  77. Challenges for BCR
     • Legal, formal challenges < ??? Continue to show it works in the real world
     • Major scandal < ???...
  78. D. Analyzing and Learning
     1. Metrics for success
     2. Real time learning
     3. Peer and user involvement
     4. Double loop learning
     5. ...
  79. 1. Metrics for success
     • Nymity tool accountability 73 criteria > further development?
     • Before BCR and After BCR > next...
  80. Innovators in Justice Sector
     • Have to work on many factors, probably 27 of them
     • Are essential for serving legal needs...
  81. HiiL Expert Meeting: Expert Meeting on Binding Corporate Rules - Implementing Legal Innovations. Evaluation ...
  82. HiiL Expert Meeting: Expert Meeting on Binding Corporate Rules - Implementing Legal Innovations. Evaluation. Open...
  83. HiiL Expert Meeting: Expert Meeting on Binding Corporate Rules - Implementing Legal Innovations. Evaluation. Conclusi...
HiiL | De Brauw Blackstone Westbroek

Presentations
Expert Meeting on Binding Corporate Rules - Implementing Legal Innovations

15 March 2012, Amsterdam

  1. Expert Meeting on Binding Corporate Rules - Implementing Legal Innovations. De Brauw Blackstone Westbroek, Amsterdam, 15 March 2012
  2. HiiL Expert Meeting: BCR Case Study. Lokke Moerel, Partner ICT, De Brauw Blackstone Westbroek
  3. Thanks
  4. Regulatory landscape
     • Data protection qualifies as a fundamental right under the ECHR and the Treaty on the Functioning of the EU
     • Data protection is regulated by EU legislators in the Data Protection Directive
  5. 28/03/2012
  6. Regulatory landscape
     • Some countries have no laws at all
     • Long arm reach
     • Overlapping and conflicting
       – Germany requires registration of church employees, which is forbidden in the Netherlands
     • Data transfer rules
  7. Enforcement
     • Enforcement is not left to the market (protection of individuals)
     • Data Protection Authority (DPA) supervising and enforcing its national data protection law
     • Individuals may file a complaint with the DPA (appeal to the courts) or enforce through the courts
     • The Working Party 29 is the advisory body to the Commission on data protection
     • Members of the WP 29 are the chairs of the DPAs, the European Data Protection Supervisor and the Commission
       – Issues opinions on how to apply the Directive
       – No enforcement powers
       – Coordinates cross-border enforcement actions of DPAs
  8. What
     • Binding Corporate Rules
     • Global corporate privacy policy
     • Rules on how to process personal data within the group
     • Creates a “safe haven” for personal data
     • Facilitates intra-group data transfers
  9. Companies process data
     • Employees
       – Past: personnel file in cupboard
       – Now: data on use of handheld device, email, internet, social media
     • Customers (consumers)
       – Past: guarantee voucher for vacuum cleaner
       – Now: all online orders, all surfing tracks
  10. How
     • With software
     • Past: each group company its own system (e.g. SAP)
     • Now: one central system
  11. Example
  12. Central IT system
     • 100% compliance not possible
       – 82 omnibus data protection laws, 7 sectoral laws
       – Conflicting: Italy and Spain have specific data security rules
       – Security can be implemented only once
       – Company must make choices when implementing a central system
  13. Why
     1. Strategic decisions as to data processing and security
       • One set of global instructions
       • Centrally imposed by parent on all group companies
     2. Cost perspective
       • Cheaper to implement compliance top down than bottom up
       • Budgetary restraints
  14. Why
     3. EU data transfer rules are outdated
       • They prohibit data transfers outside of the EU, unless a company has “adduced adequate safeguards” for data protection
       • The Commission has acknowledged specific tools for companies to adduce adequate safeguards
       • Model contractual clauses to be entered into between data exporter and data importer
  15. Example
  16. Not only EU
  17. Next step
     • If multinationals have a corporate privacy policy…
     • And all group companies are bound…
     • And policies provide adequate protection…
     • Can policies be an alternative to EU model contracts?
