
Eduardo Ustaran

Article 25 of the 1995 directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data placed a controversial requirement on the governments of EU member states: to ban the transfer of personal data to any country outside the European Union unless that third country ensures an adequate level of privacy protection.

Implementing this provision while promoting a truly borderless economy posed a real challenge for all EU governments. In the United Kingdom, for example, the requirement was incorporated as the eighth data protection principle (Principle 8) of the Data Protection Act 1998, and similar provisions have been incorporated in most European data protection laws. The measure prompted international concern about the future of global operations involving flows of personal data.

The Reasons

In order to understand the basis for such a radical measure, it is necessary to bear in mind the purpose of the directive as set out in Article 1: member states must protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data. In other words, the main aim of the legal regime established by the directive was to create a framework that protected individuals' personal information from misuse and abuse.

However, that framework would be very fragile if the protection afforded by it were to fall apart as soon as the personal information left the boundaries of the countries subject to EU data protection law. Therefore, the European institutions responsible for drafting and adopting the directive tried to preserve the effect of the new regime by blocking any attempt to weaken the protection afforded to individuals. In practice, this has created a situation that effectively imposes EU data protection standards on the recipients of EU-origin personal data in jurisdictions outside Europe.

The Impact

Bearing in mind the high standards of privacy protection imposed by the directive, it is difficult to see how countries without the same strict legislative approach to this issue can avoid falling foul of this provision. As a result, the directive has been seen as a serious barrier to international commerce.

The directive's prohibition is particularly problematic in the context of multinational companies that operate under very similar standards in all jurisdictions where they are based. For these companies, geographic location is not a differentiating factor that affects the nature or quality of the products and services they provide. Therefore, regulatory barriers such as Article 25 of the directive are regarded as a direct impediment to achieving their goals.

The Authorization Route

This prohibition is mitigated by a number of derogations that are set out in Article 26(1) of the directive. In addition, Article 26(2) of the directive provides that member states may authorize a transfer, or a set of transfers, of personal data to third countries that do not ensure an adequate level of protection where the organization wishing to transfer the data adduces adequate safeguards with respect to the protection of the privacy rights of individuals.

Some data protection authorities have traditionally been reluctant to encourage potential data exporters to follow this approach. For example, a guidance note of the UK data protection authority on international dataflows of July 1999 says that applications for authorization made by or on behalf of exporting controllers will be considered only in extremely limited circumstances and that the information commissioner would expect other derogations to be relied upon before this derogation.

However, the authorization route gained momentum following the publication of the Article 29 Working Party's Working Document on binding corporate rules for international data transfers of June 3, 2003. The Working Party believes that as long as such corporate rules are binding (both in law and in practice) and incorporate the essential content principles identified in the Working Document (WP12) of July 24, 1998, there is no reason why national data protection authorities should not authorize multinational transfers within a group of companies.

The Binding Nature

By definition, the intragroup corporate rules must apply generally throughout the corporate group irrespective of the place of establishment of the members or the nationality of the individuals whose personal data is being processed or any other criteria or consideration. The Working Party also stresses that there are two elements that must be present in all cases if the rules are to be used to adduce safeguards for data exports: binding nature and legal enforceability.

In practice, the binding nature of the rules implies that the members of the corporate group, as well as each employee within it, must be compelled to comply with the rules. Ideally, the corporate rules should be adopted by the board of directors of the ultimate parent of the group so that the internal binding nature of the rules is good enough to guarantee compliance with the rules across the organization.

Legal enforceability means that the individuals covered by the scope of the binding corporate rules must become third-party beneficiaries either by virtue of the relevant national law or by contractual arrangements between the members of the corporate group. Those individuals should be entitled to enforce compliance with the rules by lodging a complaint before the competent data protection authority and before the courts.

Because the corporate rules are self-regulatory in nature, the Working Party, while treating the possibility for individuals to enforce the rules before the courts as a necessary element, attaches more importance to the rules actually being complied with in practice by the corporate group. In addition, in those jurisdictions where unilateral declarations cannot be considered as granting legally enforceable third-party beneficiary rights, the corporate group would have to put in place the necessary contractual arrangements to address that problem.

The Content Principles

The essential content principles identified in the Working Document of July 1998 include these:

  • The purpose limitation principle — Data must be processed for a specific purpose and subsequently used or further communicated only insofar as this is not incompatible with the purpose of the transfer.
  • The data quality and proportionality principle — Data must be accurate and, where necessary, kept up to date. The data must be adequate, relevant, and not excessive in relation to the purposes for which it is transferred or further processed.
  • The transparency principle — Individuals must be provided with information as to the purpose of the processing and the identity of the data controller in the third country and any other information that is necessary to ensure fairness.
  • The security principle — Technical and organizational security measures must be taken by the data controller that are appropriate to the risks presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process data except on instructions from the controller.
  • The rights of access, rectification, and opposition — Individuals must have a right to obtain a copy of all data relating to them and a right to rectification of such data where it is shown to be inaccurate. In certain situations, individuals must also be able to object to the processing of their personal data.
  • Restrictions on onward transfers — Further transfers of the personal data by the recipient of the original data transfer must only be permitted where the second recipient (i.e., the recipient of the onward transfer) is also subject to rules affording an adequate level of protection.

However, as the Working Party points out, these principles need to be developed and detailed in the binding corporate rules so that they practically and realistically fit with the processing activities carried out by the organization and can be understood and effectively applied by those having data protection responsibilities within the organization. In other words, the corporate rules should contain tailor-made provisions dealing with each of the content principles.

The Final Requirements

In addition, the Working Party's document includes the following requirements:

  • The rules must set up a system that guarantees awareness and implementation of the rules both inside and outside the European Union. In practice, this will require the adoption of a suitable training program and appointment of appropriate managers with responsibility for ensuring compliance.
  • The rules must provide for self-audits and/or external supervision by auditors on a regular basis with direct reporting to the parent's board. The rules may also require the acceptance of audits to be carried out by inspectors of the supervisory authority or independent auditors on behalf of the supervisory authority.
  • The rules must set up a system by which individuals' complaints are dealt with by a clearly identified complaint-handling department.
  • The rules must contain clear duties of cooperation with data protection authorities so that individuals can benefit from the institutional support.
  • The rules must also contain provisions on liability and jurisdiction aimed at facilitating their practical exercise.
  • The corporate group must also accept that individuals will be entitled to take action against the group, as well as to choose the jurisdiction.
  • Individuals must be made aware that personal data is being communicated to other members of the corporate group outside the EU and the existence and the content of the rules must be readily accessible to those individuals.

The Working Party also proposes the adoption of procedural arrangements to allow companies to go through one process of legitimization via a data protection authority of one member state that will lead to the granting of permits by all the different regulators of the member states where the company operates.

The document on binding corporate rules is therefore good news for global organizations that carry out data transfers on a daily basis as it significantly widens their ability to do that in accordance with the data protection laws in force in the EU.

Eduardo Ustaran is the head of the Data Protection and E-privacy Unit at Berwin Leighton Paisner, an international law firm based in London. He can be reached at +44 20 7760 1000 or at
