of data.  Yet, be that as it may, data export compliance is an important component of European privacy law, and one that will not get any simpler in the short- to mid-term.

Businesses are therefore left to consider what will be the most appropriate solution for their needs.  For US businesses, that will still often be Safe Harbor, but on the understanding that this cannot be relied upon as an “exclusive” solution for all their data export needs and that, in many cases, they still need to be prepared to sign Model Clauses with important customers who insist on them.

What is the most appropriate data export strategy for an international business then?  Here’s my suggestion:

1. If you’re a US business, rely on Safe Harbor to the extent you can.
2. Where you can’t, or if you are sending data to other non-EU countries, use Model Clauses (there’s really very little alternative).
3. But, to provide a more effective longer term solution, start the process now of preparing for and adopting BCR.  Once implemented, these will ultimately be a far more efficient solution that can replace the awkward pairing of Safe Harbor and Model Clause solutions.

So while there’s no good solution, with some careful strategizing and forward thinking, you may at least get to a place that is – for want of a better word – adequate.

    Towards more harmonization on the EU model clauses

    Posted on December 8th, 2014 by

    On November 26th, 2014, the Article 29 Working Party (“WP 29”) issued a document setting forth a cooperation procedure regarding the use of the EU model clauses in the context of international data transfers. The aim of this document is to facilitate the use of the EU model clauses across multiple jurisdictions in Europe while ensuring a harmonized and consistent approach to the way these model clauses are approved by the national data protection authorities (“DPAs”).


    General rule

    As a general rule, organizations who use the standard contractual clauses that were adopted by the European Commission to frame their transfers of data outside the EEA cannot change them unless they seek the prior approval of the DPAs of the Member States from where transfers are taking place. Nonetheless, companies may include the standard contractual clauses in a wider contract and add specific clauses such as commercial clauses (as permitted under paragraph VII of the model clauses 2004/915/EC, clause 10 of the model clauses 2010/87/EC and recital 84 of the proposed Data Protection Regulation) as long as they do not contradict, directly or indirectly, the standard contractual clauses or prejudice the rights or freedoms of the data subjects. For example, it is possible to include additional guarantees or procedural safeguards for the individuals (e.g., on-line procedures or relevant provisions contained in a privacy policy).

    Need for authorizations

    In many EU Member States, a national authorization is required for the use of ad hoc contracts (e.g., Austria, Belgium, France, Germany (in some Länder), the Netherlands, Poland or Spain) or for transferring data outside the EEA on the basis of the EU model clauses (e.g., Austria, France or Spain). In practice, there has been a discrepancy between some DPAs who have traditionally been opposed to accepting any form of amendment to the model clauses and those who accept certain changes where they do not contradict the requirements under the model clauses.

    Purpose: Obtaining an ad hoc approval from those DPAs can be challenging, thus making it complicated for international organizations to implement ad hoc model clauses or intra-group data transfer agreements in the different EEA countries where their affiliates are located. As a consequence, this has created a legal risk for organizations because DPAs in different jursidictions might adopt a different position with regard to an organization’s contractual clauses.

    For this reason, the WP29 has created a new cooperation procedure with a view to providing a more harmonized interpretation of the EU model clauses and adopting a common approach when reviewing the contracts used by organizations that are based on the EU model clauses.

    Scope: This new cooperation procedure applies to both sets of model clauses that were adopted by the EU Commission covering controller-to-controller (2004/915/EC) and controller-to-processor (2010/87/EC) data transfers and is meant to be used where:

    • an organization wants to use a single set of contractual clauses that are based on the EU model clauses (but with some divergences such as additional clauses);
    • in different EEA Member States;
    • in order to frame a same type or similar transfers from different EEA Member States; and
    • this organisation wants to obtain a coordinated position of the competent DPAs regarding its proposed contract, and in particular, to verify whether this contract complies with the EU model clauses.

    For example, this would be the case in certain corporate groups, where data systems may be centralized outside the EEA, and subsequently, the same set of contractual clauses are signed by the different EEA subsidiaries (e.g., by means of an intra-group data transfer agreement). The WP 29’s document does not provide any specific examples, but one can expect that the DPAs will review a company’s contractual clauses on the basis of a pre-established list of criteria with a view to approving or rejecting changes that are made to the model clauses. Where such divergences have no impact on whether the contract complies with the EU model clauses, then it is not required to follow this procedure.

