Morrison | Foerster

Corporate Codes of Conduct Under Scrutiny
August 2003
by Miriam Wugmeister, Karin Retzer, and Cynthia Rich


EU Data Protection Authorities Examine the Possibility of Satisfying Data Protection Requirements Through Corporate Rules

The application of EU data protection law presents particular challenges in the context of cross-border transactions. On June 3, 2003, the EU authorities issued a long-awaited paper on codes of conduct facilitating the transfer of personal data from EU Member States to other countries. The paper, entitled "Working Document on Binding Corporate Rules for International Data Transfer," is a disappointment to many who had hoped for rapid progress towards truly global rules for data processing and a more streamlined approach to data protection.

Introduction

The European Commission recognized in its "Report on the transposition of the Data Protection Directive 95/46/EC" of May 15, 2003[fn1] ("Report") the enormous obstacles companies face when transferring data internationally. EU[fn2] Member State laws governing data transfers out of the EU are complex and often contradictory. Compliance can involve considerable time and expense. In its Report, the European Commission therefore encouraged industry and Member State authorities to experiment more widely with voluntary compliance mechanisms that could help to reduce bureaucracy and legal risks and effectively promote privacy rights. Here some Member State authorities, namely the British, Dutch, and German data protection authorities, have taken a leading role and promoted corporate rules allowing transfers of data out of the EU.

The Working Document on Binding Corporate Rules for International Data Transfer issued by the Working Party on June 3, 2003[fn3] (hereinafter "Working Paper") may have a chilling effect on these efforts. The Working Party was established by Article 29 of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter "Directive").[fn4] It is composed of representatives of the data protection authorities of all EU Member States, and the data protection unit at the European Commission acts as its secretariat. While the Working Party has no power to investigate or intervene, and merely provides non-binding guidelines on the interpretation of the Directive and Member State implementation, its issuances generally reflect the opinion of European data protection authorities. Given that the decisions of the Working Party are taken by representatives of the same authorities that will enforce the law, its issuances provide authoritative guidance on EU data protection legislation.

Apparently there has been little progress towards harmonization, or at least coordination between the EU data protection authorities with respect to codes of conduct. While it may be useful to establish general criteria for the content of international codes, the restrictive criteria set forth may act as a disincentive to global organizations that seek to transfer data out of the EU. The Working Paper establishes very restrictive standards for corporate rules, requiring compliance with the strictest EU national regimes, and going beyond the requirements established in the Standard Clauses approved by the European Commission.[fn5]

The Current Legal Framework For Data Transfers

Articles 25 and 26 of the Directive prohibit all transfers of personal data to non-EU countries unless those countries have been found to ensure an adequate level of data protection. To date, the European Commission has deemed adequate the laws of Argentina, Canada, Hungary, and Switzerland, as well as the U.S. safe harbor principles; adequacy findings with respect to the laws of Guernsey are under way. For those countries that are not covered by an adequacy decision, data transfers can only take place if one of several conditions is met; of greatest relevance for private businesses are the following:

  • the individual to whom the data relate (the data subject) has provided unambiguous consent to the transfer;
  • a contract with the organization receiving the data has been established;
  • the transfer is necessary for the performance of a contract between the data subject and the organization exporting the data, or concluded in the interest of the data subject; or
  • the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defense of legal claims.

Unfortunately, the divergent implementation of these exceptions among Member States makes it virtually impossible for companies to select a single safeguard to protect the data they transfer out of the EU. For example, there is discussion in some Member States of whether the transfer of human resources data may legitimately be based on consent obtained from employees. Further, the fact that a transfer is "necessary to complete the contract between the controller and data subject," as a ground for legitimizing data transfers, has been interpreted as meaning "indispensable" for the performance of the contract in some EU Member States, which limits its applicability. Another exception that may facilitate data transfers to affiliates, i.e., the balance-of-interest exception that weighs the legitimate interest in data processing activities against the interests of the individuals to whom the data relate, has not been transposed in all EU Member States, and also is not applied generally to international transfers. The end result is that companies must analyze and satisfy very different standards for transferring data in each EU Member State, thus defeating the harmonizing intent of the Directive.

During the 2002 conference on the revision of the Directive, the European Commission was urged to ensure that any proposal it made to revise the Directive included a proposal that facilitated international transfers in a streamlined manner. In this respect, corporate codes could serve as very useful tools to fulfill the adequacy requirements as they relate to the transfer of data out of the EU. The Working Party uses the term "binding corporate rules" to describe codes of conduct that may be used to ensure the adequate safeguards required by Articles 25 and 26 of the Directive, and to distinguish them from other codes of conduct which set forth best practices as provided in Article 27. Given the growing number of cross-border data transfers, the idea of relying on global rules for all data processing and data transfers is attractive. Under the code of conduct approach, related companies doing business in multiple jurisdictions would apply just one set of rules to govern their data transfers from within the EU to outside the EU, rather than multiple different national requirements. Companies could also draft these codes so that they comply with privacy rules in non-EU countries.

