As one of the largest electronics companies in the world, Philips Electronics has a reputation for being ahead of the curve. It was one of the first companies to mass-produce light bulbs, it invented the wildly successful compact audiocassette tape and it's one of the leaders in global semiconductor sales.

Now the technology giant can chalk up yet another innovation. In May Philips made history by becoming one of the first companies to get approval for binding corporate rules (BCRs). BCRs are internal codes of conduct that comply with strict EU data protection requirements and allow a company to freely transfer electronic data from one of its entities to another, regardless of jurisdiction. General Electric and DaimlerChrysler also have had some success in this area.

BCRs are a much-needed solution to a major problem companies operating in Europe face. When the European Commission implemented Directive 95/46/EC in 1998, it made the protection of personal data, including electronic data, a human right and required employers to obtain workers' consent before processing or transferring personal data. Historically getting consent hasn't been easy.

The law also broadly defines personal data as “any information relating to an identified or identifiable natural person.” In the workplace context, much employee-generated content falls under this definition. For example, any e-mail, whether created for business or personal use, is considered personal data.

This poses a challenge for companies trying to produce documents from the EU during litigation. In the past both the U.S. government and the European Commission devised ways for American companies to transfer data across the pond. However both methods had major drawbacks.

By getting EU approval for its BCR, Philips–which declined to comment for this article–is on its way out of the tangled thick of data protection laws that many other companies will likely find themselves up against over the next several years.

“BCRs are probably the Holy Grail of international data transfers,” says Robert Bond, partner at Speechly Bircham in London. “Like the Holy Grail though, they're not easy to obtain.”

Drafting Rules

The concept of BCRs has been around since 2003 when the Article 29 Working Party–an independent European advisory body on data protection–drafted recommendations for creating a new means to transfer personal data to nations outside the EU. Specifically, BCRs allow companies to transfer data internally after they adopt binding codes of corporate conduct.

This can be a huge benefit for large, multinational companies that face regular litigation. By relying on BCRs, any company affiliate can freely transfer data to the U.S., an act that typically requires the data owner's consent.

For example, if Philips is involved in a suit in the U.S. that requires it to produce e-mails from its Paris office, the company can simply transfer that data to its U.S. office, rather than wasting valuable time vying for employee consent.

Also, unlike the old methods of conducting data transfer, BCRs empower a company to self-police rather than yield to the oversight of a government agency. This means that if Philips were to run afoul of its own code of conduct, it may open itself up to an employee claim but won't necessarily suffer government sanctions.

To create BCRs a company must draft comprehensive rules that detail how it collects, processes and stores information; what information it plans to collect; and who will have access to the information. In addition the company must commit to taking legal action against entities and employees that disobey the corporate code. The company also must establish a process to verify that the rules comply with EU data protection laws.

All this work in drafting and planning is one reason why few companies have been able to make much progress with implementing BCRs.

“Drafting BCRs can take a couple of years and cost millions of dollars in time and outside counsel fees,” says Mark Schreiber, partner and chair of Edwards Angell Palmer & Dodge's privacy group. “As good as they sound, they're really only a legitimate avenue for the largest corporate players.”

Seeking Approval

Indeed, devising the BCRs is only half of the work. Once a company believes its rules are compliant, it must begin the arduous task of seeking EU-wide approval. To do this a company must file its BCR with the Data Protection Authority (DPA) in the member state in which its European headquarters is located. A DPA is a governmental body that oversees data protection laws. The DPA then reviews the submission. If it deems it to be noncompliant with its data protection laws, it works with the company to revise the BCR. When the BCR meets the DPA's requirements, that DPA sends it to the other member states for approval. These member states then can each request further redrafting.

“This is why BCRs are torture, institutionally and politically,” Schreiber says. “But they're still in their infancy, so this may change over time.”

No one is sure exactly how long this process takes. None of the three companies that have achieved initial approval from a DPA have even come close to getting EU-wide approval.

This also means it's unknown how much scrutiny some member states will apply to BCRs. Because the interpretation of the EU data protection directive varies from member state to member state, it's likely that some nations with reputations for strict data policies, such as Italy and Greece, will be less likely to grant approval than others.

“The problem is that there are a number of DPAs that still have, in principle, difficulties with the concept of binding corporate rules,” Bond says. “They're concerned that companies won't ensure the codes of conduct are actually binding.”

But this may soon change.

Easier Importing

In January the Article 29 Working Party adopted a model application for the submission of BCRs. This application provides companies wishing to seek approval of their BCRs with a single, standardized form that they can submit to any DPA throughout the EU.

“The goal of the single application form is to eliminate the problem of having to spend all this time submitting to one DPA just to start all over again with every other country in Europe,” Bond says.

This standardized form, however, may not speed up the approval process fast enough for in-house lawyers in the U.S. Thanks to the amended Federal Rules of Civil Procedure, which went into effect last December, the time frame companies have to develop a plan to produce documents has drastically shrunk. Whereas in the past parties wouldn't even begin discussing the terms of discovery until well into the case, the amended rules set a strict window of 99 days after the case filing.

“It's too late to look at these approaches once litigation starts,” says David Kessler, partner at Drinker Biddle & Reath in Philadelphia. “You have to think about your strategy now so you have something in place when litigation arises.”

