A Short Guide to Binding Corporate Rules (BCRs) for EU Privacy. by Maggie Gloeckle & Daniel J. Solove


Table of Contents

Preface
Introduction
Why Binding Corporate Rules?
Step 1: Get Your House in Order
Step 2: Make Key Logistical Decisions
- Type of Entity
- Enforceability of the BCR
- Ensuring Compliance
- Planning for How to Deal with Incidents
Step 3: Figuring Out Where to File and Selecting a Lead DPA
- The Functions of a Lead DPA
- Choosing a Lead DPA
- Appointing a Member
Step 4: Drafting the BCRs
- Bindingness
- Effectiveness
- Cooperation with Data Protection Authorities
- Description of Data Processing and Data Flows
- Process to Notify Data Protection Authorities
- Data Protection Safeguards
Step 5: Submitting the Draft Application
Step 6: Review Process
- Selection of a DPA
- Circulation of Application to Interested DPAs
- Lead DPA Review Regarding Working Paper 153 Checklist
- Distribution of Consolidated Draft to All DPAs
Step 7: Submitting the Final Application
Step 8: Approval and Requests for Authorization of Transfer
Conclusion: The Key to a Smooth and Successful BCR Process
Glossary
References
About the Authors

Preface

Obtaining BCRs might seem like climbing Mount Everest, but this short guide will hopefully clear up points of confusion and provide a useful roadmap for how to obtain BCRs. I have written this guide with Maggie Gloeckle, who has been the primary researcher and author. I'm happy to help make this guide available for all who might find it to be of use.

-- Daniel J. Solove

Introduction

You have thought about filing a Binding Corporate Rules (BCRs) application but are not sure where to begin. You have heard that it can take an eternity and is quite complex. But don't let these things stop you. Applying for BCRs takes work but is manageable.

In the recently released EU General Data Protection Regulation, Chapter 5 (Transfer of Personal Data to Third Countries or International Organizations), Article 47 identifies Binding Corporate Rules as an appropriate safeguard for transferring personal information. This guide will provide an overview of the BCR process and the journey to filing BCRs. The guidance here comes from working papers issued by the Article 29 Working Party, which provides the EU Commission with independent advice on data protection matters and helps in the development of harmonized policies for data protection in the EU countries.

Why Binding Corporate Rules?

Data can only be transferred to countries outside the EU and the European Economic Area (EEA) when an adequate level of protection is guaranteed. Adequacy is determined by the European Commission. Outside of the 28 EU countries and the three EEA countries of Norway, Liechtenstein and Iceland, there are only a handful of countries the Commission has deemed to have an adequate level of protection. These locations include Andorra, Argentina, Canada (commercial organizations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay, among others. When transferring data to countries outside of the EEA that do not meet the EU data protection standard, special precautions must be taken. Especially after the demise of the US-EU Safe Harbor Arrangement, BCRs are a great option for multinational companies that need to transfer personal data internally to offices and affiliates located in countries where there isn't an adequate level of protection. About 80 companies have gone through this process; the list can be found on the EU data protection site.

A primary advantage of BCRs is that there is no longer a need for individual contracts (standard contractual clauses) each time data needs to be transferred between companies that are part of the same multinational group. In addition, BCRs provide a consistent, methodical approach to protecting personal data within the group, which benefits not only the organization but also employees in protecting and managing personal data, as well as managing the risk of transferring data to third countries.

Step 1: Get Your House in Order

Before beginning the BCR journey, be sure to get your house in order. To begin the process, it is important to set a baseline. This means analyzing your organization's current privacy principles, policies, and procedures. What is in place? How current is everything? To what level have practices and policies been documented?

BCRs must contain privacy principles, policies, and procedures, as well as tools of effectiveness (audit, training, complaint handling). Perform the same analysis for audit, training, and complaint handling. You may be asked to provide the DPA with some examples of your training programs, showing what is currently in place within your organization for colleagues who have permanent or regular access to personal data.

