EU move may cut costs for Bermuda business

The EU looks set to relax its stringent requirements on data protection transfers to non-EU countries, a move that could make it easier and cheaper for Bermuda companies to comply with the bloc's rules.

The Bermuda government is currently considering whether to implement the international data transfer requirements outlined in an EU directive but is worried about the prohibitive costs these would impose on businesses. But some global firms, including KPMG's offices worldwide, have already found ways to reduce the cost of compliance through the issuing of 'binding corporate rules'.

Now an EU working party is looking at such a solution, which would allow multinational firms to transfer data to non-EU countries once they have issued internal 'binding corporate rules' for all of a company's worldwide operations.

The current EU data protection rules, Directive 95/46/EC, do not allow the transfer of data from the member states to non-members unless the entity in the third country has signed up to a special contract on data protection and is also subject to equivalent data protection laws in its own jurisdiction.

For data transfers to countries that do not have similar standards, entities must also get the explicit permission of EU residents for the transmission of their personal information.

Only Argentina, Canada, Hungary, Switzerland and the US have been approved by the EU as having adequate data protection standards under the directive.

Large companies based in other places like Bermuda face huge costs in getting each of their employees' consent when transferring data from their European offices.

Hence the decision by the Bermuda government to issue a public consultation on data protection legislation that would comply with the EU's directive. Government notes that the cost of compliance is high and that perhaps Bermuda need not adopt such tough requirements.

Now there is a solution in the making to the cost problem. In June 2003 the EU's working party published a consultation on an amendment to Directive 95/46/EC that would allow 'binding corporate rules'.

The proposal would help companies by allowing them to implement a data protection rule for all of their worldwide operations rather than gathering the consent of every employee.

How do these rules work? In its report to the working party, KPMG International said it has already successfully implemented just such a solution. KPMG first noted that current EU requirements are too 'cost prohibitive and ineffective'. KPMG, which has offices in 150 countries, is registered in Switzerland and is headquartered in the Netherlands.

'It became clear that obtaining consent from each member of KPMG's rapidly changing and increasingly mobile workforce of nearly 100,000 personnel worldwide would be cost prohibitive and ineffective,' KPMG said in September this year.

KPMG decided that because KPMG member firms are each separate legal entities, the use of bilateral contracts, as recommended by the EU, was not an effective option. The firm responded by developing a global privacy policy for all member firms that would provide minimum standards for the 'adequate protection' of employee data. KPMG issued its data privacy protection policy in April 2001 and it is legally binding on all firms, including its office in Bermuda.

"Binding corporate rules provide a method of compliance with the directive for large, multinational organisations, such as the association of entities that constitutes KPMG, for which individual employee consents or the use of standard contractual clauses are not feasible or practicable," KPMG said.

The firm noted that data protection authorities in non-EU countries would have to cooperate in the process of authorising the corporate rules on international data transfers.

Others weighing in with their support of the use of 'binding corporate rules' include the US Council for International Business and the International Chamber of Commerce.

Allowing the use of 'binding corporate rules' should greatly reduce the reservations Bermuda companies have about government implementing a tough data protection law, one that in my view would greatly benefit consumers.

However, the Bermuda government's consultation paper on data protection notes that before Bermuda makes a 'rush to introduce EU-style legislation' it should also consider any harm to the island's ability to attract non-EU businesses here aside from the cost factor.

'Indeed, Bermuda could even stand to gain from an environment where companies came here, with respect to transacting customer or employee data, to escape harsh data protection regimes in their base country,' the document states.

Now, that doesn't sound very consumer friendly to me, when countries and international organisations are attempting to come up with an international standard for data protection. The EU has taken a good shot at it and now realises the need for amendments.

Does Bermuda now want to set itself up as an anti-data protection haven?

Your comments please! But first read the submissions on the EU's new proposal on data protection and the submissions on 'binding corporate rules' at the EU's data protection site (http://europa.eu.int/comm/internal_market/privacy/index_en.htm).

****

E-mail your comments to Ahmed ElAmin at editor@offshoreon.com