Feb. 26, 2002
Transfer of Personal Data to the U.S. May Violate EU Directive
Focus Column - By Chris Kelly - Without realizing it, American companies expose themselves to significant liability risks just by doing business in Europe and sharing personal information with the home office.
Whether it is human-resources data on compensation, stock-plan information, benefit data on employees in European countries or customer relationship management system data collected in Europe, the transfer to and processing of this information in the United States often violates individual countries' implementation of the 1995 EC Data Protection Directive.
In some EU countries, the data-protection laws even sweep in data solely about businesses (i.e., without any individually identifiable contact information), making its transfer to the United States risky as well.
Technically, the problem is not with the transfer to the United States per se, but with the transfer to a jurisdiction where data-protection law is not "adequate," meaning, roughly speaking, on par with the protection given under the law of EU member states.
Forbidding most nonpermissioned data transfer to the United States reflects a common European view that the United States is a Wild West of data. To date, only Hungary, Switzerland and Canada (once its privacy laws are fully implemented) have been blessed by the EC Commission as having laws that meet the adequate-protection standard.
The possibility of enforcement action has loomed since the Data Protection Directive's effectiveness date in 1998, but data-protection authorities in EU countries started taking real action against corporations in 2001. For instance, Spanish data-protection authorities last year fined Microsoft roughly $60,000 for improperly transferring personal data to the United States.
Europe's decision to set firm, enforceable rules about the collection and processing of personal information that is usually freely given and is essential to the normal course of commerce is driven by a belief that government must set basic standards for the protection of privacy.
This belief stems from both history and fundamental political perspective, as people in Europe view the right to control data collected and used about a person as fundamental to human dignity.
Here in the United States, on the other hand, we have had a history of fearing that government action will improperly stifle the free flow of information, reflected most notably in the First Amendment, and have leaned on private-sector protections and social norms to address the human desire for privacy.
Thus, an all-encompassing approach to data protection governs across Europe, while in the United States, a patchwork quilt of legislation covers privacy protection.
There is much more privacy legislation in the United States than people realize, with the ever-present possibility of Federal Trade Commission action for breaches of privacy policies. Specific legislation also governs in the financial and health care areas, and piecemeal statutes like the Video Privacy Protection Act and the Cable Communications Privacy Act protect privacy as well, not to mention the possibility of state tort and constitutional actions for the invasion of privacy. But in the United States, there is no background presumption that all collection, exchange and processing of personal data is restricted by existing law.
Perhaps the easiest way to illustrate this difference is to note that for many EU countries, notification of the data-protection authorities that you are establishing a database containing personal information is required. Failure to do so can be a criminal act.
Imagine business in the United States if every database had to be registered with federal or state officials, and the FBI or state police could arrest you if you failed to do so. As foreign as the concepts of registration and government supervision of personal data processing might seem, they are the reality in Europe.
The principles that drive this regime need to be understood to prepare for the costs involved in implementing a proper risk-management strategy so that businesses avoid the shock of data-protection authorities knocking on their door.
The directive and individual country laws implementing it set out these principles - colloquially captured under the term "Fair Information Practices":
Companies should process data fairly and lawfully.
Companies should gather data for specified purposes and use it accordingly. The purpose of the processing should be explicit and legitimate.
Data gathered should be adequate, relevant and not excessive in relation to the purpose for which it is processed.
Data should be accurate and, where necessary, kept up to date. Data controllers must take any reasonable step to ensure the rectification or erasure of inaccurate data.
Finally, companies should keep data in a form that permits identification of individuals for no longer than it is necessary.
The directive defines data processing as appropriate in certain situations. In the parlance, these pre-approved circumstances are called "derogations" and include situations where:
There is unambiguous consent (in other words, click-through notice on a Web site is unlikely to pass muster).
Collection is necessary to perform a contract requested by the data subject.
The law requires collection.
Collection and processing are necessary to protect a vital interest of the data subject.
Collection and processing are necessary to perform tasks in the public interest.
A general balancing between the legitimate interest of the processor and the protection of the fundamental rights of the data subject, particularly privacy, favors the processor.
Because both the proscriptions and the derogations are ambiguous, a huge pall of uncertainty exists over the collection and use of personal data from European individuals and businesses. In practice, businesses can hope that the contractual necessity and balancing derogations will protect them, but the often-aggressive rhetoric of individual country data-protection authorities indicates that they will narrowly interpret the derogations.
So how do U.S. corporations properly manage the likelihood that they are, at least technically, violating the law? How do they get on better footing? The only sure way to ensure compliance with a local law is to avoid transfer to the United States and to require all employees to follow the local registration and processing requirements.
Realizing that this is an impractical regime, the EC Commission has been working with the United States to establish more certain options for the operation of normal business.
The first is registration under a "safe harbor" regime negotiated in 2000 between the United States and the EC Commission. The safe-harbor agreement prods U.S. companies to set their privacy efforts on an equivalent footing with their European counterparts. It requires adherence to seven principles that essentially reflect fair information practices: notice (usually an adopted and disseminated privacy policy), choice, restriction of onward transfer, security, data integrity, access and enforcement - and registration of a pledge to abide by these principles with the Department of Commerce.
Another approach is to use certain model language developed by the EU Advisory Body on Data Protection and Privacy, a group established pursuant to the original directive, for every contract involving data transfer. These clauses are newly developed, although they have recently received EC Commission approval.
Still another way to comply is to assure that there is a clear derogation noted for every collection and use of data (usually consent). But this has its own difficulties of assuring compliance with corporate policy.
Other compliance means are being developed, such as a worldwide corporate privacy policy likely to be found adequate by the various EU member states. But at this point, the safe-harbor, model-contract and derogation-based (usually consent-based) options are the only ones formally recognized as complying with the requirements of the member states' laws.
The data strategy for clients, then, should be to examine the safe-harbor agreement, the model-contract approach and the derogation-based possibilities with experienced counsel, and to determine the one that works best with the state of their operation.
For safe harbor, there are risks of certifying too early, before the company's compliance mechanism is in place, which could lead to government action and unfortunate publicity should officials discover a breach of the certification.
Model contracts may pose too much of a challenge to traditional ways of doing business. And the derogations all carry the risk of narrow interpretation by the individual country data-protection authorities.
Despite the awakening giant of enforcement, there may be some signs that the data-protection authorities are softening slightly - recent changes to Italy's laws abolished the option of imprisonment for failure to register a database.
In all seriousness, though, the time when failure to plan for data-protection and privacy challenges was excusable has passed. EU enforcement actions are now a reality. The smart business needs to ready itself to deal with privacy challenges as a matter of business necessity.
Chris Kelly is of counsel to Baker & McKenzie. Until August 2001, he served as the chief privacy officer at Excite@Home.