Compare everything analyzed above to the requirements of the BCR by conducting a gap analysis. The gap analysis will be a good barometer of what needs to be enhanced or improved, what is missing, and what should be put in place. Once completed, assess what resources will be required to review the current state of your organization and what actions need to occur to meet the requirements of BCRs. Determine whether getting everything in order can be done internally or whether external resources are needed.

Step 2: Make Key Logistical Decisions

Once you are confident that the privacy principles and documentation are addressed, you must make some key logistical decisions. To address these questions, you may have sufficient resources in house within your internal departments, or you may consider bringing in outside resources.

Type of Entity

Are you planning to file as a controller, processor, or both? Note: This decision will be based on how you conduct business. Do you provide direction on how personal data is processed, or are you taking direction on how to process personal data?

A controller is a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. A processor is a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

Enforceability of the BCR

How will the BCRs be binding (legally enforceable) on all companies or entities that are part of the same multinational company (referred to as members)? A few examples of how BCRs may be made enforceable:

- Binding corporate or contractual rules that you can enforce against the other members of the group (intra-group agreement);
- Unilateral declarations or undertakings made or given by the parent company which are binding on the other members of the group;
- Incorporation of other regulatory measures, for example, obligations contained in statutory codes within a defined legal framework; or
- Incorporation of the rules within the general business principles of an organization, backed by appropriate policies, audits and sanctions.

Seek advice on what method is suitable for your organization based on its corporate structure. This is outlined in Working Paper 74 and Working Paper 108.

How will the BCR be legally enforceable on employees? Will it be part of an employment agreement, a company policy, or some other method? What recourse will be in place if employees violate the BCRs?

Ensuring Compliance

How do you ensure compliance with the BCRs? Who needs to be involved? What internal discussions need to take place? Who needs to sign off? How will you address subcontractors' compliance with your BCR?

Planning for How to Deal with Incidents

If there is a breach, which member of your group should accept responsibility and remedy the actions of other members of the group? Essentially, who pays? Are there sufficient assets to cover a claim? Can you provide proof that there are sufficient assets to cover a claim? How do you address third party beneficiary rights for a data subject, from filing complaints with a DPA to bringing a court action or being sued?

Step 3: Figuring Out Where to File and Selecting a Lead DPA

How do you determine where to file your application and which DPA you should apply to?

The Functions of a Lead DPA

DPAs are governmental entities responsible for the protection of personal data. If you want the BCRs to cover several countries, you do not have to apply directly to each and every country. A lead DPA becomes the main point of contact and handles the procedure for review during the BCR review process. Under the mutual recognition process, once the lead DPA determines that the BCRs meet the requirements set out in the working papers, the DPAs under mutual recognition accept this opinion as a sufficient basis for providing their own national permit or authorization for the BCRs. Currently, 21 countries are part of the mutual recognition process.

If you are seeking approval from several DPAs, propose a lead DPA who will be the lead authority. Working Paper 107 provides guidance. The lead DPA acts on your behalf in reviewing the application with all DPAs in the countries where data transfers are to take place. The lead DPA takes the lead in considering whether the BCR meets the requirements set out in the working papers. Through mutual recognition, 21 countries will accept the decision of the lead DPA that the requirements have been met. Countries not part of mutual recognition will conduct their own review and ensure that the BCR complies with the requirements set out in Working Paper 29.

Choosing a Lead DPA

Your choice of a lead DPA is based on factors such as:

- the location of [your corporate group's] European headquarters;
- the location of the company within the group with delegated data protection responsibilities;
- the location of the company which is best placed (in terms of management function, administrative burden, etc.) to deal with the application and to enforce the binding corporate rules in the group;
- the place where most decisions in terms of the purposes and the means of the processing are taken; and
- the member states within the EU from which most transfers outside the EEA will take place.

Appointing a Member

If the headquarters of the corporate group is not located within the EU or EEA, the group will need to appoint a member (a company or entity within the same multinational corporation) that will have delegated data protection responsibilities. The member will be the key or single point of contact for the lead data protection authorities to communicate with. This member will also have responsibility for paying compensation for any damages if the BCRs are violated by any of the group members.

