Organizations sending data abroad must be prepared to comply with a slew of privacy and security regulations.
U.S. companies doing business overseas face a quagmire of global regulations for keeping data private and secure. Take Verispan, a provider of health care information and services to the pharmaceutical industry. Gathering information on physicians around the world can be a time-consuming and cumbersome process due to regulatory requirements, says Scot Ganow, Verispan's corporate privacy and ethics officer.
Not only does the company need to follow European Union privacy rules, which include providing clear notice to and obtaining verifiable consent from the physicians, but it must research and comply with any specific requirements of individual EU member countries. Even with consent, Verispan uses either EU-approved model contract clauses or Safe Harbor self-certification as extra compliance protection when transferring European personally identifiable data to the U.S.
"It's very layered, very involved," Ganow says of the compliance process.
As the number of online users has skyrocketed worldwide, governments have enacted a maze of inconsistent privacy and security laws. This fractured, highly complex global legal framework is creating regulatory headaches for businesses. Laws restricting cross-border data flows and those requiring security breach notification are the most problematic and impose the highest compliance costs. They also carry the greatest risk of damage to reputation or brand, loss of market share, or reduction in stock price.
The complexities and inconsistencies associated with global privacy and security laws are forcing multinational companies to approach these issues in a multidisciplinary manner, blending legal, technical, operational and managerial considerations.
Know Before Your Data Goes
Organizations need to understand their privacy and security compliance obligations prior to sending data across borders. In today's global operating environment, that is no simple task. Consider that nearly 50 countries have some form of data protection law and many of them conflict or require specific security measures. Other countries have no privacy laws at all.
In the U.S., more than 30 states have enacted security breach notification laws, and several similar laws are pending at the federal level. The EU's Data Protection Directive (DP Directive) governs the privacy of personally identifiable information (PII) in its 27 member countries, and it has influenced the development of similar legislation in other countries. In addition, the DP Directive restricts cross-border data flows, requires the registration of databases, and establishes privacy supervisory authorities in every member country.
Looking broadly across the various privacy laws around the globe, there are essentially three types of legal frameworks at play: the EU's regulatory model, the U.S.'s self-regulatory approach, and a hybrid approach set forth in the Asia-Pacific Economic Cooperation (APEC) forum's Privacy Framework.
Since 1995, the EU has been the global leader on how governments and companies approach privacy. Its DP Directive affords omnibus protections to any PII that is processed by automatic means or is part of a filing system. It has seven principles, adopted primarily from the Organization for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the Council of Europe Convention on Data Protection.
These principles were largely incorporated into the Safe Harbor agreement between the EU and U.S. in 2000. They require:
- Collection of PII be limited to only what is necessary
- The data be fairly and lawfully processed
- It be used only for the stated limited purpose
- The data be kept up to date
- It be kept only as long as necessary
- It be accessible to the person, with an avenue for objection to the processing
- It not be transferred to non-EU countries without adequate protections.
The consistency of the DP Directive is undercut, however, by uneven enforcement by the member states' supervisory authorities. Spain, for example, has levied millions of dollars of fines against corporations (primarily in the health and telecommunications sectors) for failure to comply with particular provisions of the directive. Meanwhile, the EU launched actions against Germany and Austria for lax implementation of the directive. The EU regulatory powers may get even stronger if a recent EU proposal requiring entities to notify regulators in the event of a security breach of PII is adopted.
Although the DP Directive was intended to facilitate data flows within the EU, it also works to control the transmission of data outside the EU. In a nutshell, data cannot be sent outside the EU unless it meets one of the following requirements:
- The data is being sent to a country that has received an "adequacy ruling" from the European Commission that its data protection laws afford equivalent protections to those of the DP Directive
- Clear and informed consent has been obtained from the person whose information will be sent outside the EU
- The data is subject to EU-approved contractual clauses between the sender of the data and the recipient
- The data is subject to binding corporate rules (BCR) that have been approved by the data protection authorities of the countries where the data is obtained
- The data is going to a U.S. entity that is registered in the U.S. Safe Harbor program (an option only for U.S. organizations).
