Monday, February 9, 2009

Lead Data Protection Authority

Lead Data Protection Authority:  how EU data protection regulation can catch up with other areas of European law

Being a global company means having employees, partners and users who interact on a worldwide basis without geographical or jurisdictional limitations.  Maximising efficiency is a key driver so most global companies attempt to adopt a consistent way of doing business internationally.  Whilst cultural differences may have an impact on some activities, economic globalisation encourages a uniform and coherent approach to most operations, from sales practices to compliance protocols.  However, global companies still have to comply with diverse laws across jurisdictions and be accountable to many national regulators.  All of these trends become even more pronounced for companies doing business over the Internet. 

In the European Union, some industry sectors can benefit from regulatory regimes which are specifically aimed at simplifying the way in which players within those sectors comply with cross-jurisdictional rules.  For example, pharmaceutical companies may rely on simplified procedures to have their products evaluated and authorised across the EU.  One solution is called the “decentralised procedure”, by which a company can go directly to a national authority to obtain permission to market its products in that member state and then seek to have other member states accept the approval of the first member state.  This procedure is applicable in cases where an authorisation for a pharmaceutical product does not yet exist in any member state.

Alternatively, pharmaceutical companies may in some instances rely on the mutual recognition procedure, by which the assessment and marketing authorisation of one member state should be mutually recognised by other concerned countries within the EU.  Under the mutual recognition procedure, the pharmaceutical company submits its application to the chosen country, which will carry out the assessment work and approve or reject the application.  The other countries then have 90 days to decide whether they approve or reject the decision made by the original country.

Similarly, financial services firms can seek authorisation in one member state and obtain “passport rights” to enable them to carry on financial services in other member states.  When a financial services provider wishes to establish a branch or provide services in several EU countries, notification of such intention is submitted to the regulatory authority in the home member state.  This notification is then forwarded to the regulator in the member states in which the operator intends to open the branch or provide its services. As a result, a particular product licensed in the home member state becomes automatically recognised in all other member states and may therefore be sold across borders free of undue bureaucratic controls.

Some areas of law – such as e-commerce – also follow the “country of origin” principle.  This principle establishes that where an action or service is performed in one country but received in another, the applicable law is the law of the country where the action or service is performed.  For example, if a company sells products online across Europe but it is formally established as a limited company under the laws of one member state, that commercial activity will normally be subject to the law of that country.

Data protection regulatory complexities

The jurisdictional rules under the EU data protection directive do not work like that.  When a company handles personal information about employees, customers, suppliers and others, it will be subject to the different privacy and data protection regimes in force in each EU jurisdiction.  In the European Union, data protection laws will establish a number of very specific requirements and compliance will be overseen by the data protection authorities of each member state.  This means that the use of personal information by that company will be regulated in slightly different ways across the EU.

All European directives pursue the same overriding objective: achieving harmonisation across EU member states whilst respecting the national legislative power of each jurisdiction.  This is normally achieved by establishing a set of principles that each member state incorporates into its own legislation within the parameters of the directive.  When a directive, like the 1995 data protection directive, creates a complex regulatory regime involving an independent regulator, member states devise suitable structures that provide for the establishment and operation of that regulator.

This approach to data protection regulation has caused a number of complexities that diminish the two-fold aim of the directive, namely: protecting the fundamental rights and freedoms of natural persons and facilitating the free flow of personal data between member states.  The fact that laws and regulators differ from one member state to the next makes pan-European compliance more difficult and hence less effective.  At the same time, the existence of disjointed regulatory approaches creates inefficiencies, business barriers and unnecessary expense for those companies seeking to comply with all applicable laws and regulations.

The lead authority concept

Whilst legislative harmonisation may not be achieved without radical constitutional changes, the experience of simplified oversight in some industry sectors shows that adopting a lead regulator approach is not only possible but desirable.  The most promising step in this direction within the data protection regime is the “lead authority” concept that was created for the purpose of assessing and approving Binding Corporate Rules (“BCR”) applications.  In 2005, the Article 29 Working Party adopted a co-ordinated approval mechanism that allows companies seeking the approval of their BCR to fast-track their submissions through all of the relevant EU data protection authorities.  This mechanism entails choosing an “entry point” data protection authority which will be the official point of contact with the candidate until the BCR are ready for approval in that country, and then will assist the relevant organisation to gain approval throughout the European Union.  More recently, a group of data protection authorities within the Article 29 Working Party launched the BCR mutual recognition procedure, so that approval by one authority will automatically lead to approval of the same BCR by the others. 

For some organisations it will be obvious which data protection authority should act as the lead authority.  Where it is not clear which authority should become the entry point, the co-ordinated approval mechanism requires organisations to consider the following factors in order to determine the most appropriate data protection authority:

· The location of the corporate group’s European headquarters or office with data protection responsibilities.

· The location of the company which is best placed to lead the BCR application and, if necessary, enforce compliance.

· The place where any key operational decisions in terms of the purposes and means of the data processing are made.

· The EU country from which most international transfers originate.

Extending the concept beyond BCR

Both the co-ordinated approval mechanism for BCR and the mutual recognition procedure are contributing to making BCR a much more credible and attractive option for organisations using personal data on a global basis.  The fact that the approval stage itself focuses on meeting one single set of standards and expectations – even when these are high – allows those organisations to concentrate their compliance efforts in a consistent and effective way.  In other words, companies can devote their attention to ensuring that they apply the right standards and achieve a workable level of privacy and data protection, rather than to dealing with the diverse expectations of a plethora of similar regulators.

Given that BCR systems include policies and procedures affecting the whole range of data protection obligations and rights, it should also be possible to take the lead authority concept beyond BCR and apply it to data protection compliance generally.  The criteria to determine the most appropriate data protection authority for BCR applications could also be used to identify the most suitable authority overall.  If the single regulator idea has worked in heavily regulated sectors like health care and banking, it is not inconceivable that the same idea could work very effectively in the area of data protection compliance.

If this were the case, global companies collecting, using and sharing data in the EU could not only benefit from the harmonisation of legal standards but from the simplification of regulatory activities across the EU.  The national regulators themselves would be able to operate in a much more focussed way.  These efficiency gains would ultimately translate into a greater and more realistic level of protection for individuals.  So the case for a lead data protection regulator to oversee the data activities of pan-European organisations is one that the EU data protection authorities themselves, as well as the EU Commission, should be making their own.  

1 comment:

Anonymous said...

I agree with you that the mutual recognition procedure for BCRs is the way forward, but with about half of the Member States still not participating, it is understandable that many global companies are not convinced (yet). We can only hope that those Member States that are currently not participating will find the (political) courage to join the initiative (even if that means adopting specific legislative changes).
The idea of having one lead DPA (beyond BCRs) responsible for data protection compliance generally, is a challenging one. Although the single regulator idea has worked to a certain extent in heavily regulated sectors such as pharma, even in those sectors national regulators sometimes still play a vital role (for example, in pharmacovigilance cases).
An important consideration from an EU data protection perspective is whether or not having a lead (national) DPA for general compliance matters is likely to induce forum shopping. Member State DPAs that have the reputation of taking more lenient or flexible views compared to others (e.g. with regard to the treatment of IP addresses or pseudonymized data), may not have the practical means to handle the flood of (monitoring) work that would come their way if they were to be selected as lead DPA by a large number of “data controllers”. In that scenario, I am not sure there would be any efficiency gains.
Having a centralized EU supervisory authority with enforcement powers (à la DG Comp), on the other hand…