Step 4: Drafting the BCRs

Working Paper 153 provides a full checklist of what is to be included in the BCRs. The main items include:

- Bindingness
  - internal enforcement
  - external enforcement
  - accessibility
  - liability
- Effectiveness
  - training program
  - complaint handling
  - audit program
  - profile of privacy organization
- Cooperation with DPAs
- Description of Data Processing and Data Flows
- Process to Notify DPAs
- Data Protection Safeguards

Bindingness

The BCRs must be binding (enforceable) internally and externally.

Internal Enforcement. Internally, BCRs must be enforceable against (bind) group members, employees, and subcontractors.

External Enforcement. Externally, BCRs must provide rights to data subjects who want to file a complaint with the data protection authority and/or initiate a court action.

Accessibility. The BCRs must also be easily accessible to all data subjects, including third party beneficiaries. For example, the BCRs can be made available publicly via the internet or internally via an intranet for employees.

Liability. The BCRs must also address liability. Who pays in the event of a violation? Does the company have sufficient assets for compensation of damages in the event of a breach?

Effectiveness

The BCRs must provide mechanisms to ensure effectiveness, such as training, complaint handling procedures, an audit program, and a profile of your privacy organization.

Training. There must be a training program for those who have permanent or regular access to personal data. The BCR must describe the awareness training that is in place. The DPAs who are reviewing the application may ask for some examples of your current training programs.

Complaint Handling. For complaint handling, describe how complaints are handled both internally and externally. Where do data subjects complain? Is there a form? Who handles complaints? How are responses handled? How do you address situations when the data subject is not satisfied with the response?

Auditing. For auditing, provide a description of your audit program. Data protection audits are required to take place on a regular basis. Audits should cover all aspects of the BCRs. Audits can be performed by an internal audit team, by an external auditor, or by a combination of both. You should also describe the method to ensure that corrective actions are performed in response to audit results. Audit results should be made available to the privacy officer and the Board of Directors. Audit results must also be provided to DPAs upon their request.

Profile of Privacy Organization. The profile of your privacy organization is not part of the application, but it is a document that must be included in the overall submission. Is there a network of privacy officers? How is the internal structure set up? What are the roles and responsibilities of the members of the privacy team? How do they ensure compliance with global privacy laws and at a local level? How are major privacy issues reported?

Cooperation with Data Protection Authorities

The BCRs must describe the structure that is in place for cooperation (including auditing) with DPAs. How will your organization ensure that advice provided by the DPA is followed?

Description of Data Processing and Data Flows

The BCRs must provide a general description of the transfers (type of data -- for example, human resource data) so that the DPAs can determine if the processing carried out in third countries is adequate. More specifically, what is the nature and purpose of the data processed and transferred? What is the geographic area covered, and where are the data importers and exporters? Are they in the EU or outside of the EU? The DPA will need to assess whether or not all countries to which the data will be transferred have an adequate level of protection, either by their domestic laws or by international commitments they have entered into. What is the scope of the BCR? Does it apply to employees, customers, suppliers or other third parties as part of regular business activities?

Process to Notify Data Protection Authorities

BCRs must include a process to provide updates to data protection authorities on material changes (such as changes to group members). Substantial changes to the BCRs or changes in membership should be reported once a year, along with an explanation, and sent to the DPAs who granted the BCRs.

Data Protection Safeguards

The BCRs must explain how the data protection principles are carried out in the organization. These principles include fairness, transparency, purpose limitation, data quality, security measures, the rights of access, rectification and objection to processing, and restrictions on data transfers. The BCRs should also include the list of entities that will be bound by the BCR.

Step 5: Submitting the Draft Application

The application process begins with the submission of a draft application. After a review process, a final application will need to be submitted. When submitting the applications (draft and final), submit both a paper version and an electronic version. The electronic version will be forwarded to interested DPAs. The submission (draft and final) should be in the language of the lead DPA, in addition to submitting an English version.

Step 6: Review Process

Selection of a DPA

Select a DPA, or a lead DPA if looking for approval by several DPAs. The lead DPA chosen will review the draft application and determine if it is the appropriate DPA to review the application.

