Data Privacy Protection Laws Pose Challenges For Trans-Atlantic Data Transfer
Compliance by U.S. multinational companies with the data protection and e-discovery laws, rules and regulations in both the U.S. and other international jurisdictions can pose significant challenges. While the laws do not impose conflicting requirements, the differences in the approach to data privacy protection between U.S. laws and those of the EU and its member states and the complexities of their requirements demand a comprehensive team approach to compliance.
The U.S. federal and state laws take a patchwork approach to personal data protection, with a myriad of data privacy requirements based upon industry. There is, however, no comprehensive data privacy protection law. Nor are there special requirements for the transfer of personal data, cross-border or otherwise, as long as the “sharing” has been disclosed to the consumer, or is within the exceptions provided for by applicable law.
More than 35 states have enacted data breach notification and security freeze laws, with many variations on the method and timing of notification among them. To date, the U.S. Congress has not been able to agree upon a uniform approach for data breach notification and security freeze rights. Amendments to the Federal Rules of Civil Procedure that became effective in December, 2006 have underscored the importance of electronic discovery, so that corporate counsel must be concerned with the risks and potential sanctions that could result from non-compliance with a discovery order.
Companies that collect and process their own employee or customer data in the U.S. when that data resides in a European Union member country are presented with even greater challenges. The EU Data Protection Directive, as well as the data protection laws of the country of the data subjects’ residence, impose broader data privacy requirements on companies. In addition to the U.S. laws, such companies must be cognizant of the laws of the jurisdiction where the data to be processed resides. The aim of the Directive is to ensure that each member state imposes a similar level of protection of data, so that data can be transferred freely within the EU subject to the same security standards in the country of receipt as it is in the country of transfer.
The EU member states that were formerly under the control of fascist regimes during World War II are particularly keen on avoiding the abuses of individual privacy rights that occurred during that period. Thus, the Data Protection Authorities of France, Spain, Germany and Italy are very active in their enforcement efforts, conducting costly investigations, and levying monetary sanctions and fines against violators of their laws. On April 12, 2007, the French DPA, CNIL, announced the imposition of a fine of €30,000 against Tyco Healthcare France Corporation for non-cooperation and for providing CNIL with erroneous information. To date, the CNIL has imposed 16 monetary sanctions, ranging from €300 to €60,000, issued 170 summons, 11 orders to cease or amend processing practices, and 15 warnings. This equals a 200% increase in activity since 2006. In July, 2007, Spain’s Supreme Court confirmed its DPA’s largest ever fine in the amount of €1,081,822 against Zeppelin Television, S.A. Additionally, for the first time Spain’s DPA has conducted a data privacy audit outside of Spain, in Colombia, where Spanish citizens’ personal data is being processed. In addition, the EU’s Data Privacy Commission has been active in enforcing the requirements of the Privacy Directive on its member countries.
Earlier this year, an independent EU panel launched an investigation into whether U.S.-based Google Inc.'s Internet search engine abides by European Union privacy rules. The panel convinced Google to clear its user data of information that could be used to identify the user once the data has existed for 18 months. Google accurately noted, however, that governments and businesses are obliged to retain information, and it is difficult to operate a global Internet service according to different privacy standards in different countries.
The same observation can be made as to many other types of businesses as well. The complexities and risks associated with privacy laws have never been greater, and require vigilant monitoring by counsel and data security officers. One of the EU Directive principles requires that personal data be transferred cross-border only if the country of receipt provides “adequate protection.” Various options are available to companies to address the requirements of the EU Privacy Directive. Model contractual clauses have been approved by the EU, for inclusion in contracts between companies and their service providers. For companies with employees or customers in multiple European jurisdictions, adoption of Binding Corporate Rules that address all of the EU Directive requirements has also been deemed acceptable by the EU, provided that the BCR have been approved by the EU Data Privacy Commission and the applicable country’s DPA. The EU DPAs are also working on uniform BCRs, so that it would be unnecessary to obtain approval from each EU member state. Finally, certification within the U.S.-EU Safe Harbor Framework provides protection against challenges of non-compliance with the EU Directive. More information on Safe Harbor certification, including a list of the more than 1300 U.S. companies who have joined the Safe Harbor Framework, can be found at http://www.export.gov/safeharbor/. Adopting one of the suggested methods to meet the “adequate protection” principle will permit multinational companies with European operations to truly operate without borders with respect to the personal data of their employees and customers.