The buzz right now in Europe centers on the business and data protection community’s anticipation of the upcoming release of proposed changes to the EU Data Protection Directive. As one professional put it, “we are on pins and needles in anticipation.” Another expressed hope that the changes, which are expected in January, will provide some legal certainty around challenging data protection issues.
So, in introducing European Commission Vice-President Viviane Reding at Tuesday’s IAPP Europe Data Protection Congress, and with a nod to the holiday season, former UK Information Commissioner Richard Thomas speculated that perhaps she might “give the gift of a preview” of what to expect among the changes.
The vice president fulfilled that wish to an extent, offering a glimpse of the commission’s thoughts. Specifically, Reding discussed her views on binding corporate rules (BCRs), describing them as a “smart tool” for businesses to gain legal certainty in an uncertain data protection landscape. But, she said, as an instrument, BCRs could be made more effective and more available to a broader range of businesses.
Three modes to improvements
Binding corporate rules emerged as an alternative means to enable cross-border data transfers to those countries deemed not to have “adequate” data protection standards by the European Commission. No more than 30 companies have gained approval for BCRs since their inception. The approval-seeking process is considered laborious and expensive, which causes some companies to forgo applying.
Reding's speech hinted at a possible change to this paradigm.
In her speech, Vice-President Reding said the administrative burdens associated with seeking BCRs must be lifted. Binding corporate rules, she said, should no longer be a tool only for experts. “Companies of any size should be able to take advantage of BCRs.”
Reding also proposed three strategies to improve BCRs’ effectiveness—simplification, consistent enforcement and innovation.
Currently, approximately 19 data protection authorities (DPAs) participate in a mutual-recognition pact that allows for speedier BCR review and approval.
In her address, Reding hinted that more mutual recognition is needed, saying, “I propose BCRs be based on one single law—European law,” where, once approved by one data protection authority, BCRs are approved by all DPAs in the bloc.
Consistent enforcement, Reding said, is also needed in order to improve BCRs’ effectiveness. Currently, some DPAs cannot enforce the rules beyond offering recommendations. But any DPA should be able to enforce BCRs, Reding said, adding that she will strengthen DPAs’ sanctioning powers to address this.
Innovation is also needed to improve BCRs’ effectiveness, Reding said.
“We need to push the boundaries of traditional regulatory models” in order to encourage innovation.
In a session after the address, Eduardo Ustaran, a partner at Field Fisher Waterhouse LLP, described Vice-President Reding’s remarks as “important,” saying, “It means the European Commission has been receptive to the feedback it has received from stakeholders…and understands that BCRs should not be about paperwork.”
There is no “stronger recognition for BCRs than the vice president of the European Commission giving them her full support. We can now assume that the commission will walk the talk, and BCRs will get that recognition in the black letter of the law.”
The IAPP’s Daily Dashboard newsletter is tweeting from the event. Follow @DailyDashboard.