Multinational businesses will in future find it easier to set up privacy rules that apply across Europe, justice commissioner Viviane Reding has said.
EU commissioner Viviane Reding is aiming to harmonise Europe's approach to data protection laws. Photo credit: European Commission
Reding is leading a major
review of the EU's data protection laws, and has this week given
several speeches on the subject. One
of those talks, to the International Association of Privacy
Professionals (IAPP), detailed the changes she hopes to make to the
system of binding corporate rules.
"Binding corporate rules are indeed a very smart data protection
tool, but we all know that they could do even better," Reding said,
explaining changes intended to strengthen and simplify the system
while also ensuring that it covers modern forms of data processing,
such as cloud computing.
Binding corporate rules are codes of practice that are set up and
adopted by multinational corporations or groups of companies that want
to operate both within and outside the EU, as a way of showing they
comply with EU legislation covering the transfer of personal data
outside the union.
For example, the document may demonstrate how those handling data
outside the EU will comply with the standards expected within the
union. The rules are voluntary to establish but, once adopted, are
At the moment, a group wanting to set up binding corporate rules
will choose a national data protection authority (DPA), such as the
UK's Information Commissioner's Office (ICO), to approve the rules.
Once it has given its own approval, that DPA will circulate the
document around the DPAs of every other EU member state where the
group is active, for the approval of every one of those DPAs.
"The situation under the current [1995 Data Protection] Directive
means that your one set of rules must be checked by multiple
authorities with different — and at times maybe contradictory
— practices in place," Reding said on Tuesday. "I see this legal
fragmentation as a costly administrative burden. It wastes time and
money. It is detrimental to the credibility and efficiency of data
protection authorities and data protection tools."
Reding, who is on a mission to harmonise EU data protection
legislation, said there should be just one point of contact for
companies among the various DPAs. She added that, once one DPA had
approved a set of binding corporate rules, all European DPAs will have
to recognise them.
Smaller companies that operate on a global scale should also be
encouraged to adopt binding corporate rules, the commissioner
"Binding corporate rules will no longer be a tool 'for experts
only'. They should be compatible with small innovative companies'
endeavours to operate on a global scale; companies should be able to
transfer their data freely and safely — anywhere and in
conformity with the law," Reding said, explaining that the rules will
cover everything from paper-based filing systems to complex cloud
Reding also said she would strengthen the powers of DPAs across
Europe, as some still do not have the ability to levy administrative
sanctions on companies that flout the rules. "These aligned
responsibilities and powers are essential for the credibility and
trust between the European data protection authorities," she said.
"My reform will make binding corporate rules binding within
companies, but also with respect to third parties," Reding continued.
"This implies that the rules provide for the necessary legal
mechanisms to apply to all entities involved. If the rules are
infringed to the detriment of an individual, enforcement can then take
place either through the data protection authority or through the
Crucially, Reding also said that the reformed binding corporate
rules would apply to all internal and extra-EU transfers of "any
entity in a group of companies". The rules, which currently apply only
to data controllers, will also apply to data processors.
"Where binding corporate rules also cover processors, all kinds of
business models including any kind of cloud computing can be covered
by them," Reding said.
Get the latest technology news and analysis, blogs and reviewsdelivered directly to your inbox with ="http:>ZDNet UK'snewsletters.