Expert Meeting on Binding Corporate Rules | Presentations

Expert Meeting on Binding Corporate
Rules - Implementing Legal Innovations

De Brauw Blackstone Westbroek, Amsterdam
15 March 2012

HiiL Expert Meeting
BCR Case Study
Lokke Moerel
Partner ICT De Brauw Blackstone Westbroek

Regulatory landscape

• Data protection qualifies as a fundamental
right under ECHR and Treaty on the
Functioning of the EU
• Data protection is regulated by EU legislators
in the Data Protection Directive

Regulatory landscape

• Some countries no laws at all
• Long arm reach
• Overlapping and Conflicting
– Germany requires registration church employees,
forbidden in the Netherlands
• Data transfer rules

Enforcement
• Enforcement is not left to the market (protection individuals)
• Data Protection Authority (DPA) supervising and enforcing its
national data protection law
• Individuals may file complaint with DPA (appeal to the courts)
or enforce through courts
• The Working Party 29 is the advisory body to the Commission
on data protection
• Members of the WP 29 are the chairs of the DPAs, the
European Data Protection Supervisor and the Commission

– Issues opinions on how to apply the Directive
– No enforcement powers
– Coordinates cross-border enforcement actions DPAs

What
• Binding Corporate Rules
• Global corporate privacy policy
• Rules how to process personal data within the
group
• Creates a “safe haven” for personal data
• Facilitates the intra-group data transfers

Companies process data
• Employees
– Past
• Personnel file in cupboard
– Now
• Data of use handheld device, email, internet, social media

• Customers (consumers)
– Past
• Guarantuee voucher for vacuum cleaner
– Now
• All online orders, all surfing tracks

How

• With software

• Past
– Each group company its own system (e.g. SAP)
• Now
– 1 central system

Central IT system
• 100% compliance not possible
– 82 omnibus data protection laws, 7 sectoral laws
– Conflicting
• Italy and Spain have specific data security rules
– Can implement security only once
– Company must make choices when implementing
central system

Why

1. Strategic decisions as to data processing and
security
• One set global instructions
• Centrally imposed by parent on all group companies

2. Cost perspective:
• Cheaper to implement compliance top down than
bottom up
• Budgetary retraints

Why
3. EU data transfer rules are outdated
• prohibit data transfers outside of the EU, unless a
company has “adduced adequate safeguards” for data
protection
• The Commission has acknowledged specific tools for
companies to adduce adequate safeguards
• model contractual clauses to be entered in between
data exporter and data importer

Next step
• If multinationals have corporate privacy policy…
• And all group companies are bound…
• And policies provide adequate protection…
• Can policies be alternative to EU model contracts?
• Various multinationals filed request with DPA of their
EU headquarters…
• DPAs negotiated draft BCR…
• Based on drafts the WP 29 issued 7 opinions on BCR…
• The national DPAs followed and approved …
• 19 national DPAs agreed on Mutual Recognition
Procedure…

BCR requirements

• Authorised by DPA of EU headquarters (Lead DPA)
• Must be internally binding within the organisation
• Must be externally binding for the benefit of the beneficiaries (employees,
consumers)
• Incorporate the material data processing principles of the Directive
• Privacy governance (global network of privacy officers)
• Internal complaints procedure
• Auditing programme
• Training programme for employees who process the data
• Be enforceable against EU headquarters before Lead DPA and its courts
• EU headquarters should accept liability for paying compensation and
remedying breaches
• Group companies should have a duty to cooperate with the DPAs and to
submit to their audits

Assessment
• Self-regulation has to apply EU wide
• Lack of regulatory capacity at EU level
• WP 29 as de facto regulator set rules
• Authorisation BCR at national level by Lead
DPA
• By mutual recognition of national approvals
EU wide application is achieved
• Circumvention of EU regulators (and unwilling
Member States)
• Transnational supervision and enforcement
achieved not at EU level, but by DPA of EU
headquarters

Case study
• Evaluation of BCR as form of Transnational Private
Regulation (TPR)
• Evaluation criteria for public law
– Legitimacy
– Monitoring, evaluation and enforcement
– Quality
– Effectiveness
• “Transposed” for evaluating TPR
– More actors and accountability forums involved
– Problem of the many hands and the many eyes
• Often: self-regulation is trade off between legitimacy
and effectiveness

Legitimacy
• Self-regulation of data protection (being a
fundamental right)?

