
Privacy Laws and Business International Report


International businesses to produce a global privacy code [2000] PLBIRp 3; (2000) 52 Privacy Laws and Business International Report 3

International businesses to produce a global privacy code

A GLOBAL CODE OF CONDUCT has been drafted in order to help organisations understand the provisions of the EU Data Protection Directive. The work, carried out by the International Commerce Exchange, will now be submitted for approval to the EU Data Protection Authorities.

The first version of the code of conduct, launched on 15th December 1999, provides an insight into the code, which is intended to be a practical guide on what organisations ought to do to comply with the new data protection rules. The draft is the result of intensive discussions between the members of the drafting team, which includes organisations across Europe such as Shell Services International, The UK Post Office, Telecom Italia and Galileo Consulting. The organisations behind the code have aimed at interpreting the EU Data Protection Directive in a pragmatic way which fits in with the requirements of international business.

A GLOBAL APPROACH

The code’s objective is to provide a consistent global approach to interpreting the directive’s provisions. While comprehensive, the code does not try to give advice on how the various national laws implementing the EU directive ought to be interpreted. (This would not, in any case, have been possible, since some national laws are still being drafted; see p. 5.) The 50-page code is, however, supplemented by reviews of some of the national laws that have been adopted. Included are reports on Austria, Belgium, Germany, Greece, Luxembourg, the Netherlands, Portugal, Spain and the United Kingdom. This section of the code will be amended when further information becomes available.

CODE SUITED TO ALL SIZES OF ORGANISATIONS

The International Commerce Exchange (ICX) has drafted the code to be applicable to any organisation. It also relates to the processing of all types of personal data, whether in automated or manual form. As the code is general, it does not address sectoral issues such as direct marketing or health care. These issues may have to be dealt with by specific codes.

The code is divided into fourteen chapters, which address every article of the directive. Some of the issues are dealt with in general terms. On topics that will vary a great deal from one EU country to another, such as notification, anything else would probably have been impossible.

However, the code suggests some practical steps that are common to all organisations regardless of where they are established. With regard to notification, for example, organisations are advised to appoint a compliance officer to deal with notification and any further amendments.

INTERNET ISSUES ALSO DEALT WITH

The code does not only address the articles of the directive, but also looks into related issues. One of them is the use of the Internet. Protection of personal data on websites should form part of organisations’ compliance programmes, as the directive’s provisions apply to the Internet as well. The code gives an idea, for example, of how to draft a privacy statement and how to deal with e-mail in a privacy-friendly way.

Many other practical suggestions are given, for example on drafting an e-mail policy, which could be incorporated in employment contracts. The code puts much emphasis on conducting both internal and external audits, which should be carried out annually. In those EU Member States where accredited certification schemes exist, organisations may find it useful to be able to demonstrate their compliance in this way to clients and trading partners.

TRANSBORDER FLOWS OF DATA

One of the main reasons behind drafting the code was to seek a solution to the directive’s requirement of adequate protection for data transfers to countries outside the EU. ICX has produced a specimen contract for the transfer of information to third countries. It requires data importers in third countries to agree to process personal data in accordance with the national data protection law of the exporter’s country. Importers would also have to agree to allow auditors of the data exporter to inspect their data processing. The exporter would own the data even after the transfer. The more general advice on transborder flows explains in a clear manner the other situations in which personal data may be transferred to third countries.

SUPPORT FROM HOLLAND AND THE UK

Both Peter Hustinx, President of the Netherlands’ Data Protection Authority and Chairman of the EU Data Protection Working Party, and Francis Aldhouse, UK Deputy Data Protection Registrar, praised the code at the launch event in The Hague in December. They were willing to take the code further and have it discussed at a meeting of the EU Working Party, which consists of the EU Data Protection Authorities. ICX hopes that the code may later be adopted as an international standard. The next steps, however, are to have the code finalised by the end of March and to make it available to others. Once the code is in the public domain, ICX recommends that organisations interested in using it should write a managers’ handbook advising data protection officers on how to implement the code. Shell Services International, the sponsor behind the work done so far, is currently working on its handbook. It will specifically address the data protection questions within Shell, but some material will be useful to other organisations, too.

THE SHELL EXPERIENCE

Shell estimates that the work on the code of conduct, combined with preparing a training and awareness programme, will cost several million US dollars. While the drafting work has been done very quickly, in six months, the implementation of the code within Shell may well take at least a year. Part of the implementation process is internal training. The code itself suggests that a training programme should include general training, for instance at induction; more detailed training for those dealing with specific data protection issues; presentations; and the use of a company Intranet or bulletin boards.

ICX is a non-profit-making organisation. Membership fees for corporate members depend on annual turnover. The organisation promotes secure electronic commerce on open networks. ICX will be organising a seminar in each EU and EEA country to inform organisations about the code of conduct. In addition, ICX and CEN/ISSS (the European Committee for Standardisation and the Information Society Standardisation System) will organise a seminar in Brussels in order to discuss and agree on possible standards in this area. The provisional dates are 23-24th March. More information and details of how to register will be available on the ICX website. For more information about ICX, see http://www.icx.org, or contact the ICX Secretariat at 81 Chiltley Way, Liphook, Hampshire, GU30 7HE, United Kingdom.

Tel: + 44 (0) 1428 722 909

Fax: + 44 (0) 1428 725 499

e-mail: info@icx.org.
