1 Model Contracts & Binding Corporate Rules: Reflections from Working with Global Organizations Conference on Cross Border Data Flows, Data Protection and Privacy October 16, 2007 James Koenig, Co-Leader Privacy & Data Protection Practice
2 Agenda Part I Evolution and Drivers for Large Companies in Designing Global Approaches Part II Key Operational Considerations and Success Factors What Other Companies Are Doing Questions
3 Part I Evolution and Drivers for Large Companies in Designing Global Approaches
4 The global picture: Data protection laws around the world Argentina, Armenia, Australia, Austria, Bahrain, Belgium, Botswana, Brazil, Bulgaria, Cameroon, Canada, Canada - Northwest Territories and Nunavut, Chile, Cote d'ivoire, Croatia, Cyprus, Czech Republic, Denmark, Dubai, Egypt, Ethiopia, Finland, France, Germany, Ghana, Greece, Hong Kong, Hungary, Iceland, Ireland, Israel, Italy, Japan, Jordan, Kazakhstan, Kenya, Kuwait, Lebanon, Lithuania, Mauritius, Mexico, Morocco, Netherlands, New Zealand, Nigeria, Norway, Peru, Poland, Portugal, Qatar, Romania, Russia, Saudi Arabia, Singapore, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan, Tanzania, Thailand, Tunisia, Turkey, Uganda, Ukraine, United Arab Emirates, United Kingdom, United States, Uzbekistan, Zambia Many countries with Privacy Laws
5 Evolution of Compliance Methods Used & Key Drivers Wait and See Approach. Companies often want to see what actions industry and regulators take. Safe Harbor Had a Slow Start. Once other companies had experience and regulatory considerations better know, elections under the Safe Harbor increased. Model Contracts and Binding Corporate Rules. - Initial Uses. Model Contract were initially considered on a transactional or single purpose, while Binding Corporate Rules were considered, but pursued in the context of enforcements. - Both Now Increasingly Considered by Large Global Companies as Viable Options. Recent changes have made both more attractive to companies. - Increasingly Companies Appreciate the Importance of Developing a Compliance Approach. Business is increasingly conducted on a global basis with global operations, workforce and vendors, and companies are increasing activities in this area. EU Investigations Activity. Recently, data protection authorities have increased investigations and recommendations for criminal prosecution. Strength in Numbers. Trends by industry and certainty important.
6 Part II Key Operational Considerations and Success Factors What Other Companies Are Doing
7 Key Operational Considerations and Success Factors Context and Timing for Decision May Be Determinative. A business transaction, system or business launch often drive the timing and solution to be used. Speed and Certainty. - Model Contracts. Model Contracts provide a quick solution if the provisions can be maintained. Businesses often view these as a high bar and difficult (if not expensive) to maintain. - BCR. Data Protection Authority review and approval of Binding Corporate Rules viewed as a timing consideration as well as a potential legal uncertainty given there is less of a track record. Flexibility and the Ability to Adapt to Changes. - Model Contracts. Model Contracts are detailed and specific as to transfers and uses. Companies often are concerned about retaining flexibility for their business and data usage and handling to change over time. - BCRs. Binding Corporate Rules are viewed by most companies as a flexible tool.
8 Key Operational Considerations and Success Factors Defining Standards. Both Model Contracts and BCRs do not have detailed requirements around technical standards and specific security safeguards. - In preparing the Model Contracts and BCRs documents, companies often are not detailed or select aspiration standards. - Consistency in practices and compliance become challenges when operationalized or raise interpretational issues during assessments and audits. Basis for Standards. Model Contracts and supporting documentation explicitly provide the obligations, and for BCRs, there are three documents from the Article 29 Working Party that are key in determining the process for pursuing BCR. - WP 74. WP 74 provides that BCRs would be a viable alternative for cross-border transfers, but many companies viewed the approach as one that would be burdensome (and potentially expensive). - WP 107 & WP 108. WP 107 (application and coordination procedures) and WP 108 (application and checklist for seeking approval) significantly clarify much of what was set out in WP 74. WP 108 is largely a checklist for seeking approval of BCRs and concentrates on the matters that a DPA needs to consider in the assessment of adequacy.
9 Key Operational Considerations and Success Factors Trend #1 Is to Use Data Element Inventories to Data Classifications to: - Identify scope systems, business processes and countries - Provide specific standards for internal security assessments and audits - Detail obligations of vendors and to identify risks. Trend #2 Is to Take Advantage Where Appropriate More than One Compliance Method Trend # 3 Is to Use Data Architecture to Simplify Obligations - Reduce the number of service providers and others touching and accessing information - Reducing the countries involved
10 Key Operational Considerations and Success Factors Global Scope Considerations. There can be multiple compliance mechanisms. - Model Contracts. Companies often consider whether to include all affiliates/subsidiaries in the network or just the ones involved in EU trans-border data flows. Data Protection practices and laws vary vastly around the world, so developing a policy will result in raising the bar in some parts of the world, while falling short of local laws in others. If there are different contracts for different arrangements and different parts of the world, compliance becomes inconsistent and audit becomes challenging. Also, depending on how country operations are managed by the enterprise, there may be a challenge to stick as closely to EU model clauses while also producing some benefit/value to non-eu entities in the network. Issues arise as to who should be responsible for assessments and local nuances in standards and governance. - BCRs. While designed with the EU in mind, Binding Corporate Rule can be as flexible as your policy/rules are drafted, and increasingly viewed by global regulators as a viable approach.
11 Key Operational Considerations and Success Factors Assessment & Compliance Trend #1. Companies have varying approaches as to the extent of assessment required before entering into model contracts/intra-group agreements and Binding Corporate Rules. Trend #2. Connections to other key compliance areas are increasing due to common frameworks and pressure for efficiency in internal audit. Global ongoing compliance responsibilities are an important consideration. - Model Contracts. Often a contract compliance and audit approach can be leveraged, but often a full data protection program is necessary the larger and more diverse the organization. Large companies often believe that model contract complexity (due to basing on model clauses) raised interpretive questions related to assessment and remediation. - BCRs. BCRs can be rolled-out and monitored consistent with overall approach to company policies and procedures. Issues arise where there is an immature compliance function. This is where senior management support and leveraging key other compliance mechanisms and approaches are beneficial.
12 Closing Thoughts As Companies mature their global privacy and data protection programs, points of leverage and consistency across regulations can be developed and novel approaches developed. As leaders in industries move, the rest of the industry will move. As more companies have positive experience with Binding Corporate Rules, experiences will be shared and others will follow.
13 Please direct questions/inquires to: James Koenig, Co-Leader Privacy & Data Protection Practice PricewaterhouseCoopers LLP. All rights reserved. "PricewaterhouseCoopers" refers to PricewaterhouseCoopers LLP (a Delaware limited liability partnership) or, as the context requires, other member firms of PricewaterhouseCoopers International Ltd., each of which is a separate and independent legal entity. *connectedthinking is a trademark of PricewaterhouseCoopers LLP.