Thank you for sharing!

Your article was successfully shared with the contacts you provided.
As globalization drives more law firms to open offices abroad, the transfer of employees and exchange of data among countries are making it tougher to comply with complex cross-border privacy regulations. Some of the most stringent regulations emerge when data are transferred from the European Union to the United States, a growing portion of many law firms’ operations. The arduous compliance process leads some law firms to ignore the rules, while others are just starting to comply, privacy experts said. The data include information on partners and salaries, as well as company directories. Many U.S. firms are reacting to the European Commission’s Data Protection Directive, which was established in 1998 to help govern the collection, storage and use of personal information. Several privacy experts said they are not aware of any U.S. companies drawing fines as of yet, but warned that many European countries are just starting to toughen up on enforcement. The directive requires companies to take a number of steps to protect personal data, such as registering with a national data-protection authority, providing details about privacy policies and giving employees access to their personnel records. ‘A dangerous strategy’ “It’s been a smart move to get ahead of some of the privacy concerns that have been bothering clients and employees both in Europe and the United States,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center, a Washington research center. “Other companies are flying under the radar hoping not to be caught, but that’s a dangerous strategy.” Companies that have improperly transferred data to the United States have been punished. Last May, a Spanish company, Correduria de Seguros, was fined about $385,000 by Spain’s data-protection authority for transferring personal data without proper consent. The United Kingdom-whose higher courts can impose unlimited fines-is considering a maximum two-year prison term for privacy law violators. “Everyone is waking up to see this is serious business,” said Stewart Dresner, chief executive of Privacy Laws & Business in Harrow, England, which advises multinational law firms on privacy issues. The European Union has deemed that only a handful of countries meet its privacy standards, including Argentina, Canada and Switzerland. In order to bring the United States to the same level, E.U. laws often apply to the transfer of the most mundane data between Europe and the United States, such as company directories. For multinational law firms, the rules can apply in many situations, such as the sharing of information about partners and salaries between U.S. and European offices, said Miriam Wugmeister, a partner in the New York office of Morrison & Foerster who heads the firm’s privacy and security data group. Many European laws are counterintuitive for American human resource officials, said Daniel Cooper, a special counsel to the London office of Covington & Burling who was transferred from the firm’s Washington headquarters in 1998. “U.S. companies simply have H.R. departments that file and forget and end up archiving materials that are no longer relevant, which is in contrast to the European laws,” he said. In Europe, privacy laws mandate that only a small amount of an employee’s personal information be stored at any time, Cooper said. As a result, many parts of an employee’s file that contain personal information must be destroyed after certain periods of time, he said. There are several tools U.S. firms can use to comply to the 1998 E.U. directive, such as self-certifying under the safe harbor agreement. Safe harbor is a set of principles negotiated by European governments and the United States that provides a framework for U.S. organizations to follow E.U. privacy laws. Firms that choose to certify under safe harbor must comply with the agreement’s seven principles. For example, the principle on notices requires the U.S. organization to notify individuals whose data are being collected about why it’s being collected and where he or she could make complaints about the data’s use. But many law firms prefer model contractual clauses, which are preapproved contracts on which the importer and the exporter of data agree, said Donald Dowling Jr., an international employment counsel to White & Case in New York.

This content has been archived. It is available exclusively through our partner LexisNexis®.

To view this content, please continue to Lexis Advance®.

Not a Lexis Advance® Subscriber? Subscribe Now

Why am I seeing this?

LexisNexis® is now the exclusive third party online distributor of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® customers will be able to access and use ALM's content by subscribing to the LexisNexis® services via Lexis Advance®. This includes content from the National Law Journal®, The American Lawyer®, Law Technology News®, The New York Law Journal® and Corporate Counsel®, as well as ALM's other newspapers, directories, legal treatises, published and unpublished court opinions, and other sources of legal information.

ALM's content plays a significant role in your work and research, and now through this alliance LexisNexis® will bring you access to an even more comprehensive collection of legal content.

For questions call 1-877-256-2472 or contact us at [email protected]


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.