• Inclusion (key stakeholders have to play an active
role in the decision-making processes and
activities which affect them)
• Procedural transparency (key stakeholders should
have accessible and timely information)
• Independence (also de facto regulator should be
independent)

Legitimacy

• Self-regulation of data protection requires
public framework legislation
– Should have been provided for in Directive
• Current norm-setting by de facto regulator WP
29 in opinions on BCR
– Not inclusive (no civil society stakeholders)
– Not transparent
– Not independent
• Commission is at same time member, secretariat and
addressee of opinions

Legitimacy

• Solved in Proposal for Data Protection
Regulation

– Norm-setting inclusive and transparent
– Direct applicability in all Member States
– BCR acknowledged as valid tool for inter-company
data transfers
– Regulates main substantive requirements
– Detailed norm-setting delegated to Commission
(no longer WP 29)

Legitimacy
• Solved in Proposal for Data Protection Regulation
– Uniform BCR authorisation procedure by the DPA
of the main establishment of the multinational in
the EU
– Still not at EU level (risk of national interest
prevailing)
– However, consistency mechanism: BCR
authorisation requires prior opinion of successor
WP 29
– WP 29 still de facto regulator
• Independency and transparency WP 29 ensured

Chart 1
Norm -set t ing of
BCR
PRESENT FUTURE

BCR
EU legislat or stake EU legislat or
holders

EU EU

WP 29 WP 29

MS Lead DPA Lead DPA MS

EU Mult inat ional EU

Actors involved involved in norm -set t ing

Consult at ion input

Quality
• Precision and predictability
• Consistency
• Conformity with public goals

Conformity
• Prior authorisation by Lead DPA
– very much aligned with public goals
– Much more effective than current public regulation:
public policy even benefits

Quality
Precision and predictability
• BCR are global and general in nature
• Too EU specific and too legalistic
– Solution: practical guidelines

Consistency
• Yes if approved by same Lead DPA
• Not if approved by different Lead DPAs
– Caused by differences in national implementation laws
– Solved by Proposed Regulation
– Detailed norm-setting by Commission
– Consistency mechanism (prior opinion successor WP 29)

Enforcement
• Monitoring
• Enforcement and sanctions
• Information

Main issues
• Can be the strongest point of BCR (next to
effectiveness), but requires additional
measures

Enforcement
Strongest point (legal innovation)
• Internal complaints procedure, which overcomes main obstacles
individuals encounter when enforcing their rights on cross-border basis
– Also if damages are diffuse or too small
– Even if countries do not provide for adequate protection
– Or have insufficient enforcement infrastructure
– Overcomes time zones and language issues
– If individual does not agree outcome, appeal to Lead DPA and courts
Lead DPA (also to be facilitated by local group company)
• Lead DPA is in country of EU headquarters: sanctions can be enforced on
global basis
• Export of rule of law and judiciary enforcement infrastructure

Enforcement
But
• No data yet on effectiveness of enforcement (next study, too early)
• No external accountability to stakeholders
• Monitoring, audit and reporting requirements to internal forums
company only
– CPO
– Board of management
• Reporting on compliance and complaints procedure to external
stakeholders also
– Driver: is reputation
– Deleted from Proposed Regulation
• But what is the quid pro quo?

Chart 2

Monitoring and evaluation of
BCR

PRESENT FUTURE

EU legislator EU legislator

EU EU
BCR
WP 29 stake WP 29
holders

MS Lead DPA Lead DPA MS

Int ernal
EU Multinational Account abilit y Multinational EU
Forum s

Accountability forums involved
Active information duty
Passive information duty

Effectiveness
• First empirical research into effectiveness
• Nymity, Canadian private research firm, recommended
by EDPS
• Nymity Maturity Tool measuring compliance maturity
of 10 multinationals on 73 criteria, adding up to 10
privacy principles
• Nymity tool is based on accountability
• Verified whether complete “match” with BCR
requirements
• Different sequence, but 95% match
• Added some elements

HiiL Expert Meeting

Terry McQuay

HIIL STUDY RESULTS
NYMITY BCR ACCOUNTABILITY ANALYSIS

 Study Framework

 Norms

 Results

39

MEASURING ACCOUNTABILITY

 Ad hoc – procedures or processes are generally informal,
incomplete, and inconsistently applied.

 Repeatable – procedures or processes exist; however,
they are not fully documented and do not cover all
relevant aspects.

 Defined – procedures and processes are fully documented
and implemented, and cover all relevant aspects.

 Managed – reviews are conducted to assess the
effectiveness of the controls in place.

