Proskauer Rose LLP, International Practice Guide
Proskauer on International Litigation and Arbitration: Managing, Resolving, and Avoiding Cross-Border Business or Regulatory Disputes
  1. Overview. Passed in 1995, the EU Data Privacy Directive is the world’s most important and comprehensive data protection legislation. It requires each EU member state (of which there are now twenty-five) to enact its own local law adopting (or “transposing”) the thrust of the Directive. The Directive mandated that the member states pass their local data laws by October 25, 1998, but in fact full implementation took several years more.
    1. The EU data Directive requires each member state to pass a privacy law, called a “data protection” law, that reaches both government and private entities, including businesses that process employee and consumer data.
      1. The Directive is not anchored to electronic (computerized) data, and therefore reaches written, Internet, and even oral communications. Plus, the Directive’s sweep goes well beyond business data.
      2. Read broadly, the EU data Directive could reach, for example, even private and mundane communications like a love letter or a gossipy chat between best friends.
    2. Extraterritorial reach: An important aspect of the Directive for businesses based outside of Europe, such as in the United States, is the Directive’s extraterritorial reach. Because it would otherwise be easy to circumvent the Directive by transmitting regulated data outside of Europe for processing offshore, the Directive specifically prohibits sending personal data to any country without a “level of [data] protection” considered “adequate” by EU standards.
    3. The EU data Directive creates its own terminology, which is essential to master before discussing any EU privacy law issues.
      1. “Personal data” means information about any “identified or identifiable natural person,” who is known as the “data subject.”
        1. Note: “personal data” in the EU is generally viewed much more broadly than it would commonly be understood in the U.S. For example, most EU data protection authorities (including the French Data Protection Authority, known by the French acronym CNIL) have determined that a computer’s Internet protocol (IP) address (the address a computer uses to communicate with other devices on the Internet) is personal data even when it is not linked to any other individual identifier. That view was considered fairly well established until a couple of French lower court decisions in 2007 ruled that IP addresses not connected to other identifiers are not personal data. Cour d’Appel de Paris, 27 April and 15 May 2007. A different lower court subsequently held that IP addresses are personal data, so, at least in France, whether IP addresses standing alone are personal data remains in flux. Tribunal de Grande Instance of Saint-Brieuc, 6 September 2007, “Plumet” case.

      2. “Identified or identifiable natural person” means anyone who “can be identified, directly or indirectly, in particular by reference to an identification number or by one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.” Accordingly, in the business context, a photo of someone on an identification badge or on a video monitor is “personal data,” as is a listing of employee salaries designated either by employee name or some identification number (company ID number, social security system/tax ID number). However, a truly “anonymized” list of data, such as a list of employee compensation rates at a worksite not designated by name or number, would not be “personal data.” As such, genuinely “anonymizing” personal data is always a way to sidestep the application of the Directive.
      3. “Processing of personal data” means “any operation or set of operations . . . performed upon personal data,” automatically or otherwise. This definition is wide open, because it includes “collection, recording, organization, storage . . . retrieval . . . use, disclosure by transmission,” and “dissemination.” By expressly including “storage” in the definition of “processing,” the mere act of holding personal data is, under EU law, a regulated activity.
        1. A data “controller” is anyone who determines the “purposes and means of processing of the personal data.”
        2. A data “processor” is anyone who processes personal data for a controller.
        3. A “third party” is anyone who processes data under “the direct authority” of a controller or processor.
      4. Within Europe the rules break down into three categories:
        1. Complying with data quality principles and rules;
        2. Disclosing to data subjects and addressing their concerns; and
        3. Reporting to state agencies.
  2. EU Data Quality Principles. The EU Directive, as worded, prohibits all personal data “processing” except for processing that is fair, lawful, and legitimate. Specifically, the Directive states seven “data quality principles” that must be met when processing personal data.

