In a landmark decision, the data protection watchdog recently allowed General Electric in the UK to pass information about its employees to other divisions of the group located outside the European Economic Area.
The significance of GE’s human resources manager being able to send information from the employment records on someone testing medical scanners in Chalfont St Giles to her HR colleague in Wisconsin may pass by anyone unaware that until now, even in this age of globalisation and multinationals, doing this has often given data managers headaches and sleepless nights.
The 1998 Data Protection Act and the European legislation on which it is based have always required that, even if it is still inside the same group of businesses, personal data can only be exported from Europe to countries where there is an adequate legislative framework to protect it. The assessment of what is adequate is made by the European Commission. It has over the years decided that countries such as Canada, Switzerland and Hungary pass the test. Others, it considers, do not. Interestingly, these include the US, whose mix of sector-specific privacy legislation and self-regulation is not robust enough for the EC, although where information is transferred to a company in the US who is a party to the "Safe Harbor" agreement this will be permitted.
The EU Directive does contain a number of derogations from the adequacy rule; however these derogations merely legitimise the data transfer, and do not ensure protection of the personal information itself. In contrast to this the European Commission has drafted and prepared model clauses (two sets in fact), and where businesses use these in transfers outside the EEA, there shall be adequacy. While the second set of model clauses has provided a wider choice to businesses, unfortunately data importers have continued to find these to be burdensome and difficult to work with due to their restrictive nature.
In 2003 the EC working party set up under the directive to tackle issues of this sort set out an alternative solution. Individual organisations would be allowed once and for all to make international transfers of personal data as often as they like under “binding corporate rules” or, as some might call them, codes of conduct.
This is what makes the Information Commissioner’s decision on GE significant. For the first time, he has allowed an organisation to transfer personal data beyond Europe using binding corporate rules. Not that the process is straightforward. In putting forward its version of the rules for approval, in accordance with the EC working party’s rules GE will have had to set out to the Information Commissioner in sufficient detail what types of data will be transferred, why they would be transferred, what they would be processed elsewhere for, and the procedures for storing them securely and then disposing of them when no longer required.
The binding corporate rules process also requires an organisation to submit to regular self-audit and independent audits reporting directly to the ultimate parent board. The reports must also be sent to the Information Commissioner who might also instigate an audit by his own inspectors. Within the organisation, an effective, rigorous and clearly identified department must be set up to handle complaints from individuals – data subjects – about how their personal data are handled or any similar problem.
Meanwhile, the organisation originally holding the data, whether having its headquarters in Europe or a subsidiary based there, must accept responsibility for the actions of any part of the group elsewhere. That means that it will have to act to remedy anything they do, agree that it will be sued under European law and where necessary pay damages and compensation where any part of its group breaches the binding corporate rules. The whole principle and purpose is that data subjects benefit from the same rights, remedies and compensations as they would have if the data never left European soil.
GE clearly satisfied the Information Commissioner that it had in place all the necessary procedures and protection for data subjects’ rights. The fact that the company’s binding corporate rules were drafted in user-friendly language, and so more understandable to any individuals affected, no doubt also helped. Other European data protection authorities are now also assessing the adequacy of GE’s corporate binding rules and may in time also authorise transfer of data falling under their jurisdictions.
All this could mean that the binding corporate rules route will soon be well and truly open, ending the problems of transferring data in an international marketplace and allowing businesses to operate more efficiently and competitively as a result. Meanwhile, going through the process itself requires each organisation to examine clearly the uses and flows of personal data within it, which should unearth a wealth of knowledge about how and why it does what it does and where it could improve its use of resources. That alone can be no bad thing.
Valerie Surgenor is an associate in MacRoberts’ Technology Media & Communications group.
