Expert Meeting on Binding Corporate Rules - Implementing Legal Innovations De Brauw Blackstone Westbroek, Amsterdam 15 March 2012


HiiL | De Brauw Blackstone Westbroek Presentations Expert Meeting on Binding Corporate Rules - Implementing Legal Innovations 15 March 2012, Amsterdam

Page 7: Expert Meeting on Binding Corporate Rules | Presentations

HiiL Expert Meeting BCR Case Study

Lokke Moerel Partner ICT De Brauw Blackstone Westbroek

Page 8: Expert Meeting on Binding Corporate Rules | Presentations

Thanks

Page 9: Expert Meeting on Binding Corporate Rules | Presentations

Regulatory landscape

• Data protection qualifies as a fundamental right under ECHR and Treaty on the Functioning of the EU

• Data protection is regulated by EU legislators in the Data Protection Directive


Page 11: Expert Meeting on Binding Corporate Rules | Presentations

Regulatory landscape

• Some countries no laws at all

• Long arm reach

• Overlapping and Conflicting

– Germany requires registration church employees, forbidden in the Netherlands

• Data transfer rules

Page 12: Expert Meeting on Binding Corporate Rules | Presentations

Enforcement

• Enforcement is not left to the market (protection individuals)

• Data Protection Authority (DPA) supervising and enforcing its national data protection law

• Individuals may file complaint with DPA (appeal to the courts) or enforce through courts

• The Working Party 29 is the advisory body to the Commission on data protection

• Members of the WP 29 are the chairs of the DPAs, the European Data Protection Supervisor and the Commission

– Issues opinions on how to apply the Directive

– No enforcement powers

– Coordinates cross-border enforcement actions DPAs

Page 13: Expert Meeting on Binding Corporate Rules | Presentations

What

• Binding Corporate Rules

• Global corporate privacy policy

• Rules how to process personal data within the group

• Creates a “safe haven” for personal data

• Facilitates the intra-group data transfers

Page 14: Expert Meeting on Binding Corporate Rules | Presentations

Companies process data

• Employees

– Past: personnel file in cupboard

– Now: data of use handheld device, email, internet, social media

• Customers (consumers)

– Past: guarantee voucher for vacuum cleaner

– Now: all online orders, all surfing tracks

Page 15: Expert Meeting on Binding Corporate Rules | Presentations

How

• With software

• Past – Each group company its own system (e.g. SAP)

• Now – 1 central system

Page 16: Expert Meeting on Binding Corporate Rules | Presentations

Example

Page 17: Expert Meeting on Binding Corporate Rules | Presentations

Central IT system

• 100% compliance not possible

– 82 omnibus data protection laws, 7 sectoral laws

– Conflicting

• Italy and Spain have specific data security rules

– Can implement security only once

– Company must make choices when implementing central system

Page 18: Expert Meeting on Binding Corporate Rules | Presentations

Why

1. Strategic decisions as to data processing and security

• One set global instructions

• Centrally imposed by parent on all group companies

2. Cost perspective:

• Cheaper to implement compliance top down than bottom up

• Budgetary restraints

Page 19: Expert Meeting on Binding Corporate Rules | Presentations

Why

3. EU data transfer rules are outdated

• prohibit data transfers outside of the EU, unless a company has “adduced adequate safeguards” for data protection

• The Commission has acknowledged specific tools for companies to adduce adequate safeguards

• model contractual clauses to be entered in between data exporter and data importer

Page 20: Expert Meeting on Binding Corporate Rules | Presentations

Example

Page 21: Expert Meeting on Binding Corporate Rules | Presentations

Not only EU

Page 22: Expert Meeting on Binding Corporate Rules | Presentations

Next step

• If multinationals have corporate privacy policy…

• And all group companies are bound…

• And policies provide adequate protection…

• Can policies be alternative to EU model contracts?