    1. Fairness: process data “fairly and lawfully”;
    2. Specific purpose: process and store data “for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes”;
    3. Restricted: ensure data are “adequate and relevant, and not excessive in relation to” the purposes for which they are collected;
    4. Accurate: ensure data are “accurate and, where necessary, kept up-to-date,” so that “every reasonable step [is] taken to ensure” errors are “erased or rectified”;
    5. Destroyed when obsolete: maintain personal data “no longer than necessary” for the purposes for which the data were collected and processed;
    6. Security: data must be processed with adequate “security” (a “controller must implement appropriate technical and organizational measures to protect personal data against . . . destruction or . . . loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network. . . .”)
    7. Automated processing: “decision[s]” from data processing cannot be “based solely on automated processing of data” that “evaluate[s] personal aspects.”
    8. Practice Tip: Here are examples of the types of conduct that should be carefully reviewed with counsel when processing personal data subject to the Directive:
      1. A magazine sells its subscriber list to a direct-mail advertiser (violates “fairness” principle # 1).
      2. A bank reviews its own customer files for leads in marketing estate-planning services (violates “specific purpose” principle # 2).
      3. A job application for a high-level position asks applicants for information about their primary education and military experience (violates “restricted” principle # 3).
      4. A credit bureau customer complains about a claimed error in her account, but no one at the credit bureau does anything about it (violates “accurate” principle # 4).
      5. An employer retains computer backup files, attendance records, and other business information going back many years (violates “destroyed when obsolete” principle # 5).
      6. An accounting firm’s night janitors straighten up piles of client files (violates “security” principle # 6).
      7. A company’s website allows applicants to apply for a job; résumés are screened with software that searches for key words (violates “automated processing” principle # 7).
  3. Additional Requirements. Compliance with the seven data quality principles is not enough to comply with the Directive. In addition, data processing is illegal unless:

    1. the data subject consents, or the processing is “necessary” (not merely convenient) to accomplish one of five objectives:
      1. “perfor[m] a contract to which the data subject is a party;”
      2. “compl[y]” with a law;
      3. “protect” the data subject’s “vital interests;”
      4. advance the “public interest” or facilitate “the exercise of official authority;”
      5. further the controller’s (or some other “disclosed” party’s) “legitimate interests” without infringing the data subject’s “fundamental rights and freedoms.”
    2. Therefore, in Europe, processing ordinary personal data is presumed illegal, unless the processing both complies with all seven data quality principles and is either consented-to or “necessary.”
  4. Sensitive Data. In addition, the Directive adds an extra layer of rules for a few classes of information now known as “sensitive” data: personal data that discloses “racial or ethnic origin, political opinions, religious and philosophical beliefs, trade-union membership, [or] . . . health or sex life.” The Directive flatly prohibits processing all sensitive data unless an express exception applies—including, notably, an “explicit consent,” “freely given.”
  5. Certain Exceptions. Member countries have some leeway in carving out exceptions, such as:

    1. Exceptions exist for national security, defense, criminal investigations, and the like.
    2. Limited exception for “journalistic” and “artistic or literary expression,” but only to the extent “necessary” to balance data privacy rights with “the rules governing freedom of expression.”
    3. The Directive allows an exception for processing certain “historical, statistical, or scientific” data.
    4. Further, some authorities claim that European controllers can freely process data for personal or household use, and that non-profit organizations may process “sensitive” data about their members.
  6. Disclosing to Data Subjects

    1. The EU data Directive prohibits processing personal data in secret: European data subjects enjoy a legal right to see what information others have on file about them, and to learn what is being done with it.
    2. The Directive requires informing individuals what data are on file about them. The notice must say why the information was collected; who collected it; and who can access it.
    3. The data subject must have access to the information itself “without constraint at reasonable intervals and without excessive delay or expense.”
    4. A data subject who claims some error in his data can offer corrections or ask the controller to purge the incorrect information.
    5. A data subject may object “on request and free of charge, to the processing of personal data relating to him which the controller anticipates being processed for the purposes of direct marketing, or to be informed before personal data are disclosed for the first time to third parties . . . and to be expressly offered the right to object free of charge to such disclosures or uses.”
    6. If a dispute about the data arises, the Directive sets out complex dispute-resolution mechanisms that kick in.
  7. Reporting to State Agencies

