Expert Meeting on Binding Corporate Rules | Presentations

Post on 18-Nov-2014


HiiL | De Brauw Blackstone Westbroek Presentations Expert Meeting on Binding Corporate Rules - Implementing Legal Innovations 15 March 2012, Amsterdam


Expert Meeting on Binding Corporate Rules - Implementing Legal Innovations

De Brauw Blackstone Westbroek, Amsterdam

15 March 2012

HiiL Expert Meeting BCR Case Study

Lokke Moerel, Partner ICT, De Brauw Blackstone Westbroek

Thanks

Regulatory landscape

• Data protection qualifies as a fundamental right under the ECHR and the Treaty on the Functioning of the EU

• Data protection is regulated by EU legislators in the Data Protection Directive


Regulatory landscape

• Some countries have no laws at all

• Long arm reach

• Overlapping and Conflicting

– Germany requires registration of church membership of employees, which is forbidden in the Netherlands

• Data transfer rules

Enforcement

• Enforcement is not left to the market (protection of individuals)

• Data Protection Authority (DPA) supervising and enforcing its national data protection law

• Individuals may file complaint with DPA (appeal to the courts) or enforce through courts

• The Working Party 29 is the advisory body to the Commission on data protection

• Members of the WP 29 are the chairs of the DPAs, the European Data Protection Supervisor and the Commission

– Issues opinions on how to apply the Directive

– No enforcement powers

– Coordinates cross-border enforcement actions of DPAs

What

• Binding Corporate Rules

• Global corporate privacy policy

• Rules on how to process personal data within the group

• Creates a “safe haven” for personal data

• Facilitates the intra-group data transfers

Companies process data

• Employees

– Past • Personnel file in cupboard

– Now • Data on use of handheld device, email, internet, social media

• Customers (consumers)

– Past • Guarantee voucher for vacuum cleaner

– Now • All online orders, all surfing tracks

How

• With software

• Past – Each group company its own system (e.g. SAP)

• Now – 1 central system

Example

Central IT system

• 100% compliance not possible

– 82 omnibus data protection laws, 7 sectoral laws

– Conflicting

• Italy and Spain have specific data security rules

– Can implement security only once

– Company must make choices when implementing central system

Why

1. Strategic decisions as to data processing and security

• One set of global instructions

• Centrally imposed by parent on all group companies

2. Cost perspective

• Cheaper to implement compliance top down than bottom up

• Budgetary restraints

Why

3. EU data transfer rules are outdated

• Prohibit data transfers outside of the EU, unless a company has “adduced adequate safeguards” for data protection

• The Commission has acknowledged specific tools for companies to adduce adequate safeguards

• Model contractual clauses to be entered into between data exporter and data importer

Example

Not only EU

Next step

• If multinationals have corporate privacy policy…

• And all group companies are bound…

• And policies provide adequate protection…

• Can policies be alternative to EU model contracts?

• Various multinationals filed request with DPA of their EU headquarters…

• DPAs negotiated draft BCR…

• Based on drafts the WP 29 issued 7 opinions on BCR…

• The national DPAs followed and approved…

• 19 national DPAs agreed on Mutual Recognition Procedure…

BCR requirements

• Authorised by DPA of EU headquarters (Lead DPA)

• Must be internally binding within the organisation

• Must be externally binding for the benefit of the beneficiaries (employees, consumers)

• Incorporate the material data processing principles of the Directive

• Privacy governance (global network of privacy officers)

• Internal complaints procedure

• Auditing programme

• Training programme for employees who process the data

• Be enforceable against EU headquarters before Lead DPA and its courts

• EU headquarters should accept liability for paying compensation and remedying breaches

• Group companies should have a duty to cooperate with the DPAs and to submit to their audits

Assessment

• Self-regulation has to apply EU wide

• Lack of regulatory capacity at EU level

• WP 29 as de facto regulator set rules

• Authorisation of BCR at national level by Lead DPA

• By mutual recognition of national approvals EU wide application is achieved

• Circumvention of EU regulators (and unwilling Member States)

• Transnational supervision and enforcement achieved not at EU level, but by DPA of EU headquarters

Case study

• Evaluation of BCR as form of Transnational Private Regulation (TPR)

• Evaluation criteria for public law

– Legitimacy

– Monitoring, evaluation and enforcement

– Quality

– Effectiveness

• “Transposed” for evaluating TPR

– More actors and accountability forums involved

– Problem of the many hands and the many eyes

• Often: self-regulation is trade off between legitimacy and effectiveness

Legitimacy

• Self-regulation of data protection (being a fundamental right)?