 Optimized – regular review and feedback are used to
ensure continuous improvement towards optimization
of the given process.
40

NORMS
Norms are Repeatable


relevant aspects.

 Defined – procedures and processes are fully documented and implemented,
and cover all relevant aspects.

 Managed – reviews are conducted to assess the effectiveness of the controls in
place.

 Optimized – regular review and feedback are used to ensure continuous
improvement towards optimization of the given process.
42

NORMS
 Privacy Awareness and Training 1.2.10 (page 10)
A privacy awareness program about the entity’s privacy policies and related
matters, and specific training for selected personnel depending on their roles
and responsibilities, are provided.

43

NORMS


relevant aspects.


place.


44

HIIL STUDY RESULTS

Before BCR
Repeatable 72.4%
Privacy management procedures or processes exist; however, they are not fully
documented and do not cover all relevant aspects.

After BCR
Managed 22.4%
Privacy management procedures and processes are fully documented and
implemented, and cover all relevant aspects (i.e. Defined) plus 22.4% of the time
reviews are conducted to assess the effectiveness of the controls in place.
Post BCR
Pre BCR

Copyright 2012
Nymity Inc.
45
All rights
reserved.

HIIL STUDY RESULTS


relevant aspects.


 Managed – reviews are conducted to assess the effectiveness of the
controls in place.


46

EXAMPLE 1
Privacy Awareness and Training 1.2.10 (page 10)
A privacy awareness program about the entity’s privacy policies and related
matters, and specific training for selected personnel depending on their roles
and responsibilities, are provided.

Before BCR: Repeatable 60%
The entity has a privacy awareness program, but training is sporadic and
inconsistent.

After BCR: Managed 10%
An enterprise-wide privacy awareness and training program exists and is
monitored by management to ensure compliance with specific training
requirements. The entity has determined which employees require privacy
training and tracks their participation during such training.

47

EXAMPLE 2
Consequences of Denying or Withdrawing Consent 3.1.2 (page 13)
When personal information is collected, individuals are informed of the
consequences of refusing to provide personal information or of denying or
withdrawing consent to use personal information for purposes identified in the
notice.

Before BCR: Repeatable 86%
Consequences may be identified but may not be fully documented or
consistently disclosed to individuals.

After BCR: Managed 14%
Processes are in place to review the stated consequences periodically to
ensure completeness, accuracy and relevance.

48

ANY EXAMPLES OF OPTIMIZED?


relevant aspects.


place.

 Optimized – regular review and feedback are used to ensure
continuous improvement towards optimization of the given process.

49

HIIL STUDY RESULTS

Optimized Criteria

Copyright 2012
Nymity Inc.
50
All rights
reserved.

HIIL STUDY RESULTS

Copyright 2012
Nymity Inc.
51
All rights
reserved.

COMPARE YOUR ORGANIZATION
 Use the study and the Privacy Maturity Model to
compare your organization’s privacy program to
before and after BCR

 Paper or automated – no cost.

52

THANK YOU

 Thank You

53

Rules – Implementing Legal Innovations

Business Perspectives

March 15, 2012

JPMC Binding Corporate Rules

• On 2/26/10 UK ICO authorised the binding corporate rules of
JPMorgan Chase & Co. (JPMC)
• JPMC BCRs apply to any
– processing of Personal Data in one of 12 specified jurisdictions in
JPMC’s Europe, Middle East and Africa (EMEA) region in the
European Economic Area (EEA) by a JPMC data controller
– export of EMEA Personal Data out of the EEA by a JPMC data
controller to another JPMC Affiliate outside the EEA
– processing by a JPMC data controller or JPMC data processor of
EMEA Personal Data exported out of the EEA by a JPMC data
controller
• JPMC BCRs are published on JPM website

Research Results
• Disclaimer
• Unsurprising Results
– Multinationals using BCRs are ones that fundamentally seek to be
compliant as one of their operating values. (Question 5)
– Companies before introduction of BCRs had a basic maturity level of
compliance
– After BCR, disclosure to third parties of personal information 7.2.1, 78%
said repeatable
– After BCR, accuracy and completeness of personal information 9.2.1,
100% said repeatable
• Surprising Results
– After BCR, access communication to individuals 6.1.1, 70% said
repeatable

Largest Issue with Current Regime
• Additional national requirements imposed by various Member
States which apply on top of the requirements set by the Article 29
Working Party
• For example, although JPMC BCRs were authorised in February
2010, the royal decree approving JPMC BCRs was signed by the
Belgian king on February 15, 2012.

