
Binding corporate rules : corporate self-regulation of global data transfers PDF

377 Pages·2012·1.578 MB·English

Preview Binding corporate rules : corporate self-regulation of global data transfers

BINDING CORPORATE RULES

Binding Corporate Rules
Corporate Self-Regulation of Global Data Transfers

LOKKE MOEREL

Great Clarendon Street, Oxford, OX2 6DP, United Kingdom

Oxford University Press is a department of the University of Oxford. It furthers the University’s objective of excellence in research, scholarship, and education by publishing worldwide. Oxford is a registered trade mark of Oxford University Press in the UK and in certain other countries

© Lokke Moerel, 2012

The moral rights of the author have been asserted

First Edition published in 2012
Impression: 1

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without the prior permission in writing of Oxford University Press, or as expressly permitted by law, by licence or under terms agreed with the appropriate reprographics rights organization. Enquiries concerning reproduction outside the scope of the above should be sent to the Rights Department, Oxford University Press, at the address above

You must not circulate this work in any other form and you must impose this same condition on any acquirer

Crown copyright material is reproduced under Class Licence Number C01P0000148 with the permission of OPSI and the Queen’s Printer for Scotland

British Library Cataloguing in Publication Data
Data available

Library of Congress Cataloging in Publication Data
Library of Congress Control Number: 2012939876

ISBN 978–0–19–966291–3

Printed in Great Britain by CPI Group (UK) Ltd, Croydon, CR0 4YY

Links to third party websites are provided by Oxford in good faith and for information only. Oxford disclaims any responsibility for the materials contained in any third party website referenced in this work.

Acknowledgements

In performing the research for this book I have had help in many forms. I obviously benefited from all discussions on Binding Corporate Rules with the Dutch Data Protection Authority and the members of the BCR working group, the advice and input we received from their foreign group companies, as well as US and other external foreign counsel. My thanks further go to my firm De Brauw Blackstone Westbroek for again granting me the space to pursue my academic interests and facilitated practical support, provided by Stephen Machon, who edited my English and Mieke Merkelijn, who provided research assistance and edited many footnotes.

I am further indebted to The Hague Institute for International Law for launching the HiiL Research Program ‘Private Actors and Self-regulation’, into the legitimacy, effectiveness, enforcement, and quality of different forms of transnational private regulation. My participation in the HiiL Program brought me into contact with the European experts on transnational private regulation and their invaluable work products as part of this programme, from which I greatly benefited.

This book is based on Part II of my dissertation ‘BCR – Fixing the Regulatory Patchwork of Data Protection’, which I publicly defended at Tilburg University on 11 September 2011. In writing my dissertation I greatly benefited from the constructive comments of my PhD supervisor Corien Prins, and those of the members of my Review Committee, Christopher Millard, Martijn Polak, Linda Senden, and Colin Scott.

Contents

Table of Cases
Table of Instruments, International Agreements, and Guidelines
List of Abbreviations

1. Introduction
  1.1 Background
  1.2 Subject Matter and Aim of this Book
    1.2.1 Background
    1.2.2 Aim of this book
    1.2.3 Relevance and recommendations
    1.2.4 Prior research and publications
    1.2.5 Scope
  1.3 Outline

2. Binding Corporate Rules: An Overview
  2.1 Data Here, Data There, Data Everywhere
  2.2 Relevance of BCR as a Data Transfer Tool at Global Level
    2.2.1 No global standard
    2.2.2 Bridging function of BCR between different legal systems
    2.2.3 Limitations of state legislative and enforcement powers
    2.2.4 Stepping stone to further harmonization
  2.3 Evaluation of the BCR Regime from Different Dimensions
    2.3.1 Evaluation of BCR as a form of transnational private regulation
    2.3.2 Evaluation of BCR as implementation of corporate accountability
    2.3.3 Evaluation of BCR in the context of corporate social responsibility
  2.4 The Quest for Meta-norms for BCR