    1. The Directive requires each member state to set up its own “Supervisory Authority” or Data Protection Authority (DPA), which is a government agency dedicated to privacy and the administration of its data protection law.
    2. Member states can, and some do, require controllers to file annual summaries of all personal data processing they are doing. The summary needs to include the following: controller’s name; purpose and description of the processing; recipients; and any proposed transfers of data to third countries.
    3. In practice, however, different member states handle the disclosure requirement in very different ways. France and the United Kingdom are two member states with proactive DPAs that require controllers to file fairly comprehensive annual disclosures. In fact, France’s DPA even retains a right to affirmatively approve certain proposed data processing operations, which in France are illegal until the French Supervisory Authority (known by the French acronym CNIL) issues a specific approval.
      1. The French CNIL procedure was widely publicized in the summer and fall of 2005, when France denied McDonald’s and a unit of Exide Technologies permission to operate Sarbanes-Oxley whistleblower hotlines, and then issued regulations on this topic.
      2. At issue were the data privacy rights of the accused wrongdoer who is the subject of a whistleblower’s complaint;
      3. the issue blossomed into a serious dispute between the United States and the EU as to the propriety of Sarbanes-Oxley section 301 hotlines in Europe.
    4. Once a DPA receives required disclosures, it assesses how controllers’ processing procedures present specific “risks to the rights and freedoms of the data subjects.”
    5. The DPA then publicizes the data processing “operations” it learns about.
    6. DPAs also have enforcement powers, in addition to data subjects’ private rights of action.
  8. Transfers of Data to Countries Outside Europe

    As soon as the EU decided to regulate personal data, as a practical matter it had to impose tight limits on transmitting personal information abroad. By imposing the tight data restrictions on European data controllers (data quality principles, disclosures to data subjects, reports to state agencies), the EU faced a huge risk that, rather than comply, certain European data controllers might simply transmit and process European data subjects’ personal data somewhere offshore, be it in Nigeria, Haiti, Mexico, Japan, the United States, or any other country without domestic data protection laws like Europe’s. The risk was that European data controllers could easily do an end-run around the EU data privacy superstructure, eluding the Directive entirely, simply by processing European data offshore.

    The EU limits have profound effects on many U.S.-based multinationals’ worldwide operations. And these EU data protection rules merit the most attention from multinationals headquartered outside Europe.

