Privacy & Information Security Law Blog

Every year since 2005, the United States, the European Commission and the Article 29 Working Party on Data Protection meet to review the latest developments in the U.S.-EU Safe Harbor Framework, as well as changes in privacy compliance, information security and data protection.  This year’s  International Conference on Cross Border Data Flows, Data Protection and Privacy occurs November 16 - 18 and features leading experts who will examine these issues and others, as well as changes made to the approval process for binding corporate rules.  Join our privacy professionals, Martin ...

On September 23, 2009, the Information Commissioner's Office (the "ICO"), the UK's data protection regulator, issued a press release announcing the approval of the Hyatt Hotels Corporation's binding corporate rules ("BCR") under the new mutual recognition procedure. Hyatt is the first UK applicant to receive approval under the mutual recognition procedure.

Mutual recognition was devised to speed up the process of BCR approval by EU Data Protection Authorities ("DPAs"). Under "mutual recognition," one EU Member State's DPA acts as the lead authority on a company's BCR application. Once approved by the lead authority, the other participating members of the procedure automatically approve the BCR application.

On August 19, 2009, the Official Journal published guidelines issued by the French Data Protection Authority (Commission nationale de l’informatique et des libertés (the “CNIL”)) regarding transfers of personal data carried out in the context of U.S. discovery proceedings (the “Guidelines”). The CNIL’s publication comes in the wake of a recent increase in the volume of requests made to French-based companies involved in U.S. litigation to disclose information or documents for the purposes of civil pre-trial discovery.

On April 27, 2009, the Article 29 Working Party issued a new working document (WP 155 rev.04) on frequently asked questions relating to binding corporate rules ("BCRs").  Two new FAQs were adopted: (1) FAQ 10 deals with the relationship between EEA data protection laws and BCRs; and (2) FAQ 11 relates to the reversal of the burden of proof in the context of BCRs.  The Working Party reiterated that, although BCRs may offer an adequate level of protection to personal data being transferred within the same company, they do not exempt multinationals from complying with national data ...

On October 1, 2008, the Article 29 Working Party issued a toolkit on Binding Corporate Rules (BCRs) aimed at promoting them as a mechanism for transferring data to countries without an adequate level of data protection. The toolkit includes: (1) a table highlighting the elements and principles to be found in BCRs (WP 153); (2) a document setting up a framework for the structure of BCRs (WP 154); and (3) a revised version of the FAQs on BCRs (WP 155). The toolkit also announced the creation of a mutual recognition procedure between nine national data protection authorities ...