The changing landscape and widening of legal powers require a different approach to risk and compliance if global businesses are to comply with their obligations both locally and internationally. This article examines the issues and practical implications of achieving compliance with privacy laws where the lines between borders are becoming increasingly blurred.
Compliance with data privacy and other laws has been described by European regulators as being caught between "a rock and a hard place." The difficulty stems from the global corporate structures that are now commonplace, together with the increasing use of technology (e.g. cloud computing) that transcends laws and borders, and results in a conflict between compliance with laws locally and internationally.
The key starting point for organizations is to determine what laws apply, and for the purposes of data privacy, what are the "applicable laws" that apply to the company as a group and also on a local country by country level.
The EU Data Protection Directive (Directive 95/46/EC) ("Directive"), as implemented in the UK by the Data Protection Act 1998 ("DPA"), broadly speaking provides that the main criteria for determining the applicable law are: (a) where the data controller is located; and (b) the location of equipment used, in the case of a controller located outside of the European Economic Area ("EEA"). This gives EU privacy laws a broad scope of application: even if an organization is not physically located within the relevant EU member state, EU law may apply if equipment in that state is being used.
But what about conflicts in law in an international business?
A common scenario that companies will be familiar with arises where a company is located and established within an EU member state, but has other affiliate or subsidiary entities located across the globe. The result is that one entity within that corporate group may be responsible for complying with the local data protection laws of that EU member state (as it is "established" there), while another is bound by laws outside of the EEA (e.g. in the US). If the US-based entity is required by US law to disclose personal data (and failure to do so would place it in breach of a court subpoena), it may seek to extend this request to its overseas entities (even though those entities are not directly subject to the US obligation). This happens often, and should the EU-based entity comply, it may be in breach of local laws.
Taking the UK as an example of compliance across the EU landscape, the news of Prism has been a reminder of the complexity that organizations face when dealing with requests for compliance with non-UK (or EU) laws, which may not apply directly to the UK arm of an organization, but might apply to its US parent or subsidiary.
This is by no means a new issue or problem. Organizations have been grappling with this very issue for a number of years. As you may recall, in 2006, the Society for Worldwide Interbank Financial Telecommunications (SWIFT) breached privacy rules by allowing US authorities access to details of banking transactions. The Article 29 Working Party, the EU's official data protection advisory group, made it clear that:
As far as the communication of personal data to the US Treasury is concerned, the Working Party is of the opinion that the hidden, systematic, massive and long-term transfer of personal data by SWIFT to the US Treasury in a confidential, non-transparent and systematic manner for years without effective legal grounds and without the possibility of independent control by public data protection supervisory authorities constitutes a violation of the fundamental European principles as regards data protection and is not in accordance with Belgian and European law.
This is a familiar picture, and over seven years on, organizations are faced with the same issue of US law enforcement agencies requiring access to personal data. In the context of Prism, the Article 29 Working Party has since announced that it is launching its own investigation into the program, and we suspect that in a similar manner to SWIFT, the covert, non-transparent, and systematic access and transfer of personal data will be deemed a violation of the fundamental European privacy principles.
In 2010, the Article 29 Working Party released an opinion on what amounts to applicable law. This opinion confirms that the starting point should always be to consider the "context of activities" of the establishment, as this is important for understanding the overall structure of a corporate group and whether, for example, its UK arm operates as the central decision-making hub or the US parent company acts as the control room for the global affiliates. Therefore, context is key.
The UK regulator (the Information Commissioner's Office) adds to this and makes it clear that while organizations may have a duty (legally or otherwise) to co-operate with requests from non-UK law enforcement agencies, there is no blanket exemption that can be relied upon, so organizations must treat each request carefully. In particular, the ICO advises that:
In certain circumstances you will be able to send some personal data to the authorities or other parts of your own organisation in another country where the authorities in that country have requested it. How far you may do so will depend on the nature of the request. You will need to consider these cases carefully.
Between a "rock and a hard place"?
This is a growing problem, and the sector in which an organization is regulated may change its appetite for risk. If faced with a US subpoena to disclose information that may be "supported" by an obligation under the Office of Foreign Assets Control (OFAC), the Foreign Account Tax Compliance Act (FATCA), or the Patriot Act 2001, organizations must treat each request individually and have controls in place to ensure that a request made to a US part of the business does not automatically result in the disclosure of non-US personal data without an analysis of the merits and legitimacy of doing so.
Organizations are routinely grappling with this issue, and will often weigh the risk of breaching EU privacy laws (e.g. the associated fining powers) against the risk of not complying with US reporting obligations (which carry fines that are often substantially higher than those in the EU). However, in the wake of Prism, and in light of the proposed changes to the Directive (which will bring with them increased powers to fine), the pendulum may well swing in the coming months and years.
In order to navigate through this web of different compliance requirements, we would strongly advocate that businesses consider the following:
Data Map: undertake a data mapping audit to identify where personal data flows across the business (both employee and customer personal data), so that a picture is developed that will form the basis for understanding the controls to put in place.
Analysis of Control: understand the controls and procedures that are already in place across the organization to deal with the processing of personal data, and analyze which entities are "controlling" data and which are merely "processing" on behalf of the controlling center.
Applicable Law: once you have a clear picture of what data is processed and where, you should be able to understand which laws apply to your business and whether there are any possible areas of conflict.
Governance Structure: ensure you have a governance structure that deals with how data might be disclosed, and the process that should be followed to prevent compliance with one law at the expense of another.
Responding to Requests: implement a policy for responding to requests.
This is clearly a "watch this space" environment, and with changing laws and proposed amendments to the Directive, there is a clear appetite to bring clarity to this area -- especially in light of Prism.
User Rank: Exabyte Executive 12/22/2013 | 6:16:12 PM
Re: 5 steps to fewer headaches Practicing risk management can prevent you from the vulnerabilities of emerging security threats and risks. Data security and breaches are now a well-known fact. The large number of data breaches still exists with little public knowledge.
User Rank: Petabyte Pathfinder 11/18/2013 | 11:45:45 AM
Re: 5 steps to fewer headaches Just as laws on a variety of offenses and matters vary from country to country, as would data and privacy laws. But for laws where anyone, anywhere can potentially be affected, I would think that changes things. Having a universal law on it though? I doubt that will happen.
User Rank: Blogger 11/14/2013 | 8:23:58 AM
Re: 5 steps to fewer headaches @Saul I see what you're saying, though I got the impression that is precisely what the EU wishes to avoid with respect to data privacy laws. The selling point of one law equally enforced everywhere is the major selling point for the new guidelines.
As for things like smoking, I suppose that may always be subject to regional differences. New York City, for example, has grown more and more restrictive about smoking, banning it in bars and public parks. But I'm sure there are states where that is not the case.
User Rank: Blogger 11/14/2013 | 5:46:54 AM
Re: 5 steps to fewer headaches If only it were ever that simple @Ariella! Taking the smoking ban into consideration - the pubs in London don't smell of smoke anymore, they smell of stale beer.
But walk down a busy street in Berlin and you will see bars billowing with smoke.
Businesses are always going to exploit their local advantages.... so a start-up in a nation which takes the EU rulings with a pinch of salt is likely to take advantage of that fact, only for it to scupper them as they scale up.
User Rank: Blogger 11/14/2013 | 5:44:05 AM
Re: After the audit Ahhhh that makes sense @legalcio - what if two of your clients get each other in their sights? Could be tricky. Still, I can already imagine the banner ads for legal services which should be following you if you have been researching cloud-based solutions.