© Sergey Ilin - Fotolia.com
The sweeping effects of globalization continue to transform the economic fortunes of organizations. Companies that were previously content to limit their business operations to the United States are now branching into international markets in an effort to increase their revenues. As clients push into far-reaching markets, they frequently encounter a complex set of international data protection and privacy laws. These laws present a novel challenge to American companies, which enjoy fewer domestic restraints on collecting and storing personal data of employees and consumers. The ability to comply with these laws could be the difference between seizing business opportunities or drowning the enterprise in attorney fees, legal minutiae and lost opportunities.
Data Privacy in the U.S.
Data privacy laws are not alien concepts to American corporations. Contrary to popular belief, laws do exist in the U.S. to help protect certain personal and financial information from unauthorized disclosure. At the federal level, the Gramm-Leach-Bliley Act, or GLBA, requires certain financial institutions to implement appropriate safeguards to protect consumers' confidential information. Other federal safeguards include the Electronic Communications Privacy Act, more commonly known as the Stored Communications Act. The SCA generally protects individuals from the unauthorized disclosure of their emails, social networking posts or other electronic communications by third-party providers.
At the state level, California has implemented an analogue to the GLBA, which restricts financial institutions from sharing or selling "nonpublic personal information" about a consumer without first obtaining her consent. Moreover, a majority of states have enacted breach notification laws, which require organizations to notify consumers when their personal information is compromised.
Data Privacy in Europe
Despite the existence of these and other laws, the approach to data privacy in the U.S. is mostly patchwork and is unmatched by the comprehensive approach taken in some other regions. For example, the data protection regime adopted by the European Union presents unique challenges to even the most sophisticated organizations.
Developed to address the abuses of 20th century despotism, the EU system emphasizes the importance of securing personal information from unreasonable government and corporate intrusions. To guard against such intrusions, the EU member states have enacted laws that curtail unlimited processing, collection and storage of this data. Those laws prevent organizations from processing personal information unless it is done for a lawful purpose and it is not excessive. Furthermore, personal data may not be maintained longer than is necessary and must be properly secured. To safeguard the privacy rights of individuals, "personal information" is broadly construed to include any information that could be used to identify a person, such as the details accompanying an email. Moreover, the collection of sensitive personal data such as race, ethnicity, political beliefs and the like are generally proscribed unless consent is obtained from the data subject.
Beyond these basic data protection principles, certain countries in Europe provide additional safeguards. In Germany, for instance, state governments have implemented their own data privacy provisions that are exclusive of, and in the case of Schleswig-Holstein, more exacting than the federal protection framework. Furthermore, corporate data processing in Germany and certain other European nations must satisfy company works councils, which represent the interests of employees and protect their privacy rights.
Personal Information in Cross-Border Litigation
Another area of complexity facing organizations with respect to the governance of personal information concerns the treatment of that data in European and cross-border litigation. In domestic European litigation, personal data could be subject to discovery if it supports the claims of the parties or a court requires its disclosure. That could place an organization in the difficult position of having to produce personal data that may very well be protected by privacy laws. While legal exceptions do exist for these situations, the person whose data is subject to disclosure may nonetheless seek to prevent its dissemination on privacy grounds. Furthermore, company works councils and data protection officers may also object to these disclosures.
Additional difficulty may arise when addressing international discovery requests that seek personal information. Enterprises whose European offices receive such requests must ensure that the country where the data will be transferred has enacted laws that meet EU data protection standards. Transfers of personal data to countries that do not meet those standards are generally proscribed, with substantial fines imposed for noncompliance.
Certain countries have more stringent rules regarding proposed transfers of personal information. In Italy, for example, personal data transfers are typically prohibited unless consent is obtained from the data subject or the transfer is authorized by the Italian data protection authority, Garante per la protezione dei dati personali. In France, such transfers must satisfy the rules promulgated by the French data protection authority, the Commission nationale de l'informatique et des libertès, or CNIL. Those rules require that the CNIL and the data subjects be notified regarding the proposed data transfer. In addition, disclosures must be limited to relevant information, with appropriate redactions of data that could be used to identify the data subjects.
Despite these and others restrictions imposed by European data protection authorities, organizations are often compelled by U.S. courts to produce personal information without regard to these laws. Acquiescence with a U.S. court order could invite fines and even imprisonment in Europe for violating data protection laws. Yet noncompliance with that order could result in U.S. court sanctions. This scenario presents a difficult dilemma for enterprises stuck in the middle of a cross-border tug-of-war.
Best Practices for Addressing Data Privacy Laws
The first step organizations and their counsel can take to ensuring compliance with data privacy laws is to obtain a better understanding of those laws. U.S. companies operating abroad need to know what privacy laws affect their overseas operations and how to develop a comprehensive strategy to comply with litigation discovery demands that does not run afoul of such laws. This may very well require the engagement of counsel to provide relevant legal advice.
With an understanding of the applicable privacy landscape, companies and their counsel should consider developing a cooperative, proactive approach to managing their information. Such an approach will typically require a corporation's legal and IT departments to work together on myriad legal and logistical issues surrounding information retention. Legal and IT should also develop a process for how the enterprise will address data preservation and production during litigation. Where applicable, works councils and data protection officers should be involved in the process to ensure that data protection laws are properly observed and employee privacy rights are safeguarded.
Companies should also consider the use of enabling technologies to meet company information retention goals while observing data privacy laws. Archiving software, data loss prevention functionality and e-discovery tools are all examples of technologies that together provide the means to protect personal information processed in connection with an organization's information governance strategy.
By following these steps, companies will be better prepared for the challenges of complying with cross-border data privacy laws and the legal traps that are inextricably intertwined with globalization.
Philip Favro serves as discovery counsel for Symantec Corp. He is a speaker, author, blogger and consultant on the challenges that electronic data have imposed on information retention and e-discovery practices and how to address those challenges in legal matters.
This article originally appeared in The Recorder.