• Inclusion (key stakeholders have to play an active role in the decision-making processes and activities which affect them)

• Procedural transparency (key stakeholders should have accessible and timely information)

• Independence (also de facto regulator should be independent)

Legitimacy

• Self-regulation of data protection requires public framework legislation

– Should have been provided for in Directive

• Current norm-setting by de facto regulator WP 29 in opinions on BCR

– Not inclusive (no civil society stakeholders)

– Not transparent

– Not independent

• Commission is at same time member, secretariat and addressee of opinions

Legitimacy

• Solved in Proposal for Data Protection Regulation

– Norm-setting inclusive and transparent

– Direct applicability in all Member States

– BCR acknowledged as valid tool for inter-company data transfers

– Regulates main substantive requirements

– Detailed norm-setting delegated to Commission (no longer WP 29)

Legitimacy

• Solved in Proposal for Data Protection Regulation

– Uniform BCR authorisation procedure by the DPA of the main establishment of the multinational in the EU

– Still not at EU level (risk of national interest prevailing)

– However, consistency mechanism: BCR authorisation requires prior opinion of successor WP 29

– WP 29 still de facto regulator

• Independence and transparency of WP 29 ensured

Chart 1 (diagram not reproduced): actors involved in norm-setting of BCR, present and future – WP 29, Lead DPA, EU legislator, multinational and BCR stakeholders, at EU and Member State (MS) level, with consultation input.

Quality

• Precision and predictability

• Consistency

• Conformity with public goals

Conformity

• Prior authorisation by Lead DPA – very much aligned with public goals

– Much more effective than current public regulation: public policy even benefits

Quality

Precision and predictability

• BCR are global and general in nature

• Too EU specific and too legalistic

– Solution: practical guidelines

Consistency

• Yes if approved by same Lead DPA

• Not if approved by different Lead DPAs

– Caused by differences in national implementation laws

– Solved by Proposed Regulation

– Detailed norm-setting by Commission

– Consistency mechanism (prior opinion of successor WP 29)

Enforcement

• Monitoring

• Enforcement and sanctions

• Information

Main issues

• Can be the strongest point of BCR (next to effectiveness), but requires additional measures

Enforcement

Strongest point (legal innovation)

• Internal complaints procedure, which overcomes main obstacles individuals encounter when enforcing their rights on cross-border basis

– Also if damages are diffuse or too small

– Even if countries do not provide for adequate protection

– Or have insufficient enforcement infrastructure

– Overcomes time zones and language issues

– If individual does not agree with outcome, appeal to Lead DPA and courts of Lead DPA (also to be facilitated by local group company)

• Lead DPA is in country of EU headquarters: sanctions can be enforced on global basis

• Export of rule of law and judiciary enforcement infrastructure

Enforcement

But

• No data yet on effectiveness of enforcement (next study, too early)

• No external accountability to stakeholders

• Monitoring, audit and reporting requirements to internal forums of company only

– CPO

– Board of management

• Reporting on compliance and complaints procedure to external stakeholders also

– Driver is reputation

– Deleted from Proposed Regulation

• But what is the quid pro quo?

Chart 2 (diagram not reproduced): accountability forums involved in monitoring and evaluation of BCR, present and future – WP 29, Lead DPA, EU legislator, multinational, BCR stakeholders and internal accountability forums, at EU and Member State (MS) level; active information duty and passive information duty.

Effectiveness

• First empirical research into effectiveness

• Nymity, Canadian private research firm, recommended by EDPS

• Nymity Maturity Tool measuring compliance maturity of 10 multinationals on 73 criteria, adding up to 10 privacy principles

• Nymity tool is based on accountability

• Verified whether complete “match” with BCR requirements

• Different sequence, but 95% match

• Added some elements

HiiL Expert Meeting

Terry McQuay

HIIL STUDY RESULTS

NYMITY BCR ACCOUNTABILITY ANALYSIS

Study Framework

Norms

Results


MEASURING ACCOUNTABILITY

Ad hoc – procedures or processes are generally informal, incomplete, and inconsistently applied.

