Out-Law / Your Daily Need-To-Know

International data transfers between different parts of multinational corporate groups could be simplified according to a Working Document issued last week by the EU Data Protection Working Party.

At present, European firms are severely restricted in terms of the Data Protection Directive of 1995 as to what data can be transferred or stored in countries without equivalent rules and enforcement procedures. And question marks remain over the security of the systems and policies used in developing countries.

But the procedures currently in place to regulate transfers are complex, and make it difficult for multinational corporations to function at their best.

The EU Data Protection Working Party, an independent EU advisory body, has therefore been considering ways to smooth the application of the procedures, with the side effect of simplifying matters for those multinationals who regularly transfer personal data across the world.

In its Working Document on Binding Corporate Rules for International Data Transfers, the Working Party explains that, at present, international transfers of personal data can only take place after authorisation from the appropriate supervisory authority.

Normally, this requires either that a Safe Harbour agreement exists with the recipient country, that the transfer is within one of the allowed exceptions (for example where the individuals concerned have given their agreement), or that there is an alternative safeguard, such as a contract.

The Working Party is now proposing that in addition to these avenues, binding corporate rules could provide another acceptable safeguard to allow transfers to take place between separate parts of a corporate group.

What constitutes a "corporate group" may, according to the Document, "vary from one country to another and may correspond to very different business realities: from closely-knit, highly hierarchically structured multinational companies to groups of loose conglomerates; from groups of companies sharing very similar economical activities and therefore processing operations to broad partnerships of companies with very different economical activities and different processing operations."

But the Working Party expects that multinational companies will be the most likely users of the proposed procedure.

The transfer of data will relate only to transfers within the corporate group – all members of which will be bound by the proposed corporate rules. Transfers of data outside the group can only take place following a further authorisation under the existing rules.

The Working Party stresses that the rules must both be binding and enforceable. The internal workings of the corporate group must be structured in such a way that everyone within the company believes that they must comply with the rules. As part of this there should be an EU-based member of the group responsible for ensuring compliance.

The right to enforce the rules is extended to the individuals whose data is being transferred. In the event of any breach of the rules they will be entitled to complain to either the relevant EU data protection authority, or the relevant court within the EU.

The binding corporate rules will include general data protection principles, and further specific requirements to:

  • guarantee a good level of compliance;
  • carry out audits;
  • have complaints procedures;
  • cooperate with data protection authorities;
  • give data subjects the same rights and remedies as if their data had never left the EU;
  • allow data subjects to choose the jurisdiction of any complaint; and
  • provide updated, accessible information to data subjects.

This is not the last word from the Working Group on the matter. It calls on all interested parties to comment and will reconsider the position if required.

The full text of the Working Document can be found at: www.europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2003/wp74_en.pdf