     • Various multinationals filed requests with the DPA of their EU headquarters…
     • DPAs negotiated draft BCR…
     • Based on the drafts, the WP 29 issued 7 opinions on BCR…
     • The national DPAs followed and approved…
     • 19 national DPAs agreed on a Mutual Recognition Procedure…
  18. BCR requirements
     • Authorised by the DPA of the EU headquarters (Lead DPA)
     • Must be internally binding within the organisation
     • Must be externally binding for the benefit of the beneficiaries (employees, consumers)
     • Incorporate the material data processing principles of the Directive
     • Privacy governance (global network of privacy officers)
     • Internal complaints procedure
     • Auditing programme
     • Training programme for employees who process the data
     • Be enforceable against EU headquarters before the Lead DPA and its courts
     • EU headquarters should accept liability for paying compensation and remedying breaches
     • Group companies should have a duty to cooperate with the DPAs and to submit to their audits
  19. Assessment
     • Self-regulation has to apply EU wide
     • Lack of regulatory capacity at EU level
     • WP 29 as de facto regulator set the rules
     • Authorisation of BCR at national level by the Lead DPA
     • By mutual recognition of national approvals, EU wide application is achieved
     • Circumvention of EU regulators (and unwilling Member States)
     • Transnational supervision and enforcement achieved not at EU level, but by the DPA of the EU headquarters
  20. Case study
     • Evaluation of BCR as a form of Transnational Private Regulation (TPR)
     • Evaluation criteria for public law
       – Legitimacy
       – Monitoring, evaluation and enforcement
       – Quality
       – Effectiveness
     • “Transposed” for evaluating TPR
       – More actors and accountability forums involved
       – Problem of the many hands and the many eyes
     • Often: self-regulation is a trade-off between legitimacy and effectiveness
  21. Legitimacy
     • Self-regulation of data protection (being a fundamental right)?
     • Inclusion (key stakeholders have to play an active role in the decision-making processes and activities which affect them)
     • Procedural transparency (key stakeholders should have accessible and timely information)
     • Independence (also the de facto regulator should be independent)
  22. Legitimacy
     • Self-regulation of data protection requires public framework legislation
       – Should have been provided for in the Directive
     • Current norm-setting by de facto regulator WP 29 in opinions on BCR
       – Not inclusive (no civil society stakeholders)
       – Not transparent
       – Not independent: the Commission is at the same time member, secretariat and addressee of the opinions
  23. Legitimacy
     • Solved in the Proposal for a Data Protection Regulation
       – Norm-setting inclusive and transparent
       – Direct applicability in all Member States
       – BCR acknowledged as a valid tool for inter-company data transfers
       – Regulates the main substantive requirements
       – Detailed norm-setting delegated to the Commission (no longer WP 29)
  24. Legitimacy
     • Solved in the Proposal for a Data Protection Regulation
       – Uniform BCR authorisation procedure by the DPA of the main establishment of the multinational in the EU
       – Still not at EU level (risk of national interest prevailing)
       – However, consistency mechanism: BCR authorisation requires a prior opinion of the successor of WP 29
       – WP 29 still de facto regulator; independence and transparency of WP 29 ensured
  25. Chart 1: Norm-setting of BCR, present vs. future. Actors: EU legislator, stakeholders, WP 29, Lead DPA, Member States (MS), multinational. Legend: actors involved in norm-setting; consultation input.