    1. Many U.S.-based companies have been surprised to learn that EU data law reaches even information about company customers and employees transmitted to U.S. headquarters. A typical U.S. response is that the Europeans are overreaching when they impose their data protection rules on intra-company data housed at U.S. headquarters or on a U.S.-based server. But from a European standpoint, these data transfers, even though intra-company, nevertheless transmit personal data about European data subjects outside Europe’s jurisdictional reach. To a European who takes comfort in the EU’s tough data protections, transfers of personal data outside Europe, even intra-company transfers, raise a real risk that personal data offshore becomes susceptible to abuse.
    2. The EU Directive’s extraterritorial provisions do not regulate overseas personal data. Rather, they merely impose restrictions on transmitting domestic European data abroad, and they attach some restrictions onto European information that migrates abroad. The concept is similar to tax laws that prohibit taxpayers from earning income domestically but paid directly into offshore accounts.
    3. “Third Countries” that “ensure an adequate level of protection.”
      1. No data can leave Europe unless the transmission goes to some “third country” that “ensures an adequate level of protection.” In other words, data about European individuals can only go into countries with data protection laws that the European Commission considers adequately safeguard Europeans’ personal data.
      2. That bar is high. To date, the EU Commission has formally designated only Argentina, Canada, Guernsey, Isle of Man and Switzerland as “third countries” offering this “adequate level of protection.” This formal Commission designation means that now, transmitting personal information from Latvia to Argentina is legally no different from sending data from Austria to Germany. For most legal purposes, this club of countries, together with the European Economic Area (EEA—Iceland, Norway, Liechtenstein), forms a sort of “EU data zone.”
      3. The problem is the rest of the world—that is, sending personal data out of Europe to the United States or to any other non-EU/EEA jurisdiction other than those identified as having “an adequate level of protection.” Under a strict reading of the Directive’s article 25(1), personal data transmissions to any other country would appear flatly illegal, because the text of the Directive’s article 25 consistently talks in terms of whether a “third country” offers an “adequate level of protection.” This would seem an all-or-nothing proposition of comparative law. Either a “third country” has enacted a generally applicable privacy law that the EU Commission deems “adequate” (therefore making the country eligible to receive personal data from Europe), or it has not (therefore keeping it ineligible).
      4. In practice, this all-or-nothing analysis quickly devolved to mean something very different from what article 25’s many references to “third countr[ies]” would seem to imply. After a couple of years futilely trying through diplomatic discussions to convince the United States and other “third countries” to pass omnibus, European-style data laws offering “adequate . . . protections,” the EU Commission loosened up and began promulgating ways for individual overseas data processors to bind their institutions adequately to EU-style data “protections,” empowering them to receive data from Europe, not country-by-country, but company-by-company.
    4. There are now three such methods, or tools, for a non-European entity to become unto itself its own island nation (“third country”) of article 25 adequate protection: safe harbor, binding/model contractual clauses, and binding corporate rules. These methods are discussed in detail in Sections 8 through 10 below.
      1. Although enforcement against cross-border data transfers made without one of the accepted methods has historically been very limited, the EU has increasingly been expressing greater concern about such violations, and EU DPAs may be increasing enforcement activity. Just last year the CNIL in France announced its first fine of a subsidiary of a U.S.-based multinational, Tyco, for failing to be forthright in its disclosures about its human resources database and its cross-border transfer of employee data. The CNIL fined the company approximately $40,000.
    5. Further, the Directive’s article 26(1) authorizes a number of other exceptions, or yet other ways legally to transmit personal data outside of Europe even to a “third country” that fails to offer an “adequate level of protection.” A data controller or processor can legally send personal data to the United States, or any other country, if:
      1. the data subject has [freely] given his consent unambiguously to the proposed transfer [to be enforceable, a consent must indeed be unambiguous and freely given. EU data authorities take the position that a consent must specifically list the categories of data and the purposes for the processing outside the EU; in the employment context, consents may be deemed presumptively not freely given, merely because of the imbalance in bargaining power between employer and employee]; or
      2. the transfer is necessary [not merely convenient] for the performance of a contract between the data subject and the controller or [for] the implementation of precontractual measures taken in response to the data subject’s request; or
      3. the transfer is necessary [not merely convenient] for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or
      4. the transfer is necessary [not merely convenient] or legally required on important public interest grounds, or for the establishment, exercise or defense of legal claims; or
      5. the transfer is necessary [not merely convenient] in order to protect the vital interests of the data subject; or
      6. the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.
    6. Also, there is no prohibition against transmitting genuinely anonymized data out of the EU. Where the identity of the data subject is impossible to determine, the data transmission falls outside the scope of the directive.
    7. Therefore, even a business (or other data processor) in a country that is not a member of Europe’s club of data-law countries can legally receive information about identifiable individual Europeans (including the business’s own customers and employees), but only if the transmission meets one of these narrow article 26(1) exceptions, or only if the transmission is sheltered under one of three individualized methods, or tools, for transferring data: safe harbor; binding/model contractual clauses; binding corporate rules. Each tool is complex.
  9. Safe Harbor

