Binding Corporate Rules

22 March 2006

Nick Aries

On 15 December 2005, General Electric obtained an authorisation for transfers of employee data outside the European Economic Area (‘EEA’) on the basis of binding corporate rules (‘BCRs’). BCRs are approved codes of corporate conduct that bind all members within a corporate group. By doing so, the US based company became the first to have its BCRs approved by the UK’s Information Commissioner. The BCRs of General Electric are in the public domain and are available on the company’s website.

The 8th principle of the Data Protection Act 1998 (‘DPA’) prohibits the transfer of personal data outside the EEA (i.e. the EU Member States plus Iceland, Liechtenstein and Norway), unless the country or territory to which it is transferred ensures an adequate level of protection for the rights and freedoms of the data subjects in relation to the processing of personal data. There are exceptions to this principle where (among other things):

  • the data subject has given his/her consent to the transfer;
  • transfers are made to the USA and the transferee company is a signatory to a ‘Safe Harbor’ agreement;
  • the European Commission deems that the transferee country has adequate rules to protect personal data;
  • the transfer is made on the basis of a contract containing European Commission approved model clauses;
  • the transfer takes place between different entities within the same corporate group, and the entities are subject to BCRs.

For more information on this, please see the article below (‘EU Working Party document on transborder dataflows’) on the interpretation of the transborder dataflow provisions in Directive 95/46/EC.

Where data is transferred between wholly or majority owned entities of one company around the world, the use of BCRs provides a pragmatic solution to the international data transfer compliance issue. If the BCRs are supported by the necessary procedures and there is an adequate level of protection for individuals’ rights and freedoms across the group of companies, they ought to be approved by the relevant data protection authority. The Article 29 Working Party has adopted a model checklist which describes the information required to make an application to a data protection authority for approval of potential BCRs.

In the case of GE, the lead data protection authority for the negotiation was the UK (the ICO), because there are more GE affiliated legal entities in the UK than in any other EU Member State. The ICO will now support GE in its bid to gain approval from the other data protection authorities across Europe.

The BCR scheme adopted by GE covers the transfer of employee data.

EU Working Party document on transborder dataflows

Coincidentally, the GE approval (see above) came against the background of a recent paper released by the Article 29 Working Party on a common interpretation of Article 26(1) of Directive 95/46/EC (the ‘Directive’).

The Working Party is an independent European advisory body set up under the Directive to advise on data protection and privacy issues. At the end of November 2005 it adopted a paper (the ‘Paper’) providing guidance as to how Article 26(1) of the Directive should be applied by data controllers intending to initiate data transfers to countries which do not ensure an adequate level of protection.

The aim was to promote consistency of interpretation throughout the EU of Article 26(1). The provisions of Article 26(1) state that a data controller, subject to certain specified conditions, can transfer personal data to a third country by way of derogation from the principle of “adequate protection” laid down in Article 25 of the Directive.

The Paper highlights the necessity, in particular, that the provisions of Article 26(1) be strictly interpreted. In support of this, it refers, among other things, to the principle whereby fundamental rights are interpreted widely in the European Court of Human Rights (and therefore, derogations from fundamental rights are to be applied strictly). However, this particular reasoning is not flawless, as privacy is not a fundamental right under the European Convention on Human Rights.

The Working Party also recommended that where transfers are “repeated, mass or structural”, they should be carried out within a specific legal framework (i.e. using contracts or binding corporate rules).

The Paper then embarks on a detailed analysis of the individual provisions of Article 26(1). It comments most notably on the consent of the data subject (Article 26(1)(a)), saying that implied consent will not be good enough for data transfers, and that particular difficulties exist in obtaining genuine consent from employees due to the natural relationship of subordination in an employment context.

Generally, the Paper is broadly in line in its interpretation with an older paper issued by the previous UK Information Commissioner, except that it places emphasis on the use of consent and the other derogations only as a last resort, after contracts or BCRs have been considered.