Under the laws of various EU member states, pursuant to the EU Data Privacy Directive, there are restrictions on the ability of corporations based in EU countries to send data to non-EU countries whose laws fail to provide an “adequate” level of data protection. There are many ways to overcome the restriction, one of which is for a corporation to create its own internal “binding corporate rules” and to have those rules ratified and approved by the data protection authorities in the EU member states. There has been some concern in the past, as we have reported, over the difficulty in getting all data protection authorities to approve the same set of binding corporate rules. The recent approval by 14 member states of eBay’s rules is a good sign that this process may work for other companies in the future. Indeed, many suspect that the use of the process may increase now that eBay has successfully gone through it.
TIP: If your company finds itself in need of transferring data across borders, creating and adopting binding corporate rules is beginning to look like a more feasible option, and may be something to consider.