Global solution for cross-border data transfers: Making the case for corporate privacy rules.

Author:Wugmeister, Miriam

    Technology has radically changed the manner in which information flows around the world. Global transfers of information are now a common and essential component of our daily lives. Sharing information allows businesses to provide consumers with enhanced services such as 24-hour customer hotlines as well as a greater choice of products and services at lower prices. At the same time, businesses are able to manage their operations in a more cost effective and efficient manner. Countries, in turn, benefit from increased global business investment and activity. All in all, consumers, businesses and governments receive enormous benefits from global data transfers.

    Nevertheless, such transfers are becoming more difficult and costly from a business perspective as more countries adopt privacy laws that, among other things, regulate and limit cross-border transfers of personal information, including transfers to headquarters, affiliates, branch offices or subsidiaries. Typically these laws either explicitly prohibit transfers to other countries unless certain conditions are met or impose regulatory obligations on the organizations transferring the personal information. Many of these laws are enacted in response to growing public concern about the potential and actual misuse of personal information in an increasingly networked economy.

    Privacy laws, however, vary dramatically from country to country. Some countries have enacted comprehensive laws while others have little or no rules in place. For those countries that do have laws in place, the standard of protection provided for in the law, its interpretation and the level of enforcement can vary significantly.

    At the same time, the cross-border limitations are adversely affecting both the quality and choice of products and services that can be offered to consumers on a global basis. Consumers and employees (herein referred to as "individuals") as well as businesses are equally ill served by this patchwork arrangement of cross-border privacy protections.

    As a result, greater attention is being paid to the development and use of global or enterprise-wide privacy rules ("Corporate Privacy Rules") as a way to correct the problems associated with this patchwork of cross-border privacy rules. Under Corporate Privacy Rules, businesses would establish their own set of rules for the transmission of personal information via the Internet. These rules would incorporate internationally accepted principles of fair information practices. If all affiliates are subject to the Corporate Privacy Rules, then a business could freely move information within the entire group, e.g., between headquarters, subsidiaries, branch offices and any affiliated entities.

    The concept of Corporate Privacy Rules is based on the notion of accountability--that is, the organization as a whole assumes responsibility for protecting the data. Corporate Privacy Rules are not a new concept; rather, they are an extension of an approach that has worked successfully in other areas for many years (e.g., enterprise-wide policies in the field of financial reporting and determination of conflicts of interest). The challenge, however, will be to secure the necessary international acceptance and cooperation that will enable businesses to implement Corporate Privacy Rules as a global, rather than a national or regional, solution for cross-border data transfers.

    Two of the major stumbling blocks to the widespread acceptance and use of Corporate Privacy Rules are concerns about the manner in which such rules can be enforced under existing laws and methods to secure the necessary cooperation among the respective enforcement authorities in the event of cross-border disputes or breaches. These stumbling blocks, however, are not insurmountable, contrary to what some in the data protection community might think. As we will explain, there are other laws such as those that pertain to unfair commercial practices which can be used to enforce Corporate Privacy Rules. Moreover, while cross-border cooperation is not easy to accomplish, it is not unprecedented. There are many areas in which government agencies around the world are already collaborating. These existing arrangements could serve as a source or model for cooperation in the privacy area.

    Before addressing the issues of enforcement and cross-border cooperation, this article will provide an overview of the international privacy legislative landscape and the difficulties that arise on a practical level from both a consumer and business perspective. It will then assess the current options available for cross-border transfers, identify the advantages and disadvantages of same, and then discuss how Corporate Privacy Rules can be used to overcome the current difficulties.


    1. Privacy Landscape

      More than sixty countries around the world have laws that regulate the collection, use and disclosure of personal information. (1) Typically these laws cover any personal information pertaining to individual customers, business contacts, consumers, employees and in some cases legal entities. By and large, these laws require that the collection of personal information or establishment of databases containing personal information be publicly disclosed and that these activities be registered with the government or with an independent data protection authority ("DPA"). They also require that individuals whose personal information is maintained by an organization be given notice of, and in certain circumstances the right to consent (or to withhold consent) to, the collection, use and transfer of their personal information, as well as the right to access and correct the information held about them. In addition, organizations must protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction. Growing concerns about data security have resulted in some countries prescribing detailed technical and organizational security measures.

      The laws of some of these nations also require the permission of a DPA to "export" or transfer personal information. These DPAs may refuse permission if the data protection laws of the receiving country are not considered to be as strong as those of the home country. Failure to adhere to these rules may result in civil and/or criminal penalties for the organization concerned.

      Countries or jurisdictions that now have privacy statutes include:

      * Asia: Australia, (2) Japan, (3) Hong Kong, (4) Macau, (5) New Zealand, (6) South Korea (7) and Taiwan; (8)

      * Europe: the 27 European Union (EU) Member States, (9) Albania, (10) Bosnia and Herzegovina, (11) Croatia, (12) Iceland, (13) Liechtenstein, (14) Macedonia, (15) Norway, (16) Russian Federation, (17) and Switzerland; (18)

      * Middle East/Africa: Israel, (19) Mauritius, (20) Tunisia (21) and the U.A.E. (DIFC); (22) and

      * North/South America: Argentina, (23) Canada, (24) Chile, (25) Paraguay, (26) Peru, (27) the United States, (28) and Uruguay. (29)

      Moreover, many other countries are debating or considering privacy legislation, including Barbados, Bolivia, Brazil, China, Costa Rica, Ecuador, India, Jordan, Lebanon, Malaysia, Mexico, Morocco, Pakistan, Panama, Singapore, South Africa, Sri Lanka, Tanzania, Thailand, Trinidad and Tobago, Turkey, the Ukraine, and Venezuela.

    2. Local Compliance Obligations


      The twenty-seven Member States of the European Union (EU) have adopted comprehensive privacy laws based on the 1995 Data Protection Directive (30) (the "EU Directive"). The laws of the members of the European Economic Area (EEA), i.e., Iceland, Liechtenstein, and Norway, provide for very similar requirements, and the laws of neighboring countries such as Albania, Andorra, Bosnia and Herzegovina, Croatia, Macedonia, and Switzerland largely reflect the EU Directive. The Russian Federation has also recently adopted legislation that is similar to the EU Directive.

      Personal information is very broadly defined as "any relating to an identified or identifiable natural person." (31) An identifiable person is one who can be identified, directly or indirectly, taking account of all means that are likely to be reasonably used either by the controller or by any other person to identify the said person. (32)

      According to the EU Directive, personal information can only be processed when one of the following exceptions is met: consent from the individual; contractual necessity (that is, data may be used if necessary for the performance of the contract with the individual); compliance with (local) legal obligations; or the legitimate interests of the entity collecting the personal information outweigh the privacy interests of the individual.

      Asia, Americas, Middle East, and Africa

      Unlike in Europe, the data privacy laws elsewhere around the world vary more widely from country to country, particularly with respect to the processing of certain types of personal information and database registration.

      For example, Hong Kong, Japan, and New Zealand regulate the processing of personal information in all sectors; Australia regulates all sectors of the economy but exempts much of employee data from requirements of its Act; Taiwan and, to some extent, Korea regulate only selected sectors of the economy. (33)

      In the Americas, only a few countries have adopted omnibus data protection laws. Argentina has adopted legislation that is similar to the EU Directive, but it only regulates the collection, use, and disclosure of personal information contained in databases that are shared, (34) Chile regulates the processing and use of personal information by the public and private sectors, and has specific provisions that pertain to the use of financial, commercial and banking data, as well as the use of information by government agencies. (35) Canada regulates the collection, use, and disclosure of personal information by all private sector businesses in the...

To continue reading