Considering the fact that many Internet users have been dumping information about themselves onto the Web since the late 1990s, the recent stir about the way our private information is submitted, transmitted and stored has been a long time coming. The concern the average citizen had about this ongoing issue likely peaked when ex-NSA contractor Edward Snowden shined a light on the extent to which we’re under surveillance. And though the fallout from the Snowden leaks will no doubt impact the public psyche for decades to come, this event has also prompted the legal departments of large corporations to reevaluate their policies and procedures regarding private information.
For those organizations, the challenges related to private information don't end with the threat of government surveillance. There are trade secrets to protect, regulations such as the Health Insurance Portability and Accountability Act (HIPAA) to comply with, customer information to safeguard and no shortage of serious threats from both internal and external breach vectors. But perhaps the most befuddling challenges that face these organizations are the complications that arise when they must conduct legal processes in multiple jurisdictions with disparate privacy laws.
Comparing USApples to EUranges
The most often cited disparity between privacy laws is that between the United States and the European Union.
The U.S. maintains a number of sectoral standards but does not have an overarching private information protection law. The nation is instead protected by a patchwork of laws designed to protect vulnerable citizens and industries from the improper management of private information. HIPAA, for example, enforces the proper transmission and handling of private health information, and the Children's Online Privacy Protection Act (COPPA) protects against the unwarranted collection of private information on kids under the age of 13.
“The definition of personal information (in the EU) is any information that alone or in combination can serve to identify a living person, and then the privacy laws cover collection, use, storage, transfer, international transfer, destruction and the entire life cycle of any information about any person,” says Peter Lefkowitz, chief privacy officer and chief privacy and data protection counsel at General Electric Co. “The European construct places significant burdens on private actors collecting information, and there's more of a notion of a standard data protection regulator from the government, which would act as the overseer.”
From a corporate standpoint, the less explicit EU regulations can pose an issue for multinational corporations trying to achieve compliance.
“Europe applies very broad statements about handling personal data, and there is a lot of interpretation involved that makes it difficult to understand exactly what you can and cannot do,” Boesel says.
As a result of that interpretive responsibility, handling standard legal procedures from discovery to investigation can be tricky. Even routine information like salary reports, employee reviews and monitored conversations can be difficult to remove from nations with EU-like privacy standards.
“The biggest difference in terms of investigation is that in the U.S. there are no restrictions on cross-border transfers of personal data, but in the EU and other countries that have adopted EU-like privacy regimes there are restrictions on transfers,” says Philip L. Gordon, shareholder, Littler Mendelson and chair of the firm's Privacy and Data Protection Practice Group. “The first inclination is often going to be to move as much information as possible to the U.S. for the analysis. While that makes sense from the U.S. perspective, from the perspective of non-U.S. data protection laws, that's exactly the opposite approach from what should be taken.”
The overarching directive's rules concerning the transmission of data across borders are not the only issues that arise in the litigation and investigation process. Disparity of laws between member states means that expertise on the rule of law in a region is essential to conducting business there as well.
Lefkowitz says, “Where we and other companies encounter our issues is not just with the notion of whether we can transfer data. There's also sensitivity of whether or not we’re doing things properly according to the law of the specific jurisdiction.”
International diplomacy and boardroom strategy
There are countless examples that illustrate how differences between U.S. and EU-style privacy law could pose headaches for internationally operating organizations. As a general rule, private data compliance starts with having legal teams and privacy officers that not only have access to experts with a deep understanding of regional privacy issues but, increasingly, maintain a high level of technology literacy and policy knowledge themselves.
“The role of the privacy officer is changing; it's important for them to bridge the gap between regulators and legislators who are steeped in privacy talk and technologists and commercial people who are coming up with new technologies,” Lefkowitz says. “Past that, it's important for companies to think of privacy not just in terms of data transfer and where data can be stored, but as a broader set of controls of collection, use and transfer of information.”
“From a broad perspective, you need to become knowledgeable about the legal requirements and be reasonable in your expectations of how to address those requirements,” adds Boesel. “Reading a few articles is not going to be sufficient to form and defend an opinion. You want to understand your legal requirements and be able to work with your client or team to appropriately incorporate those requirements into the contract or project.”
Tactically, says Lefkowitz, systems involving the transfer of data should go through a regimented review process that involves not only legal, but also IT and security. Lefkowitz says that, where possible, review should be able to confirm three things: “a) you have a secure system, b) you’re collecting the right kinds of information, c) that there are the proper controls around the use, storage, retention and transfer of information.”