Multi-nationals have long complained that there is no one-stop shop under the existing EU data protection regulations, to facilitate EU wide compliance with data protection rules. The existing data protection regulations set minimum thresholds, which can and have been applied in different ways in different countries.
It is in the light of hopes for that elusive one-stop shop, that the prospect of a new and more integrated General Data Protection Regulation for Europe has resulted in widespread interest from the multi-national business community. Now (finally) the text of that new General Protection Regulation has been agreed (albeit informally) by the European Commission, the European Parliament, the EU Council of Ministers, and even the Civil Liberties, Justice and Home Affairs (LIBE) committee of the European Parliament. Other things being equal and a fair wind, it looks set to come into force early in 2018.
Three challenges I hear about most frequently from multi-nationals with the existing data protection regulations for Europe might be characterized as follows:
1. “There is no EU wide co-ordination for multi-nationals with a presence in multiple EU countries. We want a one-stop shop in the EU for our data privacy compliance”;
2. “We want to implement Binding Corporate Rules to ensure compliance with international data transfer rules, but the procedure for getting these approved is ridiculous. Herding cats for a living would be easier”; and
3. “We never know whether we need to have a dedicated data protection officer in any particular country. Sometimes it seems crazy to have to appoint one when we such have a tiny operation there”.
So how does the new draft Data Protection Regulation for Europe respond to these challenges?
1. One-Stop Shop for Multi-nationals?
The European Commission Press Release on the new Data Protection Regulation trumpets “One continent; one law” and yet whilst regulations 51 through 54 of the new Regulation talk about a one-stop shop for multi-nationals in the country in which they have their largest establishment in the EU, the small print still tells a less cohesive story. Rules about whether or not a company needs a local data protection officer, for instance, can still be stronger in any individual EU country than the standard required by the EU wide Regulation.
We also expect to see some un-seemly fights between data protection authorities, arguing about the ground rules for determining the country in which a multi-national is deemed to have its largest EU establishment. Will it be determined by the numbers of employees in a particular country, or will revenue or profit be more critical determining factors? The chances of internecine warfare will be even higher if too many multi-nationals try to deem themselves “principally established” in UK or Ireland, where data protection authorities in other EU jurisdictions, are inclined to see the UK and Ireland as “softer” on big business.
2. International Data Transfers.
Since the European Court of Justice decision of 8th April 2014 in the case brought by Digital Rights Ireland, heralded the death knell of the US Safe Harbour method for transferring data lawfully from the EU to the USA, the thoughts of many multi-nationals have turned to Binding Corporate Rules, as a good alternative to using the rather unwieldy and awkwardly drafted Model Clauses.
The good news is that the new Data Protection Regulation gives statutory recognition to Binding Corporate Rules for the first time, and in theory, approval by the data protection authority in a multi-national’s key country of EU establishment will be sufficient to approve Binding Corporate Rules for the whole of the EU.
We really hope this works in practice but given the current lead-time of two years to get Binding Corporate Rules approved across the EU, we are in “wait and see” mode on this one. For the time being, we will recommend that our clients continue using the Model Clauses approach, until more multi-nationals with deep pockets have tested the water on getting their Binding Corporate Rules authorized on an EU wide basis by one data protection regulator. The Model Clauses may be unwieldy and awkwardly drafted but at least they do a job for you, with a minimum investment of management effort and no lead-time for approval.
3. Data Protection Officers in each Country?
Article 35 of the new Data Protection Regulation addresses the question of data protection officers. Predictably there is a requirement for a data protection officer if a company is in the business of processing data, or where the processing of data by an organization is regular and systematic and/or on a large scale. At the other end of the spectrum, there is an exemption from the need to appoint a data protection officer for small and medium sized enterprises, which do not qualify under the requirements of the preceding sentence. Concerningly for multi-nationals though, there is still the option for individual countries to mandate a requirement for a data protection officer, even if one would not otherwise be required on the basis of the text of the new EU wide Data Protection Regulation. The situation looks to be no worse under the new Data Protection Regulation than it already is today under the existing rules, but it does seem a shame that a decent opportunity for harmonization has been missed.
If your business would like advice about how the new Data Protection Regulation will affect you going forward or about the existing EU data protection regime, please contact firstname.lastname@example.org