Very exciting news was provided at the IAPP EU Conference in Paris, which I have the pleasure of attending.
While we had hoped that Viviane Reding, the EU Vice President, would give an overview of the upcoming new EU Data Privacy Regulation, she focused her keynote address on what is being planned for the overhaul of the BCR regime.
After noting that, as a result of the use of cloud computing services, data are being moved everywhere in the world, Ms. Reding encouraged companies to adopt global binding rules that govern the protection of personal information throughout the global enterprise, and to file applications for the approval of BCRs reflecting these global privacy rules.
When talking about the upcoming publication of the new Data Privacy Regulation in early 2012, Ms. Reding stated: "My reform will make binding corporate rules binding within companies, but also with respect to third parties. This implies that the rules provide for the necessary legal mechanisms to apply to all entities involved."
And in her concluding remarks she stressed: "Indeed, I encourage companies of all sizes to start working on their own binding corporate rules!"
Ms. Reding recognized that the current regime is cumbersome, and announced that in the new regime, the rules for BCR approval will be significantly streamlined.
The approval of one single DPA will be required. Thus, it is expected that the current "mutual recognition regime", which is in effect in only a little more than half of the EU countries, will be replaced with a mandatory regime where one of the DPAs – probably that of the country where the entity has its EU headquarters – will be responsible for making all decisions related to the approval of the proposed BCRs.
After Ms. Reding left the IAPP conference, there was a discussion on what these BCRs would or should contain, that is, whether it would be a free form based on specific instructions, a template that companies would have to follow, or a form (like the current model contracts) with few possible changes. At this point, it is not clear what the upcoming regulation will allow or require. There was also a discussion on how to choose the country where the BCR would be filed. One question raised was whether this would lead to forum shopping.
There is no reason to think that, at this point, the Safe Harbor program is in jeopardy or would become obsolete or irrelevant. It remains useful for certain categories of companies that have streamlined data flows. However, for entities with more complex data flows, it is clear that the new expectation from EU regulatory authorities will be for these companies to adopt binding corporate rules.
Ms. Reding’s prepared remarks are available at http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/11/817&format=HTML&aged=0&language=EN&guiLanguage=en, and a summary of her presentation at http://tinyurl.com/7zalu2o.