Binding Corporate Rules As a New Concept for Data Protection in Data Transfers

Personal Data in Competition, Consumer Protection and Intellectual Property Law

Part of the book series: MPI Studies on Intellectual Property and Competition Law (MSIP, volume 28)

Abstract

It took us only a few decades from the introduction of publicly open, printed telephone-number registers to approach the utopian idea of Laudon’s digital information market for personal data. Along the way, data protection has had to face challenges posed by technological development as well as jurisdictional and legislative issues such as extraterritorial law-making. This paper attempts to give a brief overview of the economic aspects of personal data now that it has been given real commercial and strategic value. It also focuses on the conceptual, procedural and applicability aspects of a new legal institution called binding corporate rules, which can offer companies a new approach to ensuring an adequate level of protection, not only in cases of data transfer to third countries but also in their general business interests.

Bianka Maksó, dr. jur., is a PhD candidate of the Deák Ferenc Doctoral School of Law, University of Miskolc.

Notes

  1. Laudon (1996), pp. 92-104.

  2. ECJ, Google Spain and Google, C-131/12; ECLI:EU:C:2014:317.

  3. ECJ, Maximillian Schrems v. Data Protection Commissioner, C-362/14, ECLI:EU:C:2015:650.

  4. Moorhead (2011).

  5. European Commission (2015).

  6. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, OJ [2016] L 119/1.

  7. Kuner (2015).

  8. Samuelson (2000).

  9. It is noteworthy that there is still a current scientific debate over the balance of moral rights and interests.

  10. Szabó (2005), pp. 44-54.

  11. Finn / Wright / Friedewald (2013).

  12. Acquisti (2013).

  13. Warren / Brandeis (1890).

  14. Luhmann (1979); for further interpretation see: Csegődi, T. L. (1979): A jog pozitivitása mint a modern társadalom feltétele, in: Jog és szociológia, pp. 123-142, Válogatott tanulmányok KJK.

  15. Posner (2011); or Tóth (2004).

  16. An American would pay 50 cents more for a good which is provided by a business which applies data protection measures; Acquisti (2013).

  17. Critics say that this would lead to a world in which there is no privacy at all and discrimination would aggravate the gap between rich and poor people.

  18. Laudon (1996), pp. 92-104.

  19. Posner (1978).

  20. European Commission (2011).

  21. Posner (1978).

  22. Huang (1998).

  23. Huang (1998).

  24. Varian (1996).

  25. Acquisti (2010).

  26. European Commission (2016).

  27. Note: with reference to data protection, ‘EU’ stands for the European Economic Area (EEA).

  28. Treaty of Lisbon amending the Treaty on European Union and the Treaty establishing the European Community, signed at Lisbon, 13 December 2007, OJ [2007] C 306/1.

  29. Charter of Fundamental Rights of the European Union, OJ [2016] C 202/389.

  30. Oros / Szurday (2003).

  31. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ [1995] L 281/31.

  32. Ibid., Article 32(1).

  33. Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ [2016] L 119/89.

  34. ECJ, Criminal proceedings against Bodil Lindqvist, C-101/01, ECLI:EU:C:2003:596, paras 56, 59, 60, 70.

  35. Special Eurobarometer 431 / Wave EB83.1: Data protection, Fieldwork: March 2015, Publication: June 2015 http://ec.europa.eu/public_opinion/archives/eb_special_439_420_en.htm#431.

  36. Ryngaert (2015).

  37. List of countries can be found here: http://ec.europa.eu/justice/data-protection/document/international-transfers/adequacy/. Note: Hungary was declared among these countries before its accession to the EU.

  38. ECJ, Maximillian Schrems v. Data Protection Commissioner, C-362/14, ECLI:EU:C:2015:650, para 73.

  39. ECJ, Maximillian Schrems v. Data Protection Commissioner, C-362/14, ECLI:EU:C:2015:650, para 29.

  40. 2001/497/EC: Commission Decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC (Text with EEA relevance) OJ [2001] L 181/19; 2004/915/EC: Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries OJ [2004] L 385/74; 2010/87/EC Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council OJ [2010] L 39/5.

  41. See for details: Article 29 Data Protection Working Party: National filing requirements for controller BCR (“BCR-C”), available at: http://ec.europa.eu/justice/data-protection/international-transfers/files/table_nat_admin_req_en.pdf.

  42. Note: the legal basis of BCRs came into effect on 1 Oct 2015 in Hungary.

  43. Wright / de Hert (2016).

  44. http://privacylawblog.fieldfisher.com/2016/getting-to-know-the-gdpr-part-9-data-transfer-restrictions-are-here-to-stay-but-so-are-bcr/.

