Companies that move personal data across the European market are subject to a multitude of privacy requirements. To streamline those demands, companies have the option of submitting Binding Corporate Rules—that is, a pledge to follow a specific set of privacy policies and procedures across Europe—for approval by the data protection authorities in EU member states. To get a sense of the process, we spoke to those involved with the crafting and approval of BCRs for First Data, a payment technology company headquartered in Atlanta that does business throughout Europe.
Binding Corporate Rules, a company’s data compliance framework and governance policies for privacy protection, are drafted for two types of operations: data controller and data processor. The former pertains to information a company holds on its own behalf, such as employee data; the latter covers information processed on behalf of a customer.
First Data is the first business to win regulatory approval for BCRs covering both types of data.
The European Union bars companies from transferring customer or employee personal data outside one country without proof that adequate data protection measures are in place at the destination. While some countries, including Canada and Switzerland, are deemed to have adequate protection, countries that aren’t—including the United States—need to provide that assurance to regulators before they start shifting data across borders. Approved BCRs, with legally binding data privacy obligations, are one way to overcome the data transfer restriction.
First Data’s road to securing BCR approval for both types of data operation was a long one. The preliminary work to achieve those approvals goes back to 2006, when the company developed internal privacy principles based on European standards that focused on employee data retained by HR departments. The Article 29 Working party (the policy body that advises the European Commission on data protection) did not even establish a process for data controller BCRs until 2007.
Despite hopes that the Article 29 Working Party’s plans for BCRs would cover all personal information handled by a company, the scope remained limited to the transfer of employee data. “So we started with that, but we wrote [our] BCR in such a way that it pertained to all the data we had in our possession, irrespective of whether it existed as a controller or a processor,” says John Atkins, First Data’s chief privacy officer.
First Data began crafting its data controller BCRs in 2007; final approval came four years later. The company started the process by selecting a lead data protection authority: Britain’s Information Commissioner’s Office. To avoid having companies seek approval on a country-by-country basis, applicants must select one agency to manage the review. The lead authority then works with secondary DPAs in the European Union to obtain feedback and ultimate approval.
That first BCR established standards for how controlled data would be used and protected. Protection responsibilities were assigned to a First Data subsidiary, FDR Limited—including liability for breaches of the company’s data protection standards by entities outside of the European Union and taking any action necessary to remedy them. First Data also detailed protocols for personal data in the employee Code of Conduct and its information security policy. Both were reviewed as part of the BCR submission.
In 2013 the Article 29 Working Party approved the use of BCRs for data processors, and the company “jumped right in,” Atkins says. Once again the ICO was selected as the lead DPA. The work put into the earlier, more narrowly focused controller BCRs helped a lot. “First Data, with the ICO’s support, sought to establish as much common ground between the two [packages of BCRs] as made practical sense,” says Scott Singer, a partner with the law firm Dentons that worked with the company.
The review was fairly straightforward. First Data had to produce all policies, procedures, and training materials related to First Data’s information security program. The ICO focused on how these policies were enforced. “On some matters they didn’t feel we were responsive enough, so we worked with them to satisfy the concerns they wanted addressed,” Atkins says.
“The main challenge was managing timelines,” Singer adds. “The ICO is incredibly busy, and it’s very important to maximize progress when they have windows of availability. The key thing is to ensure that a clear timetable is agreed with the lead regulator and that everyone is committed to it. Timing is always a challenge in BCR projects.” Unlike the lengthy data controller BCR application, the data processor BCR review, which concluded on Feb. 4, took just over a year.
With more than 200 affiliates and subsidiaries in 34 countries, First Data had to build flexibility into both BCRs. Subsidiaries may adopt their own privacy standards if the nature of their services or clients requires it. Those policies, however, must meet or exceed the company’s requirements.
Common to both BCRs are assurances that data privacy training will be provided for its 24,000 employees. To ensure compliance, First Data created a “security and data privacy hotline,” where questions, complaints, or tips can be reported. Complaints must be addressed by the company within 28 days.
FOLLOWING THE RULES
The following is a selection from the Binding Corporate Rules prepared by First Data.
We will handle Personal Data (including Sensitive Personal Data) in accordance with the BCRs and all applicable local data protection and privacy laws and regulations including, but not limited to, the European Union Data Protection Directive (Directive 95/46/EC), the Privacy in Electronic Communications Directive (Directive 2002/58/EC), and the United States Gramm-Leach-Bliley Act. The BCRs must be interpreted in accordance with the Directives, GLBA and all applicable data protection and privacy laws and regulations.
Where applicable data protection and privacy laws provide less protection than those granted by the BCRs, the BCRs will apply. Where applicable data protection and privacy laws provide a higher protection, they will take precedence over the BCRs.
As a general rule First Data does not assume any responsibility for compliance requirements that apply to its clients. Similarly, when First Data is acting as a data processor and not as a data controller, First Data is not responsible for interpreting, complying with, advising on, or ensuring its client complies with laws that apply to the client’s business but do not apply to First Data’s. In this circumstance, generally First Data acts in accordance with the client’s instructions and the applicable contract provisions. Nothing in the Binding Corporate Rules or in this summary should be interpreted in any way to the contrary.
Source: First Data Corp.
There were some key differences between the two BCRs. Among them was a demand for service-level agreements for the data processor BCRs, a requirement not in place for controller BCRs, Singer says.
First Data’s processor BCRs include assurances that personal data will only be transferred when all applicable legal requirements are met, when the business need is clear, and when the receiving party has appropriate security. In the case of transfers to third parties or to entities not bound by the BCRs, a written contract will spell out security and confidentiality obligations. “Any data privacy program has to start with the fact that the data is protected in the first place, before you move to that secondary piece—which is, now that you have it, are you using it for the purpose for which it was intended, and only in a lawful way,” Atkins says.
An important decision for a U.S. company doing business in Europe is whether the added scrutiny of the voluntary BCR process is better than sticking to the traditional safe harbor agreement, where companies pledge to honor the rights of EU citizens. Given the hugely sensitive information First Data possesses, Atkins says the choice was easy. “We don’t make tennis shoes,” he says. “We wanted to give our customers complete confidence that if they trust their data to us we will protect it like it was our own.”
Other companies may have a dilemma. “The principal disadvantage is time, cost, and effort of BCRs compared to safe harbor,” Singer says. The safe harbor, however, “is viewed with some degree of skepticism by many European data privacy experts because it is a self-certified system, which can be implemented quickly and where consequences of breach are rarely tested,” he adds. “BCRs by contrast are the gold standard for privacy compliance.”
Singer’s advice for companies that decide to commit to the processor BCR process:
Consider doing controller and processor projects together to benefit from economies of scale.
Think carefully about which jurisdictions to apply for.
Agree to a clear timetable with the lead authority, and be prepared to live by it.
The process doesn’t end with BCR approval. “The ICO or any other data protection authority could come in and ask to take a look at any time, just like we are already examined by U.S. regulators,” Atkins says. “We need to be fully prepared and transparent for anybody with the authority to come in and look at our program and its execution. We have a tangible record that is updated every year that any data protection authority, or even our own internal audit organization, can look at to support the notion that we are doing what we said we would do.”