Binding corporate rules are codes of practice that are set up and adopted by multinational corporations or groups of companies that want to operate both within and outside the EU, as a way of showing they comply with EU legislation covering the transfer of personal data outside the union.
ZDNet.uk writes that “EU promises harmony on corporate data law”.
Viviane Reding is leading a major review of the EU’s data protection laws, and has this week given several speeches on the subject. One of those talks, to the International Association of Privacy Professionals (IAPP), detailed the changes she hopes to make to the system of binding corporate rules.
“Binding corporate rules are indeed a very smart data protection tool, but we all know that they could do even better,” Reding said, explaining changes intended to strengthen and simplify the system while also ensuring that it covers modern forms of data processing, such as cloud computing.
For example, the document may demonstrate how those handling data outside the EU will comply with the standards expected within the union. The rules are voluntary to establish but, once adopted, are legally binding.
At the moment, a group wanting to set up binding corporate rules will choose a national data protection authority (DPA), such as the UK’s Information Commissioner’s Office (ICO), to approve the rules. Once it has given its own approval, that DPA will circulate the document around the DPAs of every other EU member state where the group is active, for the approval of every one of those DPAs.
“The situation under the current [1995 Data Protection] Directive means that your one set of rules must be checked by multiple authorities with different — and at times maybe contradictory — practices in place,” Reding said on Tuesday. “I see this legal fragmentation as a costly administrative burden. It wastes time and money. It is detrimental to the credibility and efficiency of data protection authorities and data protection tools.”
Reding, who is on a mission to harmonise EU data protection legislation, said there should be just one point of contact for companies among the various DPAs. She added that, once one DPA had approved a set of binding corporate rules, all European DPAs would have to recognise them.
Smaller companies that operate on a global scale should also be encouraged to adopt binding corporate rules, the commissioner added.
“Binding corporate rules will no longer be a tool ‘for experts only’. They should be compatible with small innovative companies’ endeavours to operate on a global scale; companies should be able to transfer their data freely and safely — anywhere and in conformity with the law,” Reding said, explaining that the rules will cover everything from paper-based filing systems to complex cloud computing systems.