• Various multinationals filed request with DPA of their EU headquarters…

• DPAs negotiated draft BCR…

• Based on drafts the WP 29 issued 7 opinions on BCR…

• The national DPAs followed and approved …

• 19 national DPAs agreed on Mutual Recognition Procedure…

Page 23: Expert Meeting on Binding Corporate Rules | Presentations

BCR requirements

• Authorised by DPA of EU headquarters (Lead DPA)

• Must be internally binding within the organisation

• Must be externally binding for the benefit of the beneficiaries (employees, consumers)

• Incorporate the material data processing principles of the Directive

• Privacy governance (global network of privacy officers)

• Internal complaints procedure

• Auditing programme

• Training programme for employees who process the data

• Be enforceable against EU headquarters before Lead DPA and its courts

• EU headquarters should accept liability for paying compensation and remedying breaches

• Group companies should have a duty to cooperate with the DPAs and to submit to their audits

Page 24: Expert Meeting on Binding Corporate Rules | Presentations

Assessment

• Self-regulation has to apply EU wide

• Lack of regulatory capacity at EU level

• WP 29 as de facto regulator set rules

• Authorisation BCR at national level by Lead DPA

• By mutual recognition of national approvals EU wide application is achieved

• Circumvention of EU regulators (and unwilling Member States)

• Transnational supervision and enforcement achieved not at EU level, but by DPA of EU headquarters

Page 25: Expert Meeting on Binding Corporate Rules | Presentations

Case study

• Evaluation of BCR as form of Transnational Private Regulation (TPR)

• Evaluation criteria for public law

– Legitimacy

– Monitoring, evaluation and enforcement

– Quality

– Effectiveness

• “Transposed” for evaluating TPR

– More actors and accountability forums involved

– Problem of the many hands and the many eyes

• Often: self-regulation is trade off between legitimacy and effectiveness

Page 26: Expert Meeting on Binding Corporate Rules | Presentations

Legitimacy

• Self-regulation of data protection (being a fundamental right)?

• Inclusion (key stakeholders have to play an active role in the decision-making processes and activities which affect them)

• Procedural transparency (key stakeholders should have accessible and timely information)

• Independence (also de facto regulator should be independent)

Page 27: Expert Meeting on Binding Corporate Rules | Presentations

Legitimacy

• Self-regulation of data protection requires public framework legislation

– Should have been provided for in Directive

• Current norm-setting by de facto regulator WP 29 in opinions on BCR

– Not inclusive (no civil society stakeholders)

– Not transparent

– Not independent

• Commission is at same time member, secretariat and addressee of opinions

Page 28: Expert Meeting on Binding Corporate Rules | Presentations

Legitimacy

• Solved in Proposal for Data Protection Regulation

– Norm-setting inclusive and transparent

– Direct applicability in all Member States

– BCR acknowledged as valid tool for inter-company data transfers

– Regulates main substantive requirements

– Detailed norm-setting delegated to Commission (no longer WP 29)

Page 29: Expert Meeting on Binding Corporate Rules | Presentations

Legitimacy

• Solved in Proposal for Data Protection Regulation

– Uniform BCR authorisation procedure by the DPA of the main establishment of the multinational in the EU

– Still not at EU level (risk of national interest prevailing)

– However, consistency mechanism: BCR authorisation requires prior opinion of successor WP 29

– WP 29 still de facto regulator

• Independency and transparency WP 29 ensured

Page 30: Expert Meeting on Binding Corporate Rules | Presentations

Chart 1

[Chart: Norm-setting of BCR. Actors involved in norm-setting, PRESENT and FUTURE. Labels: WP 29, Lead DPA, EU legislator, EU, MS, Multinational, BCR stakeholders, Consultation input.]

Page 31: Expert Meeting on Binding Corporate Rules | Presentations

Quality

• Precision and predictability

• Consistency

• Conformity with public goals

Conformity

• Prior authorisation by Lead DPA – very much aligned with public goals

– Much more effective than current public regulation: public policy even benefits

Page 32: Expert Meeting on Binding Corporate Rules | Presentations

Quality

Precision and predictability

• BCR are global and general in nature

• Too EU specific and too legalistic

– Solution: practical guidelines

Consistency

• Yes if approved by same Lead DPA

• Not if approved by different Lead DPAs

– Caused by differences in national implementation laws

– Solved by Proposed Regulation

– Detailed norm-setting by Commission

– Consistency mechanism (prior opinion successor WP 29)

Page 33: Expert Meeting on Binding Corporate Rules | Presentations

Enforcement

• Monitoring

• Enforcement and sanctions

• Information

Main issues

• Can be the strongest point of BCR (next to effectiveness), but requires additional measures

Page 34: Expert Meeting on Binding Corporate Rules | Presentations

Enforcement

Strongest point (legal innovation)

• Internal complaints procedure, which overcomes main obstacles individuals encounter when enforcing their rights on cross-border basis

– Also if damages are diffuse or too small

– Even if countries do not provide for adequate protection

– Or have insufficient enforcement infrastructure

– Overcomes time zones and language issues

– If individual does not agree outcome, appeal to Lead DPA and courts Lead DPA (also to be facilitated by local group company)

• Lead DPA is in country of EU headquarters: sanctions can be enforced on global basis

• Export of rule of law and judiciary enforcement infrastructure

Page 35: Expert Meeting on Binding Corporate Rules | Presentations

Enforcement

But

• No data yet on effectiveness of enforcement (next study, too early)

• No external accountability to stakeholders

• Monitoring, audit and reporting requirements to internal forums company only

– CPO

– Board of management

• Reporting on compliance and complaints procedure to external stakeholders also

– Driver: is reputation

– Deleted from Proposed Regulation

• But what is the quid pro quo?

