Privacy protection: more private, less public regulation

Privacy protection: more private, less public regulation 02 April 2012

Hundreds of different data protection regimes worldwide make it impossible for multinational corporations to comply fully and consistently. Binding Corporate Rules are an alternative says a research project conducted by HiiL Fellow Lokke Moerel.

Hundreds of Contracts
Under the existing various data protection regimes multinational group companies, often with hundreds of subsidiaries worldwide, were obliged to conclude contracts amongst each other, while each contract had to meet the privacy laws of the host countries. This made it impossible for multinational corporations to comply fully and consistently and was detrimental to the protection of personal data.

Binding Corporate Rules
In response to this situation, global firms wrote their own codes of conduct, called Binding Corporate Rules (BCR), for handling sensitive data. In doing so, they had to convince national and EU authorities that BCR is a more effective and efficient instrument for data protection than the present legal regime created by public authorities.

BCR would make the conclusion of separate contracts redundant, would create rights for consumers and provide for an innovative enforcement mechanism through internal complaints and appeal with a national Data Protection Authority. No more obstacles as a result of cross-border complaints.

Therefore, BCR is to be preferred over public regulation. This is the outcome of a research project conducted by Lokke Moerel, HiiL Fellow and partner at the Dutch law firm De Brauw Blackstone Westbroek, as part of the HiiL research project Private Transnational Regulation: Constitutional Foundations and Governance Design.

Evidence and Remaining Challenges
The effectiveness of BCR has been proven through the use of an accountability measuring instrument, called ‘Nymity’. The assessment among a number of multinational companies showed that the degree of accountability and compliance had increased after they introduced BCR. Sympathy with BCR was shown by the European Commission through its recent launch of a Draft Regulation on Data Protection which provides for a broad regulatory framework for BCR. However, administrative burdens remain under the proposed EU legislation and these may lead companies to abandon BCR altogether. Moreover, and importantly, only a worldwide endorsement of BCR as an alternative to state regulation can make the system truly work.

A summary report of the seminar will be published soon.

Downloads & Resources

  • Book: L. Moerel, Binding Corporate Rules, Oxford University Press 2012 (forthcoming)
  • Interview: Privacy Protection: More Private, Less Public Regulation

Related items


Related impact area