How Did Merck Successfully Achieve the First APEC-based BCR Approval?
On March 1st, Merck & Co. Inc. formally concluded their Binding Corporate Rules (BCR) approval process with the Belgian Data Protection Authority, becoming the 82nd company to achieve the compliance landmark. But in a global first, Merck based its BCR application on its APEC Cross Border Privacy Rules (CBPR) certification.
This work was facilitated by Merck’s use of a common referential developed by the Article 29 Working Party and APEC’s Data Privacy Sub Group in 2014 to facilitate interoperability between companies seeking certification under both systems.
In October 2013, TRUSTe certified Merck as the first healthcare company and the second multinational company under the CBPR system.
“The value of this approach is that we obtained both CBPR and BCR approvals while maintaining the substance and structure of our existing global privacy program.
The practical effect is that we gained greater efficiency in how we manage cross-border data transfer and global data processing without adding complexity to how we operate,” said Hilary Wandall, Chief Privacy Officer.
A Faster BCR Approval Process
As was reported in a recent review of CBPR benefits by Information Integrity Solutions, the first phase of Merck’s BCR approval took less than three months. In comparison, the mutual recognition phase took an additional nine months.
In addition to the time to complete the EU cooperation procedure and transition between the approval phases, the entire approval process was approximately three months faster than the 18-month average.
Most importantly, because Merck based its BCR approval on its previously-approved CBPR certification, a broadly BCR-compliant global privacy program was already in place. As a result, according to Merck’s internal estimates, the total cost of its BCR was approximately 90% less than it would have otherwise been.
Future BCR-CBPR Project
When announcing the referential’s endorsement in March 2014, Isabelle Falque-Pierrotin, Chairwoman of the French Data Protection Authority (CNIL) and president of the Article 29 Working Party called it a “very political and symbolic act” for companies seeking to obtain both BCR and CBPR certification.
FTC Chairwoman Edith Ramirez noted that “[i]nteroperability is absolutely critical,” adding that “[w]ithout the ability to work across systems, we simply can’t effectively protect the privacy of consumer data, and that’s why as part of the U.S. delegation to the APEC data privacy subgroup, the FTC has been actively involved, along with the Department of Commerce, in developing the CBPRs and also working on this referential.”
Earlier this month, Article 29 affirmed that work on the BCR-CBPR project would be a key component of its 2016-2018 work plan.
The CBPR system was endorsed by APEC member economies in 2012 for businesses established in the APEC region that collect and transfer personally identifiable information from consumers.