Recommendations with Respect to Proposed Regulations
• Since controllers are accountable for each processing operation,
BCRs should be expanded to transfers to third parties (i.e. not
limited to within a corporate group)
• Supervisory authority in accordance with the consistency
mechanism approves binding corporate rules
– Consistency from Member State to Member State needed
– However, process cannot be too bureaucratic
• With inclusion of BCRs in regulation, BCRs may become more
popular and demand for approval could exceed DPA resources;
therefore, further simplification of approval process may be
necessary

Expert meeting BCR

Sylvia van Es
Head of Legal Compliance Philips

March 15, 2012

Philips active in:

•Healthcare
•CL
•Lighting

•BCR for controller:
Consumer database: over 12 mio consumers
Employee data: over 100.000 employees

•Filed for BCR for processor:
Processor of Health data for hospitals

March 15, 2012 60

•Privacy compliance rules are exceptionally prescriptive, to a
large extent justified in light of fundamental rights

New system is an improvement but not all issues resolved:
•Article 26 (2) still requires internal processor agreements
despite BCR;
•Why not EU model contracts by parent company that
adopted BCR? (position of WP29);
•Even worse: Article 34: obligation to perform PIAs and obtain
prior approval; added value BCR?
•Article 28: Extensive documentation obligations
•Administrative burden will not by definition lead to more
material compliance, especially if company has adopted BCR
March 15, 2012 61

Expert Meeting on Binding Corporate Rules, Amsterdam, March 2012

Colin Scott
University College Dublin

Modelling and Evaluating
TPR for BCR Environment
B
Eg boycotts Rules
buycotts Monitoring Legislation
Enforcement Contract
Social/market

D pressures/
contracts
A C
standards
Self-
Regulation

Eg CSR Contract
employment - supply chains
contracts - audit and assurance
A – Firm
B – Government (agency and/or department) OR Trade Association
C – Contracting Party (firm or government)
D – Third parties – eg consumers, employees NGOs, investors

• Legitimacy
• Mirroring of Public Proceduralization
• Transparency
• Inclusiveness, etc
• OR mixing market incentives with public models?
• Effectiveness
• Scope of BCR
• Outcomes
• Quality
• Reflection and Evaluation
• Benchmarking – eg grievance handling processes
• Enforcement
• Providing reassurance /credibility
• Public oversight
• Self-reporting
• Compliance programmes and third party assurance
• Enforceable consumer and employee rights

Binding Corporate Rules for Employee and
Customer Data Protection:
What Makes A Successful Innovation?
Professor Maurits Barendrecht
Tilburg Institute for the Interdisciplinary Studies of Civil Law and Conflict Resolution Systems (TISCO)

Hague Institute for the Internationalisation of Law (HiiL)

www.innovatingjustice.com

Strongest points
• Moerel: Internal complaints procedure
– Simple access in own country, in every country
– Appeal to Lead DPA and its court
• Nymity
– Security for privacy, collection close to optimal
– All dimensions improved
– Including complaints process (subfactor 10.2.1 to 2 partly cover
this)
• JP Morgan and Philips
– Great, but local Kings ask more!
– Great, but danger of new administrative burdens

Dispute system design
Emerging discipline. How to achieve?
A. Fair solutions for problems, optimally serving all interests
B. Just in time/low costs/sustainable for all stakeholders

What makes a dispute system work? Generally:
1. A setting for better communication, win/win negotiation and
zero sum bargaining/decision making
2. Backed up by norms/schedules showing what generally is
paid/done to solve such problems
3. Access to third party who guarantees parties grow towards
decision

Innovation is Hard Work
• Life for innovators is very complex!
• Many factors contribute to innovation:
– 40 determinants of succesful product innovation (meta-analytic
review 108 articles, Becheikh et al. 2006)
– 27 factors associated to successful public sector innovation

Justice Innovation Impossible?
• Sarat and Grossman 1975:
Problems in Mobilization of Adjudication
• Susskind 2008 The End of Lawyers: Predicting commoditization
• Hadfield 2008: Regulation of profession blocks innovation
• Botero et al. 2003 and Cabrillo et al. 2008:
Insufficient incentives on courts to offer better services
• Carothers 2006 and Fukuyama 2011:
Rule of law and accountability very hard to implement
• World Bank World Development Report 2011: Conflict, Security,
and Development: Rule of Law takes 40 years to build

An emotional non-starter?


