Multinational businesses will in future find it easier to set up privacy rules that apply across Europe, justice commissioner Viviane Reding has said.
Reding is leading a major review of the EU's data protection laws, and has this week given several speeches on the subject. One of those talks, to the International Association of Privacy Professionals (IAPP), detailed the changes she hopes to make to the system of binding corporate rules.
"Binding corporate rules are indeed a very smart data protection tool, but we all know that they could do even better," Reding said, explaining changes intended to strengthen and simplify the system while also ensuring that it covers modern forms of data processing, such as cloud computing.
Binding corporate rules are codes of practice that are set up and adopted by multinational corporations or groups of companies that want to operate both within and outside the EU, as a way of showing they comply with EU legislation covering the transfer of personal data outside the union.
For example, the document may demonstrate how those handling data outside the EU will comply with the standards expected within the union. The rules are voluntary to establish but, once adopted, are legally binding.
At the moment, a group wanting to set up binding corporate rules will choose a national data protection authority (DPA), such as the UK's Information Commissioner's Office (ICO), to approve the rules. Once it has given its own approval, that DPA will circulate the document around the DPAs of every other EU member state where the group is active, for the approval of every one of those DPAs.
"The situation under the current [1995 Data Protection] Directive means that your one set of rules must be checked by multiple authorities with different — and at times maybe contradictory — practices in place," Reding said on Tuesday. "I see this legal fragmentation as a costly administrative burden. It wastes time and money. It is detrimental to the credibility and efficiency of data protection authorities and data protection tools."
Reding, who is on a mission to harmonise EU data protection legislation, said there should be just one point of contact for companies among the various DPAs. She added that, once one DPA had approved a set of binding corporate rules, all European DPAs would have to recognise them.
Smaller companies that operate on a global scale should also be encouraged to adopt binding corporate rules, the commissioner added.
"Binding corporate rules will no longer be a tool 'for experts only'. They should be compatible with small innovative companies' endeavours to operate on a global scale; companies should be able to transfer their data freely and safely — anywhere and in conformity with the law," Reding said, explaining that the rules will cover everything from paper-based filing systems to complex cloud computing systems.
Reding also said she would strengthen the powers of DPAs across Europe, as some still do not have the ability to levy administrative sanctions on companies that flout the rules. "These aligned responsibilities and powers are essential for the credibility and trust between the European data protection authorities," she said.
"My reform will make binding corporate rules binding within companies, but also with respect to third parties," Reding continued. "This implies that the rules provide for the necessary legal mechanisms to apply to all entities involved. If the rules are infringed to the detriment of an individual, enforcement can then take place either through the data protection authority or through the courts."
Crucially, Reding also said that the reformed binding corporate rules would apply to all internal and extra-EU transfers of "any entity in a group of companies". The rules, which currently apply only to data controllers, will also apply to data processors.
"Where binding corporate rules also cover processors, all kinds of business models including any kind of cloud computing can be covered by them," Reding said.