EU seeks to simplify cross-border data protection compliance
30 November 2011, 04:13
To make it simpler for businesses to comply with the multiplicity of data protection regimes across Europe, Viviane Reding envisages letting European Union companies set their own privacy rules -- as long as they agree with one national data protection authority (DPA) to make them legally binding on all business units within the same group, wherever they may be.
Reding, vice president of the European Commission, hopes to make it much simpler to negotiate such binding corporate rules (BCRs) under new data protection regulations she plans to present early next year, she said Tuesday at a conference in Paris organized by the International Association of Privacy Professionals.
Such BCRs are not provided for in the current E.U. data protection directive, which dates back to 1995. However, companies including Bristol-Myers Squibb and General Electric (GE) have already negotiated them on a piecemeal basis over the last decade for many of the countries where they operate, working with individual DPAs or through mutual recognition agreements that cover 19 of the 27 E.U. member states.
Based on European data protection standards, the BCRs Reding would like to introduce are codes of practice ensuring "adequate safeguards" for data transfers between parts of the same corporate group, she said. Adopted voluntarily by businesses, they will become legally binding wherever the company operates once approved by a data protection authority in just one of the 27 E.U. countries.
BCRs developed as a way for European businesses to transfer data outside the E.U., perhaps into a cloud service where the precise location of data cannot be ascertained, and are compatible with any corporate culture, whether decentralized such as a hotel chain or centralized such as a bank, Reding said.
She wants to improve on them by making them simpler to create, more consistent in their enforcement and more accommodating of innovation.
Such changes are necessary because our world is no longer defined by physical borders, she said. "Data races from Barcelona to Bangalore. It is processed in Dublin, stored in California and accessed in Milan. The transfer of data to third countries has become an important part of daily life, and this affects businesses and citizens."
BCRs today need approval from a DPA in each E.U. country where a group is active, so one set of rules must satisfy multiple authorities with different, perhaps contradictory, practices or legislation. "That wastes time and money," said Reding.
Instead, she wants to see BCRs based on one law, defined in a new European regulation.
This change in legislative instrument, from the existing directive to a new regulation, is key to Reding's plan, said Wojciech Rafal Wiewiórowski, Poland's inspector general for the protection of personal data.
In legal disputes, parties can only refer to the directive if they are suing the state: in all other cases, it is the national law transposing the directive that governs disputes, Wiewiórowski said. "But if the legal basis is set in a regulation, it is binding not just for DPAs and state authorities but also for every entity in the market," he said in a later panel session on the topic of BCRs. "That means companies can sue each other according to the BCRs."
Reding plans to have the new BCRs ratified by a single DPA, but Wiewiórowski wondered whether E.U. countries are ready to hand over such powers to a single authority. "Probably not," was his verdict.
He raised other problems with compliance monitoring.
"Who will say whether a company is fulfilling its responsibilities under a BCR?" he asked. "Let's assume it's the DPAs: that works in Europe, but that's not really the problem. The problem is those companies moving data outside Europe."
In the U.S., we can count on the support of the Federal Trade Commission, and Mexico too has a strong data protection authority, he said. "But what about Laos? Who will check what is going on in a data center in Laos?"
Despite these reservations, other panelists have already implemented BCRs, and urged audience members to move ahead with their own without waiting for Reding to introduce the new regulation.
When Bristol-Myers Squibb negotiated its BCR with the French National Commission on Computing and Liberty (CNIL), the approval process took over eight months, said Caroline Cavaillier, the company's E.U. data protection officer. DPAs in Germany and Spain also vetted the first draft, and the BCR has since simplified data transfers for the company, she said.
At GE, work on the first BCR started in 2001, with the company getting approvals in Germany in July 2003 and in France in October 2005, said Christian Pardieu, the company's E.U. data protection officer. With the help of the U.K. Information Commissioner's Office, it subsequently negotiated 10 others with the countries with which the ICO had mutual recognition agreements.
"But that's still only 12 out of 27 countries," Pardieu said. "We have so many entities in so many countries that signing data transfer clauses and seeking legal certainty is a nightmare."
For him, a single BCR recognized in all 27 E.U. countries can't come too soon -- although there's no reason to wait for the new regulation, he said: "Start right now, don't wait for new regulations. It's costly, but you build trust with the customer and with employees. That's the meaning of these privacy principles."
Peter Sayer covers open source software, European intellectual property legislation and general technology breaking news for IDG News Service. Send comments and news tips to Peter at peter_sayer@idg.com.