    It is not entirely clear whether this procedure can be used for transfers between an EEA processor and a non-EEA sub-processor. Earlier this year, the WP29 issued a draft version of its ad hoc model clauses covering such transfers, but these model clauses have yet to be formally drafted and adopted by the EU Commission, which is not yet the case (see our previous blog article).

    Procedure: The cooperation procedure is largely inspired by, and based on, the actual approval procedure for Binding Corporate Rules (“BCR”). At the beginning of the procedure, the organization must send a copy of its contract clearly highlighting all the divergences and additional clauses to a lead DPA. Once the lead DPA is approved, a formal review of the organization’s contract is carried out by the lead DPA to verify its conformity with the EU model clauses. For example, the lead DPA will verify whether the proposed contract is:

    – based on the EU model clauses;

    – diverts from, or contradicts, the EU model clauses; or

    – prejudices the rights of the individuals.

    Where the data are transferred from more than 10 Member States, two other DPAs will be appointed as co-reviewers. In all other situations, only one reviewer will be appointed in addition to the lead DPA. Once the lead DPA is satisfied that the contract complies with the EU model clauses, it issues an opinion in a draft letter and communicates the draft letter, the proposed contract and its analysis to the co-reviewer(s) who has one month to provide its comments. Following that, the draft letter is then sent to the remaining DPAs (in the countries where data are being transferred) who are part of the mutual recognition (they simply acknowledge receipt of the documentation without reviewing in detail) and to those who are part of the cooperation procedure (they have one month to review and provide their comments).

    Once all the DPAs have reviewed, the lead DPA signs the letter of opinion on behalf of all DPAs concerned and sends the letter to the organization, indicating whether the proposed contract is compliant with the EU model clauses. From that moment on, the procedure is closed and the organization may then obtain the necessary approval or permit in the different Member States for the transfer of data outside the EEA.

    Limitations: A significant difference with the BCR approval procedure is that the purpose of the cooperation procedure for model clauses is not for the DPAs to approve an organization’s contract as a whole, but rather to assess whether the proposed contract complies with the requirements under the EU model clauses. In other words, where the proposed contract integrates the EU model clauses within a wider commercial agreement, the lead DPA will review the contractual clauses that relate to data transfers, but will not review or adopt any opinion regarding the broader commercial terms of the agreement.

    This was clearly expressed by the CNIL in a press release issued on 24 April 2014 in which the CNIL stated, when referring to Microsoft’s “ad hoc model clauses”, that the WP 29 had considered that the documents provided by Microsoft complied with the data transfer requirements under the EU model clauses, but had not assessed whether Microsoft’s contractual clauses as a whole complied with EU data protection law, nor whether Microsoft complied with those rules in practice. In other words, the WP 29 simply agreed that Microsoft had taken the necessary precautions to frame its international data transfers as required by article 26 of the Data Protection Directive.

    Furthermore, the lead DPA’s letter of opinion does not exclude that permits or authorizations at a national level may be legally required, and companies may also be required to comply with other national requirements, such as notifications or administrative formalities with the DPAs. In particular, where permits or authorizations are legally required, national DPAs may still analyse the annexes and the description of the transfer in order to assess whether these are lawful under applicable national laws. In practice, this could mean that following the issuance of a letter of opinion, the organization in question may still need to put in place specific contractual terms to address the national requirements that apply to its local affiliates (e.g., specific security provisions to comply with laws in Spain or Poland) and, in any case, will need to obtain a formal approval for the transfer of data where required. Nonetheless, this cooperation procedure may facilitate the administrative formalities under national law, and in theory, the DPAs in the countries concerned should comply with the opinion given by the lead DPA when issuing their permits or authorizations under national law.

    Advantages: The main advantage of this procedure is that it will provide more clarity and legal certainty for organizations that want to put in place a single set of contractual clauses based on, or incorporating, the EU model clauses and are therefore seeking a common and coordinated position of the DPAs as to whether their contract complies with the EU model clauses. In that sense, the WP 29 has introduced some degree of flexibility by enabling organizations to depart from the EU model clauses and to tailor their contracts to their own circumstances.