Under Article 26(2), the EU Member State authorities may permit transfers to "non-adequate" countries where the conditions listed above are not available, but where adequate safeguards are guaranteed by other means. For example, many businesses traditionally operate with contractual clauses. An organization can put in place safeguards such as contracts, which may be either individually negotiated contracts (commonly referred to as "Ad Hoc contracts") or Standard Clause contracts for transferring data outside the EU. In both cases, the contract is between the data exporter, i.e., the EU entity transferring the personal data outside the EU, and the data importer receiving the data from the EU. Contracts, however, have several disadvantages.

Most Member States require specific approval of Ad Hoc contracts by the authorities in the Member State from which the data are being transferred. The approval process generally takes a minimum of one to two months and may take longer in certain Member States if the authorities have questions about the transfer. Moreover, additional approval may be necessary if operational changes in the use, collection, processing, and/or transfer of personal data are made. Given the numerous countries from which multinationals may wish to transfer data and the amount of time and effort needed to gain approval from each national data protection authority, Ad Hoc contracts are unlikely to provide a quick and simple basis for transfer.

Standard Clauses are intended to provide one set of rules for all EU countries, and provide a more streamlined process than that for Ad Hoc contracts. The Standard Clauses approved by the European Commission allow for three different compliance options permitting transfers of data outside of the EU. A company may elect to comply with (1) the national law of the data exporter, (2) the Mandatory Principles attached to the Standard Clauses, or (3) a European Commission adequacy decision, provided the company is located in the jurisdiction to which the decision applies. Each option has disadvantages. Compliance with the national law of the data exporter implies compliance with the multiple legal requirements of different Member States. The Mandatory Principles of option 2 require adherence to a standard higher than that required by the Directive. The terms of a European Commission adequacy decision have to be complemented in certain areas to comply with requirements stricter than those set forth in the "adequacy" determinations.

Standard Clauses also impose other onerous requirements. They require, inter alia, that: (i) the data subject be made a third-party beneficiary of the agreement; (ii) the data subject be informed of any transfers of special categories of data (e.g., sensitive data); (iii) the data exporter and data importer be jointly and severally liable for any damages; (iv) the data importer submit to an audit by the data exporter or an inspection body selected by the data exporter; (v) the data importer have security measures in place that are appropriate to the risk; (vi) the governing law of the agreement be the law of the Member State where the data exporter is established; and (vii) the parties submit to the jurisdiction of the Member State courts. Further, transfers to third parties are possible only under limited circumstances. When relying on Standard Clauses, onward transfers to a controller are possible only if: (i) the third-party recipient is subject to an equivalent or adequate level of protection, e.g., is situated in the EU or is subject to an adequacy determination (for example, safe harbor (discussed below)); (ii) the third-party recipient contractually assumes the same obligations as the data importer; or (iii) the data subject's opt-out consent is obtained. In short, Standard Clauses might be a good solution for small companies that transfer data from one EU Member State to a single entity. However, the adoption of Standard Clauses for a global company that transfers data among multiple affiliates and all Member States may be less practical.

In view of such administrative hurdles and rather onerous provisions, contracts are burdensome for multinational companies, as the Working Party seems to recognize. It expressly stated in the introductory paragraphs of the Working Paper that the adequate safeguards referred to in Article 26(2) can be achieved through means other than contracts, for example through binding corporate rules. It considers corporate rules a suitable basis for granting authorizations for the transfer of data in the future. Such a statement is helpful because the use of corporate rules as an adequate safeguard is not expressly mentioned in Article 26(2), and not all EU Member State laws provide that a corporate code or corporate rules can satisfy the adequacy requirement under the Directive.

Greater Flexibility Through Corporate Codes

In theory, corporate rules are very attractive to global companies because they could allow for one set of rules for the entire corporation, and the rules can be tailored to the needs of the particular business. The primary obstacle to using binding corporate rules, however, is that there is no streamlined mechanism for approving company-wide codes. In other words, corporate rules or codes may currently only be used to legitimize data transfers if they comply with the national provisions of the country from which the data is to be transferred. Corporate rules currently have to be submitted to the national data protection authorities of each EU Member State from which the company intends to transfer information. The different national authorities would then assess on a case-by-case basis the content of a particular code when deciding whether the transfer to a third country is legitimate. Each EU Member State would also have the authority to require changes to the corporate code to comply with the data protection legislation adopted by each EU Member State from which data are exported.