Circulation of Application to Interested DPAs

If the lead DPA agrees, the application is circulated to other interested DPAs. Interested DPAs are all the DPAs in the countries from where the transfers are to take place, as specified by the applicant. Interested DPAs may object to the selection of the lead DPA. If the lead DPA disagrees with its selection as the lead DPA, it will provide an explanation for its decision and a recommendation as to which DPA would be more appropriate to review the application. Interested DPAs have two weeks to object, which can be extended by an additional two weeks, i.e. one month from the time the papers were first circulated.

Lead DPA Review Regarding Working Paper 153 Checklist

The lead DPA will review the draft application submitted to make sure that the Working Paper 153 checklist has been followed. The lead DPA may have comments on the draft application submitted and provide the applicant an opportunity to update it before the draft is distributed. Once satisfied that the requirements of Working Paper 153 are met, the applicant will be asked to submit a consolidated draft.

Distribution of Consolidated Draft to All DPAs

Once the draft is updated with comments from the lead DPA, the consolidated draft is distributed to all DPAs in the countries from where the transfers are to take place. The countries are included as part of the application process. The DPAs will review and provide comments back to the lead authority, who will in turn send them to the applicant. Further discussions may take place with the applicant to address the comments received. In normal circumstances, the period for comments on the consolidated draft will not exceed one month. The lead authority will consolidate any comments and send them back to the applicant. There may be additional discussions with the lead DPA.

Step 7: Submitting the Final Application

Once the lead authority is satisfied that the applicant can address the comments provided by all DPAs, the applicant will be asked to submit a final application for approval. The final application will be sent to all the DPAs for confirmation that they are satisfied with the adequacy of the safeguards proposed. To speed up the BCR review process, a mutual recognition procedure is in place. Once the lead authority considers that the BCR meets the requirements set forth in the working papers, the DPAs who are under mutual recognition (21 countries in total) accept the opinion of the lead authority as a basis to provide their own authorization of the BCR. The 21 countries are Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Estonia, France, Germany, Iceland, Ireland, Italy, Latvia, Liechtenstein, Luxembourg, Malta, the Netherlands, Norway, Slovakia, Slovenia, Spain and the United Kingdom.

Step 8: Approval and Requests for Authorization of Transfer

Once the BCRs are approved by all DPAs, the company can request authorization of transfer on the basis of the adopted BCRs. Note that each DPA may have its own requirements for authorizing transfers, so check with the DPA. The Chairman of the Article 29 Working Party is notified of the confirmation from the DPAs that they are satisfied with the adequacy of the safeguards proposed by the applicant, and will then inform the other EU/EEA DPAs immediately.

Conclusion: The Key to a Smooth and Successful BCR Process

The most important tip to ensure that the journey to establishing BCRs will be smooth and successful is to get your house in order before beginning the process. Communication and collaboration are essential. Identify an executive sponsor who will act as your champion. Your champion will serve as a liaison for decision making, escalations and communicating with your Board.

Identify a key resource within your organization, familiar with internal processes, who will be responsible for managing your BCR plan and making sure key dates and deliverables are met. Educate your executive teams about the value of BCRs. Ensure that internal departments are cooperating, that they are in alignment, and that there will be consistency of processes and procedures for the key areas covered in the BCRs. Identify what it will take to go from preparation to submitting the BCRs. Can you do it on your own? Will you need outside resources? Will it be a combination of both internal and external resources?

Glossary

Article 29 Working Party: The Data Protection Working Party was set up under Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. It provides the Commission with independent advice on data protection matters, and helps in the development of harmonized policies for data protection in the EU countries. The Article 29 Data Protection Working Party is composed of: a representative of the supervisory authority (or authorities) designated by each EU country; a representative of the authority (or authorities) established for the EU institutions and bodies; and a representative of the European Commission. The Working Party elects its chairman and vice-chairmen. The chairman's and vice-chairmen's term of office is two years. Their appointment is renewable. The Working Party's secretariat is provided by the Commission. The Working Party has adopted its own rules of procedure, and its tasks are laid down in:
- Article 30 of the Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
- Article 15 of the Directive on privacy and electronic communications.

