Over protective
Data protection laws seemingly preclude the processing of customer data offshore. But there are ways around them, says Berwin Leighton Paisner's Eduardo Ustaran.
Exotic locations such as Mumbai and Bangalore in India and Johannesburg in South Africa are fast becoming operational hubs for many international companies.
Business processes such as the running of call centres, the collection of debts and the delivery of direct marketing campaigns are increasingly being set up thousands of miles away from the headquarters of those companies. Cost-effectiveness is the clear and overriding reason for this strategy.
However, it is equally obvious that this movement is not entirely risk-free. In addition to political instability, radical cultural differences and local regulations, European Union (EU) businesses that decide to place their data processing operations offshore face the stringent limitations imposed by the 1995 Data Protection Directive.
The directive placed a controversial requirement on EU governments: to ban the transfer of personal data to any non-EU country unless regulations in that third country can provide a similar level of privacy protection.
Bearing in mind the high standards of privacy protection imposed by the directive, it is difficult to see how countries without the same strict legislative approach can avoid falling foul of it. As a consequence of this, the directive is often regarded as a serious barrier to offshore data processing.
But the directive does at least allow Brussels to determine whether a third country provides an adequate level of protection, either in its domestic law or the international commitments it has entered into. In practice, the European Commission (EC) investigates whether individual countries ensure adequate levels of data protection. At the moment, the countries that have gained EC approval are few in number: only Argentina, Canada, Hungary and Switzerland can boast such a designation. The Channel Island of Guernsey has also won approval.
As a result, the many UK organisations that offshore their data processing operations to places in India or South Africa need to find a way to legitimise their operations.
One idea is for individual organisations to provide guarantees to the UK government. The 1995 directive enables EU member states to authorise transfers of personal data to non-EU countries that lack adequate data protection laws, but only if the organisations involved provide adequate safeguards to protect individuals' privacy rights. These should be in the form of standard clauses - agreed by the EC in 2001 - that would be inserted into contracts with offshore outsourcers.
Another possible solution arose out of proposals drawn up in 2003 by an independent body of EU data protection authorities known as the Article 29 Working Party. The body's proposal was narrow in scope: it proposed establishing binding corporate rules only for the transfer of data between international branches of multinational companies.
But the working party's proposal could be extended to cover data processing organisations and their offshore suppliers. In my view, there is no reason why the same approach would not legitimise the provision of data processing services outside Europe if an offshore supplier adopted a set of rules that met the working party's requirements.
As in many instances affected by data protection law, choosing the right course of action to address a legal obligation is ultimately an important management decision. It has become clear that dealing with data protection compliance should be part of the risk assessment of the operation when sending data processing functions offshore.
Some countries appear to be trying hard to work through the legislative standards required by the EC to qualify as countries that provide an adequate level of protection. Before they qualify for approval, however, suppliers from those countries will need to add data protection compliance to their sales pitches to European organisations.





