Binding Corporate Rules - International Association of … · Why Binding Corporate Rules? • Widely regarded as the most practical data transfer mechanism for complex, international

Binding Corporate Rules: We’ve Come a Long Way, Baby!

Hunton & Williams LLP

Bridget Treacy, Hunton & Williams, Head of UK Privacy Practice, [email protected]

Christian Pardieu, GE EU Privacy Leader and CIL, [email protected]

Nuala O’Connor Kelly, GE Chief Privacy Leader, [email protected]

Context

• Dealing with EU data protection regulatory requirements in a fragmented way is expensive, burdensome and can delay projects

• GE sought to:
– deal more efficiently and strategically with international data transfers involving EU data
– reflect the growing importance of personal data in a business context: data is a valuable corporate asset that requires strategic management

• GE’s reputation is as a leader and innovator in approaches to information governance and data protection compliance:
– eg close cooperation between CIO and CPO
– first company to achieve a BCR

Why Binding Corporate Rules?

• Widely regarded as the most practical data transfer mechanism for complex, international corporate groups. For GE, the other possibilities (Model Clauses, Safe Harbor, Consent) are cumbersome and provide an incomplete solution

• Becoming recognised as the means by which companies may demonstrate strong data governance

• Renewed EU DPA support for BCRs

• Renewed focus on resolving delays in approval – mutual recognition process

• GE has previous experience of BCRs

BCR is a Way to:

• Demonstrate Accountability

• Promote consumer and employee trust

• Satisfy business information needs while minimizing risk and operating compliantly in multiple jurisdictions

• Apply consistent privacy standards globally

• Keep pace with emerging and evolving regulation

Global Framework for Personal Data Processing as BCR

• Concept is “BCR Plus”, i.e. a refined, “next generation” BCR

• Founded on:
– Existing legal framework for BCRs
– International Standards for Data Protection adopted in Madrid in 2009 by international data protection regulators, which explicitly acknowledge the concept of binding “internal privacy rules”
– Growing EU DPA support for the accountability principle as a new approach to data protection regulation
– GE’s previous experience of BCR and what has been learned from that process

Enforcement - Key for success

• Create a strong compliance culture, beginning “at the top” of the organization

• Have global privacy standards, with local or business line level implementation plans

• Handle compliance monitoring and enforcement at local level, with reporting up the chain to regional and enterprise-level management

• Follow local standards, but be prepared to apply the higher standard, which will always prevail

• Train and retrain employees

• Communicate throughout the organization

• Conduct periodic audits to enforce privacy compliance commitments

Features of Global Framework for Personal Data Processing

• Intended to cover all data, all processing, subject to specific exemptions

• Based explicitly on International Standards for Data Protection, articulates plain English “Do’s and Don’ts” of handling personal data

• Framework structure, incorporating existing HR BCR and other existing policies and standards

• Binding legal effect

• Complies with the WP29 checklist (WP 153)

GE’s Privacy Governance Structure (org chart, flattened from the slide)

Policy Compliance Review Board (PCRB) / GE General Counsel – regular updates

Chief Privacy Leader
• Policy stewardship
• Business reviews

Corporate
• Global Privacy Council
• Employment Data Privacy Committee
• Corp Audit Staff

Business
• Chief Privacy Leaders
• Data Protection Review Boards
• Senior HR/IT Leaders

Country
• Country Privacy Leader
• Country HR Privacy Leader

Corporate
• Europe Privacy Leader

GE: The Spirit & Letter

Policies binding on GE and controlled affiliates:

“Subsidiaries and other controlled affiliates throughout the world must adopt and follow corresponding policies. A controlled affiliate is a subsidiary or other entity in which GE owns, directly or indirectly, more than 50% of the voting rights, or in which the power to control the entity is possessed by or on behalf of GE.”

Policies binding on individuals:

New employees receive a copy and acknowledge that they are required to comply

Employees re-acknowledge every 18 months

Failure to comply can lead to termination of employment

Policies binding on third parties:

GE businesses “must require that others representing GE – such as consultants, agents, sales representatives, distributors and independent contractors – agree to follow applicable GE policies.”

GE’s BCR Diagram (layered structure, flattened from the slide)

BCR – Binding Corporate Rules
• Apply to all GE Group Members and their employees
• Have legally binding effect on all GE Entities and employees

GE’s Commitment

GE Data Protection Standards
• Supplement GE’s Commitment
• Have to comply with GE’s Commitment provisions
– GE’s Employment Data Protection Standards
– Supplier Data Protection Standards
– Customer Data Protection Standards

GE Policies, Guidelines & Working Instructions
• Summarize what to know, what to do, what to look out for
• Give instructions on how to process data

Spirit & Letter
GE Policies binding on:
• GE and controlled affiliates
• Individuals
• Third Parties

Privacy e-Learning

What is different?

• Explicit characterisation of the BCR as a binding code of conduct at the heart of GE’s data governance strategy

• More efficient approval process?

Role of Outside Counsel

• BCRs are based on standardised requirements but work best when founded on the client’s internal strategy and objectives

• Outside counsel’s role is that of a strategist, guide and co-leader, as well as legal adviser

• May act as a sounding board for believers and non-believers and assist in building consensus

• Contributes experience, expertise and objectivity:
– Does not reinvent the wheel
– Is aware of what has worked for others
– Fosters DPA relationships
– Anticipates future direction of travel

Outside Counsel Tasks

• Prepare draft BCR, based on the company’s:
– Privacy strategy
– Privacy programme
– Legal requirements

• WP 74: Applying Article 26(2) to BCRs http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2003/wp74_en.pdf

• WP 108: BCR Checklist http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2005/wp108_en.pdf

• WP 153: BCR Table: elements and principles http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2008/wp153_en.pdf

• WP 154: BCR Framework Structure http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2008/wp154_en.pdf

• WP 155: BCR FAQs http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2008/wp155_rev.04_en.pdf

• Facilitate key decisions (illustrated by GE Commitment):
– Scope (geographic and material)
– “Binding”
– Lead DPA

• Assess any compliance gaps and remediate (the BCR assumes compliance with EU DP law)

Future of BCRs?

• Explicit legal recognition of BCRs in the proposed EU Regulation, but:
– Prior authorisation still required
– Still characterised as a transfer tool

• Viviane Reding, Commissioner for Justice, Fundamental Rights and Citizenship, has specifically hailed BCRs:
– “they offer legal certainty and a lot of flexibility”

– “compatible with any corporate culture”

– “a very smart data protection tool”

– “based on one single law, the European law”

– “can also be used by processors”

– “cloud computing can be covered by them…Code provides a consistent and near comprehensive compliance framework in a cost effective way, building on existing substantive programme”

• GE’s Binding Global Code embraces this vision

Questions?