    It also provides more clarity and a more harmonized interpretation of the EU model clauses by the DPAs and, in particular, makes it easier for organizations to use ad hoc contracts or intra-group agreements in countries where DPAs have traditionally been reluctant to approve such contracts. Consequently, this should enable organizations to adopt a more harmonized and consistent approach when rolling out their data transfer agreements across Europe.

    Disadvantages: The downside is that, in creating a new review process for model clauses which previously did not exist, the WP 29 could make it more burdensome in some cases to use the EU model clauses. Depending on the time it takes for the lead DPA to issue its letter of opinion, there is a risk that the overall time needed for an organisation to obtain the necessary permit or approval from the various DPAs before implementing its contractual clauses will be stretched.

    This procedure also puts organizations under more scrutiny by the DPAs. Officially, the cooperation procedure for model clauses is not obligatory, but organizations will nonetheless be pressured to follow it if their contracts depart from the EU model clauses. In practice, this means that rolling out ad hoc contracts or intra-group agreements will become less straightforward and, instead, more formalized.

    Finally, this procedure does not change the fact that, contrary to BCR, the EU model clauses do not constitute, and do not serve the purpose of, a group’s global policy. And so, organizations will inevitably need to have different sets of clauses to frame their data transfers as controller and processor, whereas BCR can be used as a single set of rules to frame all transfers both as a controller and a processor.



    Event alert: The new mechanism for international data transfers – APEC’s CBPRs demystified

    Posted on October 2nd, 2014 by

    On Friday 3 October, Fieldfisher will host an afternoon event entitled “The new mechanism for international data transfers – APEC’s CBPRs demystified” at our new offices in London.

    The event is designed to demonstrate how Cross Border Privacy Rules (“CBPRs”) and Binding Corporate Rules (“BCRs”) can be utilised to facilitate global data protection compliance. Hazel Grant, Fieldfisher’s new Head of Privacy, will chair the event which will also feature presentations from Anick Fortin-Cousens of IBM and Myriam Gufflet of the French data protection regulator (“CNIL”).

    • Ms Fortin-Cousens, leader of IBM’s Corporate Privacy Office and IBM’s CPO for Canada, Latin America and MEA, will provide a practical insight into CBPR. Earlier this year IBM became the first organisation to obtain Asia-Pacific Economic Cooperation’s (“APEC”) CBPR certification.
    • Ms Gufflet, BCR Division Manager at the CNIL, will tell us about the potential interoperability between BCRs and CBPRs. The CNIL has been closely involved in the work of the joint EU-APEC committee on this topic and was appointed as the Article 29 Working Party’s rapporteur in this matter.

    This event is aimed at legal counsel and privacy/compliance professionals in organizations with a global reach who would be interested in understanding how CBPR certification may improve their organization’s global data protection compliance.

    Networking drinks will follow the event and will allow attendees to meet privacy, e-commerce and technology law experts from a number of European countries (Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Hungary, Italy, the Netherlands, Poland, Portugal, Spain, Sweden, Switzerland and the UK) who form the Ecomlex network.

    A limited number of places remain available for the event. If you would like to attend, please register your interest by clicking on the following link.


    Challenges in global data residency laws – and how to solve them

    Posted on September 13th, 2014 by

    Whoever would have thought that, in a world where it seems nearly everything is connected, we would still have laws requiring that data be held within specific territories or regions?  Yet it seems that as more and more data moves online, is stored in the cloud, and gets transmitted all around the world and back in the blink of an eye, governments become ever more determined to introduce territorial restrictions limiting the movement of data.

    The best known example of this is the EU’s Data Protection Directive which forbids movement of personal data outside of Europe to territories that do not provide “adequate” data protection – or, in layman’s speak, territories that the EU doesn’t consider to be safe.  This rule can be dated back to a technological world where data sat in a single database on a single server, and legislators sought to guard against businesses moving data outside of the EU in an attempt to circumvent European data protection laws.  Against that backdrop, it was a very sensible rule to introduce.  20 years on from its adoption, it now starts to look a little long in the tooth.

