The UK’s Information Commissioner has made use of new procedures governing the transfer of personal data outside the European Economic Area, by authorising General Electric to pass employee information to parts of the group situated overseas.
The move, reported by law firm Pinsent Masons, is said to be the first time that the data protection watchdog has authorised the transfer of employee data on the basis of what are known as “binding corporate rules”.
European firms are largely restricted by the terms of the Data Protection Directive of 1995 as to what data can be transferred or stored in countries without equivalent rules and enforcement procedures.
Such transfers are forbidden unless the country or territory to which the data is being transferred can show an adequate level of protection for the rights and freedoms of data subjects.
Until now, authorisations have only been granted if a so-called Safe Harbour agreement exists with the recipient country, the transfer is within one of the allowed exceptions (for example where the individuals concerned have given their consent), or there is an alternative safeguard, such as a contract.
But multinationals find it difficult to comply with this last requirement, because a company cannot contract with itself.
In June 2003 the EU Data Protection Working Party, an independent EU advisory body, proposed that in addition to existing procedures, binding corporate rules could provide another acceptable safeguard to allow transfers to take place between separate parts of a corporate group.
These rules would tie the whole corporate group to compliance with general EU data protection principles, and further specific requirements.
The Information Commissioner has now used these procedures to permit General Electric to share employee information throughout the company. It has found that the multinational has the necessary procedures in place and that there is an adequate level of protection for individuals’ rights and freedoms across the group of companies.
The authorisation only applies to information that comes within the Information Commissioner’s jurisdiction – in other words, data generally held in the UK.
Other European data protection authorities are considering the adequacy of General Electric’s binding corporate rules, and may in time issue equivalent authorisations for transfers falling within their jurisdictions.