It is the first time that the data protection watchdog has authorised the transfer of employee data on the basis of what are known as “binding corporate rules”.
European firms are largely restricted by the terms of the Data Protection Directive of 1995 as to what data can be transferred or stored in countries without equivalent rules and enforcement procedures. Such transfers are forbidden unless the country or territory to which the transfer will be made can show an adequate level of protection for the rights and freedoms of data subjects. Only then will the transfer be authorised by the appropriate supervisory authority.
But the procedures used in obtaining authorisation are complex and have made it difficult for multinational corporations to function efficiently.
Until now, authorisations have only been granted if a so-called Safe Harbour agreement exists with the recipient country, the transfer is within one of the allowed exceptions (for example where the individuals concerned have given their consent), or there is an alternative safeguard, such as a contract.
But multinationals find it difficult to comply with this last requirement, because a company cannot contract with itself.
In June 2003 the EU Data Protection Working Party, an independent EU advisory body, therefore proposed that in addition to existing procedures, binding corporate rules could provide another acceptable safeguard to allow transfers to take place between separate parts of a corporate group.
These rules would tie the whole corporate group to compliance with general EU data protection principles, and with further specific requirements.
The Information Commissioner has now used these procedures to permit General Electric to share employee information throughout the company, finding that the multinational has the necessary procedures in place and that there is an adequate level of protection for individuals’ rights and freedoms across the group of companies.
The authorisation only applies to information that comes within the Information Commissioner’s jurisdiction – i.e. data generally held in the UK. Other European data protection authorities are currently considering the adequacy of General Electric’s binding corporate rules and may in time issue equivalent authorisations for transfers falling within their jurisdictions under the company’s binding corporate rules.