    The problem is that legislative and regulatory thinking hasn’t advanced a great deal in that time.  Within those communities, there’s still a perception that data can, somehow, be kept within a single territory or region and not accessed or transmitted beyond those boundaries – or that, if it must, then implementing a standard form data protection agreement (so-called “model clauses”) between the ‘data exporter’ and the ‘data importer’ somehow solves the problem.

    But here’s the thing: it doesn’t.  Denying that international data movements are an integral and necessary part of the global data economy is like denying that the earth moves round the sun.  Spend any time dealing with cloud vendors, or social media platforms, or interest based advertising providers, and you’ll quickly learn that data gets stored in multiple geographic locations, often through chains of different subcontractors, and tens, hundreds and perhaps even thousands of different databases.  With that knowledge, legislating that data should be kept in-territory or in-region is at best pointless.  At worst, it’s economically disastrous.

    More than that, thinking that a ‘one size fits all’ set of model clause terms will somehow prove relevant across the multiplicity of different online business models that exist out there – or (and let’s be honest) that businesses executing those terms can and will actually comply with them – is nothing but a bad case of denial.

    But despite this, these so-called ‘data residency’ laws only seem to be growing in favour – inevitably spurred in part through post-Snowden mistrust of other countries’ data protection regimes and in part through misguided economic self-interest.  Other than the 31 countries in the European Economic Area that have adopted data residency requirements, other countries including Israel, Russia, Switzerland and South Africa (in EMEA), Argentina, Canada, Mexico and Uruguay (in the Americas), and Australia, India, Malaysia, Singapore and South Korea (in APAC) all have their own data residency rules.

    The great irony here is that these rules will not prevent international movements of data.  They won’t even hamper them to the slightest degree.  Data will move beyond boundaries just as it always has, only at an ever quicker and more voluminous rate.  All of which begs the question: if data residency rules are to have this head on collision with increasingly globalised use of data, what can businesses do to comply?

    For any large multinational organisation, there really is only one solution: Binding Corporate Rules.  Model clauses contain too many stiff and unworkable provisions that any commercial organisation would be very hesitant to sign – and, once the business reaches any sort of global scale, the prospect of regularly signing exponential numbers of model clauses quickly becomes very unattractive indeed.  Safe harbor is a fine solution, but only for transfers of data from Europe and Switzerland to the US and, with the future of safe harbor currently in doubt, doesn’t offer the longevity on which to build a robust compliance platform.

    So that leaves Binding Corporate Rules, which are specifically designed for large multinationals moving large volumes of data and for whom safe harbor and model clauses are not options.  More than that, Binding Corporate Rules have a regulatory recognition that extends beyond Europe – being expressly recognised in many non-EU countries as a valid solution for overcoming strict national data residency rules (Canada, Israel, South Africa, Singapore and Switzerland all being good examples).  And even in territories where Binding Corporate Rules don’t have express regulatory recognition, they’re at least generally tolerated as compliant with local data export regimes.

    In the current political climate, it’s highly unlikely that data residency rules will relax in the short- to mid-term.  At the same time, data protection rules are only set to get stricter and carry greater risk (interesting fact: in 2011 there were 76 countries with data protection laws; by 2013 there were 101; and there are currently another 24 countries with new incoming privacy laws). Businesses with any kind of global footprint need to prepare for this and build out their data governance programs accordingly, with Binding Corporate Rules offering the most widely recognised and future-proofed solution.

    Processor BCR have a bright future

    Posted on July 8th, 2014 by

    Last month, the Article 29 Working Party sent a letter to the President of the European Parliament about the future of Binding Corporate Rules for processors (BCR-P) in the context of the EU’s ongoing data privacy legislative reform.

    The letter illustrates the clear support that BCR-P have – and will continue to have – from the Working Party.  Whilst perhaps not surprising, given that the Working Party originally “invented” BCR-P in 2012 (having initially invented controller BCR way back in 2003), the letter affirms the importance of BCR-P in today’s global data economy.

