Privacy and data security issues and concerns do not stop at the water’s edge. Companies needing to share personal information, even when the sharing will take place inside the same “company,” frequently run into challenges when that sharing takes place across national borders. In some ways, the obstacles created by the matrix of federal and state data privacy and security laws in the U.S. are dwarfed by the matrix that exists internationally. Most countries regulate to some degree the handling of data, from access to processing to disclosure and destruction. And the law continues to develop rapidly, sometimes due to unexpected events.
Take, for example, the U.S. Safe Harbor program that was designed to facilitate the transfer of personal data of individuals in the European Union (EU) to the United States. Because the EU believes that the law in some countries, including the U.S., fails to provide “adequate safeguards,” the general rule is that personal data of EU persons cannot be sent to the U.S. unless an exception applies. One exception is based on a negotiated deal between the EU and the U.S., commonly known as the U.S. Safe Harbor, a program which currently is in some jeopardy due to the recent reports of NSA monitoring, the Snowden disclosures, etc.
Currently, to meet the Safe Harbor, a company must take certain steps, including (i) appointing a privacy ombudsman; (ii) reviewing and auditing data privacy practices; (iii) establishing a data privacy policy that addresses the following principles: notice, choice, onward transfer of data, security, integrity, access and enforcement; (iv) implementing privacy and enforcement procedures; (v) obtaining consents and creating an inventory of consents for certain disclosures; and (vi) self-certifying compliance to the U.S. Department of Commerce.
A recent statement from Viviane Reding, European Commissioner for Justice, Fundamental Rights and Citizenship, quoted in The Guardian, October 17, 2013, signals that some changes may be in store for the Safe Harbor:
“The Safe Harbour may not be so safe after all. It could be a loophole because it allows data transfers from EU to US companies, although US data protection standards are lower than our European ones,” said Reding. “Safe Harbour is based on self-regulation and codes of conduct. In the light of the recent revelations, I am not convinced that relying on codes of conduct and self-regulation that are not policed in a strict manner offer the best way of protecting our citizens.”
At the same time, the EU continues to update and strengthen its protections for personal data. Companies that operate globally need to be sensitive not only to complying with the laws governing activities within a jurisdiction, but also to those governing activities between jurisdictions. Common business decisions, such as deciding where data will be stored, setting up global databases for employees’ medical, personnel and other information, or arranging for enterprise-wide employee benefits or monitoring programs, can face significant obstacles arising from the interplay of the data privacy and security laws of the countries involved.