Current Submissions04.07.08 Getting a Get in Scotland - 2This follow-up to the article published in March 2006 explains how current Scots divorce law affects Jewish clients and how solicitors can give appropriate advice 12.06.08 No place for secrecyFuller version of the Opinion article, Journal, June 2008: critique of the system for appointment as Queen’s Counsel in Scotland 11.03.08 One Scotland, many cultures?Despite the protections of the Human Rights Act, the position of travelling people in Scotland appears to have worsened in recent years - why? 26.02.08 Bank charges and the Unfair Terms RegulationsThe significance of the Unfair Terms in Consumer Contracts Regulations in the context of the current litigation over bank charges 21.02.08 CGT: Don't lose out on 6 April 2008Couples should consider asset transfers before then to preserve indexation relief 14.12.07 Common sense prevailsThe options open, and the issues that arise, now that the proposed planning gain supplement is not to be introduced 07.12.07 Discounting justiceAuthor contends that sentencing discounts and other developments have created an imbalance in the justice system 10.10.07 Advocacy in mediationAn overview of the mediation process and the opportunities for solicitors and clients 06.09.07 TUPE: stay your handA Court of Session ruling on a law firm redundancy marks a fundamental change in TUPE 24.07.07 EAT breaks ground with TUPE insolvency rulingRuling on when insolvency proceedings begin leaves successor employer liable 06.07.07 Confidentiality clauses - beware!The Information Commissioner's decision in the VisitScotland case requires very careful drafting of confidentiality provisions in public sector contracts if they are to work 06.07.07 The power of marks: Frankie goes after Hollys nameHow failure to address issues of ownership of the band's name stored up trouble for Frankie Goes to Hollywood 14.05.07 Court plans with little appealThe fuller version of the Opinion article in the Journal for May 2007 14.05.07 Winning waysThe fuller version of the article in the Journal for May 2007 08.02.07 Routes to qualification: the Italian pictureAn Italian lawyer with an interest in training in different jurisdictions reports on current developments in the Italian legal system 09.01.07 Contractual handcuffs: enhanced redundancy rightsThe Court of Appeal decision in Keeley v FOSROC International Ltd requires employers to exercise caution when referring to redundancy rights in staff handbooks 27.12.06 The Isle of ManAn summary of the current legal and tax regime for individuals and companies based on the island (a longer version of the briefing in the November 2006 issue) 15.11.06 Costume Wars: copyright storm over the troopersA row over "Star Wars" costumes illustrates the need to protect all intellectual property rights in written agreements 13.10.06 Survival of the fittest? A replyReply to article on selection for Diploma and traineeship places by Michael Torrance in the September 2006 Journal 13.10.06 TUPE passes the buckFar from providing clarity, the new regulations will need litigation to decide the effect of the insolvency provisions (longer version of October 2006 briefing article) 17.08.06 For supplement read tax - an updateAuthors update their previous Journal article on the proposed planning gain supplement 17.08.06 Technology and the Scottish courtsAn update on the use of technology in the Scottish courts, based on the author's experience of a recent patent case 26.07.06 A lack of trustForthcoming in August issue, put online because of its urgency, the article outlines the final form of the trust tax changes in this year's Finance Act 17.07.06 Ireland 4, Italy 0The ECJ decision in the Irish-Italian dispute in the Parmalat companies liquidation proceedings provides important guidance on jurisdiction 05.04.06 Legal science or law-lite? A responseThis reply to Professor Gretton argues that changes in Scots law teaching are a necessary response to changes in universities, the wider community and the law itself 03.04.06 Opening a binding global route for personal dataIn a significant move the Information Commissioner has allowed a company to transfer employees' personal data outwith the EU under binding internal rules 02.04.06 Mentally disordered offendersOverview of the options available to the courts when dealing with offenders who have or may have a mental disorder, following recent legislative reforms 30.03.06 Bias and mental health tribunals: a replyReply to criticisms of the new tribunals, arguing that the composition of the tribunals is not inherently unfair and only research can assess their performance 17.01.06 Legal aid in children's hearing referralsThis paper delivered at the legal aid conference, argues that the interests of justice require better remuneration for solicitors appearing in children's hearing cases 09.12.05 Holes in Scotland's corporate killing proposalsGaps in the expert working group's proposals could make them unworkable and bad for business 10.08.05 Prosecuting bigotry offencesTwo appeal decisions have exposed limitations in the statutory offences directed at racial abuse 08.07.05 Commissioner: Public Authorities must do moreInformation Commissioner's first appeal decision highlights areas for improvement 14.04.05 New identity for criminal justice bodyScottish Association for the Study of Offending launches by removing "Delinquency" from title 14.04.05 Information and Consultation RegulationsBriefing on the regulations in force from 6 April 2005, covering businesses with more than the prescribed number of employees 13.04.05 Retailers seek effective court action on crimeScottish Retail Consortium proposes more effective intervention following 3rd Retail Crime Survey 11.04.05 Appropriate dispute resolutionThis paper, given to the Four Jurisdictions Conference in Nice this year, discusses how family law can make a difference for the better by careful choice of the most suitable method of resolution 09.03.05 ASBOs and young peopleWhat to look for when acting for a young person facing an antisocial behaviour order application 21.02.05 Sell or transfer?Longer version of briefing published in February 2005 issue, page 44 08.02.05 Promoting competitiveness or competition?Discussion of EU rules on state aids with particular reference to Highlands and Islands ferries 10.11.04 Guarding the inner sanctumHow to minimise the risk of breaches of internet security 10.11.04 The Clinical Trials Directive - a summaryWhat the EU Clinical Trials Directive means for trials of medicinal products 13.10.04 Sheriff Court Rules Council consultation paperConsultation on proposals for further extension of the use of information technology in civil cases in the sheriff court (response date: 15 November 2004) 13.10.04 Ignorantia juris: it's all Greek to meSecond annual APEX lecture given by the President of the Law Society of Scotland, on the rule of law and its essential components 13.10.04 Virtual firms: transactional learning on the webHow today's Diploma students are introduced to legal transactions in a virtual environment 13.10.04 Drafting consumer contractsGuidance on drafting consumer contracts and ensuring compliance with the Unfair Terms in Consumer Contracts Regulations 1999 |