Working Paper: The Article 29 Working Party adopted several documents which aim at clarifying the commitments companies shall implement when adopting BCRs.

Data Protection Authorities (DPAs): The bodies responsible for protecting personal data.

Lead Data Protection Authority (Lead DPA): The Data Protection Authority who takes the lead (main point of contact) and who handles the procedure for the review of the BCR by all DPAs.

Members: Companies or entities that are part of the same multinational company.

Mutual Recognition: In order to speed up the EU procedure of cooperation for the BCR review by data protection authorities, a mutual recognition procedure has been agreed. Under this procedure, once the lead authority considers that the BCRs meet the requirements set out in the working papers, the DPAs under mutual recognition accept this opinion as a sufficient basis for providing their own national permit or authorization for the BCR, or for giving positive advice to the body that provides that authorization. Currently, 21 countries are part of the mutual recognition process.

The list of companies who have participated in the BCR process and whose applications are now complete can be found here.

References

All documents can be found at this special European Commission website about BCRs.

Application
- Working Party 133, Part I & II, adopted on 10 January 2007: Standard Application for Approval of Binding Corporate Rules for the Transfer of Personal Data (Controller).
- Working Party 195, Part I & II, adopted on 17 September 2012: Standard Application form for Approval of Binding Corporate Rules for the Transfer of Personal Data for Processing Activities.

Drafting
- Working Party 153, adopted on 24 June 2008: Checklist of requirements for the BCR. Clarifies the content of WP74 & WP108 in one document. It details what is included in the application and what is presented to the Data Protection Authorities.
- Working Party 154, adopted on 24 June 2008: Structure of the BCR.
- Working Party 155, adopted on 24 June 2008, as last revised and adopted on 8 April 2009: BCR FAQs.

Explanatory
- Working Party 204, adopted 19 April, as last revised and adopted on 22 May 2015: Explanatory Document on the Processor Binding Corporate Rules.

Founding
- Working Party 74, adopted on 3 June 2003: Working document: Transfer of personal data to third countries. Applying Article 26(2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers.
- Working Party 107, adopted on 14 April 2005: Cooperation Procedure between DPAs.
- Working Party 108, adopted on 14 April 2005: Checklist Application for Approval of Binding Corporate Rules.

Administration Requirements
- Table of national administrative requirements: Authorization requirements by member states.

About the Authors

Maggie Gloeckle, CIPP/US, CIPM, PMP, is Senior Privacy Officer in the financial services industry. Previously she has worked as Global Privacy Program Manager and held positions in Operations and Service Delivery Organizations. She holds a JD as well as Master's degrees in business and technology.

Daniel J. Solove is the John Marshall Harlan Research Professor of Law at the George Washington University Law School. One of the world's leading experts in privacy law, Solove has taught privacy and security law for 15 years and has published 10 books and more than 50 articles, including the leading textbook on privacy law and a short guidebook on the subject. His LinkedIn blog has more than 990,000 followers: Professor Solove organizes many events per year, including the Privacy + Security Forum, Oct , 2016 in Washington, DC:

About TeachPrivacy

TeachPrivacy was founded by Professor Daniel J. Solove. He is deeply involved in the creation of all training programs because he believes that training works best when made by subject-matter experts and by people with extensive teaching experience. TeachPrivacy has a library of nearly 100 training courses that cover a wide array of privacy and security topics including global privacy, EU privacy, the life cycle of personal data, PII, Privacy by Design, HIPAA, FERPA, PCI, phishing, social engineering, and many others.

GLOBAL PRIVACY TRAINING

"Professor Solove's knowledge of domestic and global privacy issues... is unmatched. His ability to take complex privacy issues and reduce them to simple, teachable concepts is exceptional." -- Steve Worster, Chief Compliance Officer and HIPAA Privacy Officer, StoneGate Senior Living

www.teachprivacy.com