ICC Commission on E-Business, IT and Telecoms (EBITT) 

Task Forces

Task Force on Privacy and the Protection of Personal Data

Chair - Christopher Kuner (Hunton & Williams, Belgium)

Data Protection and Privacy

In today's digital and interconnected world, businesses need to move and process information across locations and networks to serve their global customers in faster, more efficient and cost-effective ways. Members of this task force are kept up to date on data protection developments around the world that affect their businesses in areas such as international data transfer, RFID, whistleblower hotlines, and human resources data. This task force works to streamline processes and save companies money by developing standardized, practical tools.

Tools for Business

• Binding Corporate Rules for the Transfer of Personal Data outside EU 
• Basel II Initiative by the Bank for International Settlements (BIS) 
• Privacy Toolkit 

Policy Statements

• ICC Policy Statement on Spam and Unsolicited Commercial Electronic Messages
• ICC Policy Statement on Employee Privacy, Data Protection and Human Resources 

Other topics

• French Data Protection Authority (CNIL) guidelines on anonymous hotlines – ICC input in English and in French 
• Data Protection Issues related to RFID technology – EU Article 29 Working Party

1. Joint response by ICC, EICTA, ICRT and JBCE

EU Standard Contractual Clauses for the Transfer of Personal Data

In a move to standardize and speed up transfers of international data worldwide, ICC, in conjunction with other business organizations, has worked with the European Commission to establish standard contractual clauses for international transfers of data. On 27 December 2004, the European Commission approved standard contractual clauses for the transfer of personal data from EU to non-EU countries proposed by seven international business associations, judging them as offering an “adequate level of data protection" under the EU's strict data protection laws. The most recent proposal by business covers flows of personal data from the EU to non-EU countries between data controllers and data processors.

Related documents:

• Proposed Amendments to Standard Contractual Clauses for the Transfer of Personal Data from the EU to Third Countries (data controller to data processor transfers)
• Minutes of 4 July 2008 discussion between ICC and the EU Commission on EU Standard Contract Clauses for the Transfer of Personal Data from the EU to Third Countries (data controller to data processor transfers) 
  Final Approved Version of Alternative Standard Contractual Clauses for the Transfer of Personal Data from the EU to Third Countries (controller to controller transfers)
• European Union approves clauses for international data transfers: joint associations' press release, EU press release  

Return to top

Binding Corporate Rules for the Transfer of Personal Data outside EU

The EU Data Protection Directive 95/46/EC allows personal data to be transferred outside the EU only when the transfer provides an “adequate level of protection” for the data. Binding corporate rules (BCRs) – corporate codes which contain measures to ensure data protection in transfers from one country within the EU to a country outside it – are one of the ways in which such an “adequate level of protection” may be demonstrated. Until ICC introduced its standard application, companies had to submit different application forms to each EU member state when asking data protection authorities to approve their BCRs. ICC’s initiative to help businesses demonstrate their compliance and standardize the process for transferring data internationally from any EU country is now the foundation of the form adopted by all European data protection authorities.

Related documents:

• Standard application for approval of binding corporate rules for the transfer of personal data outside EU    
• ICC report on binding corporate rules for international transfers of personal data 

Available in English, French and Arabic. The Arabic translation was provided courtesy of Abu-Ghazaleh Translation, Distribution and Publishing.

Return to top

Basel II initiative of the Bank for International Settlements (BIS)

Basel II requires banks to collect and exchange huge amounts of data, including customer data falling under data protection legislation. To find out more and collect facts on the problems that banks experience in the field of Basel II and data protection, ICC developed a questionnaire.

Related documents:

• Introduction to ICC work on Basel II and questionnaire  
• Answers to ICC fact-finding questionnaire Basel II and data protection 

Return to top

Privacy Toolkit 

Effective and appropriate privacy protection is a business enabler, not a barrier. It is a way to ensure consumer confidence and trust, and an enabler of lasting and fruitful customer relationships. Global business supports the use of a wide range of privacy enabling measures, and recognizes that there is no ‘one size fits all’ approach to privacy protection. This Toolkit sets out the business context for privacy protection and describes the characteristics and benefits of optimal privacy protection regimes.

ICC advocates consensus on principles for the use of personal data, and flexibility on the many mechanisms that can be used to apply these principles and ensure compliance. This Toolkit points out the potential adverse effects of relying too heavily on overly burdensome and legislation-centered approaches to privacy protection. It concludes with a set of action items for governments to promote appropriate and effective privacy protection regimes.

Related documents:

• Privacy Toolkit  

Return to top 

For more information please contact:

Elizabeth Thomas-Raynaud

Policy Manager 

Tel: +33 1 49 53 28 07

Fax: +33 1 49 53 28 59

Email: Click here to send an email  

Back to EBITT Commission page