3. The Worldwide Data Protection Regulatory Landscape
  3.1 EU Data Protection Regime
    3.1.1 Material processing principles
    3.1.2 Other fundamental obligations
    3.1.3 Rights of data subjects
    3.1.4 Scope of applicability
    3.1.5 EU transfer rules
    3.1.6 Third-party processors
    3.1.7 Jurisdiction and enforcement
    3.1.8 Working Party 29
    3.1.9 Self- and co-regulation
  3.2 Other Comprehensive Regimes
  3.3 Limited Regimes
  3.4 APEC Privacy Framework

4. Trends and Developments in the Legal Landscape
  4.1 Increasing Tension between Different Regulatory Systems
  4.2 Towards a Global Standard for Data Protection?
  4.3 Cross-border Enforcement Issues
  4.4 Thinking about Alternative Solutions for Enforcement
    4.4.1 Self-regulation backed up by governmental enforcement tools
    4.4.2 Parallel with enforcement of consumer protection laws
    4.4.3 Country of origin approach
    4.4.4 Accountability approach
    4.4.5 Private choice of law and forum in transnational private regulation

5. Trends and Developments in Multinational Corporate Practice
  5.1 Increase in International Data Transfers within and between Multinationals
  5.2 Multiple Jurisdictions
  5.3 Corporate Mitigation of Data Protection Risks
  5.4 Other Drivers for Corporate Privacy Policies

6. The BCR Regime
  6.1 Introduction
  6.2 BCR Requirements
  6.3 Different Types of BCR
    6.3.1 BCR for controllers
    6.3.2 BCR for employee data vs BCR for customer data
    6.3.3 BCR for processors
  6.4 EU BCR Approval Procedure
    6.4.1 How to align the MRP with EU works council requirements?
  6.5 Shortcomings of the BCR Approval Procedure
  6.6 How to Address Shortcomings in the BCR Regime and the BCR Approval Procedure?
    6.6.1 Recognize BCR, define main BCR requirements, and impose the Mutual Recognition Procedure
    6.6.2 Define BCR requirements in general principles
    6.6.3 Adequate level of protection
    6.6.4 Harmonize the powers of DPAs
    6.6.5 Replace Directive by an EU regulation
    6.6.6 Role of the Working Party 29
  6.7 Recognition of BCR in Other Countries
  6.8 Conclusion

7. BCR and Contract Law
  7.1 Introduction
  7.2 Internally Binding
    7.2.1 Binding on group companies
    7.2.2 Binding on employees
  7.3 Externally Binding
    7.3.1 Enforceability of unilateral undertakings
    7.3.2 Other grounds of enforcement
    7.3.3 Grounds of enforcement in the EU
    7.3.4 Enforcement of corporate data protection policies in the US
    7.3.5 Solutions to ensure that BCR are externally binding
  7.4 Contractual ‘Supply Chain Management’
  7.5 How to Address the Contractual Supply Chain Management Issues in BCR?
    7.5.1 Enforceability against the external supplier
    7.5.2 Enforceability against the multinational
    7.5.3 From ‘supply chain’ to ‘network’
  7.6 Conclusion as to Contractual Issues of BCR

8. BCR and EU Rules of Private International Law
  8.1 Introduction
    8.1.1 PIL as a mechanism
    8.1.2 Preferences of multinationals
    8.1.3 Preferences of beneficiaries of BCR?
  8.2 Applicability, Jurisdiction, and Enforcement
  8.3 Role Left for EU Rules of PIL?
    8.3.1 Qualification of data protection law
    8.3.2 Do the conflict rules of the Directive take precedence over PIL?
    8.3.3 Choice of law and forum
  8.4 The Applicability, Supervision, and Enforcement Regime of BCR: How It May Work
    8.4.1 How should the applicable law regime be set up under BCR?
    8.4.2 How should the enforcement regime for BCR be set up?
    8.4.3 How should supervision of BCR be set up?
  8.5 Choice of Law and Forum
    8.5.1 Employee contracts
    8.5.2 Consumer contracts
  8.6 Relevance of Rome I and the Brussels I Regulation for BCR
    8.6.1 Contract concluded
    8.6.2 Matters relating to a contract
    8.6.3 Application of ECJ case law to BCR
    8.6.4 Relevance of Rome II?