    1. After the EU Directive’s enactment, maintaining EU-to-United States data flows under the Directive emerged as a key business issue, and even a diplomatic one. In the late 1990s, the EU Commission and the U.S. government, led by the Department of Commerce, launched formal discussions to come up with a solution tailored for U.S. businesses.
    2. The European Commission and the U.S. Department of Commerce turned to tailoring a bespoke U.S. solution that became a “safe harbor.” As soon as the Europeans and Americans hammered out a safe harbor compromise, the EU Commission ratified it via a special “decision.” (A decision is a form of EU legislation that, unlike a directive, applies directly across Europe without member state ratification.)
    3. Safe harbor, which is unique to the United States and completely unavailable elsewhere, is a voluntary self-certification system for transmitting data from the EU to the United States, but not beyond. Under it, U.S. data processors can receive personal data from Europe if they agree to accept restrictions requiring them to treat the data as if still physically in Europe and subject to the Directive.
    4. In EU Directive parlance, a safe harbor entity essentially becomes an autonomous third country free to receive personal data from Europe as a full-fledged member of the club of countries offering “an adequate level of protection.” Contrary to a widespread misconception, safe harbor restrictions need apply only to personal data about European data subjects. A safe harbor company remains free to deny EU-style data protections to, say, American data subjects.
    5. Because the safe harbor structure wraps personal data from Europe in a blanket of EU data Directive compliance, the substantive safe harbor requirements essentially track the Directive’s data quality principles and rules. Self-certifying under safe harbor requires publicly committing, on the U.S. side, to comply with seven safe harbor principles that mostly track the Directive’s seven data quality principles and rules. In addition, self-certifiers have to:
      1. disclose their privacy policies publicly;
      2. accept jurisdiction of the U.S. Federal Trade Commission (FTC) under section 5 of the Federal Trade Commission Act (which prohibits unfair or deceptive practices affecting commerce), or of the U.S. Department of Transportation under section 41712 of title 49 of the U.S. Code;
      3. notify the U.S. Department of Commerce of the self-certification.
      4. Procedurally, self-certifying merely entails filling out a short form on the Department of Commerce’s website, but that form certifies the entity already has in place fully compliant data processing systems and protections.
    6. Organizations qualify for the safe harbor in three ways.
      1. The standard route is to develop an in-house privacy policy (covering at least personal data received from Europe) that complies with the safe harbor principles.
      2. A less-traveled route is to join a self-regulatory privacy program that complies.
      3. In addition, an organization subject to a statutory, regulatory, administrative or other body of law (or rules) that effectively protects personal privacy might also, in theory, qualify.
    7. Seven Safe Harbor Principles: Safe harbor sets out its own seven safe harbor principles, which track the similar requirements already imposed on domestic EU data processors and controllers but which are tailored to the context of processing EU data inside the United States.
      1. Notice: A self-certifier must ensure European data subjects are told why a U.S. entity is processing their data. European data subjects must be told the American processor’s identity and contact information (for inquiries or complaints). They must be told about their right to limit use, disclosure, and transmission of their data, and how to exercise that right. These communications need to be clear, conspicuous, and communicated as soon as European data subjects are asked to disclose the information that will be sent stateside.
      2. Choice: A safe harbor processor must give European data subjects a chance to opt out of having their personal information disclosed to an independent third party (as opposed to an agent) or used for some reason other than why originally collected. This opt-out choice must be clear, conspicuous, readily available, and affordable, and the choice must remain open continuously. Further, Europeans affirmatively must opt in to safe harbor transfers of sensitive information—data about medical/health conditions, racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, and sex life. However, exceptions to this “opt in” requirement for sensitive data exist, if the processing is: in the vital interests of the data subject or another person; necessary to establish legal claims or defenses; required to provide medical care or diagnosis; carried out in the course of legitimate activities by a foundation, association or any other non-profit body in pursuit of political, philosophical, religious or trade-union purposes, and under the condition that the data not be disclosed to third parties without consent; necessary to carry out an organization's employment law obligations; or related to data manifestly made public by the individual.
      3. Onward Transfer: A safe harbor processor wanting to transfer personal data on to some third party agent in the United States or abroad (this is called an “onward transfer”) must first verify that the third party agent: subscribes to safe harbor principles; is subject to the Directive or another adequacy finding; or signs a “written agreement” binding the agent to the level of privacy protections under safe harbor. If the third party clears one of these hurdles, the safe harbor party gets a defense, even if the third party ends up violating safe harbor rules, unless the safe harbor party should have known of the problem but failed to take reasonable steps to fix it.
      4. Security: Safe harbor processors must take reasonable steps to protect personal data from loss, misuse, unauthorized access, disclosure, alteration, and destruction.
      5. Data Integrity: Personal information on file must be limited to the purposes for which an organization intends to use it. Processed data should be reliable for their intended use, accurate, complete, and current.
      6. Access: European data subjects must be offered access to their personal information housed in the United States under safe harbor, and they must have a way to correct, amend, or delete inaccurate information. A safe harbor company can, however, charge a reasonable fee to cover the cost of providing access, and can set reasonable limits on access. There are exceptions to the access requirement based on things such as, among others, undue burden and expense or where disclosure would compromise others’ privacy rights.
      7. Enforcement: Each European data subject must have ready access to affordable procedures for safeguarding his rights under safe harbor. Therefore, safe harbor companies must build dispute-resolution machinery, and offer it to European data subjects with grievances. At a minimum, this machinery must include: channels for data subjects to post complaints, which the safe harbor company then actually investigates and resolves, awarding damages or other real remedy if there was a violation; follow-up procedures, conducted either by self-assessment or outside compliance review, verifying that what the safe harbor company claims about its privacy practices is accurate and in place; and methods to fix problems—and, for violations, sanctions with teeth.

