
EU seeks to simplify cross-border data protection compliance

Companies will be able to negotiate pan-European agreements with a single authority, rather than country by country as now

By Peter Sayer, IDG News Service
November 29, 2011 12:20 PM ET

To make it simpler for businesses to comply with the multiplicity of data protection regimes across Europe, Viviane Reding envisages letting European Union companies set their own privacy rules -- as long as they agree with one national data protection authority (DPA) to make them legally binding on all business units within the same group, wherever they may be.

Reding, vice president of the European Commission, hopes to make it much simpler to negotiate such binding corporate rules (BCRs) under new data protection regulations she plans to present early next year, she said Tuesday at a conference in Paris organized by the International Association of Privacy Professionals.

Such BCRs are not provided for in the current E.U. data protection directive, which dates back to 1995. However, companies including Bristol-Myers Squibb and General Electric (GE) have already negotiated them on a piecemeal basis over the last decade for many of the countries where they operate, working with individual DPAs or through mutual recognition agreements that cover 19 of the 27 E.U. member states.

Based on European data protection standards, the BCRs Reding would like to introduce are codes of practice ensuring "adequate safeguards" for data transfers between parts of the same corporate group, she said. Adopted voluntarily by businesses, they will become legally binding wherever the company operates once approved by a data protection authority in just one of the 27 E.U. countries.

BCRs developed as a way for European businesses to transfer data outside the E.U., perhaps into a cloud service where the precise location of data cannot be ascertained, and are compatible with any corporate culture, whether decentralized such as a hotel chain or centralized such as a bank, Reding said.

She wants to improve on them by making them simpler to create, more consistent in their enforcement and more accommodating of innovation.

Such changes are necessary because our world is no longer defined by physical borders, she said. "Data races from Barcelona to Bangalore. It is processed in Dublin, stored in California and accessed in Milan. The transfer of data to third countries has become an important part of daily life, and this affects businesses and citizens."

BCRs today need approval from a DPA in each E.U. country where a group is active, so one set of rules must satisfy multiple authorities with different, perhaps contradictory, practices or legislation. "That wastes time and money," said Reding.

Instead, she wants to see BCRs based on one law, defined in a new European regulation.

This change in legislative instrument, from the existing directive to a new regulation, is key to Reding's plan, said Wojciech Rafal Wiewirowski, Poland's inspector general for the protection of personal data.

In legal disputes, parties can only refer to the directive if they are suing the state: in all other cases, it is the national law transposing the directive that governs disputes, Wiewirowski said. "But if the legal basis is set in a regulation, it is binding not just for DPAs and state authorities but also for every entity in the market," he said in a later panel session on the topic of BCRs. "That means companies can sue each other according to the BCRs."
