Monday, April 13, 2009

What Should You Know About International Data Privacy Protection Laws?

In 1995, the European Commission issued its Directive on Data Protection, directing all member states to adopt laws consistent with the Directive. The goal is to protect private, personal identity data [1]. Article 25 specifically prohibits transfer of personal data to non-EU nations (such as the U.S.) that the EU believes do not adequately protect such information.

These laws are very broad. The UK’s Information Commissioner’s Office describes the UK act as applicable to everyone “unless you are an individual holding personal information for your own domestic use, e.g. an address book.” In other words, personal data may not be processed unless it fits in one of the express exceptions [2]. The EU member laws differ substantially from U.S. laws.

The Risks
The risk to American organizations is that they can inadvertently violate these laws through their online activities [3] and thereby become liable to actions by governments and organizations in other countries.

Violations need not be intentional. The mere act of “exporting” personal information from an EU country to a non-EU country—even if within the same organization or family of companies—creates a risk of legal action. Under some interpretations of Canadian and EU laws, for example, an "export" occurs when a person "sees" data on a local computer via a web conference--even a technical support session!--because the data was "made available" to a third person in a non-EU country. A California firm's newsletter, "60 Seconds of Privacy," lists some examples of American businesses who have been charged with data protection violations. You may recall the stand-off in 2007 over the U.S. government’s demand for passenger data on all in-bound flights from outside the U.S. The conflict between the U.S. laws and the EU Data Privacy Act almost caused a complete cancellation of all flights from the EU to the U.S. before an EU-USA agreement on passenger name records resolved the issue.
Exports happen and can happen to you. If you have personal information about anyone—employees, customers, website visitors, etc.—in a database that is not under your control on your premises, you need to know where that data is, including all backups and mirror sites. If your web pages collect personal data on visitors who unintentionally leave such data without an adequate privacy notice AND without specific actions on your part to prevent unlawful disclosure of that data, you may be at risk of legal action by the European Commission or data protection authorities in any of the EU member countries. If any of the personal data belongs to an EU citizen, regardless of how you obtained it, it is protected.

A relatively new risk, so called “cloud computing,” can mean private data is moved across international lines even if only as a back-up or redundant “mirror” site. (The Privacy Law Blog also has a good post that expands on this risk.) Showing data in or sending a database of personal data to a non-EU country, whether for technical support or a legitimate business purpose, can also cause a violation. And clearly, doing business with any European organization, even the subsidiary of a non-EU organization, can open the door to this risk.

The "Safe Harbor" Solution
In order to bridge these different privacy approaches and provide a streamlined means for U.S. organizations to comply with the EU Directive, the U.S. Department of Commerce in consultation with the European Commission developed a "Safe Harbor" framework ( Registration is easy and compliance is uncomplicated. It also makes a huge difference. Participation in and compliance with the Safe Harbor program can shield your organization entirely. (Explanatory slideshow here.)

What should you do if you are involved in activities that put you at risk of violating EU Data Protection laws? First, get into compliance with the Safe Harbor program and register voluntarily. Second, know where your data is at all times and ensure you comply with your own security policies. Third, stay in compliance with the Safe Harbor rules. Fourth, do what you can to make all personal data anonymous to the point it cannot be connected to any person and or encrypt it--such as at the field level in your database--to further protect from inadvertent disclosures.

The Department of Commerce’s Safe Harbor program is easy to adopt and provides several important benefits to U.S. and EU firms. Benefits for U.S. organizations participating in the safe harbor include:
>>>All 25 Member States of the European Union are bound by the European Commission's finding of adequacy. One finding fits all, even if there is dissent or disagreement.
Companies participating in the safe harbor are deemed adequate and data flows to those companies continue. It is similar to being presumed innocent until proven guilty in American criminal cases.
>>>Member State requirements for prior approval of data transfers either are waived or approval is automatically granted. This simplifies compliance immensely by reducing to one the number of regulatory schemes that affect your organization.
>>>Claims brought by European citizens against U.S. companies are heard in the U.S. subject to limited exceptions. It is much better to deal with issues in your own country.

The DOC’s Safe Harbor Checklist for joining the Safe Harbor and self-certifying your businesses walks you through the actions you must take to register, such as:
1. Affirm that your organization is subject to the jurisdiction of either the Federal Trade Commission or the U.S. Department of Transportation
2. Develop a Privacy Policy that conforms to the seven Privacy Principles and states in plain language the data you plan to collect and what you will do with it
3. Confirm that you have or will definitely use an “Independent Recourse Mechanism” to promptly and fairly resolve disputes related to alleged violations, such as the TRUSTe, BB EU Safe Harbor or American Arbitration Association
4. Put an internal compliance verification mechanism in place before collecting any private data
5. Identify the primary contact person in your organization for any inquiries from the Safe Harbor program.

In addition to, you can find additional useful information at the Global Information Assurance Certification (GAIC) website.

[1] 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity (Directive 95/46/EC OF The European Parliament And of The Council of 24 October 1995, Article 2(a)).

[2] a) the data subject has unambiguously given his consent
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; etc. (Id., Article 7 (a) and (b))

[3] 'processing of personal data' ('processing') shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (Id. Article 2(b))

Finally, here is a PDF with VERY helpful "FAQs."


Arizona foreclosures said...

Hello, i am glad to read the whole content of this blog and am very excited and happy to say that the webmaster has done a very good job here to put all the information content and information at one place.

Nicholas Sullivan said...

There are certainly a lot of details like that to take into consideration. That’s a great point to bring up. I offer the thoughts above as general inspiration but clearly there are questions like the one you bring up where the most important thing will be working in honest good faith.

Personal Injury Attorney Houston