  26. Quality
     • Precision and predictability
     • Consistency
     • Conformity with public goals
     Conformity
     • Prior authorisation by the Lead DPA: very much aligned with public goals
     • Much more effective than current public regulation: public policy even benefits
  27. Quality
     Precision and predictability
     • BCR are global and general in nature
     • Too EU specific and too legalistic
       – Solution: practical guidelines
     Consistency
     • Yes, if approved by the same Lead DPA
     • Not if approved by different Lead DPAs
       – Caused by differences in national implementation laws
       – Solved by the Proposed Regulation: detailed norm-setting by the Commission; consistency mechanism (prior opinion of the successor of WP 29)
  28. Enforcement
     • Monitoring
     • Enforcement and sanctions
     • Information
     Main issues
     • Can be the strongest point of BCR (next to effectiveness), but requires additional measures
  29. Enforcement: strongest point (legal innovation)
     • Internal complaints procedure, which overcomes the main obstacles individuals encounter when enforcing their rights on a cross-border basis
       – Also if damages are diffuse or too small
       – Even if countries do not provide for adequate protection
       – Or have insufficient enforcement infrastructure
       – Overcomes time zones and language issues
       – If the individual does not agree with the outcome, appeal to the Lead DPA and the courts of the Lead DPA (also to be facilitated by the local group company)
     • Lead DPA is in the country of the EU headquarters: sanctions can be enforced on a global basis
     • Export of rule of law and judicial enforcement infrastructure
  30. Enforcement: but
     • No data yet on effectiveness of enforcement (next study, too early)
     • No external accountability to stakeholders
     • Monitoring, audit and reporting requirements to internal forums of the company only
       – CPO
       – Board of management
     • Reporting on compliance and complaints procedure to external stakeholders also
       – Driver is reputation
       – Deleted from the Proposed Regulation
     • But what is the quid pro quo?
  31. Chart 2: Monitoring and evaluation of BCR, present vs. future. Actors: EU legislator, stakeholders, WP 29, Lead DPA, Member States (MS), multinational, internal accountability forums. Legend: accountability forums involved; active information duty; passive information duty.
  32. Effectiveness
     • First empirical research into effectiveness
     • Nymity, a Canadian private research firm, recommended by the EDPS
     • Nymity Maturity Tool measuring compliance maturity of 10 multinationals on 73 criteria, adding up to 10 privacy principles
     • Nymity tool is based on accountability
     • Verified whether there is a complete “match” with BCR requirements
     • Different sequence, but 95% match
     • Added some elements
  33. HiiL Expert Meeting. Terry McQuay
  34. HIIL STUDY RESULTS: NYMITY BCR ACCOUNTABILITY ANALYSIS
     Study Framework, Norms, Results
  35. MEASURING ACCOUNTABILITY
     • Ad hoc – procedures or processes are generally informal, incomplete, and inconsistently applied.
     • Repeatable – procedures or processes exist; however, they are not fully documented and do not cover all relevant aspects.
     • Defined – procedures and processes are fully documented and implemented, and cover all relevant aspects.
     • Managed – reviews are conducted to assess the effectiveness of the controls in place.
     • Optimized – regular review and feedback are used to ensure continuous improvement towards optimization of the given process.
  36. NORMS: Norms are Repeatable (maturity scale as on slide 35)
  37. NORMS: Privacy Awareness and Training 1.2.10 (page 10)
     A privacy awareness program about the entity’s privacy policies and related matters, and specific training for selected personnel depending on their roles and responsibilities, are provided.
  38. NORMS (maturity scale as on slide 35)
  39. HIIL STUDY RESULTS: NYMITY BCR ACCOUNTABILITY ANALYSIS
     Before BCR: Repeatable 72.4%. Privacy management procedures or processes exist; however, they are not fully documented and do not cover all relevant aspects.
     After BCR: Managed 22.4%. Privacy management procedures and processes are fully documented and implemented, and cover all relevant aspects (i.e. Defined), plus 22.4% of the time reviews are conducted to assess the effectiveness of the controls in place.
     (Chart: Pre BCR vs. Post BCR.) Copyright 2012 Nymity Inc. All rights reserved.
  40. HIIL STUDY RESULTS: NYMITY BCR ACCOUNTABILITY ANALYSIS (maturity scale as on slide 35)
  41. EXAMPLE 1: Privacy Awareness and Training 1.2.10 (page 10)
     A privacy awareness program about the entity’s privacy policies and related matters, and specific training for selected personnel depending on their roles and responsibilities, are provided.
