Global Outsourcing and Legal Compliance
Over the past twenty years, the outsourcing of business functions by U.S. companies has evolved from a revolutionary business idea to a key model business strategy. While global outsourcing provides a number of benefits for companies struggling to manage costs and to streamline operations, it also produces new risks that companies have not previously had to address. Companies that outsource core business functions must now rely upon third party service providers (TPSPs) to maintain the security of the data that they have transferred as a part of the outsourced functions. In addition to data security, outsourcing companies must also depend upon TPSPs for legal compliance with applicable state and federal privacy and data protection laws and regulations. When the data is located overseas, the host country’s privacy and data protections laws must be added to the legal compliance burden.
Legal compliance is not a subject that is likely to produce an adrenalin rush among business executives. Small business executives in particular tend to believe they're better protected than they really are, because unlike larger organizations, they don't have in-house experts to advise them on what else they should be doing beyond locking up their storefronts. Further, they find it difficult to commit the resources required to thoroughly address legal compliance and data security issues. All too frequently, it isn’t until an infraction occurs that management realizes that compliance gaps exist.
Outsourcing business functions often necessitates the transfer of personal data belonging to employees or customers of the business both into and out of the U.S. The law of the country of residence of the individual whose data is being transferred will dictate the protections governing that transfer. Laws governing data privacy vary widely around the world. Consider, for example, the European Union (EU). The EU’s Privacy Directive provides data privacy protection to individuals residing in member states by requiring companies operating within those states to comply with the EU’s very strict privacy standards before transferring any data to a company in another country. The “data exporter” must determine that the country of the “data importer” provides “adequate protection” to individuals’ personal data consistent with the protection mandated by the EU’s Privacy Directive. Failure to comply can result in hefty fines imposed against the offending company. Few countries have received the “adequate protection” designation, although US companies that have obtained a Safe Harbor designation from the US Department of Commerce are considered to provide adequate protection. Additionally, in December, 2004, the European Commission recognized as “adequate” a second set of model contractual clauses that were proposed by a group of seven business associations. This set is considered to be an important additional tool for businesses which are faced with complying with the stringent EU privacy standards.
In contrast, the privacy laws of Japan have similarities to both the US privacy protection scheme (opt-out) and the EU privacy protection scheme (opt-in), as noted in a recent article for this newsletter by Joe Dehner. “Affiliates of companies are considered third parties. Thus, if a Japanese subsidiary of a UScompany wants to send home addresses of Japanese employees to the USparent (so that holiday cards might be sent from the USCEO), this requires advance permission of the Japanese individuals. The originating business, under several ministry regimes, will remain accountable for what third parties do with the data. As a result, the sending business must obtain assurances from third parties regarding proper use and restrictions regarding the data to be shared.”
Thus, it is important for US companies considering global outsourcing to give serious consideration to the legal compliance requirements triggered by outsourcing business operations to locations outside the U.S. In addition to the US legal restrictions on transborder data-flow imposed by HIPAA and Gramm-Leach Bliley, personal information is entitled to differing levels of protection depending on the country of residence of the individual, and a failure to abide by the applicable laws can result in sizeable fines. Delegating these responsibilities to the TPSP by contract is a first step, and an enforceable indemnification provision is essential. But legal compliance and liability cannot be outsourced. It is also incumbent upon the outsourcing company to be diligent in evaluating the TPSP's performance history, security plan and policy, and project success rates. Effective due diligence conducted during the contract negotiations will provide the outsourcing company with the information necessary to allow it to evaluate the extent of legal compliance oversight necessary once the contract has been executed.