Transfer Troubles
U.S. companies turn to new tool to comply with EU's data protection laws.
August 31, 2007 at 08:00 PM
18 minute read
As one of the largest electronics companies in the world, Philips Electronics has a reputation for being ahead of the curve. It was one of the first companies to mass-produce light bulbs, it invented the wildly successful compact audiocassette tape and it's one of the leaders in global semiconductor sales.
Now the technology giant can chalk up yet another innovation. In May Philips made history by becoming one of the first companies to get approval for binding corporate rules (BCRs). BCRs are internal codes of conduct that comply with strict EU data protection requirements and allow a company to freely transfer electronic data from one of its entities to another, regardless of jurisdiction. General Electric and DaimlerChrysler also have had some success in this area.
BCRs are a much-needed solution to a major problem companies operating in Europe face. When the European Commission implemented Directive 95/46/EC in 1998, it made the protection of personal data, including electronic data, a human right and required employers to obtain workers' consent before processing or transferring personal data. Historically getting consent hasn't been easy.
The law also broadly defines personal data as “any information relating to an identified or identifiable natural person.” In the workplace context, much employee-generated content falls under this definition. For example, any e-mail, whether created for business or personal use, is considered personal data.
This poses a challenge for companies trying to produce documents from the EU during litigation. In the past both the U.S. government and the European Commission devised ways for American companies to transfer data across the pond. However both methods had major drawbacks.
By getting EU approval for its BCR, Philips–which declined to comment for this article–is on its way out of the tangled thick of data protection laws that many other companies will likely find themselves up against over the next several years.
“BCRs are probably the Holy Grail of international data transfers,” says Robert Bond, partner at Speechly Bircham in London. “Like the Holy Grail though, they're not easy to obtain.”
Drafting Rules
The concept of BCRs has been around since 2003 when the Article 29 Working Party–an independent European advisory body on data protection–drafted recommendations for creating a new means to transfer personal data to nations outside the EU. Specifically, BCRs allow companies to transfer data internally after they adopt binding codes of corporate conduct.
This can be a huge benefit for large, multinational companies that face regular litigation. By relying on BCRs, any company affiliate can freely transfer data to the U.S., an act that typically requires the data owner's consent.
For example, if Philips is involved in a suit in the U.S. that requires it to produce e-mails from its Paris office, the company can simply transfer that data to its U.S. office, rather than wasting valuable time vying for employee consent.
Also, unlike the old methods of conducting data transfer, BCRs empower a company to self-police rather than yield to the oversight of a government agency. This means that if Philips were to run afoul of its own code of conduct, it may open itself up to an employee claim but won't necessarily suffer government sanctions.
To create BCRs a company must draft comprehensive rules that detail how it collects, processes and stores information; what information it plans to collect; and who will have access to the information. In addition the company must commit to taking legal action against entities and employees that disobey the corporate code. The company also must establish a process to verify that the rules comply with EU data protection laws.
All this work in drafting and planning is one reason why few companies have been able to make much progress with implementing BCRs.
“Drafting BCRs can take a couple of years and cost millions of dollars in time and outside counsel fees,” says Mark Schreiber, partner and chair of Edwards Angell Palmer & Dodge's privacy group. “As good as they sound, they're really only a legitimate avenue for the largest corporate players.”
Seeking Approval
Indeed, devising the BCRs is only half of the work. Once a company believes its rules are compliant, it must begin the arduous task of seeking EU-wide approval. To do this a company must file its BCR with the Data Protection Authority (DPA) in the member state in which its European headquarters is located. A DPA is a governmental body that oversees data protection laws. The DPA then reviews the submission. If it deems it to be noncompliant with its data protection laws, it works with the company to revise the BCR. When the BCR meets the DPA's requirements, that DPA sends it to the other member states for approval. These member states then can each request further redrafting.
“This is why BCRs are torture, institutionally and politically,” Schreiber says. “But they're still in their infancy, so this may change over time.”
No one is sure exactly how long this process takes. None of the three companies that have achieved initial approval from a DPA have even come close to getting EU-wide approval.
This also means it's unknown how much scrutiny some member states will apply to BCRs. Because the interpretation of the EU data protection directive varies from member state to member state, it's likely that some nations with reputations for strict data policies, such as Italy and Greece, will be less likely to grant approval than others.
“The problem is that there are a number of DPAs that still have, in principle, difficulties with the concept of binding corporate rules,” Bond says. “They're concerned that companies won't ensure the codes of conduct are actually binding.”
But this may soon change.
Easier Importing
In January the Article 29 Working Party adopted a model application for the submission of BCRs. This application provides companies wishing to seek approval of their BCRs with a single, standardized form that they can submit to any DPA throughout the EU.
“The goal of the single application form is to eliminate the problem of having to spend all this time submitting to one DPA just to start all over again with every other country in Europe,” Bond says.
This standardized form, however, may not speed up the approval process fast enough for in-house lawyers in the U.S. Thanks to the amended Federal Rules of Civil Procedure, which went into effect last December, the time frame companies have to develop a plan to produce documents has drastically shrunk. Whereas in the past parties wouldn't even begin discussing the terms of discovery until well into the case, the amended rules set a strict window of 99 days after the case filing.
