Regulators to lessen pain of exporting data

Data protection law is a continuing headache for international businesses. The 1997 EU Data Protection Directive even applies to...

New Asset  
Data protection law is a continuing headache for international businesses. The 1997 EU Data Protection Directive even applies to transfers of data between subsidiaries of the same group based in different countries.



Transfers of data on employees, customers and suppliers are all affected by the prohibition.

There have been many complaints that the law is inflexible and bureaucratic. In response, regulators are planning to make life easier for multinationals transferring data between their sites around the world.

Broadly speaking, EU law prohibits the transfer of personal data outside the European Economic Area (EEA) unless one of the listed exceptions applies. The law covers the relocation or duplication of databases outside the EEA.

It even applies where an overseas office merely accesses a database within the EEA and updates the data locally before saving the changes in the EEA database - a routine process for companies that outsource functions such as human resources, payroll, accounting or call centres to another country.

This prohibition creates a compliance issue for IT directors managing the flow of data around the world within multinationals.

In many EU countries, unless each individual affected consents to the data export, or the data is to be exported to one of the EU "white-listed" destinations (Switz- erland, Argentina, Guernsey, Canada and the Isle of Man) compliance can only be achieved in one of two ways.

The first requires an EU-approved standard form data transfer contract to be entered into between the data exporter and every recipient of the data.

Many businesses see this as either impractical or too onerous for internal company transfers.

The alternative, if the destination is the US, is for the data importer to sign up to the Safe Harbour code of conduct (a compromise agreement - the EU allows data to be shipped to the US if the recipients sign a declaration stating that they believe they comply with EU data protection principles).

However, a recent EU report has highlighted serious problems with that method of compliance for the EU-based data exporter.

A company-wide agreement on how data should be transferred offers a simpler solution. This requires an internal policy that complies with the obligations of the Data Protection Directive and which will be binding globally on all subsidiaries of the relevant company.

The rules will need to be approved by the data protection authority in the EU country in which the head office of the company is located, but the EU is working towards a pan-European approval process so that approval in one EU country will also mean compliance with national data export restrictions in all of the other EU countries.

The development of binding corporate rules as a compliance option is an encouraging sign for IT directors that data protection regulators are taking a more practical approach.

It will still be necessary to comply with the data handling practices (security, access controls etc) under the Data Protection Directive, but the problems associated with legitimising data exports will at least be alleviated.

Mark Turner is a partner in the IT department of law firm Herbert Smith

Read more on Privacy and data protection