  45. In connection with BCRs the relevant working papers are the following: WP 74, WP 108, WP 153, WP 154, WP 155, WP 176, WP 195, WP 204.

  46. Directive 95/46/EC Article 19 point e) declares that proposed transfers of data to third countries may be subject to notification in advance for the national DPA.

  47. Article 29 Data Protection Working Party: (2003) Working Document: Transfers of personal data to third countries: Applying Article 26(2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers, available at: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2003/wp74_en.pdf.

  48. Baker (2006).

  49. List of companies, for which the EU BCR cooperation procedure is closed, available at: http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/bcr_cooperation/index_en.htm.

  50. List of companies available at: https://www.oecd.org/sti/ieconomy/46968784.pdf.

  51. For further substantive issues see: WP74 and WP 153.

  52. Hewlett Packard’s BCRs are available at: http://www8.hp.com/uk/en/binding-corporate-rules.html.

  53. eBay’s BCRs are available at: http://www.ebayprivacycenter.com/sites/default/files/user_corporate_rules_11-2-09_v1-01.pdf.

  54. WP 153 point 6.4.

  55. WP 108.

  56. Horváth-Egri Katalin (2015). However, it is noteworthy that according to the draft modification of Hungarian Data Protection Act the authorizing process will be administered according to the rules of the general administrative procedure.

  57. See the country-specific details in the table, available at: http://ec.europa.eu/justice/data-protection/international-transfers/files/table_nat_admin_req_en.pdf.

  58. Until October 2017 the Hungarian DPA has not acted as lead authority.

  59. See the full list of factors in WP 108 point 3.3.

  60. So far 21 countries take part in this process. See the list: http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/mutual_recognition/index_en.htm.

  61. Currency rate available at: https://www.mnb.hu/arfolyamok.

  62. http://ec.europa.eu/justice/data-protection/international-transfers/files/table_nat_admin_req_en.pdf.

  63. https://www.lexology.com/library/detail.aspx?g=7a63e6fe-e1f8-4a17-a517-77ee1c0f4218.

  64. Szőke (2015).

  65. An example of its application is listed in Article 27 of Council Regulation (EC) No 1083/2006 of 11 July 2006 laying down general provisions on the European Regional Development Fund, the European Social Fund and the Cohesion Fund and repealing Regulation (EC) No 1260/1999, OJ [2006] L 210/25 (no longer in force).

  66. Such as Bulgaria, the Slovak Republic and certain states of Germany.

  67. The Hungarian national DPA in its annual control plans in 2013 and in 2014 put the focus on claim management and debt collector companies because of the high rate of complaints on their activity, available at: http://www.naih.hu/files/NAIH-ellenorzesi-terv-2013.pdf; https://www.naih.hu/files/NAIH_ell_terv_2014.pdf.

  68. Article 29 Data Protection Working Party: Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in the EU and Cross Border Privacy Rules submitted to APEC CBPR Accountability Agents, Adopted on 27 February 2014, WP212, 538/14/EN.

References

  • Acquisti, A. (2010), The Economics of Personal Data and the Economics of Privacy, Background Paper #3, OECD, OECD Conference Centre 1 Dec. 2010, available at: https://www.oecd.org/sti/ieconomy/46968784.pdf

  • Acquisti, A. (2013), The Economics of Privacy: Theoretical and Empirical Aspects, Carnegie Mellon University, first page, available at: https://pdfs.semanticscholar.org/4807/d80005a2dfc8af1d149ddb77096bcc26e488.pdf.

  • Baker, R.K. (2006), Offshore IT Outsourcing and the 8th Data Protection Principle - Legal and Regulatory Requirements - with Reference to Financial Services, 14 International Journal of Law and Information Technology Issue 1, 1 March 2006, pp. 1–27.

  • Csegődi, T. L. (1979), A jog pozitivitása mint a modern társadalom feltétele, in: Jog és szociológia, Válogatott tanulmányok KJK, pp. 123-142.

  • Finn, R.L. / Wright, D. / Friedewald, M. (2013), Seven Types of Privacy, in: S. Gutwirth et al. / R. Leenes / P. de Hert / Y. Poullet (Eds.), European Data Protection: Coming of Age, Springer, pp 3-32.

  • Horváth-Egri Katalin (2015), A kötelező szervezeti szabályok (Binding Corporate Rules, BCR) és az együttműködési eljárási lehetőségei, Infokommunikáció és Jog, Vol XII, No 64, HVG Orac Lap- és Könyvkiadó Kft, Budapest, 2015. pp. 143 – 147.