Repeatable – procedures or processes exist; however, they are not fully documented and do not cover all relevant aspects.

Defined – procedures and processes are fully documented and implemented, and cover all relevant aspects.

Managed – reviews are conducted to assess the effectiveness of the controls in place.

Optimized – regular review and feedback are used to ensure continuous improvement towards optimization of the given process.


NORMS

Norms are Repeatable


NORMS


Privacy Awareness and Training 1.2.10 (page 10)

A privacy awareness program about the entity’s privacy policies and related matters, and specific training for selected personnel depending on their roles and responsibilities, are provided.


HIIL STUDY RESULTS NYMITY BCR ACCOUNTABILITY ANALYSIS


Copyright 2012 Nymity Inc.

All rights reserved.

Before BCR: Repeatable (72.4%) – Privacy management procedures or processes exist; however, they are not fully documented and do not cover all relevant aspects.

After BCR: Managed (22.4%) – Privacy management procedures and processes are fully documented and implemented, and cover all relevant aspects (i.e. Defined), plus 22.4% of the time reviews are conducted to assess the effectiveness of the controls in place.


EXAMPLE 1


Privacy Awareness and Training 1.2.10 (page 10): A privacy awareness program about the entity’s privacy policies and related matters, and specific training for selected personnel depending on their roles and responsibilities, are provided.

Before BCR: Repeatable (60%) – The entity has a privacy awareness program, but training is sporadic and inconsistent.

After BCR: Managed (10%) – An enterprise-wide privacy awareness and training program exists and is monitored by management to ensure compliance with specific training requirements. The entity has determined which employees require privacy training and tracks their participation during such training.

EXAMPLE 2


Consequences of Denying or Withdrawing Consent 3.1.2 (page 13): When personal information is collected, individuals are informed of the consequences of refusing to provide personal information or of denying or withdrawing consent to use personal information for purposes identified in the notice.

Before BCR: Repeatable (86%) – Consequences may be identified but may not be fully documented or consistently disclosed to individuals.

After BCR: Managed (14%) – Processes are in place to review the stated consequences periodically to ensure completeness, accuracy and relevance.

ANY EXAMPLES OF OPTIMIZED?


Optimized Criteria (chart not reproduced in this transcript)

COMPARE YOUR ORGANIZATION

Use the study and the Privacy Maturity Model to compare your organization’s privacy program to before and after BCR.

Paper or automated – no cost.


THANK YOU


Expert Meeting on Binding Corporate Rules – Implementing Legal Innovations

Business Perspectives

March 15, 2012

JPMC Binding Corporate Rules

• On 2/26/10 the UK ICO authorised the binding corporate rules of JPMorgan Chase & Co. (JPMC)

• JPMC BCRs apply to any

– processing of Personal Data in one of 12 specified jurisdictions in JPMC’s Europe, Middle East and Africa (EMEA) region in the European Economic Area (EEA) by a JPMC data controller

– export of EMEA Personal Data out of the EEA by a JPMC data controller to another JPMC Affiliate outside the EEA

– processing by a JPMC data controller or JPMC data processor of EMEA Personal Data exported out of the EEA by a JPMC data controller

• JPMC BCRs are published on JPM website

Research Results

• Disclaimer

• Unsurprising Results

– Multinationals using BCRs are ones that fundamentally seek to be compliant as one of their operating values. (Question 5)

– Companies before introduction of BCRs had a basic maturity level of compliance

– After BCR, disclosure to third parties of personal information 7.2.1, 78% said repeatable

– After BCR, accuracy and completeness of personal information 9.2.1, 100% said repeatable

• Surprising Results

– After BCR, access communication to individuals 6.1.1, 70% said repeatable

Largest Issue with Current Regime

• Additional national requirements imposed by various Member States which apply on top of the requirements set by the Article 29 Working Party

• For example, although JPMC BCRs were authorised in February 2010, the royal decree approving JPMC BCRs was signed by the Belgian king on February 15, 2012.

