Privacy & Data Protection: Export of Personal Data: Important Developments

12 January 2009

Hazel Grant, Ruth Boardman

Thirteen Data Protection Authorities have agreed to streamline procedures for approving exports of personal data within multinationals.  This is a significant step forward and should start to make data export more manageable for organisations.

The problem

The EU Data Protection Directive prohibits most transfers of personal information outside the EU.  Traditionally, global businesses have used EU-approved model contracts or consent to resolve this.  Neither of these solutions is perfect: many data protection authorities believe that consent cannot be freely given by employees and so consent does not work for HR outsourcing projects.  Where there are a number of companies or data flows, the EU-approved model contracts result in a complex mass of contracts which need to be updated as the group and data flows change over time.

Binding Corporate Rules (BCRs)

In 2003, procedures were established to allow organisations to transfer personal information using “binding corporate rules”.  These form a binding code of practice for a multinational to protect its personal information.  The Information Commissioner’s Office in the UK gave the first approval  on this new basis in 2005.  However, since then progress has been slow, with only a few further approvals in the UK and other jurisdictions.  One of the key concerns for organisations looking to use BCRs is the process of national approval of the BCRs.  One authority receives the application (the lead authority) and obtains and circulates the comments of all relevant authorities.  Responding to these comments can be time consuming and frustrating.

Mutual Recognition of BCRs

On 1 October 2008, 9 data protection authorities agreed to a mutual recognition arrangement.  Then, on 10 December 2008 a further 4 data protection authorities joined the arrangement, making a total of thirteen.  The thirteen are Cyprus, France, Germany, Iceland, Ireland, Italy, Latvia, Liechtenstein, Luxembourg, The Netherlands, Norway, Spain and the UK.  The intention is that all these data protection authorities commit to agree a BCR application, once the lead authority has approved it.

In some jurisdictions the applicant will still need to submit an application for its data exports to be authorised.  However, participating data protection authorities should authorise the BCRs as a matter of course.

There are, however, still some differences of approach within the thirteen: some authorities  have clearly committed to follow the lead authority’s view;  others  consider themselves to be working towards such a position.  We will, therefore, have to wait and see how this works in practice. A number of BCR applications are about to be submitted on this basis, so within weeks we may see the impact of this new process.

For further help

If you would like to discuss BCRs or data transfers generally, please contact one of our privacy & data protection specialists or your Bird & Bird contact.