Law as managing
risk and fear?
Innovation = flow, creativity, taking
risks, breaking rules?


The eBay/PayPal Resolution Center

Colin Rule
CEO Modria.com

I Paid A Bribe

Ramesh Ramanathan
Co-founder Janaagraha Centre for Citizenship and Democracy

What was/is crucial for BCR to
be/remain sustainable?

… 27 factors … and at least 5

My talk borrows from:
• Project documents
• Short interview with Lokke Moerel
• Innovation in The Justice Sector: What Makes it Happen?
Innovation Model Version 1.5: June 2011
www.innovatingjustice.org

A. Generating Possibilities
1. Vision and commitment from government
2. Focus on users, frontline staff and middle managers
3. Diversity
4. Scanning of horizons and margins: a process need
5. Developing capacity for creative thinking
6. Working backwards from outcome goals: terms of reference
7. Creating time and space
8. Allow breaking the rules
9. Competition: the submission problem and regulation of legal
services

4. Scanning of horizons and margins:
a process need
• Peter Drucker: Innovations often supply the missing link
between processes. They start from an incongruity between
how things are and how they ought to work.

• Here:
– Cross border data transfers within companies
– A need for privacy protection of employees and customers
– National regulation and enforcement
– ‘Networks of intragroup contracts’ as ‘red tape’ with high
administrative costs, and doubtful access to remedies

8. Allow breaking the rules
• Innovation often involves organizational rule breaking
(Markides 1997). Implicit or explicit ways of thinking, practices
or norms are a barrier (Johnson, Christensen et al. 2008).
• Public sector best practice: Give innovative projects space for
breaking the rules (suspension) ….. If it can be shown that
better results can be reached by not following the rule.
• In a legal environment, where practices tend to become norms
and norms tend to become sacred, it is more difficult to
overcome such barriers.

Data protection authorities
• Allowed to proceed although clear that not all 80+ regimes can
be observed
• Putting burden of proof that it can be done in a ‘better way’ on
innovators and companies
• Took risks

B. Developing Innovations
1. Appropriate selection of fruitful ideas: simplifying procedures
2. Adequate risk management
3. Fostering innovation champions
4. Creating incubating space
5. Involving incubators and public-private partnerships
6. Introduce modeling
7. Better funding for early development
8. Involving end users at all stages

5. Public private partnership
• Regulators work with companies
• Working party 29
• 19 DPA’s want to cooperate

C. Replicating and Scaling Up
1. Improved incentives for individuals and teams
2. Improved incentives for organizations
3. Scaling up and disruptive innovation
4. Specialize and beware of early standardization
5. Change management

Incentives (following Colin Scott)
Every stakeholder should continue to gain from BCR:
• Reputation for companies that they are careful with data
• Employees and customers get more protection and better
remedies
• Legal profession
• Administrative costs for companies
• Data Protection Authorities show they create good protection
• DPA show they are necessary and need budgets
• DPA have lower administrative costs

Rather unstable equilibrium

Challenges for BCR
• Legal, formal challenges < ??? Continue to show it works in
the real world
• Major scandal < ??? Risk management
• DPA’s create new administrative burdens < ???
• Competition by even better system < ???
• Covering the less compliant guys < ???

Continuous improvement and further innovation is essential

D. Analyzing and Learning
1. Metrics for success
2. Real time learning
3. Peer and user involvement
4. Double loop learning
5. Variety of perspectives

1. Metrics for success
• Nimity tool accountability 73 criteria > further development?
• Before BCR and After BCR > next phase?
• Many procedural requirements > more indicators for what
happens in real world?
• Independent from particular procedure > innovation means
standards have to renew all the time and indicators get new
weights

Innovators in Justice Sector
• Have to work on many factors, probably 27 of them
• Are essential for serving legal needs, for making
the system work and for building the law of the future
• Deserve our deep respect
• Need our continuous support

HiiL Expert Meeting
Evaluation
Peter Hustinx
Colin Scott

HiiL Expert Meeting
Evaluation
Open forum discussion
Colin Scott

HiiL Expert Meeting
Evaluation
Conclusion Colin Scott
and recommendations

Expert Meeting on Binding Corporate Rules | Presentations

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (14)

Similar a Expert Meeting on Binding Corporate Rules | Presentations

Similar a Expert Meeting on Binding Corporate Rules | Presentations (20)

Más de HiiL

Más de HiiL (17)

Último

Último (14)

Expert Meeting on Binding Corporate Rules | Presentations