Each year, more organizations operate outside their home country, whether to sell products, to lower production costs, or to find additional qualified employees. Data privacy laws differ across nations—this can present a compliance challenge to any organization, with potentially severe penalties if these laws are ignored.
Data privacy laws (often called data protection laws) control how an organization can collect and process information that identifies individuals. This information (generally called personal data) includes a name, address, social security number, email address, credit card number, other financial or health information, beliefs, family background, or other data. Some types of personal data are obviously more sensitive than others, and are more strictly regulated.
The U.S. has not passed a comprehensive data privacy law. The data privacy laws currently on the books focus on particular types of data or on particular classes of potential victims. Two examples are the Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA), which controls the use of health care data, and the National Do Not Call Registry administered by the Federal Trade Commission. Both of these measures regulate what an organization can do with personal data it has collected. Additionally, California passed four new laws this year that regulate the use of personal data: measures to stop spyware, to keep social security numbers private, to restrict marketing activities that use health care information, and to impose security requirements on companies that hold personal data. Any organization that deals with California residents must abide by these laws. As legal and technical measures are adopted to combat spam and identity fraud, other such laws will likely be passed in the U.S. In general, however, constitutional constraints and free-market concerns have prevented the adoption of broad data privacy laws in the U.S.
Most other nations have taken a different approach, one with serious implications for any organization operating there. The European Union issued a Directive in 1995 (Directive 95/46/EC) that has become the basis for detailed "personal data protection" legislation in all 25 Member States, including those that joined the EU in 2004. Many countries, including Australia, Taiwan, and Argentina, have followed the EU's example by passing comprehensive data protection laws. National data protection laws in the EU create a data protection authority in each country. That authority (often called an Inspectorate) provides administrative enforcement of the data privacy laws and usually has the power to inspect any location where personal data is processed. Administrative penalties for violations range from fines of a few thousand dollars to hundreds of thousands of dollars. Some countries prescribe prison terms for willful violations motivated by financial gain. Data privacy laws also grant individuals whose personal data has been processed illegally the right to sue.
The basic structure of all data protection laws in the EU includes requirements to inform both the Inspectorate and the individuals whose data will be collected or processed. In some cases, an organization must obtain permission from the Inspectorate; in other cases, mere notification is sufficient. Also, in some cases, explicit consent is required from each individual; in other cases, a general disclosure is sufficient. The precise rules—and various exemptions to them—differ from country to country. Exemptions generally apply to personal data processed by a non-profit group, or personal data processed solely to fulfill the requirements of local employment laws or to perform a contract with an individual.
For organizations in the U.S., the most troubling aspect of data privacy laws in other countries is the prohibition on exporting personal data to countries whose data protection laws are considered less complete (in EU terms, countries that do not provide an "adequate" level of protection). For example, a U.S. company working with customers, employees, or suppliers in Europe typically cannot transfer any of their personal information to the U.S. without violating the local data privacy laws. Because business data now routinely crosses borders over the Internet, such violations can become commonplace and difficult to remedy.
The United States Department of Commerce has, however, negotiated a Safe Harbor framework with the European Commission. Under this framework, a U.S. organization can adopt an internal system of privacy practices that meets the EU data protection principles and then "self-certify" its compliance to the Department of Commerce. An organization that has self-certified may receive transfers of personal data from the EU that would otherwise violate EU law.
Compliance with data privacy laws—in the U.S. and in other nations—is becoming increasingly important, both to avoid administrative penalties and civil suits, and to provide clients, employees, and partners with the assurance that their personal data is protected.
For more information about data privacy laws, please contact Nick Wells at nwells@kmclaw.com.