“It's too late to look at these approaches once litigation starts,” says David Kessler, partner at Drinker Biddle & Reath in Philadelphia. “You have to think about your strategy now so you have something in place when litigation arises.”
As one of the largest electronics companies in the world, Philips Electronics has a reputation for being ahead of the curve. It was one of the first companies to mass-produce light bulbs, it invented the wildly successful compact audiocassette tape and it's one of the leaders in global semiconductor sales.
Now the technology giant can chalk up yet another innovation. In May Philips made history by becoming one of the first companies to get approval for binding corporate rules (BCRs). BCRs are internal codes of conduct that comply with strict EU data protection requirements and allow a company to freely transfer electronic data from one of its entities to another, regardless of jurisdiction.
BCRs are a much-needed solution to a major problem companies operating in Europe face. When the European Commission implemented Directive 95/46/EC in 1998, it made the protection of personal data, including electronic data, a human right and required employers to obtain workers' consent before processing or transferring personal data. Historically getting consent hasn't been easy.
The law also broadly defines personal data as “any information relating to an identified or identifiable natural person.” In the workplace context, much employee-generated content falls under this definition. For example, any e-mail, whether created for business or personal use, is considered personal data.
This poses a challenge for companies trying to produce documents from the EU during litigation. In the past both the U.S. government and the European Commission devised ways for American companies to transfer data across the pond. However both methods had major drawbacks.
By getting EU approval for its BCR, Philips–which declined to comment for this article–is on its way out of the tangled thick of data protection laws that many other companies will likely find themselves up against over the next several years.
“BCRs are probably the Holy Grail of international data transfers,” says Robert Bond, partner at Speechly Bircham in London. “Like the Holy Grail though, they're not easy to obtain.”
Drafting Rules
The concept of BCRs has been around since 2003 when the Article 29 Working Party–an independent European advisory body on data protection–drafted recommendations for creating a new means to transfer personal data to nations outside the EU. Specifically, BCRs allow companies to transfer data internally after they adopt binding codes of corporate conduct.
This can be a huge benefit for large, multinational companies that face regular litigation. By relying on BCRs, any company affiliate can freely transfer data to the U.S., an act that typically requires the data owner's consent.
For example, if Philips is involved in a suit in the U.S. that requires it to produce e-mails from its Paris office, the company can simply transfer that data to its U.S. office, rather than wasting valuable time vying for employee consent.
Also, unlike the old methods of conducting data transfer, BCRs empower a company to self-police rather than yield to the oversight of a government agency. This means that if Philips were to run afoul of its own code of conduct, it may open itself up to an employee claim but won't necessarily suffer government sanctions.
To create BCRs a company must draft comprehensive rules that detail how it collects, processes and stores information; what information it plans to collect; and who will have access to the information. In addition the company must commit to taking legal action against entities and employees that disobey the corporate code. The company also must establish a process to verify that the rules comply with EU data protection laws.
All this work in drafting and planning is one reason why few companies have been able to make much progress with implementing BCRs.
“Drafting BCRs can take a couple of years and cost millions of dollars in time and outside counsel fees,” says Mark Schreiber, partner and chair of
Seeking Approval
Indeed, devising the BCRs is only half of the work. Once a company believes its rules are compliant, it must begin the arduous task of seeking EU-wide approval. To do this a company must file its BCR with the Data Protection Authority (DPA) in the member state in which its European headquarters is located. A DPA is a governmental body that oversees data protection laws. The DPA then reviews the submission. If it deems it to be noncompliant with its data protection laws, it works with the company to revise the BCR. When the BCR meets the DPA's requirements, that DPA sends it to the other member states for approval. These member states then can each request further redrafting.
“This is why BCRs are torture, institutionally and politically,” Schreiber says. “But they're still in their infancy, so this may change over time.”
No one is sure exactly how long this process takes. None of the three companies that have achieved initial approval from a DPA have even come close to getting EU-wide approval.
This also means it's unknown how much scrutiny some member states will apply to BCRs. Because the interpretation of the EU data protection directive varies from member state to member state, it's likely that some nations with reputations for strict data policies, such as Italy and Greece, will be less likely to grant approval than others.
“The problem is that there are a number of DPAs that still have, in principle, difficulties with the concept of binding corporate rules,” Bond says. “They're concerned that companies won't ensure the codes of conduct are actually binding.”
But this may soon change.
Easier Importing
In January the Article 29 Working Party adopted a model application for the submission of BCRs. This application provides companies wishing to seek approval of their BCRs with a single, standardized form that they can submit to any DPA throughout the EU.
“The goal of the single application form is to eliminate the problem of having to spend all this time submitting to one DPA just to start all over again with every other country in Europe,” Bond says.
This standardized form, however, may not speed up the approval process fast enough for in-house lawyers in the U.S. Thanks to the amended Federal Rules of Civil Procedure, which went into effect last December, the time frame companies have to develop a plan to produce documents has drastically shrunk. Whereas in the past parties wouldn't even begin discussing the terms of discovery until well into the case, the amended rules set a strict window of 99 days after the case filing.
“It's too late to look at these approaches once litigation starts,” says David Kessler, partner at
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllCoinbase Hit With Antitrust Suit That Seeks to Change How Crypto Exchanges Operate
3 minute readBaker Botts' Biopharma Client Sues Former In-House Attorney, Others Alleging Extortion Scheme
Trending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250