In a significant move the Information Commissioner has allowed a company to transfer employees' personal data outwith the EU under binding internal rules

In a landmark decision, the data protection watchdog recently allowed General Electric in the UK to pass information about its employees to other divisions of the group located outside the European Economic Area.

The significance of GE’s human resources manager being able to send information from the employment records on someone testing medical scanners in Chalfont St Giles to her HR colleague in Wisconsin may pass by anyone unaware that until now, even in this age of globalisation and multinationals, doing this has often given data managers headaches and sleepless nights.

The 1998 Data Protection Act and the European legislation on which it is based have always required that, even if it is still inside the same group of businesses, personal data can only be exported from Europe to countries where there is an adequate legislative framework to protect it. The assessment of what is adequate is made by the European Commission. It has over the years decided that countries such as Canada, Switzerland and Hungary pass the test. Others, it considers, do not. Interestingly, these include the US, whose mix of sector-specific privacy legislation and self-regulation is not robust enough for the EC, although where information is transferred to a company in the US who is a party to the "Safe Harbor" agreement this will be permitted.

The EU Directive does contain a number of derogations from the adequacy rule; however these derogations merely legitimise the data transfer, and do not ensure protection of the personal information itself. In contrast to this the European Commission has drafted and prepared model clauses (two sets in fact), and where businesses use these in transfers outside the EEA, there shall be adequacy. While the second set of model clauses has provided a wider choice to businesses, unfortunately data importers have continued to find these to be burdensome and difficult to work with due to their restrictive nature.

In 2003 the EC working party set up under the directive to tackle issues of this sort set out an alternative solution. Individual organisations would be allowed once and for all to make international transfers of personal data as often as they like under “binding corporate rules” or, as some might call them, codes of conduct.

This is what makes the Information Commissioner’s decision on GE significant. For the first time, he has allowed an organisation to transfer personal data beyond Europe using binding corporate rules. Not that the process is straightforward. In putting forward its version of the rules for approval, in accordance with the EC working party’s rules GE will have had to set out to the Information Commissioner in sufficient detail what types of data will be transferred, why they would be transferred, what they would be processed elsewhere for, and the procedures for storing them securely and then disposing of them when no longer required.

The binding corporate rules process also requires an organisation to submit to regular self-audit and independent audits reporting directly to the ultimate parent board. The reports must also be sent to the Information Commissioner who might also instigate an audit by his own inspectors. Within the organisation, an effective, rigorous and clearly identified department must be set up to handle complaints from individuals – data subjects – about how their personal data are handled or any similar problem.

Meanwhile, the organisation originally holding the data, whether having its headquarters in Europe or a subsidiary based there, must accept responsibility for the actions of any part of the group elsewhere. That means that it will have to act to remedy anything they do, agree that it will be sued under European law and where necessary pay damages and compensation where any part of its group breaches the binding corporate rules. The whole principle and purpose is that data subjects benefit from the same rights, remedies and compensations as they would have if the data never left European soil.

GE clearly satisfied the Information Commissioner that it had in place all the necessary procedures and protection for data subjects’ rights. The fact that the company’s binding corporate rules were drafted in user-friendly language, and so more understandable to any individuals affected, no doubt also helped. Other European data protection authorities are now also assessing the adequacy of GE’s corporate binding rules and may in time also authorise transfer of data falling under their jurisdictions.

All this could mean that the binding corporate rules route will soon be well and truly open, ending the problems of transferring data in an international marketplace and allowing businesses to operate more efficiently and competitively as a result. Meanwhile, going through the process itself requires each organisation to examine clearly the uses and flows of personal data within it, which should unearth a wealth of knowledge about how and why it does what it does and where it could improve its use of resources. That alone can be no bad thing.

The Author
Valerie Surgenor is an associate in MacRoberts’ Technology Media & Communications group.
Share this article
Add To Favorites