Cross-border marketing with the EU data protection directive
The problem of exporting personal data from Europe to other countries that do not have adequate data protection continues to haunt multinational companies.
The European Union data protection directive recognizes several methods for exporting data. Consent is one method. Consent works best when few individuals are involved; it doesn't scale to a large number of data subjects.
Another method is a contractual agreement between a data exporter and its third country affiliate. Officially approved model contract language has been available for some time. Contracts are widely used, but they can be cumbersome to manage with multiple parties. If the model contracts do not suit your circumstances, seeking approval for new language can be time consuming.
The Safe Harbor agreement between the EU and the United States provides another way to export data. However, Safe Harbor only covers data moving from Europe to the U.S., so multinationals with affiliates in other third countries don't find it sufficient. It appears that a significant number of companies supposedly in the Safe Harbor are not in compliance with the rules, but the EU has chosen to look the other way for now.
The newer kid on the block is something called binding corporate rules (BCRs). Actually, BCRs aren't that new, having been in development for several years. The Data Protection Working Party, an advisory group made up of EU data protection commissioners, first blessed the idea of BCRs in a 2003 document.
I recently attended a two-day conference on BCRs in New York sponsored by the Center on Law and Information Policy at Fordham University. Law professor Joel Reidenberg brought together a mix of international privacy officials, academics and experts, and privacy officers and lawyers representing private companies. I suspect that the Center will be a useful resource for exploring privacy issues.
The basic idea of a BCR is that a corporate group establishes its own binding or legally enforceable rules for international data transfers. Within the group, personal data transfers are permissible under EU law regardless of the law of the importing jurisdiction. The basic idea sounds simple, but when it comes to international data protection, nothing is simple.
Some of the major issues are legal. The standards require that a company with a BCR place itself in legal jeopardy if it violates the privacy rights of an individual. How do you know if rules are truly enforceable? Because different countries have so many different legal regimes, the answer is both variable and complex.
Another important legal issue is the definition of a corporate group. Businesses have many different structures, especially with international operations. Tightly controlled international companies may be candidates for a BCR, but looser conglomerates may not be. Even when a BCR is a likely alternative, each subsidiary may be a separate company. Making sure that each company in a group has formally adopted the same binding rules is not a simple task.
Then we come to the procedural issues. How does a company obtain approval for its BCR? Remember that there is no central authority in the EU for making these decisions. Approval of BCRs requires action by the data protection authorities in the member states rather than a central authority.
So, which of the 25 data protection authorities will approve a BCR? That's another good question. It's also the first procedural hurdle. The Working Party set out standards for making that decision, but more work needs to be done to establish clear and efficient procedures.
It is a good sign that the data protection regulators recognize the problems and are working with companies and with each other to find solutions. One especially useful feature is that a company can have a BCR for selected activities. A BCR for human resources functions is a priority for some companies.
The regulators also know that streamlining the approval process is important. If a hundred companies sought approval at the same time, the available resources would be overwhelmed.
A lawyer for one large multinational, which has been pursuing approval for its BCR for several years, described a process of overwhelming complexity involving laws and data protection authorities in many EU nations. Some problems resulted from the novelty of the process, but many other difficulties reflect the fundamental legal complexities inherent in making many corporate components fly in the same enforceable privacy formation. The company hopes to obtain a blessing for its BCR soon.
I asked that lawyer whether he regrets the decision to seek a BCR given the difficulty, length and expense of the process. His answer surprised me. He said he would still do it because the alternatives are even messier and more complex. That is a daunting answer, with a damned-if-you-do, damned-if-you-don't flavor.
It will probably take a few years for the BCR process to become more practical. I wouldn't recommend it unless your company has a great need, a lot of lawyers and considerable patience. Still, BCRs have promise, and it is always helpful to have multiple ways to comply with data export restrictions. I expect that we will see other methods developed in the next decade.