Recommendations with Respect to Proposed Regulations

• Since controllers are accountable for each processing operation, BCRs should be expanded to transfers to third parties (i.e. not limited to within a corporate group)

• Supervisory authority in accordance with the consistency mechanism approves binding corporate rules

– Consistency from Member State to Member State needed

– However, process cannot be too bureaucratic

• With inclusion of BCRs in regulation, BCRs may become more popular and demand for approval could exceed DPA resources; therefore, further simplification of approval process may be necessary

Expert meeting BCR

Sylvia van Es, Head of Legal Compliance Philips

March 15, 2012

Philips active in:

• Healthcare

• CL

• Lighting

• BCR for controller:

Consumer database: over 12 million consumers

Employee data: over 100,000 employees

• Filed for BCR for processor:

Processor of Health data for hospitals

• Privacy compliance rules are exceptionally prescriptive, to a large extent justified in light of fundamental rights

New system is an improvement but not all issues resolved:

• Article 26 (2) still requires internal processor agreements despite BCR;

• Why not EU model contracts by parent company that adopted BCR? (position of WP29);

• Even worse: Article 34: obligation to perform PIAs and obtain prior approval; added value of BCR?

• Article 28: Extensive documentation obligations

• Administrative burden will not by definition lead to more material compliance, especially if company has adopted BCR

Expert Meeting on Binding Corporate Rules, Amsterdam, March 2012

Colin Scott

University College Dublin

Diagram (not reproduced): regulatory actors set against Rules, Monitoring and Enforcement. A – Firm; B – Government (agency and/or department) or Trade Association; C – Contracting Party (firm or government); D – Third parties, e.g. consumers, employees, NGOs, investors. Instruments shown: legislation, contract and standards; contracts in supply chains with audit and assurance; self-regulation, e.g. CSR and employment contracts; social/market pressures and contracts, e.g. boycotts and buycotts.

Modelling and Evaluating TPR for BCR Environment

• Legitimacy

– Mirroring of Public Proceduralization

– Transparency

– Inclusiveness, etc.

– OR mixing market incentives with public models?

• Effectiveness

– Scope of BCR

– Outcomes

• Quality

– Reflection and Evaluation

– Benchmarking, e.g. grievance handling processes

• Enforcement

– Providing reassurance / credibility

– Public oversight

– Self-reporting

– Compliance programmes and third party assurance

– Enforceable consumer and employee rights

www.innovatingjustice.com

Binding Corporate Rules for Employee and Customer Data Protection: What Makes A Successful Innovation?

Professor Maurits Barendrecht

Tilburg Institute for the Interdisciplinary Studies of Civil Law and Conflict Resolution Systems (TISCO)

Hague Institute for the Internationalisation of Law (HiiL)

Strongest points

• Moerel: Internal complaints procedure

– Simple access in own country, in every country

– Appeal to Lead DPA and its court

• Nymity

– Security for privacy, collection close to optimal

– All dimensions improved

– Including complaints process (subfactors 10.2.1 to 2 partly cover this)

• JP Morgan and Philips

– Great, but local Kings ask more!

– Great, but danger of new administrative burdens

Dispute system design

Emerging discipline. How to achieve?

A. Fair solutions for problems, optimally serving all interests

B. Just in time/low costs/sustainable for all stakeholders

What makes a dispute system work? Generally:

1. A setting for better communication, win/win negotiation and zero sum bargaining/decision making

2. Backed up by norms/schedules showing what generally is paid/done to solve such problems

3. Access to third party who guarantees parties grow towards decision

Innovation is Hard Work

• Life for innovators is very complex!

• Many factors contribute to innovation:

– 40 determinants of successful product innovation (meta-analytic review of 108 articles, Becheikh et al. 2006)

– 27 factors associated with successful public sector innovation

Justice Innovation Impossible?

• Sarat and Grossman 1975: Problems in Mobilization of Adjudication

• Susskind 2008 The End of Lawyers: Predicting commoditization

• Hadfield 2008: Regulation of profession blocks innovation

• Botero et al. 2003 and Cabrillo et al. 2008: Insufficient incentives on courts to offer better services

• Carothers 2006 and Fukuyama 2011: Rule of law and accountability very hard to implement

• World Bank World Development Report 2011: Conflict, Security, and Development: Rule of Law takes 40 years to build

An emotional non-starter?

