Last week, First Data Corporation, an electronic commerce and
payment services company, announced that its binding corporate
rules ("BCRs") for data privacy had been authorised by
the Information Commissioner's Office ("ICO"). First
Data is the eleventh company, and the first payment processor, to
have received such authorisation.
First Data's BCRs were authorised through the mutual
recognition procedure, which is an accelerated approval process.
Under this procedure, once the lead authority (in this case the
ICO) considers that BCRs meet the relevant requirements, other EU
data protection authorities can accept this opinion as sufficient
basis for providing their own authorisations. This procedure
resulted in the approval of First Data's BCRs across 18 EU
member states. The entire process took approximately four years to
complete.
BCRs are used to allow multi-national organisations to transfer
personal data from the European Economic Area ("EEA") to
their affiliates situated outside the EEA in compliance with the
8th data protection principle of the Data Protection Act 1998 and
Article 25 of Directive 95/46/EC, which provide that personal data
cannot be transferred to a country or territory outside the EEA
unless that country or territory ensures an adequate level of
protection for the rights and freedoms of individuals in relation
to the processing of personal data.
The main advantage of BCRs over other means of ensuring adequate
safeguards is that once implemented, they can provide an effective
framework for a variety of intra-group transfers. The authorisation
process also helps to raise awareness of privacy concerns within an
organisation as it requires consideration of the types of personal
data that are transferred outside of the EEA and the introduction
of staff training programmes.
The application process for obtaining authorisation for BCRs is
rigorous and lengthy. ICO guidance states that companies should
realistically allow 12 months for a straightforward application
from initiation of the mutual recognition procedure, to approval.
However, proposed changes to the EU legal framework for data
protection may soon resolve this issue.
The European Commission has acknowledged that international data
transfers are essential for doing business in today's global
economy and has suggested that, as part of the package for reform,
it will streamline current procedures. In particular the Commission
has recognised the need to look further at the BCRs model.
Proposals for reform are due to be published by the end of January
2012.
This article was written for Law-Now, CMS Cameron McKenna's free online information service. To register for Law-Now, please go to www.law-now.com/law-now/mondaq
Law-Now information is for general purposes and guidance only. The information and opinions expressed in all Law-Now articles are not necessarily comprehensive and do not purport to give professional or legal advice. All Law-Now information relates to circumstances prevailing at the date of its original publication and may not have been updated to reflect subsequent developments.
The original publication date for this article was 24/11/2011.