    “Currently, BCR-P offer a high level of protection for the international transfers of personal data to processors” writes Isabelle Falque-Pierrotin, Chair of the Working Party, before adding that they are “an optimal solution to promote the European principles of personal data abroad.” (emphasis added)

    As if that weren’t enough, the letter also issues a thinly-veiled warning to the European Parliament, which has previously expressed skepticism about BCR-P: “denying the possibility for BCR-P will limit the choice of organisations to use model clauses or to apply the Safe Harbor if possible, which do not contain such accountability mechanisms to ensure compliance as it is provided for in BCR-P.”

    The Working Party’s letter notes that 3 companies have so far achieved BCR-P (and we successfully acted on one of those – see here) with a further 10 applications on the go (and, yes, we’re acting on a few of those too).

    Taking the helicopter view, the Working Party’s letter is representative of a growing trend for global organizations to seek BCR approval in preference over other data export solutions: back in 2012, just 19 organizations had secured controller BCR approval; two years later, and today that figure stands at 53 (both controller and processor BCR).

    There are several reasons why this is the case:

    1.  BCR are getting express legislative recognition:  The Commission’s draft General Data Protection Regulation expressly acknowledges the validity of BCR, including BCR-P, as a valid legal solution to EU’s strict data export rules.  To date, BCR have had only regulatory recognition, and then not consistently across all Member States, casting a slight shadow over their longer term future.  Express legislative recognition ensures the future of BCR – they’re here to stay.

    2.  Safe harbor is under increasing strain:  The ongoing US/EU safe harbor reform discussions, while inching towards a slow conclusion, have arguably stained its reputation irreparably.  US service providers that rely on safe harbor to export customer data to the US (and sometimes beyond) find themselves stuck in deal negotiations with customers who refuse to contract with them unless they implement a different data export solution.  Faced with the prospect of endless model clauses or a one-off BCR-P approval, many opt for BCR-P.

    3.  BCRs have entered the customer lexicon:  If you’d said the letters “B C R” even a couple of years ago, then outside of the privacy community only a handful of well-educated organizations would have known what you were talking about.  Today, customers are much better informed about BCR and increasingly view BCR as a form of trust mark (which, of course, they are), encouraging the service sector to adopt BCR-P as a competitive measure.

    4.  BCRs are simpler than ever before:  Gone are the days when a BCR application took 4 years and involved traveling all over Europe to visit data protection authorities.  Today, a well-planned and executed BCR application can be achieved in a period of 12 – 18 months, all managed through a single lead data protection authority.  The simplification of the BCR approval process has been instrumental in increasing BCR adoption.

    So if you’re weighing up the pros and cons of BCR against other data export solutions, then deliberate no longer: BCR, and especially BCR-P, will only grow in importance as the EU’s data export regime gets ever tougher.


    FTC in largest-ever Safe Harbor enforcement action

    Posted on January 22nd, 2014 by

    Yesterday, the Federal Trade Commission (“FTC”) announced that it had agreed to settle with 12 US businesses for alleged breaches of the US Safe Harbor framework. The companies involved were from a variety of industries and each handled a large amount of consumer data. But aside from the surprise of the large number of companies involved, what does this announcement really tell us about the state of Safe Harbor?

    This latest action suggests that the FTC is ramping up its Safe Harbor enforcement in response to recent criticisms from the European Commission and European Parliament about the integrity of Safe Harbor (see here and here) – particularly given that one of the main criticisms about the framework was its historic lack of rigorous enforcement.

    Background to the current enforcement

    So what did the companies in question do? The FTC’s complaints allege that the companies involved ‘deceptively claimed they held current certifications under the U.S.-EU Safe Harbor framework’. Although participation in the framework is voluntary, if you publicise that you are Safe Harbor certified then you must, of course, maintain an up-to-date Safe Harbor registration with the US Department of Commerce and comply with your Safe Harbor commitments.

    Key compliance takeaways

    In this instance, the FTC alleges that the businesses involved had claimed to be Safe Harbor certified when, in fact, they weren’t. The obvious message here is don’t claim to be Safe Harbor certified if you’re not!  

