Appropriate Data Protection Safeguards including BCRs As Required by EU

This is the abstract of an article on the Binding Corporate Rules, which is contained in the Kyung Hee Law Journal, Vol.40 No.2, published in December 2005.

In this Information Age, common awareness of data protection issues has grown significantly and, at the same time, might stymie burgeoning electronic commerce. In the European Union, the Data Protection Directive prevents the transfer of personal data to a third country that does not ensure an adequate level of data protection. To facilitate the free flow of data across borders, however, personal data may be transferred insofar as there are safeguards for the protection of privacy.

Articles 25 and 27 of the EU Directive provide for self-regulation, standard contracts, the safe harbor principles and the newly introduced code of conduct as data protection safeguards. In this regard, the EU Commission has urged multinational corporations to adopt binding corporate rules (BCRs) to further trans-border data flows around the globe.

For example, the model contracts for the transfer of personal data to third countries, as approved by the EU Data Protection Working Party, require a data exporter and a data importer to observe the data protection provisions and to warrant a third-party beneficiary clause. The data subject has the right of access to his or her own information and may demand the correction or deletion of incorrect information. He or she may resort to appropriate remedies and claim damages if his or her personal data have been infringed upon.

The safe harbor principles apply to the transfer of data between the United States and EU member states. They are based on private-sector self-regulation and are invoked by applying organizations when they report their voluntary observance of those principles to the U.S. Department of Commerce. But the participating organizations are limited in number, and financial companies, which would be the most eligible for the safe harbor principles, are excluded from that regime.

EU member states allow data flows conducted by multinationals when those flows are subject to BCRs. This means that the privacy policy of an individual company is extended to the whole group, and even to foreign affiliates established in a country with no appropriate data protection legislation. In other words, when a business group transferring personal data across EU countries commits to complying with the EU data protection provisions and to establishing a code of conduct containing appropriate remedies and redress for data subjects, the competent data protection authority may grant authorisation on the basis that the BCRs constitute the safeguards necessary for data protection, and that authorisation would be repeated almost automatically by the authorities of other member states. In legal terms, BCRs shall respect the EU data protection principles and comply with the relevant laws and regulations of member states.

Currently, multinationals such as Daimler-Chrysler, GE, Philips, and others have been implementing BCRs approved by the competent data protection authority when transferring personal data to third countries. An increasing number of U.S. financial institutions beyond the scope of the safe harbor principles are adopting BCRs for trans-border data flows.

Korean companies that frequently exchange personal data with foreign trading partners should assess the level of data protection in the foreign country. When they do personal data-related business with a partner in an EU country, Korean companies should carefully observe the appropriate safeguards, including BCRs, as required by the EU Directive.