Page 36: Expert Meeting on Binding Corporate Rules | Presentations

Chart 2

[Chart: Monitoring and evaluation of BCR. Accountability forums involved, PRESENT and FUTURE. Labels: WP 29, Lead DPA, EU legislator, EU, MS, Multinational, BCR stakeholders, Internal Accountability Forums, Active information duty, Passive information duty.]

Page 37: Expert Meeting on Binding Corporate Rules | Presentations

Effectiveness

• First empirical research into effectiveness

• Nymity, Canadian private research firm, recommended by EDPS

• Nymity Maturity Tool measuring compliance maturity of 10 multinationals on 73 criteria, adding up to 10 privacy principles

• Nymity tool is based on accountability

• Verified whether complete “match” with BCR requirements

• Different sequence, but 95% match

• Added some elements

Page 38: Expert Meeting on Binding Corporate Rules | Presentations

HiiL Expert Meeting

Terry McQuay

Page 39: Expert Meeting on Binding Corporate Rules | Presentations

HIIL STUDY RESULTS

NYMITY BCR ACCOUNTABILITY ANALYSIS

Study Framework

Norms

Results


Page 40: Expert Meeting on Binding Corporate Rules | Presentations

MEASURING ACCOUNTABILITY

Ad hoc – procedures or processes are generally informal, incomplete, and inconsistently applied.

Repeatable – procedures or processes exist; however, they are not fully documented and do not cover all relevant aspects.

Defined – procedures and processes are fully documented and implemented, and cover all relevant aspects.

Managed – reviews are conducted to assess the effectiveness of the controls in place.

Optimized – regular review and feedback are used to ensure continuous improvement towards optimization of the given process.

Page 41: Expert Meeting on Binding Corporate Rules | Presentations

NORMS

Norms are Repeatable


Page 42: Expert Meeting on Binding Corporate Rules | Presentations

NORMS

Privacy Awareness and Training 1.2.10 (page 10)

A privacy awareness program about the entity’s privacy policies and related matters, and specific training for selected personnel depending on their roles and responsibilities, are provided.


Page 44: Expert Meeting on Binding Corporate Rules | Presentations

HIIL STUDY RESULTS NYMITY BCR ACCOUNTABILITY ANALYSIS


Copyright 2012 Nymity Inc.

All rights reserved.

[Chart legend: Pre BCR, Post BCR]

Before BCR Repeatable 72.4% Privacy management procedures or processes exist; however, they are not fully documented and do not cover all relevant aspects.

After BCR Managed 22.4% Privacy management procedures and processes are fully documented and implemented, and cover all relevant aspects (i.e. Defined) plus 22.4% of the time reviews are conducted to assess the effectiveness of the controls in place.


Page 46: Expert Meeting on Binding Corporate Rules | Presentations

EXAMPLE 1


Before BCR: Repeatable 60% The entity has a privacy awareness program, but training is sporadic and inconsistent.

After BCR: Managed 10% An enterprise-wide privacy awareness and training program exists and is monitored by management to ensure compliance with specific training requirements. The entity has determined which employees require privacy training and tracks their participation during such training.

Privacy Awareness and Training 1.2.10 (page 10)

A privacy awareness program about the entity’s privacy policies and related matters, and specific training for selected personnel depending on their roles and responsibilities, are provided.

Page 47: Expert Meeting on Binding Corporate Rules | Presentations

EXAMPLE 2


Before BCR: Repeatable 86% Consequences may be identified but may not be fully documented or consistently disclosed to individuals.

After BCR: Managed 14% Processes are in place to review the stated consequences periodically to ensure completeness, accuracy and relevance.

Consequences of Denying or Withdrawing Consent 3.1.2 (page 13)

When personal information is collected, individuals are informed of the consequences of refusing to provide personal information or of denying or withdrawing consent to use personal information for purposes identified in the notice.