      Practice Tip: All these complexities about the ramifications of safe harbor can obscure the fact that, procedurally, safe harbor status is amazingly easy to get. A company need only log onto the Department of Commerce website and fill out a one-page form, or send a letter self-certifying that it has up and running adequate procedures and protections. This self-certification merely needs to disclose:

      • name of organization, mailing address, email address, telephone and fax numbers;
      • description of how the organization will process personal data received from the EU; and
      • summary of EU personal data handling policy, including: where the privacy policy is available for viewing (if publicly available); effective date; contact office for handling complaints, access requests, etc.; which statutory body has jurisdiction to hear claims for unfair or deceptive practices and other legal violations, the FTC or DOT; which privacy programs the organization subscribes to; what is the organization’s method of compliance verification (in-house or third-party); and what independent body will investigate unresolved complaints.
      Then, every year, the organization must actively renew its safe harbor status with a short re-filing. Original self-certifications and annual re-filings get posted on the Department of Commerce website.
    8. Criticisms of Safe Harbor: Because safe harbor emerged as a compromise between the EU Commission and the United States very different from what each party had originally wanted, and because safe harbor is a unique-in-the-world arrangement that applies only to the United States, it should not be surprising that safe harbor has attracted criticisms from the beginning.
      1. Detractors tend to focus on shortcomings in compliance; safe harbor is a self-certification system without mandatory independent verification of what a business actually does (Safe harbor companies can have an independent body check their compliance up front and annually thereafter, but independent-body check-ups are not required, and few companies seem to do them.)
      2. The fact that safe-harbor enforcement tends to be complaint-driven, rather than overseen by regulators, makes Europeans nervous—especially in light of Europeans’ fear that U.S. data processors are less than vigilant about complaints coming in from across the Atlantic.
    9. In October 2004, the EU Commission issued an update on how safe harbor was faring. Besides addressing the compliance issue, the Commission’s two other chief concerns were: Some safe-harbor companies never publish a privacy policy; others publish policies that fall short of complying with safe harbor. The absence of a compliant, publicly available privacy policy essentially divests the FTC of jurisdiction, because the FTC cannot prove unfair or deceptive trade practices against a company that never made a false privacy claim in the first place. The EU Commission document offers several suggestions to the Department of Commerce, asking it to get more engaged and scrutinize organizations that self-certify.
  10. Binding/Standard Contractual Clauses

    1. Safe harbor aside, a completely separate way legally to transmit personal data outside of Europe is under so-called binding or “model contractual clauses.” The text of the Directive itself lets the Commission approve transfers of personal data even to third countries that fail to ensure an “adequate level of protection” if the controller erects “sufficient safeguards” via “certain standard contractual clauses” consistent with a “Commission’s decision.”
    2. In 2001, 2002, and 2004, the Commission issued three separate decisions anointing three different boilerplate contracts as appropriate cover for an EU data controller (“data exporter”) to send personal data to controllers and processors in the United States and elsewhere abroad (“data importers”). The Commission’s three decisions amount to pre-approved adhesion contracts which data importers and exporters can either agree to accept in whole, or not. To negotiate terms within the forms would kill the Commission’s protection, so after a data exporter and importer decide to use a model contract, all there is to negotiate is which of the three forms to use.
    3. Despite the model contracts acting as a type of pre-approved adhesion contract, some DPAs, such as the French CNIL, must approve filed model contracts before they can be relied upon for data transfers.
    4. Speaking very broadly, the Commission’s model contracts act like private safe harbor arrangements, where a U.S. data importer contractually pledges to follow a package of rules that fairly closely tracks the obligations of safe harbor.
    5. Although the model contractual clauses themselves are pure boilerplate, parties must pinpoint in an appendix the precise categories of data and types of processing they will conduct. (General catch-all language like “all human resources data for any and all HR purposes” is not good enough.) Parties must also say whether they will transmit any sensitive data. And parties to model contracts have to promise to respond to reasonable inquiries from data subjects and supervisory authorities, as well as commit to accepting data audits by data exporters or independent inspection bodies.
    6. Liability: If a party breaches a model contract, then data subjects (third-party beneficiaries) who suffer injury can win compensation from the data exporter or importer, as could a member state data protection authority.
      1. Under one of the three model contracts, the data exporter and data importer are jointly and severally liable unless they agreed to indemnify one another.
      2. However, one of the other sets of model clauses lays out an alternate liability regime based on due diligence obligations. This model exposes the data exporter and data importer to liability in proportion to their respective breaches of the contract. This alternate is especially attractive to parties at arm’s length (as opposed to parties within a corporate family).
      3. To prevent abuses, under this regime member state data protection authorities get beefed-up powers to cut off data transfers. European data agencies and courts take violations seriously in the out-of-EU context. A number of Spanish judgments have reached the Spanish limit of €300,506 (U.S.$385,700). France, too, can impose €300,000 fines, as well as criminal penalties for illegal out-of-EU transmissions.
  11. Binding Corporate Rules

