Vice-President of the European Commission, EU Justice Commissioner
Binding Corporate Rules: unleashing the potential of the digital single market and cloud computing
IAPP Europe Data Protection Congress
Paris, 29 November 2011
Ladies and Gentlemen,
It is a privilege to speak with you today and to lift the veil on some of the ideas under consideration for the upcoming reform of the European Union data protection laws.
You are data protection professionals. You know perfectly well how much rapid technological developments over the past 16 years have challenged the current regime of the 1995 Directive on personal data protection in Europe. Our world is no longer defined by physical borders. Data races from Barcelona to Bangalore. It is processed in Dublin, stored in California and accessed in Milan. In the digital age, the transfer of data to third countries has become an important part of daily life. And this affects both businesses and citizens.
In this "brave new digital world", we need efficient and effective tools to ensure that personal information online is properly protected.
One way to adequately protect the processing and transferring of personal data is binding corporate rules. These codes of practice are based on European data protection standards. Businesses adopt them voluntarily and then ensure that there are adequate safeguards for transfers of data between companies that are part of the same corporate group. They become binding on companies once they have been approved by one of our 27 European Union Member States’ data protection authorities. And binding means legally binding. It means that an agreement has been consciously made, and that the parties bound by the rules knowingly understand that they agree to make certain actions either required or prohibited.
As you know, binding corporate rules are not explicitly foreseen in our current Directive but have developed as a matter of practice, with the support of the Article 29 Working Party, which gathers data protection authorities from all Member States.
They provide European businesses with a very helpful tool for the transfer of data outside the EU. Companies can voluntarily create a set of rules for the transfer of data within their organisation, no matter where in the world they operate.
It is for a company to decide whether to put these rules in place – but once they do, the rules become legally binding and this means enabling citizens to exercise their rights, even when that company is operating outside the EU or in the cloud environment.
From our experience, we know that one of the strengths of binding corporate rules is that they offer legal certainty and a lot of flexibility. They are compatible with any corporate culture: whether a decentralised group of companies such as a hotel chain, a digital auction site or even a centrally managed bank. In any of these cases, binding corporate rules will ensure that all essential principles of data protection are respected.
Binding corporate rules are indeed a very smart data protection tool. But we all know that they could do even better!
I would like to take this opportunity to share with you my reform plans to make binding corporate rules even more effective.
There are three main aspects of how these rules will be improved: simplification, consistent enforcement and innovation.
First of all: We need simpler binding corporate rules.
As some of you might have experienced, when you draft these codes today, you need to get approval from the national authorities of each Member State in which your group is active.
The situation under the current Directive means that your one set of rules must be checked by multiple authorities with different – and at times maybe contradictory – practices in place.
I see this legal fragmentation as a costly administrative burden. It wastes time and money. It is detrimental to the credibility and efficiency of data protection authorities and data protection tools.
In my reform proposal, binding corporate rules will be based on one single law, the European law.
I intend to propose a consistent and streamlined approval process with a single point of contact for companies amongst the data protection authorities. And, once the binding corporate rules are approved by one data protection authority, I want them to be recognised by all European data protection authorities. And there should be no need for additional national authorisation in case of further transfers.
Binding corporate rules will no longer be a tool 'for experts only'. They should be compatible with small innovative companies' endeavours to operate on a global scale; companies should be able to transfer their data freely and safely – anywhere and in conformity with the law.
Companies of any size will be able to set up binding corporate rules. And the rules will cover all types of business models: from a paper-based filing system to an intricate internal organisation or the most complex cloud computing system.
These improvements will make life easier for businesses and help improve their reputations.
Secondly, we need consistent enforcement across Europe.
As I said earlier and as their name implies, binding corporate rules have to be legally binding. I want their enforcement to be possible through any data protection authority.
Today, there are still some data protection authorities in Europe that do not have the power to adopt legally binding decisions. In practice, this means that in cases where data protection law is seriously breached, these data protection authorities are unable to do anything but address recommendations to the responsible data controller. We can do better.
As companies operate across borders in Europe, the data protection rules and their enforcement must be more consistent. This is good for both businesses and citizens. Businesses should have the legal certainty that they face similar laws wherever they operate. Citizens should have confidence that their personal data will be protected in a similar way throughout the EU. Increasing consistency helps build confidence, which is good for everyone in the digital world.
How can we achieve more consistent enforcement? I plan to strengthen the powers of data protection authorities so that they can all use administrative sanctions whenever there is a breach of the law. These aligned responsibilities and powers are essential for the credibility and trust between the European data protection authorities.
My reform will make binding corporate rules binding within companies, but also with respect to third parties. This implies that the rules provide for the necessary legal mechanisms to apply to all entities involved.
If the rules are infringed to the detriment of an individual, enforcement can then take place either through the data protection authority or through the courts.
Let me now come to my third point: We need innovation!
I believe that for efficient data protection and to ensure effective rights for individuals, we have to push the boundaries of traditional regulatory models. If European businesses are to compete with the rest of the world, we need to encourage innovation. And we need to embrace new technology.
The first area we need to reconsider is the idea of geographical borders. The internet and other technologies have made it just as easy to purchase online from the United States or India, as it is to buy from your local store. Data protection laws that apply only within a given territory just do not work in an era where information flows are global: personal data is stored in one country, effectively processed in another and the data subject is located in a completely different country.
The reformed binding corporate rules will help us to solve this issue in a novel way: binding corporate rules will apply to all internal and extra-EU transfers of any entity in a group of companies. It does not seem logical to say that data held by a European company is adequately protected whilst it is inside the borders of the European Union, but not when it is transferred to a different part of that same company in Asia or South America – even if safeguards are put in place.
We will create a win/win situation for both companies and individuals:
And individuals win as they are properly informed and able to exercise their rights, wherever their data is processed.
Transparency and simplicity are increased.
And what is more: so far, data protection authorities have only developed binding corporate rules for data controllers - those who determine the purposes and means of the processing of personal data. I will support the development of binding corporate rules that can also be used by processors – those who process personal data on behalf of the controller. Where binding corporate rules also cover processors, all kinds of business models including any kind of cloud computing can be covered by them.
Binding corporate rules will ensure that the fundamental right to data protection is respected by business. Data protection authorities in our Member States, companies and citizens can use these rules to enforce proper personal data protection. Therefore, with the reform, binding corporate rules will be recognised throughout the European Union. They should be seen worldwide as an exemplary tool for better data protection.
Ladies and Gentlemen,
I have put forward today some of the ways in which the reform will make it simpler and less burdensome to transfer data using binding corporate rules. The harmonisation of our core data protection principles will greatly simplify the process of establishing binding corporate rules and having them approved by a data protection authority. They will continue to fit in with the corporate culture of different globally operating companies – even those following very innovative business models.
Indeed, I encourage companies of all sizes to start working on their own binding corporate rules!
Binding corporate rules are an open instrument: They are open to international interoperability. They are open to your innovations. They are open to improve data protection on a global scale, to foster citizens' trust in the digital economy and unleash the full potential of our Single Market. And more: they are open to go beyond the geographical borders of Europe.
Binding corporate rules will become enforceable in all Member States of the European Union. This is essential for businesses' efforts to be credible. This is essential for the respect for the fundamental rights of our citizens. And in these times of economic and financial troubles, I will do my utmost to ensure that the reform of data protection becomes a way of changing legal rules that respects the fundamental rights of individuals whilst simultaneously promoting innovation and accelerating economic growth. I hope I can count on your support in this endeavour.