Page 48: Expert Meeting on Binding Corporate Rules | Presentations

ANY EXAMPLES OF OPTIMIZED?


Page 49: Expert Meeting on Binding Corporate Rules | Presentations

HIIL STUDY RESULTS

NYMITY BCR ACCOUNTABILITY ANALYSIS


Optimized Criteria



Page 51: Expert Meeting on Binding Corporate Rules | Presentations

COMPARE YOUR ORGANIZATION

Use the study and the Privacy Maturity Model to compare your organization’s privacy program to before and after BCR

Paper or automated – no cost.

Page 52: Expert Meeting on Binding Corporate Rules | Presentations

THANK YOU


Page 53: Expert Meeting on Binding Corporate Rules | Presentations

Expert Meeting on Binding Corporate Rules – Implementing Legal Innovations

Business Perspectives

March 15, 2012

Page 54: Expert Meeting on Binding Corporate Rules | Presentations

JPMC Binding Corporate Rules

• On 2/26/10 UK ICO authorised the binding corporate rules of JPMorgan Chase & Co. (JPMC)

• JPMC BCRs apply to any

– processing of Personal Data in one of 12 specified jurisdictions in JPMC’s Europe, Middle East and Africa (EMEA) region in the European Economic Area (EEA) by a JPMC data controller

– export of EMEA Personal Data out of the EEA by a JPMC data controller to another JPMC Affiliate outside the EEA

– processing by a JPMC data controller or JPMC data processor of EMEA Personal Data exported out of the EEA by a JPMC data controller

• JPMC BCRs are published on JPM website

Page 55: Expert Meeting on Binding Corporate Rules | Presentations

Research Results

• Disclaimer

• Unsurprising Results

– Multinationals using BCRs are ones that fundamentally seek to be compliant as one of their operating values. (Question 5)

– Companies before introduction of BCRs had a basic maturity level of compliance

– After BCR, disclosure to third parties of personal information 7.2.1, 78% said repeatable

– After BCR, accuracy and completeness of personal information 9.2.1, 100% said repeatable

• Surprising Results

– After BCR, access communication to individuals 6.1.1, 70% said repeatable

Page 56: Expert Meeting on Binding Corporate Rules | Presentations

Largest Issue with Current Regime

• Additional national requirements imposed by various Member States which apply on top of the requirements set by the Article 29 Working Party

• For example, although JPMC BCRs were authorised in February 2010, the royal decree approving JPMC BCRs was signed by the Belgian king on February 15, 2012.

Page 57: Expert Meeting on Binding Corporate Rules | Presentations

Recommendations with Respect to Proposed Regulations

• Since controllers are accountable for each processing operation, BCRs should be expanded to transfers to third parties (i.e. not limited to within a corporate group)

• Supervisory authority in accordance with the consistency mechanism approves binding corporate rules

– Consistency from Member State to Member State needed

– However, process cannot be too bureaucratic

• With inclusion of BCRs in regulation, BCRs may become more popular and demand for approval could exceed DPA resources; therefore, further simplification of approval process may be necessary

Page 58: Expert Meeting on Binding Corporate Rules | Presentations

March 15, 2012

Expert meeting BCR

Sylvia van Es

Head of Legal Compliance Philips

Page 59: Expert Meeting on Binding Corporate Rules | Presentations

Philips active in:

• Healthcare

• CL

• Lighting

• BCR for controller:

– Consumer database: over 12 mio consumers

– Employee data: over 100.000 employees

• Filed for BCR for processor:

– Processor of Health data for hospitals

Page 60: Expert Meeting on Binding Corporate Rules | Presentations

• Privacy compliance rules are exceptionally prescriptive, to a large extent justified in light of fundamental rights

New system is an improvement but not all issues resolved:

• Article 26 (2) still requires internal processor agreements despite BCR;

• Why not EU model contracts by parent company that adopted BCR? (position of WP29);

• Even worse: Article 34: obligation to perform PIAs and obtain prior approval; added value BCR?

• Article 28: Extensive documentation obligations

• Administrative burden will not by definition lead to more material compliance, especially if company has adopted BCR

Page 61: Expert Meeting on Binding Corporate Rules | Presentations

Expert Meeting on Binding Corporate Rules, Amsterdam, March 2012

Colin Scott

University College Dublin

Page 62: Expert Meeting on Binding Corporate Rules | Presentations

Modelling and Evaluating TPR for BCR Environment

[Diagram: actors A to D and the relations between them in terms of Rules, Monitoring and Enforcement.]

