EU seeks to simplify cross-border data protection compliance

Companies will be able to negotiate pan-European agreements with a single authority, rather than country by country as now

To make it simpler for businesses to comply with the multiplicity of data protection regimes across Europe, Viviane Reding envisages letting European Union companies set their own privacy rules -- as long as they agree with one national data protection authority (DPA) to make them legally binding on all business units within the same group, wherever they may be.

Reding, vice president of the European Commission, hopes to make it much simpler to negotiate such binding corporate rules (BCRs) under new data protection regulations she plans to present early next year, she said Tuesday at a conference in Paris organized by the International Association of Privacy Professionals.

Such BCRs are not provided for in the current E.U. data protection directive, which dates back to 1995. However, companies including Bristol-Myers Squibb and General Electric (GE) have already negotiated them on a piecemeal basis over the last decade for many of the countries where they operate, working with individual DPAs or through mutual recognition agreements that cover 19 of the 27 E.U. member states.

Based on European data protection standards, the BCRs Reding would like to introduce are codes of practice ensuring "adequate safeguards" for data transfers between parts of the same corporate group, she said. Adopted voluntarily by businesses, they will become legally binding wherever the company operates once approved by a data protection authority in just one of the 27 E.U. countries.

BCRs developed as a way for European businesses to transfer data outside the E.U., perhaps into a cloud service where the precise location of data cannot be ascertained, and are compatible with any corporate culture, whether decentralized such as a hotel chain or centralized such as a bank, Reding said.

She wants to improve on them by making them simpler to create, more consistent in their enforcement and more accommodating of innovation.

Such changes are necessary because our world is no longer defined by physical borders, she said. "Data races from Barcelona to Bangalore. It is processed in Dublin, stored in California and accessed in Milan. The transfer of data to third countries has become an important part of daily life, and this affects businesses and citizens."

BCRs today need approval from a DPA in each E.U. country where a group is active, so one set of rules must satisfy multiple authorities with different, perhaps contradictory, practices or legislation. "That wastes time and money," said Reding.

Instead, she wants to see BCRs based on one law, defined in a new European regulation.

This change in legislative instrument, from the existing directive to a new regulation, is key to Reding's plan, said Wojciech Rafal Wiewiórowski, Poland's inspector general for the protection of personal data.

In legal disputes, parties can only refer to the directive if they are suing the state: in all other cases, it is the national law transposing the directive that governs disputes, Wiewiórowski said. "But if the legal basis is set in a regulation, it is binding not just for DPAs and state authorities but also for every entity in the market," he said in a later panel session on the topic of BCRs. "That means companies can sue each other according to the BCRs."

Reding plans to have the new BCRs ratified by a single DPA, but Wiewiórowski wondered whether E.U. countries are ready to hand over such powers to a single authority. "Probably not," was his verdict.

He raised other problems with compliance monitoring.

"Who will say whether a company is fulfilling its responsibilities under a BCR?" he asked. "Let's assume it's the DPAs: that works in Europe, but that's not really the problem. The problem is those companies moving data outside Europe."

In the U.S., we can count on the support of the Federal Trade Commission, and Mexico too has a strong data protection authority, he said. "But what about Laos? Who will check what is going on in a data center in Laos?"

Despite these reservations, other panelists have already implemented BCRs, and urged audience members to move ahead with their own without waiting for Reding to introduce the new regulation.

When Bristol-Myers Squibb negotiated its BCR with the French National Commission on Computing and Liberty (CNIL), the approval process took over eight months, said Caroline Cavaillier, the company's E.U. data protection officer. DPAs in Germany and Spain also vetted the first draft, she said. The BCR has simplified data transfers for the company, she said.

At GE, work on the first BCR started in 2001, with the company getting approvals in Germany in July 2003 and in France in October 2005, said Christian Pardieu, the company's E.U. data protection officer. With the help of the U.K. Information Commissioner's Office, it subsequently negotiated 10 others with the countries with which the ICO had mutual recognition agreements.

"But that's still only 12 out of 27 countries," Pardieu said. "We have so many entities in so many countries that signing data transfer clauses and seeking legal certainty is a nightmare," he said.

For him, a single BCR recognized in all 27 E.U. countries can't come too soon -- although there's no reason to wait for the new regulation, he said: "Start right now, don't wait for new regulations. It's costly, but you build trust with the customer and with employees. That's the meaning of these privacy principles."

Peter Sayer covers open source software, European intellectual property legislation and general technology breaking news for IDG News Service. Send comments and news tips to Peter at


Peter Sayer

IDG News Service