     Before BCR: Repeatable 60%. The entity has a privacy awareness program, but training is sporadic and inconsistent.
     After BCR: Managed 10%. An enterprise-wide privacy awareness and training program exists and is monitored by management to ensure compliance with specific training requirements. The entity has determined which employees require privacy training and tracks their participation during such training.
  42. EXAMPLE 2: Consequences of Denying or Withdrawing Consent 3.1.2 (page 13)
     When personal information is collected, individuals are informed of the consequences of refusing to provide personal information or of denying or withdrawing consent to use personal information for purposes identified in the notice.
     Before BCR: Repeatable 86%. Consequences may be identified but may not be fully documented or consistently disclosed to individuals.
     After BCR: Managed 14%. Processes are in place to review the stated consequences periodically to ensure completeness, accuracy and relevance.
  43. ANY EXAMPLES OF OPTIMIZED? (maturity scale as on slide 35)
  44. HIIL STUDY RESULTS: NYMITY BCR ACCOUNTABILITY ANALYSIS. Optimized Criteria
  45. HIIL STUDY RESULTS: NYMITY BCR ACCOUNTABILITY ANALYSIS
  46. COMPARE YOUR ORGANIZATION
     • Use the study and the Privacy Maturity Model to compare your organization’s privacy program to before and after BCR
     • Paper or automated – no cost.
  47. THANK YOU
  48. Expert Meeting on Binding Corporate Rules – Implementing Legal Innovations. Business Perspectives. March 15, 2012
  49. JPMC Binding Corporate Rules
     • On 2/26/10 the UK ICO authorised the binding corporate rules of JPMorgan Chase & Co. (JPMC)
     • JPMC BCRs apply to any
       – processing of Personal Data in one of 12 specified jurisdictions in JPMC’s Europe, Middle East and Africa (EMEA) region in the European Economic Area (EEA) by a JPMC data controller
       – export of EMEA Personal Data out of the EEA by a JPMC data controller to another JPMC Affiliate outside the EEA
       – processing by a JPMC data controller or JPMC data processor of EMEA Personal Data exported out of the EEA by a JPMC data controller
     • JPMC BCRs are published on the JPM website
  50. Research Results
     • Disclaimer
     • Unsurprising results
       – Multinationals using BCRs are ones that fundamentally seek to be compliant as one of their operating values (Question 5)
       – Companies before introduction of BCRs had a basic maturity level of compliance
       – After BCR, disclosure to third parties of personal information (7.2.1): 78% said repeatable
       – After BCR, accuracy and completeness of personal information (9.2.1): 100% said repeatable
     • Surprising results
       – After BCR, access communication to individuals (6.1.1): 70% said repeatable
  51. Largest Issue with Current Regime
     • Additional national requirements imposed by various Member States which apply on top of the requirements set by the Article 29 Working Party
     • For example, although JPMC BCRs were authorised in February 2010, the royal decree approving JPMC BCRs was signed by the Belgian king on February 15, 2012.
  52. Recommendations with Respect to Proposed Regulations
     • Since controllers are accountable for each processing operation, BCRs should be expanded to transfers to third parties (i.e. not limited to within a corporate group)
     • Supervisory authority in accordance with the consistency mechanism approves binding corporate rules
       – Consistency from Member State to Member State needed
       – However, the process cannot be too bureaucratic
     • With inclusion of BCRs in the regulation, BCRs may become more popular and demand for approval could exceed DPA resources; therefore, further simplification of the approval process may be necessary
  53. Expert meeting BCR. Sylvia van Es, Head of Legal Compliance, Philips. March 15, 2012
  54. Philips active in:
     • Healthcare
     • CL
     • Lighting
     • BCR for controller: consumer database of over 12 mio consumers; employee data of over 100.000 employees
     • Filed for BCR for processor: processor of health data for hospitals
  55. Privacy compliance rules are exceptionally prescriptive, to a large extent justified in light of fundamental rights
     New system is an improvement but not all issues resolved:
     • Article 26 (2) still requires internal processor agreements despite BCR;
     • Why not EU model contracts by the parent company that adopted BCR? (position of WP29);
     • Even worse: Article 34: obligation to perform PIAs and obtain prior approval; added value of BCR?