A – Firm

B – Government (agency and/or department) OR Trade Association

C – Contracting Party (firm or government)

D – Third parties – eg consumers, employees, NGOs, investors

Diagram labels: Legislation; Contract; standards; Contract (supply chains, audit and assurance); Self-Regulation (eg CSR, employment contracts); Social/market pressures/contracts (eg boycotts, buycotts)

Page 63: Expert Meeting on Binding Corporate Rules | Presentations

• Legitimacy

– Mirroring of Public Proceduralization

– Transparency

– Inclusiveness, etc

– OR mixing market incentives with public models?

• Effectiveness

– Scope of BCR

– Outcomes

• Quality

– Reflection and Evaluation

– Benchmarking – eg grievance handling processes

• Enforcement

– Providing reassurance /credibility

– Public oversight

– Self-reporting

– Compliance programmes and third party assurance

– Enforceable consumer and employee rights

Page 64: Expert Meeting on Binding Corporate Rules | Presentations

www.innovatingjustice.com

Binding Corporate Rules for Employee and Customer Data Protection: What Makes A Successful Innovation?

Professor Maurits Barendrecht

Tilburg Institute for the Interdisciplinary Studies of Civil Law and Conflict Resolution Systems (TISCO)

Hague Institute for the Internationalisation of Law (HiiL)

Page 65: Expert Meeting on Binding Corporate Rules | Presentations

Strongest points

• Moerel: Internal complaints procedure

– Simple access in own country, in every country

– Appeal to Lead DPA and its court

• Nymity

– Security for privacy, collection close to optimal

– All dimensions improved

– Including complaints process (subfactor 10.2.1 to 2 partly cover this)

• JP Morgan and Philips

– Great, but local Kings ask more!

– Great, but danger of new administrative burdens

Page 66: Expert Meeting on Binding Corporate Rules | Presentations

Dispute system design

Emerging discipline. How to achieve?

A. Fair solutions for problems, optimally serving all interests

B. Just in time/low costs/sustainable for all stakeholders

What makes a dispute system work? Generally:

1. A setting for better communication, win/win negotiation and zero sum bargaining/decision making

2. Backed up by norms/schedules showing what generally is paid/done to solve such problems

3. Access to third party who guarantees parties grow towards decision

Page 67: Expert Meeting on Binding Corporate Rules | Presentations

Innovation is Hard Work

• Life for innovators is very complex!

• Many factors contribute to innovation:

– 40 determinants of successful product innovation (meta-analytic review 108 articles, Becheikh et al. 2006)

– 27 factors associated to successful public sector innovation

Page 68: Expert Meeting on Binding Corporate Rules | Presentations

Justice Innovation Impossible?

• Sarat and Grossman 1975: Problems in Mobilization of Adjudication

• Susskind 2008 The End of Lawyers: Predicting commoditization

• Hadfield 2008: Regulation of profession blocks innovation

• Botero et al. 2003 and Cabrillo et al. 2008: Insufficient incentives on courts to offer better services

• Carothers 2006 and Fukuyama 2011: Rule of law and accountability very hard to implement

• World Bank World Development Report 2011: Conflict, Security, and Development: Rule of Law takes 40 years to build

Page 69: Expert Meeting on Binding Corporate Rules | Presentations


An emotional non-starter?

Page 70: Expert Meeting on Binding Corporate Rules | Presentations


Law as managing risk and fear?

Innovation = flow, creativity, taking risks, breaking rules?

Page 71: Expert Meeting on Binding Corporate Rules | Presentations

The eBay/PayPal Resolution Center

Colin Rule

CEO Modria.com

Page 72: Expert Meeting on Binding Corporate Rules | Presentations

I Paid A Bribe

Ramesh Ramanathan

Co-founder Janaagraha Centre for Citizenship and Democracy

Page 74: Expert Meeting on Binding Corporate Rules | Presentations

What was/is crucial for BCR to be/remain sustainable?

… 27 factors … and at least 5

My talk borrows from:

• Project documents

• Short interview with Lokke Moerel

• Innovation in The Justice Sector: What Makes it Happen?

Innovation Model Version 1.5: June 2011

www.innovatingjustice.org

Page 75: Expert Meeting on Binding Corporate Rules | Presentations

A. Generating Possibilities

1. Vision and commitment from government

2. Focus on users, frontline staff and middle managers

3. Diversity

4. Scanning of horizons and margins: a process need

5. Developing capacity for creative thinking

6. Working backwards from outcome goals: terms of reference

7. Creating time and space

8. Allow breaking the rules

9. Competition: the submission problem and regulation of legal services

Page 76: Expert Meeting on Binding Corporate Rules | Presentations

4. Scanning of horizons and margins: a process need

• Peter Drucker: Innovations often supply the missing link between processes. They start from an incongruity between how things are and how they ought to work.

