Binding Corporate Rules: Corporate Self-Regulation of Global Data Transfers

Lokke Moerel

Print publication date: 2012

Print ISBN-13: 9780199662913

Published to Oxford Scholarship Online: September 2012

DOI: 10.1093/acprof:oso/9780199662913.001.0001

Appendix 1 Overview of Recommendations to EU Legislators

Source: Binding Corporate Rules
Publisher: Oxford University Press

Recommendations

  1. Introduce the country of origin principle both for applicable law and jurisdiction and extend this principle also to countries having obtained an adequacy ruling under Article 25(6) Directive.

  2. Recognize BCR as an appropriate tool to provide adequate safeguards for the transfer of data and define the main substantive requirements for BCR:

    • to be defined in general principles

    • to be set at an adequate level

    • taking into account the specific comments in Chapter 6, paragraph 6.6.6,

      and to delegate the further norm-setting to the Commission pursuant to Articles 290 and 291 TFEU.

  3. Define the MRP and impose the MRP on all Member States.

  4. Investigate whether it is indicated to establish a pan-European Data Protection Supervisory Authority to which certain decision-making and enforcement powers are delegated in case of data processing operations with an EU dimension.

  5. Provide for equal enforcement powers for DPAs and develop a common enforcement strategy for the DPAs to ensure equal enforcement.

  6. Replace the Directive by an EU regulation when revising the Directive.

  7. Engage with non-EU countries in mutual recognition and enforcement of BCR as a tool for cross-border data transfers.

  8. Provide that BCR can be enforced as unilateral undertakings by the beneficiaries of BCR.

  9. Provide that in BCR a choice of law and forum may be made for the laws and courts of the Member State of the Lead DPA and further that the Lead DPA will have central supervision in respect of such BCR, and may involve other DPAs if so required for enforcement in the territories of the other Member States.

  10. Provide that if multinationals adopt BCR, the BCR apply instead of the national data protection laws of the Member States.

  11. Introduce incentives for multinationals to adopt BCR, such as:

    • risk-based sanctions for a violation of data protection by multinationals that have implemented BCR (whereby the implementation of a proper compliance program is a mitigating factor)

    • provide that if multinationals adopt BCR, the BCR apply instead of the national data protection laws of the Member States (as per Recommendation 10)

    • provide that in BCR a choice of law and forum may be made for the laws and courts of the Member State of the Lead DPA (see Recommendation 9)

    • abolish the notification requirements, or, as next best alternative, provide for the possibility of central notification of all data processing of a multinational to the Lead DPA

    • provide that multinationals having BCR do not have to have intra-group data processor agreements in place if group companies process personal data on behalf of other group companies

    • provide that multinationals having BCR in place may in respect of onward data transfers to third parties have their EU (Delegated) Headquarters enter into EU Standard Contractual Clauses with such third party on behalf of all group companies

    • exempt multinationals that have BCR in place from the ex ante consultation or authorization requirements as included in the Proposed Regulation.

  12. To delegate the detailed norm-setting in respect of the BCR requirements to the Commission in accordance with Articles 290 and 291 TFEU, or as the next best alternative, to define the BCR requirements as general obligations of the multinational on the basis of the common fundamentals defined by the Centre for Information Policy Leadership, and add as requirements for BCR:

    • prescribe the reporting on BCR in the annual reports of company in a comparable format

    • the multinational should be transparent vis-à-vis the third-party beneficiaries as to the number of complaints received and the nature of these complaints under the internal complaints procedure.

  13. To delegate the detailed norm-setting in respect of the core accountability principles for onward transfers under BCR by multinationals to third parties to the Commission in accordance with Article 290 and 291 TFEU, or as the next best alternative, define these accountability principles taking into account the guidelines identified in Chapter 9, paragraph 9.5.3.

    • To impose certain obligations direct on processors (such as in any event the data security obligations and data transfer obligations).

    • To provide that controllers and processors may divide responsibilities between them.

  14. Not to follow the recommendation by the Working Party 29 to include a provision in the revised Directive that processors that process data against the instructions of the controller shall be considered to be a controller.

  15. Not to follow the recommendation by the Working Party 29 to include a provision in the revised Directive that controllers remain accountable and responsible for the protection of data for which they are controllers, even if the data have been transferred to other controllers.

  16. Hold a proper consultation of all stakeholders of BCR prior to enacting the norms for BCR in the revised Directive.

    • Instruct the Commission to hold a consultation of all stakeholders of BCR prior to the further norm-setting on BCR by the Commission.

    • Instruct the Working Party 29 to hold a consultation of relevant stakeholders prior to the Working Party 29 issuing opinions on BCR.

  17. Instruct the Working Party 29 to amend its Rules of Procedure to remedy the lack of transparency as to its decision-making progress.

  18. • Ensure the independence of the Working Party in accordance with the criteria developed by the ECJ for independence of DPAs.

    • Instruct the Working Party 29 to amend its Rules of Procedure to ensure its accountability as to independence by:

      • having any experts participating in its meetings issue a public declaration of interests

      • introducing job rotation of the members of any sub-groups installed by the Working Party 29.

  19. Require Lead DPAs to publish the BCR authorizations including the text of the BCR authorized.

  20. Provide that the BCR regime should apply to all personal data processed by the multinational adopting the BCR.