Apparently, the national authorities assembled in the Working Party were not yet able to agree in the Working Paper on the benefit of greater co-ordination to facilitate the use of corporate rules. Such a proposal could have allowed EU Member State authorities to institute co-operation mechanisms to meet the needs of multinational companies with a single set of corporate rules that were binding in several jurisdictions. Specifically, there is only a reference in the Working Paper to the possibility of further guidance "as soon as possible" with respect to greater coordination for approval of binding corporate rules. This lack of consensus may be due, in part, to the fact that under some laws (e.g., in Italy and Spain) unilateral acts are not generally enforceable.

The Working Party paper also does not mention the concept of European Commission approved "standard codes" similar to the Standard Clauses. Article 26(4) is silent about whether the European Commission has the right to approve "standard codes of conduct" similar to its right to approve Standard Clauses. The content and the workings of Standard Codes are, however, unclear.

Moreover, the criteria laid out in the Working Party paper as to the minimum requirements that should be in a set of binding corporate rules are very restrictive, and more onerous than the Standard Clauses. While it is useful to establish general criteria for the content of international codes, the restrictive criteria set forth may act as a disincentive to global organizations that seek to transfer data out of the EU.

Required Elements of Binding Corporate Rules

According to the Working Party, some of the key elements that would need to be part of the binding corporate rules include the following:

  • Single Entity Responsible for Compliance, Remedies, and Compensation. An entity established within the EU would be responsible for compliance with EU data protection laws. For non-EU headquartered entities, an EU affiliate would need to be designated as the entity responsible for compliance with the rules, for remedying acts of affiliates including entities established outside the EU, and for paying compensation for damages resulting from any violation of the rules by other corporate entities bound by the codes. The corporation would need to give evidence that the delegated EU affiliate has sufficient assets to cover payments of compensation for breaches of the rules, or that other measures have been taken to ensure it would be able to meet such claims, e.g. by obtaining sufficient insurance coverage.
  • Compliance with EU Member State Regimes. The Working Party states that principles set forth in corporate rules would need to comply to a large extent with the principles of data protection of the Directive, as well as with the strictest EU Member State implementation of the Directive. Corporate rules would have to apply throughout the entire corporation. This means that the entire organization would have to comply with the most restrictive rules in the EU. The only difference between data collected in the United States and data relating to EU data subjects is that EU courts and authorities would not have jurisdiction over US data. Thus, the most restrictive EU data protection rules would be applicable to all data collected or used throughout the world.
  • Detailed Descriptions of Processing Activities. The corporate rules must describe in detail the processing of personal data and the overall economic activities of all entities to whom data is transferred. The amount of detail to be included in the corporate rules must be equivalent to that required in the registration forms used for registering data processing with the data protection authorities in the countries where the data subjects are based. The rules and restrictions for processing must be sufficiently detailed so that they are "practically and realistically fit" for the activities carried out by the affiliates receiving data.
  • Binding Nature of the Rules. The rules must be legally binding, that is, enforceable vis-à-vis the corporate group and the respective affiliate. Unilateral declarations or contractual arrangements are needed. The rules must also be binding in practice. Disciplinary actions for infringement of the rules must exist, sufficient information must be provided to employees, and educational programs should be deployed. The fact that the rules are effectively enforced, and are known and understood throughout the group, must be proved by the data exporter requesting the permission to transfer. The rules must also provide for self-audits and/or external audits by accredited auditors on a regular basis with direct reporting to the ultimate parent.
  • Third Party Beneficiary Rights. EU data subjects must become third party beneficiaries, either by the legal effects of unilateral declarations, or by contractual arrangement between affiliates. As a result, employees could, e.g., assert rights resulting from corporate rules established by their employer. In other words, data subjects would have a direct right of action resulting from codes. The Working Paper states that the scope of such third party rights should "at least match the rights granted to data subjects by the Commission standard clauses." The data subjects must be able to seek judicial remedies and compensation for damages resulting from non-compliance with the corporate rules.
  • Jurisdiction. Provisions on jurisdiction "aimed at facilitating the practical exercise of provisions on liability" are required. As a result, the company must either accept the jurisdiction of the place of establishment of the data exporter, or the jurisdiction of the EU headquarters or of the EU affiliate with delegated data protection responsibilities.
  • Filing and Handling of Complaints. In addition to being able to file a complaint with EU authorities or courts, data subjects should also be able to complain to a clearly identified complaints handling department. The data subject would be entitled to damages should he or she not be satisfied with the remedies resulting from recourse to the internal complaints procedure.
  • Audits. There also has to be a duty of co-operation with EU authorities, including auditing by the authorities of both the entire corporate group and any individual member of the group separately. The corporate group and any of its affiliates will need to agree to abide by the advice of EU authorities. Such advice, e.g., "recommendations either in response to a questionnaire, as a result of a complaint lodged by a data subject or at the initiative of any competent data protection authority," may be made public. A serious and persistent refusal to cooperate by the company may result in the suspension or withdrawal of the transfer authorization.
  • Other Reporting Responsibilities. The EU headquarters or the EU affiliate with delegated data protection responsibilities must contact the data protection authority in a given Member State if mandatory requirements such as internationally recognized sanctions, tax reporting requirements, anti-money laundering legislation, etc. require the personal data to be revealed to other entities.
  • Onward Transfer Notices. Finally, data subjects have to be informed of any onward transfer to third parties, the purpose thereof, the identification of the data exporter, the categories of further recipients, and an explanation that the third party recipient is not bound by the corporate rules and is established in a country where no adequate level of protection of the privacy of the individual exists. The corporate rules may not facilitate transfers outside the corporate umbrella, thus other legitimate grounds for transfers under Article 26 must be employed.
  • Loose Conglomerates. For loose conglomerates without a close-knit, highly hierarchical structure, the Working Party stated that corporate rules "are very unlikely to be a suitable tool" unless severe limitations and conditions for the exchange of information are set forth or the rules are complemented by contracts.

