Data transfer: be prepared for protection

While governments prove, yet again, that a unified response to data protection is beyond them, corporate IT should make moves to regulate itself

Today, in the week that the UK adopts a new data protection regime, similar European rules for cross-border transfer of data also come into force.

Businesses in Europe have a duty to comply with rules on how they handle personal information about their employees, especially if that data is transferred outside the European Union.

But the EU is at odds with the US over the rules. The US government believes the EU directive is too stringent compared with its own "self-regulatory" approach.

After months of negotiations, a deal is said to be on the cards over a compromise dubbed "safe harbour". That involves personal information - which needs employee approval before it can be transferred - being protected, even in the US.

In reality, the US is now playing hardball and the EU is under political pressure to back down. The word is that the European Commission will agree to safe harbour - though it has no teeth - while, confusingly, the European Parliament could throw it out.

While the EU and US slug it out, other governments wonder how the principles will apply to them. For example, what rules cover data transferred for processing in India?

The whole sorry mess is a perfect example of how governments are bungling legislation needed to unleash the power of the Internet.

As the dispute over the Regulation of Interceptory Procedures Bill has proved, governments and Internet legislation make very unhappy bedfellows.

To guard against this, IT users should protect themselves by being fully aware of the issues, and by putting their own solutions in place. Your firm is now obliged to ensure that privacy rules - however indistinct - are not breached.

This means ensuring your company has registered under the UK Data Protection Act and is implementing the code of conduct on privacy produced by lawyers for the International Commerce Exchange at Shell's bidding.

Regardless of whether self-regulation or legislation triumphs in the transatlantic data war, you must put in place the policies and mechanisms to self-regulate. The better and more efficiently firms regulate themselves, the fewer legal restrictions on trade.

Shell's IT operation decided it had no choice but to take action to prevent being caught up in a government-inspired privacy foul-up. You should adopt the same philosophy.

Protect yourself.