     • Article 28: extensive documentation obligations
     • Administrative burden will not by definition lead to more material compliance, especially if the company has adopted BCR
  56. Expert Meeting on Binding Corporate Rules, Amsterdam, March 2012. Colin Scott, University College Dublin
  57. Modelling and Evaluating TPR for BCR Environment (diagram). Actors: A – Firm; B – Government (agency and/or department) or Trade Association; C – Contracting Party (firm or government); D – Third parties, e.g. consumers, employees, NGOs, investors. Relationships shown: rules, monitoring, enforcement; legislation; contract; social/market pressures (e.g. boycotts, buycotts); standards; self-regulation (e.g. CSR); contracts (employment, supply chains, audit and assurance).
  58. Evaluation criteria
     • Legitimacy
       – Mirroring of public proceduralization
       – Transparency
       – Inclusiveness, etc.
       – Or mixing market incentives with public models?
     • Effectiveness
       – Scope of BCR
       – Outcomes
     • Quality
       – Reflection and evaluation
       – Benchmarking, e.g. grievance handling processes
     • Enforcement
       – Providing reassurance/credibility
       – Public oversight
       – Self-reporting
       – Compliance programmes and third party assurance
       – Enforceable consumer and employee rights
  59. 59. Binding Corporate Rules for Employee andCustomer Data Protection:What Makes A Successful Innovation? Professor Maurits Barendrecht Tilburg Institute for the Interdisciplinary Studies of Civil Law and Conflict Resolution Systems (TISCO) Hague Institute for the Internationalisation of Law (HiiL) www.innovatingjustice.com
  60. 60. Strongest points• Moerel: Internal complaints procedure – Simple access in own country, in every country – Appeal to Lead DPA and its court• Nymity – Security for privacy, collection close to optimal – All dimensions improved – Including complaints process (subfactor 10.2.1 to 2 partly cover this)• JP Morgan and Philips – Great, but local Kings ask more! – Great, but danger of new administrative burdens
  61. 61. Dispute system designEmerging discipline. How to achieve?A. Fair solutions for problems, optimally serving all interestsB. Just in time/low costs/sustainable for all stakeholdersWhat makes a dispute system work? Generally:1. A setting for better communication, win/win negotiation and zero sum bargaining/decision making2. Backed up by norms/schedules showing what generally is paid/done to solve such problems3. Access to third party who guarantees parties grow towards decision
  62. 62. Innovation is Hard Work• Life for innovators is very complex!• Many factors contribute to innovation: – 40 determinants of succesful product innovation (meta-analytic review 108 articles, Becheikh et al. 2006) – 27 factors associated to successful public sector innovation
  63. 63. Justice Innovation Impossible?• Sarat and Grossman 1975: Problems in Mobilization of Adjudication• Susskind 2008 The End of Lawyers: Predicting commoditization• Hadfield 2008: Regulation of profession blocks innovation• Botero et al. 2003 and Cabrillo et al. 2008: Insufficient incentives on courts to offer better services• Carothers 2006 and Fukuyama 2011: Rule of law and accountability very hard to implement• World Bank World Development Report 2011: Conflict, Security, and Development: Rule of Law takes 40 years to build
  64. 64. An emotional non-starter? www.innovatingjustice.com
  65. 65. Law as managingrisk and fear?Innovation = flow, creativity, takingrisks, breaking rules?www.innovatingjustice.com
  66. 66. The eBay/PayPal Resolution Center Colin Rule CEO Modria.com
  67. 67. I Paid A Bribe Ramesh Ramanathan Co-founder Janaagraha Centre for Citizenship and Democracy
  68. 68. What was/is crucial for BCR tobe/remain sustainable?… 27 factors … and at least 5My talk borrows from:• Project documents• Short interview with Lokke Moerel• Innovation in The Justice Sector: What Makes it Happen? Innovation Model Version 1.5: June 2011 www.innovatingjustice.org
  69. 69. A. Generating Possibilities1. Vision and commitment from government2. Focus on users, frontline staff and middle managers3. Diversity4. Scanning of horizons and margins: a process need5. Developing capacity for creative thinking6. Working backwards from outcome goals: terms of reference7. Creating time and space8. Allow breaking the rules9. Competition: the submission problem and regulation of legal services
70. 4. Scanning of horizons and margins: a process need
• Peter Drucker: innovations often supply the missing link between processes. They start from an incongruity between how things are and how they ought to work.
