Privacy & Information Security Law Blog

On April 27, 2009, the Article 29 Working Party issued a new working document (WP 155 rev.04) on frequently asked questions relating to binding corporate rules ("BCRs").  Two new FAQs were adopted: (1) FAQ 10 deals with the relationship between EEA data protection laws and BCRs; and (2) FAQ 11 relates to the reversal of the burden of proof in the context of BCRs.  The Working Party reiterated that, although BCRs may offer an adequate level of protection to personal data being transferred within the same company, they do not exempt multinationals from complying with national data ...

On May 19 and 20 the European Commission held a conference which was perhaps the most important data protection event in Brussels since the Commission conference on evaluation of the EU Data Protection Directive 95/46/EC held in 2002. The conference was part of the Commission's current evaluation of the Directive, and was designed to explore both the current status of data protection in the EU and where it is headed in the coming years. Speakers included Jacques Barrot, the European Commissioner in charge of justice, freedom and security; Alex Türk, chairman of the CNIL (French Data Protection Authority) and the Article 29 Working Party; European Data Protection Supervisor Peter Hustinx; and representatives of European academia, business and non-governmental organizations.

On March 17, 2009, the Article 29 Working Party released Opinion 3/2009 on the Commission’s draft decision for standard contractual clauses (SCCs), which discusses proposed updates of the clauses allowing the transfer of personal data to sub-processors established in third-world countries, in light of increased global outsourcing practices. Opinion 3/2009 is available here, and further analysis on the Working Party’s Opinion is available here.

To read more and for more EU data protection updates, please click here.

On March 17, the Article 29 Working Party released its Opinion 3/2009 (dated March 5) on standard contractual clauses for the transfer of personal data from data controllers in the EU to data processors outside the EU. The Opinion deals with proposed changes to the European Commission's decision 2002/16 containing standard clauses for controller to processor transfers. The Opinion discusses proposals to update these clauses to accommodate data transfers to sub-processors, in light of increased global outsourcing. Although not mentioned in the Opinion, the March 17 Opinion is based on the proposal made in October 2006 to the European Commission by three business groups (the International Chamber of Commerce (ICC), the American Chamber of Commerce to the European Union (AmCham EU) and the Federation of European Direct and Interactive Marketing (FEDMA)). The proposal of the three business groups would amend the existing clauses from 2002 to bring them into line with business realities.

On February 11, 2009, the EU Article 29 Data Protection Working Party released its long-awaited Working Document (the “Working Document”) on reconciling U.S. civil discovery requirements with European data protection law. The guidelines the Working Document offers for data controllers highlight the challenges that multinational businesses face to comply with competing legal obligations in civil litigation.

On December 5, 2008, the Austrian data protection authority ("DPA") issued its first decision on the implementation of a whistleblowing hotline as required by the Sarbanes-Oxley Act ("SOX"), to be administered by the Austrian subsidiary of a U.S.-based company. The DPA partly approved the data transfers from the Austrian entity to the U.S. entity for the purpose of enabling it to prosecute "serious incidents" caused by the behavior of executive managers. The DPA ordered the Austrian subsidiary to implement a contract guarantying data subjects the ability to exercise their rights ...

On October 1, 2008, the Article 29 Working Party issued a toolkit on Binding Corporate Rules (BCRs) aimed at promoting them as a mechanism for transferring data to countries without an adequate level of data protection. The toolkit includes: (1) a table highlighting the elements and principles to be found in BCRs (WP 153); (2) a document setting up a framework for the structure of BCRs (WP 154); and (3) a revised version of the FAQs on BCRs (WP 155). The toolkit also announced the creation of a mutual recognition procedure between nine national data protection authorities ...