  • Huang, P.H. (1998), The Law and Economics of Consumer Privacy Versus Data Mining, University of Pennsylvania, available at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=94041

  • Kuner, C. (2015), Extraterritoriality and Regulation of International Data Transfers in EU Data Protection Law, University of Cambridge Faculty of Law Research Paper No. 49/2015, 2015, available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2644237

  • Laudon, K.C. (1996), Markets and Privacy, Association for Computing Machinery, Communications of the ACM, Sep 1996, Vol 39, No 9, 92-104, ABI/INFORM Global

  • Luhmann, N. (1979), The unity of the legal system, in: G. Teubner (Ed.), Autopoietic Law: A new approach to law and society, Gruyter

  • Moorhead, P. (2011), Why Your Personal Data Is The New Oil.

  • Oros P. / Szurday K. (2003), Adatvédelem az Európai Unióban – Szakmai összefoglaló a magyar csatlakozási tárgyalások lezárt fejezeteiből, A Miniszterelnöki Hivatal Kormányzati Stratégiai Elemző Központ és a Külügyminisztérium közös kiadványa, Európai Füzetek 35., Budapest, 2003.

  • Posner, R.A. (1978), The Right of Privacy, 12 Georgia Law Review first page.

  • Posner, R.A. (2011), Economic Analysis of Law, Aspen Publisher

  • Tóth, J.Z. (2004), Richard Posner és a gazdasági jogelmélet, Jogelméleti Szemle, 2004/1.szám, available at: http://jesz.ajk.elte.hu/toth17.html

  • Ryngaert, C. (2015) Symposium issue on extraterritoriality and EU data protection, International Data Privacy Law, Volume 5, Issue 4, 1 November 2015, Pages 221–225, Oxford University Press, https://academic.oup.com/idpl/article/5/4/221/2404465

  • Samuelson, P. (2000), Privacy As Intellectual Property?, Stanford Law Review, Vol. 52, No. 5, Symposium: Cyberspace and Privacy: A New Legal Paradigm? (May, 2000), pp. 1125-1173 available at: http://people.ischool.berkeley.edu/~pam/papers/privasip_draft.pdf

  • Szabó, M.D. (2005), Kísérlet a privacy fogalmának meghatározására a magyar jogrendszer fogalmaival, Információs társadalom, 44-54.

  • Szőke, G.L. (2015), Az európai adatvédelmi jog megújítása – Tendenciák és lehetőségek az önszabályozás területén, HVG-ORAC Lap- és Könyvkiadó Kft

  • Varian, H.R. (1996), Economic aspects of Personal Privacy, In: Lehr W., Pupillo L. (eds) Internet Policy and Economics. Springer, Boston, MA, available at: http://people.ischool.berkeley.edu/~hal/Papers/privacy/

  • Warren, S.D. / Brandeis, L.D. (1890), The Right to Privacy, Harvard Law Review, Vol. 4, No. 5. (Dec. 15, 1890), pp. 193-220.

  • Wright, D. / de Hert, P. (2016), Enforcing Privacy: Regulatory, Legal and Technological Approaches Law, Governance and Technology Series, Volume 25, Springer International Publishing

Additional Sources

  • Article 29 Data Protection Working Party: (2003) Working Document: Transfers of personal data to third countries: Applying Article 26 (2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers, available at: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2003/wp74_en.pdf

  • Article 29 Data Protection Working Party: Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in the EU and Cross Border Privacy Rules submitted to APEC CBPR Accountability Agents, Adopted on 27 February 2014, WP212, 538/14/EN

  • Article 29 Data Protection Working Party: WP 74, WP 108, WP 133, WP 153, WP 154, WP 155, WP 176, WP 195, WP 204

  • European Commission (2015), Commission proposes a comprehensive reform of data protection rules to increase users’ control of their data and to cut costs for businesses, Press Release Database, available at: http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en

  • European Commission (2011), Special Eurobarometer 359: Attitudes on Data Protection and Electronic Identity in the European Union, available at: http://ec.europa.eu/public_opinion/archives/ebs/ebs_359_en.pdf

  • European Commission (2016), Digital Privacy, available at: https://ec.europa.eu/digital-single-market/online-privacy

Correspondence to Bianka Maksó.

Copyright information

© 2018 Springer-Verlag GmbH Germany, part of Springer Nature

About this chapter

Cite this chapter

Maksó, B. (2018). Binding Corporate Rules As a New Concept for Data Protection in Data Transfers. In: Bakhoum, M., Conde Gallego, B., Mackenrodt, MO., Surblytė-Namavičienė, G. (eds) Personal Data in Competition, Consumer Protection and Intellectual Property Law. MPI Studies on Intellectual Property and Competition Law, vol 28. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-57646-5_18

  • DOI: https://doi.org/10.1007/978-3-662-57646-5_18

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-57645-8

  • Online ISBN: 978-3-662-57646-5

  • eBook Packages: Law and Criminology (R0)