    The slightly more subtle compliance takeaway for businesses who are correctly Safe Harbor certified is that they should have in place processes to ensure:

    • that they keep their self-certifications up-to-date by filing timely annual re-certifications;
    • that their privacy policies accurately reflect the status of their self-certification – and if their certifications lapse, that there are processes to adjust those policies accordingly; and
    • that the business is fully meeting all of its Safe Harbor commitments in practice – there must be actual compliance, not just paper compliance.

    The “Bigger Picture” for European data exports

    Despite this decisive action by the FTC, European concerns about the integrity of Safe Harbor are likely to persist.  If anything, this latest action may serve only to reinforce concerns that some US businesses are either falsely claiming to be Safe Harbor certified when they are not or are not fully living up to their Safe Harbor commitments. 

    The service provider community, and especially cloud businesses, will likely feel this pressure most acutely.  Many customers already perceive Safe Harbor to be “unsafe” for data exports and are insisting that their service providers adopt other EU data export compliance solutions.  So what other solutions are available?

    While model contracts have the benefit of being a ‘tried and tested’ solution, the suite of contracts required for global data exports is simply unpalatable to many businesses.  The better solution is, of course, Binding Corporate Rules (BCR) – a voluntary set of self-regulatory policies, adopted by a business, which satisfy EU data protection standards and which are submitted to, and authorised by, European DPAs.  Since 2012, service providers have been able to adopt processor BCR, and those that do find that this provides them with a greater degree of flexibility to manage their internal data processing arrangements while, at the same time, continuing to afford a high degree of protection for the data they process.

    It’s unlikely that Safe Harbor will be suspended or disappear – far too many US businesses are dependent upon it for their EU/CH to US data flows.  However, the Safe Harbor regime will likely change in response to EU concerns and, over time, will come under increasing amounts of regulatory and customer pressure.  So better to consider alternative data export solutions now and start planning accordingly rather than find yourself caught short!


    Legislative realism needed

    Posted on November 25th, 2013 by

    One thing that is clear in the context of the ongoing EU data protection reform is that speculation is rife. Everyone seems to have a view on what will happen. Most people seem to think that the chances of agreeing a new framework before the end of the current Parliament in April 2014 are pretty much nil. A few others are more hopeful and believe that the political will of those involved and the relentless enthusiasm of the European Commission may just be powerful enough to achieve a little miracle. At a more granular level, speculation about the future of Safe Harbor or BCR for processors, and about the outcome of the interlinked debates on the concept of personal data, consent, legitimate interests, profiling, one-stop-shop and a hundred other micro-issues is only creating more questions than answers.

    So whilst we wait for the Council of the EU to make its move and give us a clearer idea of how big the gap may be between its own position and those of the Commission and the Parliament, it is perhaps time to take stock of where we are at the moment. The legislative process has progressed at a steady pace since the European Commission revealed its blueprint for a new framework in November 2010 – it seems like a decade ago in ‘Internet time’! But the reality is that the drafts we have on the table today still follow relatively closely the Commission’s vision of three years ago: an ambitious, harmonised regime with strong rights and tight data protection standards. Whether we like it or not, and in the absence of some really catchy radical thinking, the resulting legal framework – whenever it happens, in 5 months or 15 months – will most likely follow this pattern.

    Since a radical new approach is unlikely to steal the show at this stage, here are some suggestions for some modest tweaks to the current drafts that might contribute to make the forthcoming regime a bit more realistic and workable:

    Personal data – It is quite outrageous that we are still trying to figure out whether someone’s name is personal data, as the UK courts are currently doing. If we cannot nail that one down, how are we ever going to decide whether the knowledge derived from the fact that one can turn on a toaster with an iPhone is personal data? Let’s therefore define personal data by reference to the impact that information about someone may have on that individual.

    Consent – There is no point in playing around with the definition. Irrespective of whether we leave the word ‘explicit’ in it or not, everybody is going to interpret it in whichever way they want. Let’s focus instead on accepting that the role of consent as the essence of privacy is massively overrated. We as individuals simply cannot control every possible use of our information. Therefore, consent should have a limited role as a ground for processing, and be reserved for uses of data where the level of intrusion is potentially high and we may actually have a meaningful degree of control. Very few cases indeed.

