First Data Corp. Becomes the First Payment Processor to Have “Binding Corporate Rules” for Data Transfer Approved by EU Regulators
First Data Corp. announced on November 14, 2011 that the UK Information Commissioner’s Office (“ICO”) had approved its Binding Corporate Rules (“BCRs”) for data sharing outside the EU. First Data went through a rigorous four-year process to obtain approval, but BCR reforms may streamline the procedure for future applicants. First Data is the first payment processor, and one of only eleven companies, to have obtained ICO approval of its BCRs. Generally, the European Union’s Data Protection Directive (Directive 95/46/EC) prohibits the transfer of personal data from the European Economic Area (“EEA”) to countries that do not “ensure an adequate level of protection” of personal data, such as the United States. Multinational corporations therefore cannot share personal data with affiliates outside the EEA unless they put adequate safeguards in place.
BCRs (along with the US/EU Safe Harbor framework and the EU standard contractual clauses) are one means of satisfying the requirement for an “adequate level of protection.” BCRs are internal company policies that govern data transfers between affiliated companies in the same corporate group, particularly transfers from affiliates within the EEA to affiliates in countries that do not provide an “adequate level of protection.” BCRs become “binding,” and thus enforceable by third parties, once the first data protection regulator approves them. First Data’s BCRs commit the company to the EU’s privacy principles and to accountability measures such as audits and training. Although the ICO has approved First Data’s BCRs, First Data must still obtain approval from the other EU Member State data protection regulators. Under a relatively recent reform, 19 EEA countries mutually recognize BCRs approved by another EEA Member State regulator; European countries that do not participate in “mutual recognition” must separately approve the BCRs.
But even with “mutual recognition,” obtaining approval remains an onerous process. After approval by EU Member States, the national laws of some Member States still require the company to obtain authorization for each international transfer made under the BCRs. In addition, BCRs legitimize only transfers among the affiliates of a single corporate group; transfers to third parties, such as outsourcing companies and other contractual partners, must be authorized through other mechanisms. Accordingly, the EU is considering further reforms. For example, Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, recently proposed to (1) simplify approval by requiring only one regulator, rather than every Member State’s data protection regulator, to approve BCRs; (2) enforce BCRs consistently across Member States; and (3) make BCRs available to more companies that provide innovative solutions, such as cloud computing. Whether these proposed reforms will make BCRs a viable option for more businesses remains an open question. For now, only larger companies have the financial and organizational resources to create a comprehensive internal data-protection code of conduct and navigate the multi-year BCR approval process.