This cross-border data flow restriction has created the largest privacy compliance burden for companies. To date, only five countries have received "adequacy rulings" that their data protection laws afford equivalent protections to that of the DP Directive: Argentina, Canada, Switzerland, Guernsey and Isle of Man.
The U.S. Safe Harbor framework is the U.S. solution to the adequacy requirement. It provides an important mechanism for U.S. companies to meet EU DP compliance requirements and avoid prosecution by EU authorities. The program is administered by the U.S. Department of Commerce and enforced by the Federal Trade Commission; U.S. companies join by self-certifying annually that they are adhering to the seven Safe Harbor principles. Those principles include taking reasonable steps to protect personal data and notifying individuals about why their information is collected. As of November, 1,050 companies had joined.
Even though Verispan participates in the Safe Harbor program, Ganow says "the additional burden for the prudent company comes with the due diligence it must complete on each member state's individual requirements," which can be more stringent than the directive.
Since the U.S. does not have an omnibus, overarching privacy law like the DP Directive, its officials like to claim that it has a simple privacy framework. But in reality, the U.S. has the most complex privacy laws in the world.
The U.S. uses a sectoral approach to privacy, protecting certain kinds of industry data, such as financial and medical and health information, through self-regulation and regulatory enforcement actions. The U.S. also protects various types of information under both federal and state laws, such as school records, insurance documents, driver's license and cable television records, credit information, employment data, Social Security numbers, mailing lists and telephone records.
The only omnibus protections to personal data are those granted through the Privacy Act of 1974, which only applies to personal information collected by the U.S. government. In addition, because the U.S. is a "common law" jurisdiction, it has another layer of privacy law that has been created through court decisions and administrative orders.
Since the privacy uproar two years ago over ChoicePoint's sale of consumer PII to a criminal organization, state action has been propelling privacy in the U.S., particularly in the area of security breach notification laws. At that time, California was the only state to require notification when unencrypted PII was subject to a breach. By last October, 33 more states had passed some form of breach notification law.
Consistency, however, is not a hallmark of these laws. Some have strong consumer protections, requiring prompt notification, whereas others are "risk-based" with some analysis of risk of harm determining whether notification is required. In addition, some laws apply to private sector entities or state agencies, but not both, and others may exempt certain entities, such as financial institutions.
The dichotomy between the U.S. and EU approaches to privacy heavily influenced U.S. involvement in the development of the APEC Privacy Framework. Although it is a voluntary framework that may be adopted by APEC member countries--with key areas of flexibility--it is significant because it establishes a global alternative to the DP Directive.
Contrary to the EU approach, the APEC framework anticipates commercial use of PII, cross-border data flows, and global operations that "follow the sun," and it accommodates new computing concepts, such as grid computing, where data may be processed in multiple jurisdictions simultaneously.
Thus, the framework is a hybrid approach adapted from the U.S. and EU models. It enables multinational corporations to implement consistent approaches to the collection, processing and transfer of information in global operations. It adopts the OECD privacy guidelines and EU definition of PII, and endorses the EU principles regarding the limitation on collection of data, data quality and security.
The framework leans toward the U.S. model, however, through its encouragement of legislative, administrative and self-regulatory approaches within each country and the avoidance of a strict "opt-in" requirement for data collection. It also eases cross-border complaint resolution by providing the option of handling these matters via a company process or through a cooperative process between the regulatory authorities in the sending and receiving countries.
The significance of the APEC framework cannot be overstated. First and foremost, the 21 APEC member countries include the U.S., Canada, Mexico, Peru, Chile, Russia, Australia and China. Consequently, the APEC economies span four continents, represent one-third of the world population, and half of the global gross domestic product (GDP). To be sure, any movement toward a harmonized global framework for privacy and security will be heavily influenced by the APEC framework.
