The problem of transferring personal data is not a new one for many organisations. Data Protection laws put all manner of obstacles in the way for organisations, quite legitimately protecting individuals' interests. All manner of work-rounds have been tried, such as insisting that individuals grant permission for their data to be transferred in exchange for services. For example, callers to Hewlett-Packards UK customer help desk are told that unless they agree that call details, including personal information, can be used outside the UK, they should consult HP's website.
Earlier attempts to circumvent Data Protection rules included getting overseas companies to sign ‘safe harbour' agreements. Unfortunately, when this was piloted in the US, few local companies would agree to be bound by European rules.
But now a new trend is emerging. The Information Commissioner's Office (ICO) recently approved a set of procedures – called Binding Corporate Rules – for the multinational conglomerate GE, the first such approval that has been made. This allows GE to safely transfer personal data between its UK operations and its other divisions throughout the world.
For GE that solves the problem of transferring personal data from the UK – it still needs to seek approval from other EU regulators should it wish to transfer personal data from their location. However, the Binding Corporate Rules approach looks to be winning favour, with other large businesses, including Philips and DaimlerChrysler now looking to get their own versions approved by the ICO.