By Lokke Moerel
Have you appointed your Privacy Officer yet? And how is your privacy compliance program coming along?
The European Commission’s proposal for a new Data Protection Regulation represents a landslide in data protection law since the 1995 Privacy Directive came into force. Regulations, other than Directives, are directly applicable in the member states and will not require national implementation. The Commission announced its intention to finalise the legislative process before the end of 2012, after which the Proposed Regulation will take a further two years to come into effect.
One of the key innovations of the Proposed Regulation is “accountability.” The Commission recognises that the current Privacy Directive has not been successful in delivering real protection to individuals. To improve this situation the Commission is introducing an accountability provision requiring companies to adopt policies and implement appropriate measures to ensure data protection compliance and to demonstrate these measures to the data protection authorities of the member states when requested. The Proposed Regulation clearly expects companies to implement a comprehensive privacy compliance program. But what does a comprehensive privacy program actually look like?
Guidance is given by the advisory committee on privacy to the Commission (the Working Party 29) which issued an opinion on the concept of accountability. The Working Party 29 indicates that the regime for Binding Corporate Rules can be used as a general template for corporate data protection compliance programs.
But what are Binding Corporate Rules, or BCR?
BCR are a form of corporate self-regulation introduced by multinationals to facilitate their global inter-company data transfers. Review of the accountability requirements identified by the Working Party 29 as now reflected in the Proposed Regulation, indeed shows a nearly complete overlap with the requirements set for BCR. In the words of the Working Party 29: “Indeed BCR are codes of practice, which multinational organisations draw up and follow, containing internal measures designed to put data protection principles into effect (such as audit, training programmes, network of privacy officers, complaint handling system).”
Reviewing the accountability requirements, it seems to have been rather the other way around. The work on BCR by the Working Party 29 seems to have been the basis for the listing of the accountability measures as now reflected in the Proposed Regulation. As practice shows that introduction of a BCR compliance program in most cases takes a period of at least two years, companies are well advised to embark on their privacy compliance project to ensure compliance before the Proposed Regulation comes into force. With proposed fines of up to 2% of your company’s global annual turnover, you may even get the required budget from management to do so.
Lokke Moerel is a Partner at the international law firm De Brauw Blackstone Westbroek, and chairs its global data privacy and security practice. She provides strategic advice to multinationals on their global ICT compliance. Her book, Binding Corporate Rules: Corporate Self-Regulation of Global Data Transfers, publishes in the UK this month.