With employees and customers in multiple countries, IT managers must answer to a web of privacy laws to keep international data legal.
by Minda Zetlin
A company that provides online wellness services landed a contract with a major company with offices in Spain, Germany, and France. It was the kind of sale every executive dreams of. But it came with some very big headaches, too. “Now they’ve got this problem where they have to abide by the privacy regulations in each of these three countries and register with the regulators there,” says Stuart Buglass, director of human capital consulting at Nair & Co., which advises companies on international expansion. The wellness company had walked right into one of the most challenging aspects of international business today: data and privacy laws across international borders.
The challenges are considerable. Throughout the world, an evolving mosaic of privacy laws dictates how data must be handled. At issue is personally identifiable information (PII): data that can be traced to an individual person, such as name, address, ID number, and job title. Most experts agree that the most stringent data protection laws are found in the European Union (EU), where the Data Protection Directive (95/46/EC, often referred to as the Data Privacy Directive) governs all use of PII. In general, a company that can deal effectively with the provisions of the EU directive will likely be able to handle privacy laws in other jurisdictions as well.
Although the directive’s provisions hold across the EU, each member state implements it in its own national law, and anyone collecting data on European residents must follow the law of the individual’s country of residence as well. Those national laws differ. It might seem logical to find the strictest EU privacy law and comply with that everywhere, but the laws differ enough in their specific requirements to make that approach impractical.
“You can’t have a broad sweep of standards that will satisfy all the different types of legislation,” Buglass says. “You have to actually identify where the data subjects are and which specific legislation applies to them.”
The directive (Article 25) bars transferring personal data to countries outside the EU that lack adequate legal protection; in the UK’s implementing law, the Data Protection Act 1998, this appears as the last of eight enforceable data protection principles. That raises the question of what constitutes a data transfer. From a privacy and security standpoint, it makes little difference whether an employee’s name is sent over a network and stored on a server in, say, Russia, or whether someone in Russia uses that same network to view the data while it sits on a server in France. And indeed, for privacy purposes EU regulators treat remote access to data from a third country as a form of transfer.
While many experts recommend leaving European data in Europe, that strategy is not sufficient to ensure compliance with the law. And it can create unexpected challenges for Americans accustomed to different privacy rules. “Something as innocuous as a personnel directory that can be accessed by company staff outside of Europe can create a problem,” notes Lisa Sotto, head of the privacy and information management practice at Hunton & Williams, a law firm with expertise in intellectual property and international business.
To make matters worse, national laws may conflict with each other, especially when it comes to retaining data. In general, European law requires companies to delete PII once it is no longer needed for the purpose it was collected for. But in the United States, other laws (tax or litigation-hold rules, for instance) may dictate a longer retention period. “If you’ve got a U.S.-based company dealing with data from another country, there may be a conflict,” says Jimma Elliott-Stevens, director of risk assurance services at PwC, a global professional services firm.
Meanwhile, the list of nations with strict laws governing the use of PII is growing. In 2011, Costa Rica became the seventh Latin American country to regulate this data. India’s data privacy laws, amended in 2008, are strong enough to draw criticism from U.S. multinationals.
But for nations outside the EU, stricter data privacy laws can be good for business. The European Commission has issued adequacy decisions recognizing a handful of countries as offering adequate data privacy protection, among them Canada and Argentina. Data can be transferred to (or accessed from) such countries without the additional safeguards the directive otherwise requires for transfers to third countries.
“It’s interesting to note that a lot of countries coming up with robust sets of legislation are those where there’s a lot of offshoring,” Buglass notes. “India’s privacy law is probably even more robust than that in the EU. It isn’t yet a trusted third country, but if India’s government can prove it can actually enforce these rules, it may be soon.”
However, the chance of the U.S. gaining the status of a trusted third country is virtually nil. The American approach is sectoral: different regulations apply in different industries (for instance, the healthcare industry is subject to the Health Insurance Portability and Accountability Act, better known as HIPAA) and in different states.
“I think the U.S. would have to crumble and be rebuilt to change its entire sectoral approach to regulations,” Elliott-Stevens says. “The U.S. cares about data privacy, and we do have strict laws and regulatory bodies in place. But the way we deal with it is to find commonalities and start there. We negotiate and leverage relationships.”
So what are the options for U.S. companies with employees in countries with stricter privacy laws? One is to keep all personal data within the country or jurisdiction where it was obtained and block any access from outside. Another is to use a recognized legal mechanism under which the company commits that data transferred outside the jurisdiction will still be handled according to the local rules. (See the sidebar “Gaining Customer Consent” for a third option that applies to customer data only.)
The first of these options may be the right choice for many multinational companies. Privacy laws do not prevent managers outside a territory from seeing sales and performance data, as long as IT ensures that no PII, such as a customer’s phone number or an employee’s attendance history, is included. “Maintaining local management of data is the perfect solution,” Buglass says. “If you haven’t got the luxury of doing that, try to limit the data transfers to certain countries. The risk, obviously, is when you can’t keep track of the data—for instance, if you have a cloud server that jumps from country to country to take advantage of available storage.” Some companies are coping with this by setting up EU-only clouds, he adds.
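The approach just described, keeping PII inside the territory while letting managers elsewhere see sales figures, is easy to get wrong when a report is built by removing the PII columns you happen to know about. The following is an added example, not code from the article or from any of the companies it quotes, showing the safer shape: an allowlist of fields that may leave the jurisdiction, aggregation over PII-free rows, and a fail-closed check at the export boundary. The field names, region codes, sample records, and the minimum-group-size suppression (which goes beyond the article’s text: a total built from one person’s figures is still attributable to that person) are all assumptions constructed for this example.

```python
"""Cross-border reporting without PII.

Added example, not code from the article: managers outside a territory get
aggregated sales figures, while the PII columns (name, e-mail, employee ID)
never leave the local record store. The field names, jurisdiction codes and
sample rows are all constructed for this example.
"""
from collections import defaultdict

# Allowlist of fields that may be viewed from outside the jurisdiction where a
# record lives. Anything not listed is treated as PII and stays local, so a
# newly added column such as "home_phone" is blocked by default instead of
# needing to be remembered in a denylist.
EXPORTABLE_FIELDS = frozenset({"region", "product", "quarter", "revenue"})

# Constructed sample records: PII sits beside the sales figures that remote
# managers legitimately need.
SALES_RECORDS = [
    {"region": "DE", "product": "wellness-basic", "quarter": "2012Q1",
     "revenue": 1200.0, "employee_id": "E100", "name": "A. Mueller",
     "email": "a.mueller@example.com"},
    {"region": "DE", "product": "wellness-basic", "quarter": "2012Q1",
     "revenue": 800.0, "employee_id": "E101", "name": "B. Schmidt",
     "email": "b.schmidt@example.com"},
    {"region": "FR", "product": "wellness-basic", "quarter": "2012Q1",
     "revenue": 500.0, "employee_id": "E200", "name": "C. Dubois",
     "email": "c.dubois@example.com"},
    {"region": "ES", "product": "wellness-plus", "quarter": "2012Q1",
     "revenue": 900.0, "employee_id": "E300", "name": "D. Garcia",
     "email": "d.garcia@example.com"},
    {"region": "ES", "product": "wellness-plus", "quarter": "2012Q1",
     "revenue": 600.0, "employee_id": "E301", "name": "E. Lopez",
     "email": "e.lopez@example.com"},
]


def non_exportable_fields(record, allow=EXPORTABLE_FIELDS):
    """Return the set of fields in `record` that are not on the allowlist."""
    return set(record) - allow


def strip_to_exportable(record, allow=EXPORTABLE_FIELDS):
    """Return a copy of `record` containing only allowlisted fields."""
    return {k: v for k, v in record.items() if k in allow}


def cross_border_report(records, allow=EXPORTABLE_FIELDS, min_group_size=2):
    """Aggregate revenue per (region, product, quarter) from PII-free rows.

    Groups with fewer than `min_group_size` contributors are suppressed: a
    total built from one person's figures is still attributable to that
    person, so it would carry PII out of the territory under another name.
    (Small-cell suppression is this example's assumption, not the article's.)
    """
    totals = defaultdict(float)
    contributors = defaultdict(int)
    for record in records:
        row = strip_to_exportable(record, allow)   # PII never enters the report
        key = (row["region"], row["product"], row["quarter"])
        totals[key] += row["revenue"]
        contributors[key] += 1
    return {key: round(total, 2) for key, total in totals.items()
            if contributors[key] >= min_group_size}


def check_export(rows, allow=EXPORTABLE_FIELDS):
    """Last gate before rows leave the jurisdiction: fail closed on any
    non-allowlisted field rather than silently dropping it."""
    for i, row in enumerate(rows):
        extra = non_exportable_fields(row, allow)
        if extra:
            raise ValueError(f"row {i} carries non-exportable fields: {sorted(extra)}")
    return rows


if __name__ == "__main__":
    report = cross_border_report(SALES_RECORDS)
    for (region, product, quarter), revenue in sorted(report.items()):
        print(f"{region} {product} {quarter}: {revenue:.2f}")
    # The FR group has a single contributor and is suppressed by default.
    try:
        check_export(SALES_RECORDS)   # raw records must never pass this gate
    except ValueError as exc:
        print("blocked:", exc)
```

The design choice that matters is the allowlist: a denylist of “known PII columns” silently fails the day someone adds a new column to the table, whereas an allowlist blocks it until a human decides it may leave the territory. The export gate is deliberately separate from the aggregation so that a report assembled by some other code path still cannot ship raw rows.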
For managers who do need to transfer PII among jurisdictions, there are legal frameworks that make this possible. One is the Safe Harbor arrangement, in which U.S. companies self-certify that they will abide by the principles of the EU directive when handling PII from an EU country. However, since the EU is counting on the U.S. Federal Trade Commission (FTC) to enforce the Safe Harbor commitments, this option is only available to companies subject to FTC jurisdiction (or to that of the Department of Transportation, which enforces it for carriers). Safe Harbor has been in place for more than a decade, and so far roughly 2,000 U.S. companies have signed on. (The Safe Harbor adequacy decision was later invalidated by the Court of Justice of the EU in October 2015; the description here reflects the framework as it stood when this article was written.)
A second, more difficult option is Binding Corporate Rules, a legal framework in which companies certify that they have put in place corporate rules protecting the privacy of PII. Though created as an alternative to Safe Harbor and model contracts (see below), Binding Corporate Rules is a difficult choice, Sotto says, because it requires getting specific approval for your rules from some individual countries. While many EU countries’ data protection authorities will recognize the blessing of another country’s authority, some EU countries will not. “It’s very hard to implement,” she says.
A third solution is to use the standard contractual clauses (model contracts) approved under the EU privacy directive. In this case, a contract between the European and non-European entities obliges the non-European entity to protect the privacy of the personal data, Sotto says. Since the European subsidiary of a multinational company is nearly always created as a separate legal entity, the two can sign a binding contract that fulfills the data transfer requirements of the EU privacy directive.
“For these solutions, you need to understand the relevant data flows within your company,” Sotto says. “What you’re collecting, the use to which you’re putting the data, and who will have access to it. And ultimately, how and when you will dispose of it.”
Inevitably, compliance with global data privacy laws falls to IT—but industry best practices can help.
Know your data. Having a precise understanding of the data you have is an essential first step, according to Carolyn Holcomb, partner, risk assurance services, at PwC. “Think about every data element that could be used to identify an individual,” she says. “If you put them all together, there are somewhere in the neighborhood of 60 different elements that are common across the different privacy laws. Make a list of all those data points, and then do a data inventory. Find out exactly where the data resides and what countries it comes from.”
Don’t take what you don’t need. “Another practical solution is not to collect the data,” Holcomb says. Of course every company collects some PII from customers and employees. But many have the mindset that the more data they can collect—especially from customers—the better. While that data can be useful for market research, it will make following international data laws much harder.
Consider privacy when planning cloud implementations. Buglass notes that cloud providers often move data around among different hosting companies. To address this problem, some are providing EU-only cloud solutions. But that’s not the only option, he says. “If it’s a U.S.-based cloud company, it should be a Safe Harbor adherent, and it should certify that the data won’t go beyond U.S. shores. Yet another option is to bind the cloud vendor with a contract that requires it to treat PII in accordance with the EU directive. But remember that the company that first accepted the data is still legally responsible for what happens to it if the vendor fails to abide by the contract.”
Manage international data in a GRC plan. “The same risk tools that help keep you from being fined for regulatory violations can also help you with the bottom line for reasons unrelated to compliance,” notes Sid Sinha, senior director of governance, risk, and compliance (GRC) product management at Oracle. The same solutions used for compliance with important regulations can also catch process errors such as incorrect or duplicate payments.
Oracle GRC applications aid compliance with international privacy laws, as well as U.S., local, and industry regulations and audit requirements. A great time to think about GRC is at the start of a major deployment or upgrade, Sinha adds. “If you’re implementing a new system and defining business processes, that is an ideal opportunity not only to minimize the long-term cost of compliance but to proactively manage the risk of a global IT project. What we hear from many Oracle GRC customers is that they wish they had started sooner and incorporated GRC before they rolled their new system out.”
Indeed, tackling international privacy laws in the context of an enterprise resource planning (ERP) system will make the process as painless as possible, says Michael Baccala, partner, risk assurance services, at PwC. “When I think about using technology to deal with these challenges, an ERP solution such as Oracle’s is much better than trying to do it with a legacy or homegrown system,” Baccala says. “Clients with older or unique systems struggle more, as [those systems] are typically not as well integrated with each other. With an ERP solution such as Oracle’s, you have more-consistent controls and more-global enforcement. And once you understand the legally required process, the technology is there to support it.”
Minda Zetlin is coauthor of The Geek Gap: Why Business and Technology Professionals Don’t Understand Each Other and Why They Need Each Other to Survive (Prometheus Books, 2006).
Gaining Customer Consent. If your company has customers in the European Union (EU) or another jurisdiction with similar privacy laws, you may have a relatively simple solution for dealing with their personally identifiable information (PII): getting their consent for its use. The EU privacy directive allows export of customers’ PII to other countries (or access from other countries) as long as the customers fully understand what will happen to their data and why you are collecting it, and you have obtained their consent. Under European law, consent given by employees is generally not treated as freely given, because of the imbalance of power between employer and employee, so this solution works only for customer data.
It’s an easier process than the Safe Harbor, contractual, or Binding Corporate Rules described elsewhere in this article, but that doesn’t mean it’s easy. Obtaining informed consent from a European customer goes beyond standard “click-wrap” agreements where users click “I agree” to a lengthy agreement they have almost certainly not read.
What constitutes meaningful notice and/or consent may differ from country to country within the EU, and these definitions are still being debated. “I often work with clients on what customers will see when they first come to a site, and where to put a clear and conspicuous notice about what the site’s information practices are,” says Lisa Sotto, head of the privacy and information management practice at the law firm of Hunton & Williams. It’s also important, Sotto says, to give that notice in plain English (or whatever language is appropriate), not legalese.