This article originally appeared in the June edition of The Privacy Advisor.
By Angelique Carson, CIPP/US
In 2014, Hewlett-Packard (HP) became the first company to win approval for both binding corporate rules (BCRs) and cross-border privacy rules (CBPRs). Both processes take a significant number of man-hours to achieve, as HP’s privacy staff will tell you. But to demonstrate compliance, many of the administrative hurdles are the same. That’s why, as companies increasingly turn to BCRs—69 to date with 45 or 50 additional companies in the assessment phase—and CBPRs—with 12 to date with another 20 or so in the pipeline—as data transfer mechanisms, an EU/APEC working group has approved a plan for increased interoperability by making it easier for companies to comply with both BCRs and CBPRs at once.
A U.S. Department of Commerce (DoC) official said the main feedback from industry was that the heavy lift in applying for approval under both frameworks was not making substantial changes to their privacy programs but demonstrating the provisions of those programs.
The EU’s Article 29 Working Party has agreed to the APEC Data Privacy Subgroup’s proposal to develop a common questionnaire based on the forms that now must be completed to apply for BCRs and CBPRs separately.
The idea is that organizations will be able to submit the single questionnaire to both EU DPAs, whose approval is needed for organizations to be granted BCRs, and to APEC Accountability Agents, whose approval is needed to be granted CBPRs, to reach compliance with both systems at once.
The privacy subgroup heard from representatives from IBM, Merck and Hewlett-Packard on their experiences in gaining approval under both frameworks.
“It was an administrative hurdle more than a substantive one,” the DoC official said. “That’s why we focused on recommending a joint application process. The substantive requirements are very similar between the two systems, but the certification process does have some differences. The end goal is for companies to get credit for the work they’ve done under one system when pursuing approval under another system.”
While the administrative burdens can be high, said the DoC official, it’s important that organizations continue to pursue such certifications and that APEC and EU officials build a bridge to help them do so because the regions the frameworks govern “cover a very significant portion of the global economy and global data flows.”
The DoC official said she doesn’t see the uptick in certification under BCRs and CBPRs as a reflection of fears that Safe Harbor is in trouble as a data transfer mechanism, but the CNIL’s Myriam Gufflet, part of the privacy subgroup, says there may be some truth to that.
“I know in some cases, some organizations that were already Safe Harbor-certified decided they still will comply with Safe Harbor principles but the BCR itself in general provided that, in case of conflicts between Safe Harbor and BCR, it would be BCR principles that would apply,” Gufflet said. “So for them, Safe Harbor is actually the minimal requirements and then the second layer comes with BCRs.”
In the longer term, the group aims to create a referential of the requirements of BCRs and CBPRs for processors. In 2014 at the IAPP Global Privacy Summit, the group released a referential for controllers.
Jacobo Esquenazi is HP’s privacy officer for the Americas and led HP through the CBPR approval process. His main feedback for the group was that while the referential is a useful tool for companies that might not yet have a privacy program and need to understand how to get a comprehensive program in place, it was more of a trust-building exercise for the U.S. and APEC countries.
“It was useful as a reference but not as a tool to get your certification done,” Esquenazi said. HP was very vocal about the creation of a common application.
Merck’s Hilary Wandall, CIPP/E, CIPP/US, CIPM, said she found applying for CBPR certification first and then seeking BCRs to be a much more streamlined process for U.S. companies.
“The challenge for companies in seeking BCR in the first instance is what’s the relevant entity, which authority are you going to apply to, how will you create reliability,” she said. That’s because Merck is U.S.-based with a strong EU presence. “It’s not really about the privacy rules but more about liability and enforceability. And that process is complicated for any company.”
Merck is now in the final stages of the BCR procedure. She says that, moving forward, more incentives should be created to encourage greater participation by companies.
“We need to make the system easier for companies to implement based on their existing privacy program and the one they’re building,” Wandall said. “The U.S. is the only economy fully up and running in terms of having established accountability agents.”
And there are only four economies participating.
Esquenazi has the same concerns. He says for the EU and APEC frameworks to be robust, other economies should be considered.
“There are regions of the world that are not part of this, mainly Latin America,” he said. “Our company operates in 170 markets. We need to find a way, once EU and APEC come to an agreement, to have it in other countries who are not part of APEC, because outside of Mexico and potentially Peru and Chile, the rest of Latin America—who have very strong laws—do not have a way to operate within the rest of the world.”
The group will next meet on the sidelines of the APEC data privacy meetings at the end of August in the Philippines to work on the common questionnaire.