Privacy Laws and Business International Report

How EDS tackles transborder data flows [1999] PLBIRp 5; (1999) 47 Privacy Laws and Business International Report 7

EDS tackles transborder flows with inter-company agreements

HAVING THE RESPONSIBILITY to secure compliance with the transborder data flow provisions of the EU Data Protection Directive, companies have started to make arrangements. EDS, a US-based multi-national in the field of information technology services, has launched its own global data protection programme.

It was necessary for EDS (Electronic Data Systems) to take action to address the requirements of the EU Data Protection Directive, as the company's business involves, from time to time, the transfer of personal data between countries within and outside of the European Economic Area. This data may be EDS' own or data of a customer for which EDS is serving as processor.

The company, which has its headquarters in the United States, employs more than 120,000 people and operates globally. To avoid disruptions to business, data transfers need to continue without interruption, but in compliance with legally mandated data protection requirements. The challenge is significant in view of the fact that countries where the company operates vary from those having comprehensive data protection laws to those having few or, in some cases, no data protection laws.

The company decided to adopt a global data protection programme consisting of internal data handling procedures and requirements which would, in turn, enable transfers in accordance with the EU directive.

Geofrey L. Master, EDS' General Counsel - International, who addressed the Privacy Laws & Business workshop in London on 19th November, said that this method was chosen largely because the company saw no practical alternative if it desired to continue operating globally. Specifically, while the company embraces the use of Privacy Enhancing Technologies (PETs), no set of technological tools alone would ever assure compliance in the context of the dynamic operations of EDS and its customers. Consequently, the company's approach, on a relatively simplistic level, was to follow the EU directive as if EDS were a country implementing the directive in a manner to set comprehensive standards for the company's handling of personal data. The arrangement consists of a global inter-company agreement among EDS entities, backed by a comprehensive code of practice and guidelines.

GLOBALLY APPLICABLE INTERNAL RULES

EDS' aim was to create a set of globally applicable rules on data handling to which each individual EDS company would agree. The basis of this scheme is the inter-company agreement, which is tailored to the specific context and operational requirements of EDS. This relatively static document establishes the basic data protection rules and principles under which EDS now operates. In order to support the agreement, the company has also developed a comprehensive code of practice which provides practical guidance as well as necessary local tailoring of the requirements. Furthermore, sector- or practice-specific codes of practice guidelines have been, and will be, developed to give guidance on particular topics, for example, in the areas of human resources and electronic commerce.

DISTINCTIONS BETWEEN CONTROLLER AND PROCESSOR REQUIREMENTS

One of the main features of the programme is its fundamental respect for the clear distinction between controller and processor roles. For example, this distinction applies with respect to data transfers, and defines the requirements applicable to any specific transfer depending on the type of transfer and the controller or processor status of the transferee and the transferor. The inter-company agreement requires transfers among EDS companies to be confidential and secure. In the case of transfers from an EDS data controller to "another" controller, EDS requires compliance with its data handling requirements.

When transferring data to an outside processor, the company requires a written agreement detailing the processing to be undertaken and compliance with security and confidentiality requirements. Provided the transfer meets these requirements, data transfers crossing national borders are subject to the further restriction that they must fall within one of the following categories:

1. Transfers to countries within the European Economic Area

2. Transfers to another EDS company (which has subscribed to the EDS Global Data Protection Programme), or

3. Other transfers which are specifically allowed.

CAN GOOD COMPLIANCE BE ENSURED?

EDS appreciates that its global data protection programme requires actual and demonstrable compliance with the data handling rules. This will be promoted through a variety of mechanisms, notably a network of national and/or local data protection officers, who will be involved in national and/or local implementation, training and complaint investigation and reporting.

"It is still unclear the extent to which a third party element in this area would be appropriate or helpful in promoting compliance," Geof said. "However, the programme reserves flexibility to further address such needs as they may arise."

The company aims to invest in training to make sure that national and/or local data protection officers interpret the internal rules in a legally appropriate manner and consistent with the overall programme, regardless of the country or region that the officer represents. The company has also appointed a full-time Global Data Protection Officer who will oversee the effort, and work closely with the operations and legal staff of the various companies in the different countries.

Interestingly, Geof said that the focus of the company has not been on the specific cost involved in setting up the data protection programme - it just had to be done. "The effort has, right from the beginning, been largely undertaken in-house by EDS employees involved with the day-to-day running of the business," he said.

"In many respects it was an easier sell to top-management than I expected. Many of the requirements are really good business practices which were largely in place anyway," he said. "I was also fortunate to find a strong corporate commitment to a global perspective, and an acceptance that such a commitment carries certain obligations."

The programme is still in its early stages. It will progress according to carefully set priorities and in the light of emerging national and international guidelines and legislation.

This report is based on Geofrey L. Master's presentation at the PL&B workshop in London on 19th November. For more information, contact Privacy Laws & Business, Tel: + 44 (0)181 423 1300.


URL: http://www.worldlii.org/int/journals/PLBIRp/1999/5.html