    International data transfers – Until now, UK controllers have been privileged enough to operate under a regime which effectively allows them to carry out a risk-based assessment of the appropriate measures to protect data internationally. Whilst this may have been possible under the Directive, no matter how hard the UK Government may try to preserve this approach, this is unlikely to continue to be an option under the Regulation – particularly in the current post-Snowden climate. A more palatable alternative across Member States would be to allow data flows on the basis of agreements between parties within and outside the EU but without the need for specific authorisation by national regulators. Hardly an earth shattering move, but one that would help minimise useless paperwork.

    One-stop-shop – This is one of the most promising features of the forthcoming law and possibly the flagship of the Commission’s proposals for a harmonised regime. Unfortunately and due to unhelpful political rivalries, we seem to have got ourselves into a mess of shared competences between national regulators – both individually and collectively. Isn’t it time to be brave and accept the leadership of an exclusively competent regulator who will at the same time endeavour to cooperate with their European counterparts? If so, let’s make it happen and also apply this concept to cases where the data controllership is outside Europe.

    Some will see these suggestions as idealistic and some will see them as biased. In fact, they are simply meant to be effective.

    This article was first published in Data Protection Law & Policy in November 2013.

    The conflicting realities of data globalisation

    Posted on June 17th, 2013 by

    The current data globalisation phenomenon is largely due to the close integration of borderless communications with our everyday comings and goings. Global communications are so embedded in the way we go about our lives that we are hardly aware of how far our data is travelling every second that goes by. But data is always on the move and we don’t even need to leave home to be contributing to this. Ordinary technology right at our fingertips is doing the job for us, leaving behind an international trail of data – some more public than others.

    The Internet is global by definition. Or more accurately, by design. The original idea behind the Internet was to rely on geographically dispersed computers to transmit packets of information that would be correctly assembled at destination. That concept developed very quickly into a borderless network and today we take it for granted that the Internet is unequivocally global. This effect has been maximised by our ability to communicate whilst on the move. Mobile communications have penetrated our lives at an even greater speed and in a more significant way than the Internet itself.

    This trend has led visionaries like Google’s Eric Schmidt to affirm that thanks to mobile technology, the amount of digitally connected people will more than triple – going from the current 2 billion to 7 billion people – very soon. That is more than three times the amount of data generated today. Similarly, the global leader in professional networking, LinkedIn, which has just celebrated its 10th anniversary, is banking on mobile communications as one of the pillars for achieving its mission of connecting the world’s professionals.

    As a result, everyone is global – every business, every consumer and every citizen. One of the realities of this situation has been exposed by the recent PRISM revelations, which highlight very clearly the global availability of digital communications data. Perversely, the news about the NSA programme is set to have a direct impact on the current and forthcoming legislative restrictions on international data flows, which is precisely one of the factors disrupting the globalisation of data. In fact, PRISM is already being referred to as a key justification for a tight EU data protection framework and strong jurisdictional limitations on data exports, no matter how nonsensical those limitations may otherwise be.

    The public policy and regulatory consequences of the PRISM affair for international data flows are pretty predictable. Future ‘adequacy findings’ by the European Commission as well as Safe Harbor will be negatively affected. We can assume that if the European Commission decides to have a go at seeking a re-negotiation of Safe Harbor, this will be cited as a justification. Things will not end there. Both contractual safeguards and binding corporate rules will be expected to address possible conflicts of law involving data requests for law enforcement or national security reasons in a way that no blanket disclosures are allowed. And of course, the derogations from the prohibition on international data transfers will be narrowly interpreted, particularly when they refer to transfers that are necessary on grounds of public interest.

    The conflicting realities of data globalisation could not be more striking. On the one hand, everyday practice shows that data is geographically neutral and simply flows across global networks to make itself available to those with access to it. On the other, it is going to take a fair amount of convincing to show that any restrictions on international data flows should be both measured and realistic. To address these conflicting realities we must therefore acknowledge the global nature of the web and Internet communications, the borderless fluidity of the mobile ecosystem and our human ability to embrace the most ambitious innovations and make them ordinary. So since we cannot stop the technological evolution of our time and the increasing value of data, perhaps it is time to accept that regulating data flows should not be about putting up barriers but about applying globally recognised safeguards.

    This article was first published in Data Protection Law & Policy in June 2013.