As one of the largest electronics companies in the world, Philips Electronics has a reputation for being ahead of the curve. It was one of the first companies to mass-produce light bulbs, it invented the wildly successful compact audiocassette tape and it's one of the leaders in global semiconductor sales.

Now the technology giant can chalk up yet another innovation. In May Philips made history by becoming one of the first companies to get approval for binding corporate rules (BCRs). BCRs are internal codes of conduct that comply with strict EU data protection requirements and allow a company to freely transfer electronic data from one of its entities to another, regardless of jurisdiction. General Electric and DaimlerChrysler also have had some success in this area.

BCRs are a much-needed solution to a major problem companies operating in Europe face. When the European Commission implemented Directive 95/46/EC in 1998, it made the protection of personal data, including electronic data, a human right and required employers to obtain workers' consent before processing or transferring personal data. Historically getting consent hasn't been easy.

The law also broadly defines personal data as “any information relating to an identified or identifiable natural person.” In the workplace context, much employee-generated content falls under this definition. For example, any e-mail, whether created for business or personal use, is considered personal data.

This poses a challenge for companies trying to produce documents from the EU during litigation. In the past both the U.S. government and the European Commission devised ways for American companies to transfer data across the pond. However both methods had major drawbacks.

By getting EU approval for its BCR, Philips–which declined to comment for this article–is on its way out of the tangled thick of data protection laws that many other companies will likely find themselves up against over the next several years.

“BCRs are probably the Holy Grail of international data transfers,” says Robert Bond, partner at Speechly Bircham in London. “Like the Holy Grail though, they're not easy to obtain.”

Drafting Rules

The concept of BCRs has been around since 2003 when the Article 29 Working Party–an independent European advisory body on data protection–drafted recommendations for creating a new means to transfer personal data to nations outside the EU. Specifically, BCRs allow companies to transfer data internally after they adopt binding codes of corporate conduct.

This can be a huge benefit for large, multinational companies that face regular litigation. By relying on BCRs, any company affiliate can freely transfer data to the U.S., an act that typically requires the data owner's consent.

For example, if Philips is involved in a suit in the U.S. that requires it to produce e-mails from its Paris office, the company can simply transfer that data to its U.S. office, rather than wasting valuable time vying for employee consent.

Also, unlike the old methods of conducting data transfer, BCRs empower a company to self-police rather than yield to the oversight of a government agency. This means that if Philips were to run afoul of its own code of conduct, it may open itself up to an employee claim but won't necessarily suffer government sanctions.

To create BCRs a company must draft comprehensive rules that detail how it collects, processes and stores information; what information it plans to collect; and who will have access to the information. In addition the company must commit to taking legal action against entities and employees that disobey the corporate code. The company also must establish a process to verify that the rules comply with EU data protection laws.

All this work in drafting and planning is one reason why few companies have been able to make much progress with implementing BCRs.

“Drafting BCRs can take a couple of years and cost millions of dollars in time and outside counsel fees,” says Mark Schreiber, partner and chair of Edwards Angell Palmer & Dodge's privacy group. “As good as they sound, they're really only a legitimate avenue for the largest corporate players.”

Seeking Approval

Indeed, devising the BCRs is only half of the work. Once a company believes its rules are compliant, it must begin the arduous task of seeking EU-wide approval. To do this a company must file its BCR with the Data Protection Authority (DPA) in the member state in which its European headquarters is located. A DPA is a governmental body that oversees data protection laws. The DPA then reviews the submission. If it deems it to be noncompliant with its data protection laws, it works with the company to revise the BCR. When the BCR meets the DPA's requirements, that DPA sends it to the other member states for approval. These member states then can each request further redrafting.

“This is why BCRs are torture, institutionally and politically,” Schreiber says. “But they're still in their infancy, so this may change over time.”

No one is sure exactly how long this process takes. None of the three companies that have achieved initial approval from a DPA have even come close to getting EU-wide approval.

This also means it's unknown how much scrutiny some member states will apply to BCRs. Because the interpretation of the EU data protection directive varies from member state to member state, it's likely that some nations with reputations for strict data policies, such as Italy and Greece, will be less likely to grant approval than others.

“The problem is that there are a number of DPAs that still have, in principle, difficulties with the concept of binding corporate rules,” Bond says. “They're concerned that companies won't ensure the codes of conduct are actually binding.”

But this may soon change.

Easier Importing

In January the Article 29 Working Party adopted a model application for the submission of BCRs. This application provides companies wishing to seek approval of their BCRs with a single, standardized form that they can submit to any DPA throughout the EU.

“The goal of the single application form is to eliminate the problem of having to spend all this time submitting to one DPA just to start all over again with every other country in Europe,” Bond says.

This standardized form, however, may not speed up the approval process fast enough for in-house lawyers in the U.S. Thanks to the amended Federal Rules of Civil Procedure, which went into effect last December, the time frame companies have to develop a plan to produce documents has drastically shrunk. Whereas in the past parties wouldn't even begin discussing the terms of discovery until well into the case, the amended rules set a strict window of 99 days after the case filing.

“It's too late to look at these approaches once litigation starts,” says David Kessler, partner at Drinker Biddle & Reath in Philadelphia. “You have to think about your strategy now so you have something in place when litigation arises.”