HL Chronicle of Data Protection Privacy & Information Security News & Trends

Tag Archives: BCR

Posted in International/EU Privacy

Thinking Strategically About Brexit and Data Protection

To date, the main legacy of the Brexit referendum of 2016 appears to be a country split in half: some badly wish the UK would continue to be a member of the EU and some are equally keen on making a move. Yet, there seems to be at least one thing on which Remainers and Leavers will agree: nobody knows exactly what is going to happen. The same is true of the effect of Brexit on UK data protection. However, as Brexit day approaches, it is becoming imperative for those with responsibility for data protection compliance to make some crucial strategic decisions. To help with that process, here are some pointers about what we know and what we don’t know.

Posted in International/EU Privacy

Q&A with Hogan Lovells on Security in the EU GDPR

Earlier this week, Bret Cohen and Sian Rudgard from the Hogan Lovells Privacy & Cybersecurity practice were interviewed by Varonis’ The Inside Out Security Blog about data security requirements in the EU General Data Protection Regulation.

Posted in International/EU Privacy

Future-Proofing Privacy: International Data Transfers 2.0

Part 9 of Future-Proofing Privacy: International Data Transfers 2.0. The Data Protection Directive and the Regulation both impose restrictions on the transfer of personal data by EU-based businesses (whether those businesses are data controllers or data processors) to destinations outside the EEA. These restrictions, however, have not been uniformly implemented by EU Member States. In some Member States additional requirements apply, such as prior notification to or approval by the local DPA, particularly where companies wish to rely on EU Model Clauses or BCRs. This approach is essentially set to continue with some variations.

Posted in International/EU Privacy

EU Data Transfers: Considering Your Options After Today’s Article 29 Working Party Statement

The EU’s Article 29 Working Party issued a statement today on the recent Schrems decision invalidating the adequacy of the EU-U.S. Safe Harbor framework, emphasizing that affected businesses should start to put in place legal and technical solutions in a timely manner to meet EU data protection standards. The statement gave a January 2016 deadline for companies to come into compliance with the ruling, at which point EU data protection authorities would be “committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.” In response, we publish here a high-level analysis of the possible options available for companies—including the EU Standard Contractual Clauses, Intra-Group Agreements and other ad-hoc contracts, Binding Corporate Rules, Safe Harbor 2.0, and consent—and the pros and cons of choosing each one.

Posted in International/EU Privacy

The CNIL Simplifies Formalities Regarding the Implementation of Binding Corporate Rules

On 24 March, the French data protection authority, the CNIL, announced that it will soon simplify the practical implementation of intra-group transfers of data from French entities to entities located outside the European Union where groups of companies have adopted Binding Corporate Rules (BCRs). BCRs are becoming increasingly popular among multinationals as a legal means for providing adequate protection to personal data which are transferred from the European Union to countries that are not considered to provide an adequate level of protection by the European Commission. In the CNIL’s view, the implementation of BCRs shows a strong commitment from multinational organisations to protect personal data. Indeed, the CNIL has been a champion of the emerging “BCR for processors” initiative which is also prompting interest from sophisticated processors who operate globally.

Posted in International/EU Privacy

Personal Data Protection in Poland – Important Legal Changes

On 7 November 2014 the Polish Parliament passed the Act on the Facilitation of Business Activity which substantially amends the existing Act on Personal Data Protection. As we previously reported, this new Act requires an administrator for information security to be given an independent position within the data controller’s organization. Additionally, the new Act introduces provisions facilitating the transfer of personal data to countries outside the European Economic Area (further implementing provisions from Directive 95/46/EC and the proposed draft General Data Protection Regulation). The new law will come into force on 1 January 2015.

Posted in International/EU Privacy, News & Events

Hogan Lovells Sets Privacy Example Among Major Law Firms by Proceeding with Binding Corporate Rules

Hogan Lovells is pleased to announce that we are among the first major law firms to launch implementation of Binding Corporate Rules (“BCRs”) for the worldwide protection by the firm of personal information. The implementation of these rules will not only add a level of protection and efficiency to privacy and data protection, but also provides a concrete example of Hogan Lovells’ experience with BCRs, relevant to clients of the firm also adopting BCRs.

Posted in International/EU Privacy

Article 29 Working Party Issues Additional Guidance on BCRs for Data Processors

On April 19, the European Union’s Article 29 Working Party adopted Explanatory Document WP204 on processor Binding Corporate Rules (BCRs). Processor BCRs provide a new avenue for data controllers to transfer EU personal data to processors (such as cloud service providers) located in third countries not considered to ensure an adequate level of protection under the 1995 EU Data Protection Directive. The Article 29 Working Party, noting the success of controller BCRs and citing the “growing interest of industry in such a tool,” provided initial guidance on processor BCRs in June 2012 through Working Document WP195 (which we previously covered here). WP195 presented a “toolbox” that laid out the criteria for approval of processor BCRs, as well as explanatory notes on the content expected in the processor BCRs. As of January 1, 2013, the EU began accepting applications for approval of processor BCRs.

Posted in International/EU Privacy

CNIL Cloud Guidelines Address Controller vs. Processor Issues

The French CNIL’s new guidelines on cloud computing revisit the tricky question of whether a cloud provider is a data processor or a data controller under French data protection law. The CNIL’s guidelines contain seven recommendations for cloud customers, and a list of recommended contractual clauses. The CNIL points out that when the cloud provider is located in a non-European country “local government authorities can send requests to the provider to have access to the data.”