EU Justice Commissioner Viviane Reding recently delivered two speeches. One was on the proposals for reform of EU data protection laws and its impact on businesses, the other was on the benefits of binding intra-group codes of practice based on European data protection standards (binding corporate rules, or BCRs). Ms Reding’s speeches provide insight into the European Commission’s policy and its commitment to reform.

DATA PROTECTION REFORM

In her speech, “Building trust in the Digital Single Market: Reforming the EU's data protection rules”, delivered on 28 November 2011, Ms Reding said that reforming data protection laws would serve to increase trust and confidence in consumers, encourage use of digital services, and ensure economic growth.

To address the problems faced currently by the data protection regime, the Commission is proposing a number of reforms. It notes that businesses need consistency and coherence. Accordingly, the Commission argues that there should be a “one-stop-shop” when it comes to data protection matters: one law and one data protection authority for each business. Authorities responsible for data protection must be provided with sufficient powers and resources to enforce the law.

The Commission suggests that coordination and cooperation between national data protection authorities must be strengthened to ensure rules are enforced consistently. Cutting red tape by eliminating unnecessary costs and administrative burdens to create a more business-friendly regulatory environment is seen to be essential.

Industry self-regulation also has a complementary role to play in reform, with businesses being expected to comply with data protection rules, ensuring transparency for individuals, who must be provided with appropriate information about the processing of their data and must be informed swiftly when their personal data is lost, stolen, or breached. Users must know their rights, and which authority to address if those rights are violated.

Ms Reding reiterated that she wants to create a “right to be forgotten”. If an individual no longer wants their personal data to be processed or stored by a data controller, and there is no legitimate reason for keeping it, the data should be removed from that system. In addition, reform will include easier access to individuals’ own data.

BINDING CORPORATE RULES

On 29 November 2011, in a speech entitled “Binding Corporate Rules: unleashing the potential of the digital single market and cloud computing”, Ms Reding said that BCRs constitute one way of protecting the processing and transferring of personal data outside the European Union. Once formally approved by one of the EU Member States’ data protection authorities, they become legally binding on companies, offering legal certainty and flexibility, and ensuring that all essential data protection principles are respected. However, Ms Reding said that BCRs could be improved.

Instead of obtaining approval from each national authority of each Member State in which the company might be active, Ms Reding wants BCRs to be based on one single law: European law. Ms Reding stressed that once BCRs are approved by one data protection authority, they should be enforceable through any data protection authority and enforcement must be consistent. At the moment, not all authorities have the power to adopt legally binding decisions. Ms Reding therefore plans to strengthen the powers of data protection authorities so that they can all use administrative sanctions whenever there is a breach of the law. Moreover, BCRs will be binding within companies and on third parties.

Ms Reding said that, “If European businesses are to compete with the rest of the world, we need to encourage innovation.” In an era where information flows globally, data protection laws that apply only within a given territory do not work. Ms Reding wants to make BCRs applicable to all internal and extra-EU transfers of any entity in a group of companies.

COMMENT

Currently, the BCRs remain the preserve of larger multinational groups with their construction and approval proving challenging for smaller entities and those with particularly complex group structures. Thus, the process of streamlining the approval of BCRs will be of great benefit to smaller entities seeking to use BCRs.