While outsourcing has fueled globalization and corporate competitiveness, it has significantly complicated cross-border data flows and privacy compliance obligations. Although functions and processes can be outsourced, compliance requirements cannot. Therefore, it is crucial that companies ensure that their compliance obligations are not jeopardized in the outsourced environment.
"Even those of us who don't necessarily have international business, most have international outsourcing of one function or another," says Kirk Herath, chief privacy officer and associate general counsel at Nationwide Insurance Companies. "Outsourcers even outsource. The data can end up being in some far-flung places. It could be unprotected or more protected."
The two largest compliance hurdles associated with outsourcing are inadequate legal frameworks in outsourcing jurisdictions and the inability of their law enforcement agencies to cooperate and investigate cyber incidents.
The three primary outsourcing jurisdictions--India, China and the Philippines--have no data protection laws. Thus, privacy protections accorded to client data may have no statutory protection in the country where the processing is taking place. Even though a provider may have a contractual obligation to protect data, the lack of a statutory right to privacy can raise serious issues in the prosecution of privacy breaches and other cybercrimes.
Breaches in outsourced operations can also invite regulatory action. For example, the Australian Privacy Commissioner has initiated investigations into breaches of protected personal information through an Indian call center. Likewise, the United Kingdom's Information Commissioner's Office responded to an Indian call center worker's sale of British consumer financial data by notifying U.K. banks that they could face prosecution under the U.K. Data Protection Act for such breaches.
Even if there is a data protection law in the outsourced jurisdiction, there may not be a criminal law such as the U.S. Computer Fraud and Abuse Act, which covers cybercrime and the unauthorized disclosure of confidential data. Many countries also have dual criminality requirements--the activity must be unlawful in both the country requesting the assistance and the country from which assistance is sought.
Additionally, although cyberspace has no borders, law enforcement, prosecutors and government officials do; they must stop at national borders and formally request assistance from other countries when tracking and tracing cybercrime, which can be cumbersome.
If the country does not have a mutual legal assistance treaty (MLAT) with the country requesting assistance, the requesting country must use the letters rogatory process to apply for assistance through the other country's courts. Even if assistance is granted, often the law enforcement officials don't have enough training on investigating and seizing electronic evidence.
Multilateral efforts in addressing some of these issues have fallen short. In 1997, the G8 established a network of around-the-clock contacts to assist with cybercrimes investigations. According to the U.S. Department of Justice, membership in the network is 45 nations--hardly enough to impact the security of an Internet connected to 240 countries.
What To Do
Managing cross-border risks and getting a grip on privacy compliance requirements is a complicated undertaking that requires analyzing cross-border data flows, conducting privacy impact assessments, mapping privacy and cybercrime laws, and determining how assistance can be obtained in the event of a breach.
While Safe Harbor and EU-approved model contractual clauses provide two legal options for companies to use in tackling the global regulatory morass, enterprise security programs are the best way to link the various factors involved and manage risks associated with cross-border data flows.
In addition to being a requirement of U.S. laws such as GLBA and HIPAA, enterprise security programs have been a key component of all FTC consent decrees involving the safeguarding of PII. They require the dovetailing of an organization's managerial, technical and operational considerations, span the entire system development lifecycle, and involve key personnel across an organization in their development.
The governance process is one of the most important components of an enterprise security program. It requires:
- Developing an inventory of key digital assets and processes
- Identifying compliance requirements and liability risks
- Assessing reasonably foreseeable internal and external risks
- Categorizing networks, applications and information according to the risk of harm to the organization caused by a loss of confidentiality, integrity and availability.
This process helps identify needed controls and technological requirements and drives the development of policies and procedures. In addition, it provides critical input into the development of incident response, disaster recovery, business continuity and crisis communication plans--all components of enterprise security programs.
Finally, testing, monitoring, enforcing, auditing, reviewing and updating are all crucial to managing risk, especially in cross-border situations.
Looking ahead, there is certain to be public- and private-sector pressure for global harmonization of privacy laws. This process, however, could take years of multilateral negotiations. In the meantime, companies will have to remain vigilant and closely monitor their privacy compliance risks.