One of the more troubling issues that globalization has inadvertently imposed on organizations is compliance with a complex set of international data protection and privacy laws. Such laws present an enigmatic and novel challenge to American companies, which enjoy fewer domestic restraints on collecting and storing the personal data of employees and consumers. The ability of organizations to solve this cross-border data protection puzzle through careful and proactive information governance could be the difference between seizing and losing business opportunities. This article discusses a variety of such laws that may affect U.S. organizations and offers some best practices for solving these conundrums.
Cross-border data protection and privacy laws
Data protection and privacy laws are not foreign concepts to American corporations. Contrary to popular belief, laws do exist in the U.S. to help protect certain personal and financial information from unauthorized disclosure. At the federal level, the Gramm-Leach-Bliley Act (GLBA) requires certain financial institutions to implement appropriate safeguards to protect consumers’ confidential information. Similarly, the Health Insurance Portability and Accountability Act provides “federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information.”
At the state level, California has implemented an analogue to the GLBA, which restricts financial institutions from sharing or selling “nonpublic personal information” about a consumer without first obtaining her consent. Moreover, a majority of states have enacted breach notification laws, which require organizations to notify consumers when their personal information is compromised.
Data protection in Europe
Despite the existence of these and other privacy laws, the approach to data protection in the U.S. is mostly patchwork and is outmatched by the comprehensive approach of other regions. Take, for example, the European Union’s (EU) data protection regime. That system presents unique information governance challenges to even the most sophisticated organizations.
Developed to address the abuses of 20th century fascism and communism, the EU system emphasizes the importance of securing personal information from unreasonable government and corporate intrusions. To guard against such intrusions, the EU member states have enacted laws that curtail unlimited processing, collection and storage of this data. Those laws prevent organizations from processing personal information unless it is done for a lawful purpose and it is not excessive. Furthermore, personal data may not be maintained longer than is necessary and must be properly secured. To safeguard the privacy rights of individuals, “personal information” is broadly construed to include any information that could be used to identify a person, such as the details accompanying an email. Moreover, the collection of sensitive personal data such as race, ethnicity, political beliefs and the like are generally proscribed unless the data subject gives consent.
Beyond these basic data protection principles, certain countries in Europe provide additional safeguards. In Germany, for instance, state governments have implemented their own data privacy provisions that are exclusive of and, in the case of Schleswig-Holstein, more exacting than the federal protection framework. Furthermore, corporate data processing in Germany and certain other European nations must satisfy company works councils, which represent the interests of employees and protect their privacy rights.
The treatment of personal information in litigation
Another area of complexity facing organizations with respect to the governance of personal information concerns the treatment of that data in European and cross-border litigation. In domestic European litigation, personal data could be subject to discovery if it supports the claims of the parties or a court requires its disclosure. That could place an organization in the difficult position of having to produce personal data that may very well be protected by privacy laws. While legal exceptions do exist for these situations, the person whose data is subject to disclosure may nonetheless seek to prevent its dissemination on privacy grounds. Furthermore, company works councils and data protection officers may also object to these disclosures.
Additional difficulty may arise when addressing international discovery requests that seek personal information. Enterprises whose European offices receive such requests must ensure that the country where the data will be transferred has enacted laws that meet EU data protection standards. Transfers of personal data to countries that do not meet those standards are generally proscribed, with fines and jail time imposed for non-compliance.
Certain countries have more stringent rules regarding proposed transfers of personal information. In Italy, for example, personal data transfers are typically prohibited unless the data subject consents or the transfer is authorized by the Italian data protection authority (Garante per la protezione dei dati personali). In France, such transfers must satisfy the rules promulgated by the French data protection authority, La Commission Nationale de l’Informatique et des Libertès (CNIL). Those rules require that the CNIL and the data subjects be notified regarding the proposed data transfer. In addition, disclosures must be limited to relevant information, with appropriate redactions of data that could identify the subjects.
Despite these and others restrictions imposed by EU data protection authorities, U.S. courts often compel organizations to produce personal information without regard to these laws. Acquiescence with a U.S. court order could invite fines and even imprisonment in Europe for violating data protection laws. Yet noncompliance with that order could result in U.S. court sanctions. This scenario presents a difficult dilemma for enterprises stuck in the middle of a cross-border tug-of-war.
Using information governance to solve the data protection conundrum
Given the complexity of these cross-border data protection rules, organizations should consider developing an information governance strategy to effectively address these issues. Such an approach will typically require that the data management principals, legal and IT, work together on the myriad of legal and logistical issues surrounding information retention. This includes developing a protocol for processing and storing electronic data. As part of that protocol, legal and IT should consider how to address data preservation and production during litigation. Works councils and data protection officers may also need to be involved to help ensure that the organization observes data protection laws and safeguards privacy rights.
An effective governance strategy should also incorporate effective, enabling technologies. Archiving software, data loss prevention functionality and e-discovery tools are all examples of technologies that together provide the means to protect personal information processed in connection with an organization's information governance strategy.
Finally, enterprises should consider retaining legal counsel to provide informed and targeted advice in response to specific legal questions.
Organizations that follow these steps will be better prepared for the challenges of addressing cross-border data protection traps that are inextricably intertwined with globalization.