Experimenting with Codes of Conduct

To date, the Dutch data protection authority has approved fifteen codes of conduct, mainly in the financial services, pharmaceutical, and direct marketing services sectors, that can be used to satisfy national requirements for the processing of personal data. These codes are used to promote compliance with sector-specific data protection requirements. To our knowledge, these rules have not been used for the purpose of satisfying requirements imposed on transfers to non-adequate third countries. Discussions about the use of corporate codes of conduct specifically for cross-border data transfers are underway, however. In particular, there are discussions with the Royal Dutch/Shell Group of Companies about the use of a corporate code of conduct to facilitate the transfer of human resources data from Shell's headquarters in the Netherlands to its 2,200 subsidiaries in 140 countries. The project would involve approval of the Shell code, and co-operation between the authorities in the Netherlands and the United Kingdom.

DaimlerChrysler has worked with the German authorities on its corporate rules for the processing of human resources data. The authorities have found that the conditions stipulated in the codes under which personal data can be transmitted between countries provide sufficient protection throughout the group and therefore allow transfers of data outside of the EU without additional safeguards.

There also have been discussions with these authorities about the possibility of greater co-operation with respect to mutual recognition of codes that are compliant with the laws of the country in which the data controller has a "centre of activities". Acceptance of this concept is not expected in the short term, however. The more likely approach will be to experiment with co-operation mechanisms between a limited number of data protection authorities.

Conclusion

The conclusions reached by the Working Party establish an exceedingly high hurdle for companies that want to use corporate rules as a solution for handling their global data transfers. Many of the elements proposed by the Working Party for binding corporate rules, such as acceptance of EU jurisdiction, are the same requirements as those found in the European Commission approved Standard Clauses. In some cases, however, the rules envisioned by the Working Party go beyond the requirements established in the Standard Clauses (e.g., the requirement to assume greater liability risks for the entire corporate structure, and to provide evidence that the EU designee for data protection compliance has sufficient assets or insurance coverage to cover damage payments resulting from breaches of EU laws and corporate rules). While it is useful to establish general criteria for the content of international codes, the restrictive criteria set forth may act as a disincentive to global organizations that seek to transfer data out of the EU. It is therefore unclear to what extent the Working Party paper may discourage or impede the ongoing initiatives on corporate rules of some EU data protection authorities.

The Working Party has indicated its interest in receiving feedback from interested parties on their experience with binding corporate rules, and it plans to hold a public hearing on this issue in early 2004. Comments need to be filed with the Working Party by September 30, 2003. This might be the time to voice concerns in order to render corporate codes of conduct a workable tool for international data transfers.

Footnotes

1: Available at http://europa.eu.int/comm/internal_market/privacy/lawreport/data-directive_en.htm.

2: Any reference to the EU should be understood as referring to the territory of the European Economic Area ("EEA"). The EEA Member States currently are: Austria, Belgium, Denmark, Finland, France, Germany, Greece, Iceland, Italy, Ireland, Liechtenstein, Luxembourg, the Netherlands, Norway, Portugal, Spain, Sweden, and the United Kingdom.

3: Available at http://europa.eu.int/comm/internal_market/privacy/workingroup/wp2003/wpdocs03_en.htm.

4: See Official Journal L 281, 23/11/1995, p. 0031 - 0050.

5: The Commission Decision of June 15, 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC (2001/497/EC), published in the Official Journal of the European Communities on July 4, 2001, L 181/19, incorporates the standard terms suggested by the European Commission for transfers to so-called controllers, i.e., persons that determine the purposes and means of data processing ("Standard Clauses").