• Here:

– Cross border data transfers within companies

– A need for privacy protection of employees and customers

– National regulation and enforcement

– ‘Networks of intragroup contracts’ as ‘red tape’ with high administrative costs, and doubtful access to remedies

Page 77: Expert Meeting on Binding Corporate Rules | Presentations

8. Allow breaking the rules

• Innovation often involves organizational rule breaking (Markides 1997). Implicit or explicit ways of thinking, practices or norms are a barrier (Johnson, Christensen et al. 2008).

• Public sector best practice: Give innovative projects space for breaking the rules (suspension) ….. If it can be shown that better results can be reached by not following the rule.

• In a legal environment, where practices tend to become norms and norms tend to become sacred, it is more difficult to overcome such barriers.

Page 78: Expert Meeting on Binding Corporate Rules | Presentations

Data protection authorities

• Allowed to proceed although clear that not all 80+ regimes can be observed

• Putting burden of proof that it can be done in a ‘better way’ on innovators and companies

• Took risks

Page 79: Expert Meeting on Binding Corporate Rules | Presentations

B. Developing Innovations

1. Appropriate selection of fruitful ideas: simplifying procedures

2. Adequate risk management

3. Fostering innovation champions

4. Creating incubating space

5. Involving incubators and public-private partnerships

6. Introduce modeling

7. Better funding for early development

8. Involving end users at all stages

Page 80: Expert Meeting on Binding Corporate Rules | Presentations

5. Public private partnership

• Regulators work with companies

• Working party 29

• 19 DPA’s want to cooperate

Page 81: Expert Meeting on Binding Corporate Rules | Presentations

C. Replicating and Scaling Up

1. Improved incentives for individuals and teams

2. Improved incentives for organizations

3. Scaling up and disruptive innovation

4. Specialize and beware of early standardization

5. Change management

Page 82: Expert Meeting on Binding Corporate Rules | Presentations

Incentives (following Colin Scott)

Every stakeholder should continue to gain from BCR:

• Reputation for companies that they are careful with data

• Employees and customers get more protection and better remedies

• Legal profession

• Administrative costs for companies

• Data Protection Authorities show they create good protection

• DPA show they are necessary and need budgets

• DPA have lower administrative costs

Rather unstable equilibrium

Page 83: Expert Meeting on Binding Corporate Rules | Presentations

Challenges for BCR

• Legal, formal challenges < ??? Continue to show it works in the real world

• Major scandal < ??? Risk management

• DPA’s create new administrative burdens < ???

• Competition by even better system < ???

• Covering the less compliant guys < ???

Continuous improvement and further innovation is essential

Page 84: Expert Meeting on Binding Corporate Rules | Presentations

D. Analyzing and Learning

1. Metrics for success

2. Real time learning

3. Peer and user involvement

4. Double loop learning

5. Variety of perspectives

Page 85: Expert Meeting on Binding Corporate Rules | Presentations

1. Metrics for success

• Nymity tool accountability 73 criteria > further development?

• Before BCR and After BCR > next phase?

• Many procedural requirements > more indicators for what happens in real world?

• Independent from particular procedure > innovation means standards have to renew all the time and indicators get new weights

Page 86: Expert Meeting on Binding Corporate Rules | Presentations

Innovators in Justice Sector

• Have to work on many factors, probably 27 of them

• Are essential for serving legal needs, for making the system work and for building the law of the future

• Deserve our deep respect

• Need our continuous support

Page 87: Expert Meeting on Binding Corporate Rules | Presentations

HiiL Expert Meeting Evaluation

Colin Scott

Expert Meeting on Binding Corporate Rules - Implementing Legal Innovations

Peter Hustinx

Page 88: Expert Meeting on Binding Corporate Rules | Presentations

HiiL Expert Meeting Evaluation

Colin Scott

Expert Meeting on Binding Corporate Rules - Implementing Legal Innovations

Open forum discussion

Page 89: Expert Meeting on Binding Corporate Rules | Presentations

HiiL Expert Meeting Evaluation

Colin Scott

Expert Meeting on Binding Corporate Rules - Implementing Legal Innovations

Conclusion and recommendations