    1. Safe harbor and model contractual clauses each have serious shortcomings. Both regimes envision simple Party-A-to-Party-B data transfers from Europe to a single offshore country. In the real world, though, data transfers get a lot more complex. These days, multinational conglomerates are involved on a daily basis in multi-jurisdictional data transfers.
    2. Neither safe harbor nor model contracts were engineered to accommodate multi-faceted international data transfers. To customize a more effective tool, in June 2003 the EU developed a third way to send data to third countries whose laws fail to offer adequate protections. So-called “Binding Corporate Rules” (BCRs) are corporate codes of conduct that legally bind each entity of a conglomerate to company-specific, EU-compliant data handling systems. That is, under BCRs, a multinational builds its own in-house structure sheltering the data processing of its branches and partners worldwide. Once approved, BCRs empower the multinational freely to transfer personal data on EU data subjects in-house and worldwide.
    3. BCRs are an intriguing but (as of 2007) still largely untested tool. What is certain is that BCRs are neither for the fainthearted nor the tight-budgeted. BCRs demand far more thorough global data protection systems, and attract far more intrusive data protection authority (DPA) bureaucratic approvals, than safe harbor or model contractual clauses. BCRs will appeal most to well-capitalized multinationals that genuinely respect privacy rights and commit to top-down EU data law compliance. A conglomerate opting for BCRs is likely to be in the data-processing business (in one way or another); it will have a robust business case justifying this all-bells-and-whistles approach.
    4. BCR Approval Process:
      1. A BCR applicant must apply to its most “appropriate” DPA.
      2. In January 2007, the EU approved a model BCR application that may simplify the application process. The new standard application contains eight sections, and is designed to include all the information that a DPA would require in order to make an approval decision on the company’s BCRs.
      3. The Standard Application is based upon previous EU documents concerning BCRs, including what could be called its rudimentary ancestor, the Working Party’s BCR application “checklist.”
      4. In sum, the BCR application must spell out exactly how the applicant processes and protects EU personal data worldwide and should include the conglomerate’s documents that compose its BCRs, all relevant policies, codes, procedures, notices, contracts, and dispute resolution and other systems.
      5. The application has to prove a BCR program actually is up-and-running, with an auditing feature in place. As with safe harbor and model contractual clauses, BCRs have to specify the types of personal data being transmitted; the methods of (and purposes for) the data processing; data security measures; and a system for how the BCR applicant can amend, and report on, its BCR system.
      6. A BCR application must also prove the applicant’s data protection systems really are binding, both “internally” and “externally.” Showing “internal” BCR compliance requires evidence that the BCRs would bind all the applicant’s subsidiaries and affiliates, even its partners and subcontractors.
      7. A BCR must first be provisionally approved by a company’s lead DPA and then sent to every other member state DPA for approval.
      8. To date, only General Electric’s BCRs have been approved by a lead DPA. General Electric’s BCRs have not been approved by all DPAs.