At present, European firms are restricted by the terms of the Data Protection Directive of 1995 as to what data can be transferred or stored in countries without equivalent rules and enforcement procedures.
The procedures currently in place to regulate transfers are complex and, says the ICC, make it difficult for multinational corporations to function at their best.
At present, international transfers can only take place after authorisation from the appropriate supervisory authority. Normally, this requires either that a so-called Safe Harbour agreement exists with the recipient country, that the transfer is within one of the allowed exceptions (for example where the individuals concerned have given their consent), or that there is an alternative safeguard, such as a contract.
But multinationals find it difficult to comply with this last requirement, because a company cannot contract with itself.
According to the ICC, the solution may be that put forward last June by the EU Data Protection Working Party, an independent EU advisory body.
The Working Party, in its Working Document on Binding Corporate Rules for International Data Transfers, proposed that in addition to existing procedures, binding corporate rules could provide another acceptable safeguard to allow transfers to take place between separate parts of a corporate group.
The Proposals
The rules would include general data protection principles, and further specific requirements to:
The transfer of data would relate only to transfers within the corporate group – all members of which would be bound by the proposed corporate rules. Transfers of data out with the group could only take place following a further authorisation under the existing rules, according to the proposals.
The Working Party stressed that the rules must be both binding and enforceable. The internal workings of the corporate group must be structured in such a way that everyone within the company believes that they must comply with the rules. As part of this there should be an EU-based member of the group responsible for ensuring compliance.
In the event of any breach of the rules, the individuals whose data is being transferred would be entitled to complain to either the relevant EU data protection authority, or the relevant court within the EU.
The Survey
In September last year the UK's data protection regulator, the Information Commissioner, set out his proposals as to how the Working Party scheme could be achieved in the UK. The ICC is now canvassing the views of privacy experts worldwide as to whether this is the appropriate way forward.
According to Christopher Kuner, chair of the ICC Task Force on the Protection of Personal Data:
"Businesses and regulators are currently showing considerable interest in the use of binding corporate rules to address the safe movement of personal data cross border. As the world's leading business organization, the ICC needs to assist by providing guidance in this area."
Responses to the questionnaire are required by 28th May 2004.