Law as managing risk and fear?

Innovation = flow, creativity, taking risks, breaking rules?

The eBay/PayPal Resolution Center

Colin Rule

CEO Modria.com

I Paid A Bribe

Ramesh Ramanathan

Co-founder Janaagraha Centre for Citizenship and Democracy

What was/is crucial for BCR to be/remain sustainable?

… 27 factors … and at least 5

My talk borrows from:

• Project documents

• Short interview with Lokke Moerel

• Innovation in The Justice Sector: What Makes it Happen?

Innovation Model Version 1.5: June 2011

www.innovatingjustice.org

A. Generating Possibilities

1. Vision and commitment from government

2. Focus on users, frontline staff and middle managers

3. Diversity

4. Scanning of horizons and margins: a process need

5. Developing capacity for creative thinking

6. Working backwards from outcome goals: terms of reference

7. Creating time and space

8. Allow breaking the rules

9. Competition: the submission problem and regulation of legal services

4. Scanning of horizons and margins: a process need

• Peter Drucker: Innovations often supply the missing link between processes. They start from an incongruity between how things are and how they ought to work.

• Here:

– Cross border data transfers within companies

– A need for privacy protection of employees and customers

– National regulation and enforcement

– ‘Networks of intragroup contracts’ as ‘red tape’ with high administrative costs, and doubtful access to remedies

8. Allow breaking the rules

• Innovation often involves organizational rule breaking (Markides 1997). Implicit or explicit ways of thinking, practices or norms are a barrier (Johnson, Christensen et al. 2008).

• Public sector best practice: Give innovative projects space for breaking the rules (suspension)… if it can be shown that better results can be reached by not following the rule.

• In a legal environment, where practices tend to become norms and norms tend to become sacred, it is more difficult to overcome such barriers.

Data protection authorities

• Allowed to proceed although clear that not all 80+ regimes can be observed

• Putting burden of proof that it can be done in a ‘better way’ on innovators and companies

• Took risks

B. Developing Innovations

1. Appropriate selection of fruitful ideas: simplifying procedures

2. Adequate risk management

3. Fostering innovation champions

4. Creating incubating space

5. Involving incubators and public-private partnerships

6. Introduce modeling

7. Better funding for early development

8. Involving end users at all stages

5. Public private partnership

• Regulators work with companies

• Working party 29

• 19 DPAs want to cooperate

C. Replicating and Scaling Up

1. Improved incentives for individuals and teams

2. Improved incentives for organizations

3. Scaling up and disruptive innovation

4. Specialize and beware of early standardization

5. Change management

Incentives (following Colin Scott)

Every stakeholder should continue to gain from BCR:

• Reputation for companies that they are careful with data

• Employees and customers get more protection and better remedies

• Legal profession

• Administrative costs for companies

• Data Protection Authorities show they create good protection

• DPA show they are necessary and need budgets

• DPA have lower administrative costs

Rather unstable equilibrium

Challenges for BCR

• Legal, formal challenges < ??? Continue to show it works in the real world

• Major scandal < ??? Risk management

• DPA’s create new administrative burdens < ???

• Competition by even better system < ???

• Covering the less compliant guys < ???

Continuous improvement and further innovation is essential

D. Analyzing and Learning

1. Metrics for success

2. Real time learning

3. Peer and user involvement

4. Double loop learning

5. Variety of perspectives

1. Metrics for success

• Nymity tool: accountability, 73 criteria > further development?

• Before BCR and After BCR > next phase?

• Many procedural requirements > more indicators for what happens in real world?

• Independent from particular procedure > innovation means standards have to renew all the time and indicators get new weights

Innovators in Justice Sector

• Have to work on many factors, probably 27 of them

• Are essential for serving legal needs, for making the system work and for building the law of the future

• Deserve our deep respect

• Need our continuous support

HiiL Expert Meeting Evaluation

Colin Scott

Expert Meeting on Binding Corporate Rules - Implementing Legal Innovations

Peter Hustinx

Open forum discussion

Conclusion and recommendations