The Information Commissioner's Office (ICO) has authorised the transfer of personal information from the UK by Accenture and Atmel to countries outside the European Economic Area. This adds to the number of companies that have Binding Corporate Rules (BCR) approval for international data transfers. Does this mean BCRs are the way of the future?
Accenture and Atmel approvals
Accenture was authorised on 30 April 2009 in respect of employee and client personal information. Atmel was authorised on 22 April 2009 in respect of employee personal information. In both cases, the BCRs permit the international transfer of this information to group companies. The implication is that the other European countries in which these groups operate will also approve the BCRs for the same purposes. However, this decision is one for the data protection regulators in the relevant jurisdictions. It will help that nine European countries have signed up to the BCR mutual recognition programme, which ought to mean that, once the "lead regulator" has spoken, others will follow suit.
Other current issues on international transfers
The international transfer of data has recently highlighted a number of complex issues. Some solutions are also being proposed:
- Bernie Madoff ruling – multinational groups may be subject to e-Discovery orders (for example, US court orders) requiring the retention and disclosure of documents held in Europe. The UK High Court recently ruled that the transfer of personal data outside Europe was in the public interest to allow the investigation of Bernie Madoff's alleged fraud.
- The High Court ordered the transfer of personal data held by the liquidators of an English company in the Madoff group to the trustee in bankruptcy of the US parent. The decision was made on the basis that this transfer was "necessary for reasons of substantial public interest" and therefore exempt from the Eighth Principle of the Data Protection Act (this is the Principle that prohibits the international transfer of data). The court also held that the transfer was necessary in order to "establish legal rights" in the process of winding up the company, which satisfied another exemption from the Eighth Principle.
- European Commission – the Commission has clarified a number of issues relating to cross-border data transfers by publishing a "Frequently Asked Questions" document. The FAQs deal with general questions, issues relating to standard contractual clauses and BCRs. The questions also address issues such as the use of the Safe Harbor scheme by companies based in the US. A copy of the FAQs can be found here.
Where next for international data transfers?
International transfers of data remain a fraught area for international business:
- The general rule, contained in the Eighth Principle of the Data Protection Act 1998, is that personal information should not be transferred to territories outside the European Economic Area except where adequate measures are taken to ensure that the personal data is properly protected. So, when you export personal data from Europe, you need, in a sense, to export the EU data privacy laws as well.
- BCRs are gaining momentum. There are now a number of companies that have been authorised in the UK and we see the ICO as a "leading light" in terms of BCR approvals. The nine-country mutual recognition arrangements are also helpful.
- Nevertheless, there are many thorny issues. One example is the international transfer of data to comply with US court e-Discovery orders. This requires a careful analysis of the circumstances and putting appropriate contractual arrangements in place at an early stage to ensure compliance. Data transfers must be relevant and proportionate in order to comply with EU data privacy laws.
- The fact that the UK High Court has authorised transfers in connection with the Madoff scandal indicates a willingness, in some cases, to use exemptions and other arrangements to ensure that personal data is, where necessary, transferred to non-EEA jurisdictions. While this might work in some cases, it will not work for the average day-to-day transfers of data which are fundamental to international business.