- Cynthia O’Donoghue, Katharina A. Weimer and Amy Mushahwar
With the global economic downturn, economies of scale are of increasing importance, and to achieve cost synergies,...
many companies have shed their geographic silos in favor of a streamlined centralized data infrastructure. Far more multinational companies with offices on all continents and production facilities in multiple countries share centralized databases, processing capabilities, and even IT support teams that make integrated production possible on a 24/7 basis.
While we have seen many industries such as life sciences, real estate and entertainment streamline their IT operations, all have one item in common -- they store personal employee, customer, supplier and website visitor data. With the myriad data privacy, security and management laws that exist in the U.S. and abroad, data privacy compliance can be a difficult area to navigate.
By now, most companies understand that U.S. federal, state and local governments have weaved an intricate web of laws protecting many aspects of Americans’ privacy (i.e., banking, telecom services, higher education, health care, financial services). Even with all of its privacy laws, the U.S. leaves some areas of personal data-processing largely unregulated. Unlike the U.S. sectoral approach, the EU views privacy as a fundamental human right and has an omnibus data protection law that regulates the collection and handling of information related to identifiable individuals: “European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data” (the EU Directive).
Bear in mind that the legislative tool the EU selected for privacy law --a “directive” --requires each EU member state to enact its own local law adopting (or transposing) the directive into national legislation. Therefore, the text of the EU Data Protection Directive offers only a blueprint or framework for data privacy laws across Europe. National legislation implementing the directive has resulted in variations among EU member states.
Over the years, we have witnessed the compliance issues and various legal conflicts of law that spring from this cross-border culture clash. We will identify a few typical scenarios that require some international data privacy, security and management issue-spotting.
ISSUE SPOTTING WITH THE DOGGIE’S NIGHT OUT HYPOTHETICAL
Before we begin, we would like you to imagine a midsize company, Doggie’s Night Out (DNO, Inc.), a high-end manufacturer of canine retractable leashes with built-in flash lights, treats and waste disposal bags headquartered in the US. DNO, Inc. already has several offices across the U.S., a manufacturing site in China, and subsidiaries across South America, and it intends to acquire a German manufacturer of designer cat collars called Feline Fun AG, with nearly 100 local employees. This little gem is for sale at a bargain-basement price and DNO, after some due diligence, proceeds with the acquisition.
Following the purchase, DNO’s general counsel would like to know everything about Feline Fun, including all information about the employees. DNO wishes to maintain ongoing data flows about the general business operations and activities of Feline Fun to fully integrate it and leverage its data capture and analytics tools globally (i.e., such as those for employees, job applicants, customer data, suppliers, third-party partners, purchased data, conferences, and market research). Such data integration would necessitate the transfer of personal data of European citizens to the U.S. headquarters of DNO, Inc. Not surprisingly, the internal data protection officer of Feline Fun has some objections.
Immediately upon hearing the data integration plans, the internal German data protection officer reminds the U.S.-based general counsel that the EU Directive regulates the processing of individuals’ personal data, a much broader concept than what is referred to in the U.S. as personally identifiable information. He explains that the broad definition covers nearly all information that DNO, Inc. would like to integrate for example, DNO, Inc. knew that certain information fields (or combinations of information fields) were protected under US law. For example items such as a name and account number could be protected personal financial information under the U.S. Graham Leach Bliley Act. Presently, however, there is little U.S. regulation governing the collection of information. For instance, while the EU Directive regulates the mere independent collection of an individual’s name, email address, or IP Address, the U.S. does not unless an individual’s name is collected in conjunction with other information, such as an individual’s social security number.
U.S. Privacy Framework Lagging
But these uniformity proposals are likely to take years to fully implement and there does not appear to be a consensus as to whether either agency's efforts alone can assist with closing the sectoral privacy gaps. It is safe to say that the U.S. is several years away from a fully comprehensive privacy framework.
The German data protection officer made DNO, Inc. aware that such limited information fields are only starting to be scrutinized by U.S. federal regulators as part of the FTC privacy proceeding. Practically speaking, the broad concept of personal data under the EU Directive requires Feline Fun to examine two items for nearly all individual information it wishes to transfer to DNO, Inc.: (1) the legal basis for transferring the data, and (2) whether the transfer was to a country with data protection laws sufficiently similar to those in the EU, such that those laws provide adequate protection to the data, or a legal transfer method.
Local Compliance with Data Transfer Requirements: According to EU and German law, before any processing of personal data may be undertaken (including transfer), there must be a legal basis to do so. The legal basis for transfer is satisfied if the transfer is necessary for the fulfillment of a contract or a contractual relationship with the data subject, i.e., the person whose data shall be transferred.
For instance, personnel data can be transferred if and to the extent such transfer is necessary for the fulfillment of the employment contract. We must emphasize “necessary,” which is more than plain usefulness, for example, the transfer must be required for the employment relationship. Data transfer of customer data can sometimes be based on the contract with the customer; for instance, if the contract will be fulfilled out of another site and the other site requires the customer information for its performance.
While these two examples tend to be the most common, other legal bases exist. As a last resort, the data controller can always try and obtain the individual’s consent to the processing, but any such consent must be voluntary (already disputable in an employment relationship), informed and revocable; it should therefore not be the No. 1 choice for establishing a legally secure way of transferring personal data.
The Feline Fun data protection officer learns that all data will be transferred from Germany to the U.S. and DNO, Inc. has not self-certified under the Safe Harbor Program. But an adequate level of protection may be achieved by other means: (1) Feline Fun and DNO, Inc. could enter into a set of contractual clauses approved by the European Commission as establishing an adequate level of protection (“Model Clauses”), or (2) DNO, Inc. could establish Binding Corporate Rules (“BCRs”) for its entire group that are approved by a lead data protection authority in Europe.
