Corporate rules and international data transfers

          • Paris, 17 November 2004

          When a business group wants to transfer data of a personal nature to another country, it has to pause before clicking "send". What are the legal implications in moving such private information to another jurisdiction?

          Corporate rules and international data transfers

          A new report published by the International Chamber of Commerce (ICC), the world business organization, provides guidance on drafting and implementing company policies to provide a workable legal solution for the transfer of personal data. These policies are called "binding corporate rules" (BCRs). A number of companies are already using BCRs in their corporate operations worldwide, but uncertainty remains about their binding legal status in some jurisdictions. Such uncertainty is dispelled in the ICC report.

          ICC carried out a survey of data transfer solutions as well as the legal enforceability of corporate codes of conduct in a wide range of countries, the first research of its type and scope. It became evident that, although existing contractual solutions for data transfer are still useful, they are impractical for many corporate businesses involved in frequent global transfers of data.

          According to Christopher Kuner, Chair of the ICC Data Protection Task Force: "the ICC report demonstrates that BCRs can be legally enforceable under a number of theories, and should thus be recognized under data protection law as a workable solution to provide a legal basis for the international transfer of personal data."

          ICC's report examines the factors that companies should take into account when drafting and using BCRs, as well as their binding legal status in some selected jurisdictions around the world. The report further stresses that BCRs not only help businesses to safely transfer data, but also help to develop consumer confidence by respecting an individual's right to data privacy and security.

          Th e report will now be sent to interested governments, and will be presented at a hearing organized by the European data protection authorities (Article 29 Working Party) in The Hague on November 24.

          Share this