• Here:
  – Cross-border data transfers within companies
  – A need for privacy protection of employees and customers
  – National regulation and enforcement
  – ‘Networks of intragroup contracts’ as ‘red tape’ with high administrative costs and doubtful access to remedies
71. 8. Allow breaking the rules
• Innovation often involves organizational rule breaking (Markides 1997). Implicit or explicit ways of thinking, practices or norms are a barrier (Johnson, Christensen et al. 2008).
• Public sector best practice: give innovative projects space for breaking the rules (suspension) … if it can be shown that better results can be reached by not following the rule.
• In a legal environment, where practices tend to become norms and norms tend to become sacred, it is more difficult to overcome such barriers.
72. Data protection authorities
• Allowed BCR to proceed although it was clear that not all 80+ regimes can be observed
• Put the burden of proof that it can be done in a ‘better way’ on innovators and companies
• Took risks
73. B. Developing Innovations
1. Appropriate selection of fruitful ideas: simplifying procedures
2. Adequate risk management
3. Fostering innovation champions
4. Creating incubating space
5. Involving incubators and public-private partnerships
6. Introduce modeling
7. Better funding for early development
8. Involving end users at all stages
74. 5. Public-private partnership
• Regulators work with companies
• Working Party 29
• 19 DPAs want to cooperate
75. C. Replicating and Scaling Up
1. Improved incentives for individuals and teams
2. Improved incentives for organizations
3. Scaling up and disruptive innovation
4. Specialize and beware of early standardization
5. Change management
76. Incentives (following Colin Scott)
Every stakeholder should continue to gain from BCR:
• Reputation for companies: they are careful with data
• Employees and customers get more protection and better remedies
• Legal profession
• Lower administrative costs for companies
• Data Protection Authorities show they create good protection
• DPAs show they are necessary and need budgets
• DPAs have lower administrative costs
Rather unstable equilibrium
77. Challenges for BCR (challenge: possible response)
• Legal, formal challenges: continue to show it works in the real world
• Major scandal: risk management
• DPAs create new administrative burdens: ???
• Competition from an even better system: ???
• Covering the less compliant guys: ???
Continuous improvement and further innovation is essential
78. D. Analyzing and Learning
1. Metrics for success
2. Real-time learning
3. Peer and user involvement
4. Double-loop learning
5. Variety of perspectives
79. 1. Metrics for success
• Nimity accountability tool, 73 criteria > further development?
• Before BCR and after BCR > next phase?
• Many procedural requirements > more indicators for what happens in the real world?
• Independent from a particular procedure > innovation means standards have to renew all the time and indicators get new weights
80. Innovators in the Justice Sector
• Have to work on many factors, probably 27 of them
• Are essential for serving legal needs, for making the system work and for building the law of the future
• Deserve our deep respect
• Need our continuous support
81. HiiL Expert Meeting: Expert Meeting on Binding Corporate Rules - Implementing Legal Innovations
Evaluation: Peter Hustinx, Colin Scott
82. Evaluation: open forum discussion (Colin Scott)
83. Conclusion and recommendations (Colin Scott)