Approximately 50 U.S. companies per month file initial self-certifications to the Safe Harbor program, and approximately 150 companies submit annual re-certifications. More than 50 percent of the companies in Safe Harbor have joined during the past two years. Currently, more than 2,100 companies are on the Safe Harbor list. Placed in context, this means that more companies join Safe Harbor in a single month than the total number of companies that have obtained approval for BCRs to date. This trend is counter-intuitive, given the recent statements of the Düsseldorfer Kreis (a body formed by the German data protection authorities) and other EU member state bodies issuing critical opinions regarding the Safe Harbor program.
Practitioners point to the following items as a potential reason for Safe Harbor’s increased popularity at the moment:
- Greater control for the U.S. company. Safe Harbor primarily requires the U.S. company to undertake relevant compliance steps, and requires little to no significant local affiliate involvement.
- Enhanced brand reputation for outsourcing providers and satisfaction of EU customer requirements.
- The Swiss Federal Data Protection and Information Commission (Swiss DPA) has recently established the U.S.-Swiss Safe Harbor Framework with the United States.
- Streamlining of local filing procedures. In a number of EU member states, cross-border transfers of EU personal data trigger registration requirements with the data protection authorities. In some of these countries, the Safe Harbor facilitates the local registration process by avoiding procedural approvals that apply to the use of Model Contracts and the “substantive” approvals for BCRs.
- Avoiding administrative burdens of maintaining several versions of Model Contracts.
However, there are as many good reasons to join Safe Harbor, or use it as a baseline to authorize certain data transfers, as there are good reasons why the program may not be sufficient for all data transfers. Some negative aspects of Safe Harbor include:
- FTC enforcement. The promise to comply with Safe Harbor is ultimately subject to the enforcement authority of the FTC.
- Some data transfers are not eligible for coverage by Safe Harbor. U.S. companies are only eligible to join the Safe Harbor to protect certain transfers of EU Personal Data to the United States. Other transfers within a global enterprise, such as transfers from the EU to Asia or Latin America, are not covered by Safe Harbor. Likewise, financial institutions and other organizations that fall outside the scope of FTC and DOT authority are not eligible to join the program, even if the organizations are located in the United States.
Likewise, even in the context of e-discovery, attorneys must address whether cross-border data transfers are permissible under local EU law, and this is typically viewed as a prime area of conflict, and transfers of data for purposes of litigation may expose the EU affiliate to liability. With this general data transfer background, we also identify a few other issue-spotting items that we have seen reoccur over the years.
EEA EMPLOYEES ENJOY MORE PRIVACY PROTECTIONS
Implementing data integration measures along those proposed by DNO, Inc. may be common sense to any U.S. company, but integrating the data of European affiliates may trigger a variety of issues, such as whistleblower protections. A person whose behavior is reported through an employer-provided hotline retains his or her data privacy rights. Yet his/her personal details have been communicated to a third party in a country without adequate protection and without his/her knowledge.
Employee monitoring, for example, is a sensitive topic in Europe; every country has different rules and, generally speaking, employees have a rightful expectation of privacy even in the work environment. The employee’s (potentially private) use of the telecommunications infrastructure provided by the employer may trigger obligations of secrecy vis-à-vis the employee -- the employer may not be able to access the employee’s communication or even Internet history.
USING WEBSITE ADVERTISING AND ANALYTICS IN THE EU
If DNO, Inc. were to integrate website advertising and analytics operations, there may also be issues. Recently, German data protection authorities have been in discussions with Google about the legitimacy of its analytics programs under German data protection law and came to the conclusion that analytics currently does not provide adequate safeguards to the consumer. The authorities objected to the use of IP addresses, considered personal data by the data protection authorities.
Court decisions differ in this aspect. Some consider an IP address to be personal data, others do not. While it is ultimately up to a court to decide, the initial assessment will be carried out by the data protection authorities and their opinion should be carefully considered. It should also be noted that the U.S. FTC has made recent statements that an IP address may be included in the definition of protected personally identifiable information.
While Google demonstrated goodwill and allowed an anonymization tool to be built into the software, and additionally built a plug-in for Internet users with which they can set their browser to object to the collection of the IP address, this did not satisfy the data protection authorities’ requirements: The anonymization is in the discretion of the website operator and the plug-in does not work for all browsers. As the issue has yet to be resolved, there is a risk that the authorities may proceed against website operators that use analytics without consumer opt-in.
IT MAY BE RAINING CATS AND DOGS BUT THERE ARE TOOLS TO WEATHER THE STORM
Decisions by multinationals to centralize data should not be taken lightly. The complexity of the EU data protection law poses special problems and must be considered fully as part of any data centralization initiative. Recently, the U.S. has made attempts to move closer to EU-style data protection, but these efforts will not come into fruition for some time. The data compliance scramble should not stop U.S. companies from wading out into the storm to access the wide variety of personal data available from EU entities. Rather, the philosophical and jurisprudential gap can be bridged by relying on the number of tools available to organizations that allows them to transfer data, while being mindful that the EU takes its obligation to safeguard its citizens’ privacy very seriously.
Cynthia O’Donoghue is a partner and co-practice leader of Reed Smith LLP’s Data Privacy, Security and Management group and is based in London. Katharina A. Weimer is an associate in the Munich office of Reed Smith LLP with a focus on Media law and Data Protection. Amy Mushahwar is an associate in the Data Privacy, Security an d Management practice in the Washington D.C. law office of Reed Smith LLP. Send comments on this column to firstname.lastname@example.org.