Data Privacy

The European Union Directive on Data Privacy
and Its Impact on Global Information Systems in
US Corporations

“...the Directive could have far-reaching effects on business practices within the United States...organizations
that have not paid close attention to data protection laws may suffer rude shocks when their standard practices
turn out to violate European Law.”

Peter Swire and Robert Litan, “None of Your Business: World Data Flows, Electronic Commerce, and the European
Directive”
Executive Summary

The European Union (EU) Directive on Data Privacy (The Directive) went into effect on October 25, 1998. The
Directive governs the movement of data between EU Member States and countries having both “adequate” and
“inadequate” levels of data protection regulation. Currently, the United States is likely to be categorized as offering
“inadequate” protection under The Directive.

After The Directive goes into effect, US companies may be prevented from processing personal data (information about
their employees, customers, or suppliers) in the US if it relates to EU employees, customers, or suppliers. This includes
processing of European data on a file server which resides in the US or any access to EU data from the US. It is not
limited to electronic data and includes manual reports. US companies face penalties that could include suspension of
business in EU Member States and the risks of lawsuits.

 The Directive includes a number of alternate means to address these issues, and US companies should seek advice in
 implementing the appropriate measures. Doing nothing is not an option.


In 1995, the Council and Parliament of the European Union adopted Directive 95/46/EC to harmonize the protection
of data privacy. The Directive had a three-year transition period, by which time it had to be implemented into the
national laws and regulations of each member bound by the European Community Treaty. The implementation date was
October 25, 1998.

 The fifteen Member States of the European Union are Austria, Belgium, Denmark, Finland, France, Greece, Germany,
 Ireland, Italy, Luxembourg, the Netherlands, Portugal, Spain, Sweden, and the United Kingdom. Both for practical
 reasons and because of treaty or association agreements, many other European nations have already adopted data
 privacy legislation. Other nations, both within Europe and in other regions of the world, are likely to look to The
 Directive as a model.

 Most of the EU Member States, with the exception of Greece and Italy, already have data privacy legislation and will
 therefore be making amendments to their current laws to comply with The Directive. It is anticipated that all Member
 States will have implemented The Directive by the end of 1999.

 •   Sweden recently passed legislation into its national data protection laws to be in compliance with The Directive.
•   The United Kingdom’s new Act received Royal Assent on July 16, 1998, with the UK parliament announcing that
    there will be a delay in transposing The Directive into the secondary legislation required to support it. The Act
    will not be fully effective until January 1999.
 •   Belgium, Denmark, and Finland have legislative processes for amendments to their statutes in progress that are
     expected to be completed soon.
 •   Greece and Italy have recently passed legislation based on The Directive, although their administrative institutions
     and detailed regulations are not yet in place.
 •   Austria, France, Germany, Ireland, Luxembourg, the Netherlands, Portugal, and Spain are not expected to have their
     amendments in place until the 1st or 2nd Quarter of 1999. In Germany, the process could take even longer, as it is
     anticipated that the socialist government will make structural changes to the current enforcement agencies.


The general objectives of European data protection laws are to ensure economic and social progress by common
action to eliminate the barriers which divide Europe, while respecting the fundamental rights and freedoms of its
citizens. These rights include the right to privacy, the right to contribute to economic and social progress, the right to
trade expansion, and the right to nurture the well-being of individuals. The European focus is on the protection of
privacy as a fundamental and civil right, best guaranteed by legislation and enforced by national protection agencies.

This is in contrast to the approach adopted in the US, where the attitude of the current administration is that data
privacy and protection should be achieved by industry self-regulation, rather than by legislation or federal policing. This
is one of the reasons why the US is unlikely to pass the adequacy requirements.

Data Privacy Elements Highlighted by The Directive

•   Processing of personal data is defined as any operation performed upon information relating to an identified or
    identifiable natural person (data subject), whether or not by automatic means, such as collection, recording,
    organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, or
    dissemination.
•   Provisions are included to ensure that personal data being transferred to non-EU countries is adequately protected.
•   There are rules for the processing of special personal data, i.e., racial or ethnic origin, political opinions,
    religious or philosophical beliefs, trade union membership, health or sex life, and criminal convictions.
•   A distinction is drawn between the concept of a “data controller” (who is responsible for determining how data
    will be processed and used), and a data processor (who acts under the direction of the data controller). This
    distinction exists even if these are both entities within the same corporation.
•   It is the responsibility of the data controller, and in some cases the processor, to comply with data protection
    rules.
•   The data controller will be subject to the laws of the member country in which it is established, or in which it
    collects or processes the data.
•   There may be the need for “specific consent” from the individual to process certain types of data.
•   There may be a requirement for anyone collecting or processing data to provide detailed information about the uses
    to which data will be put.
•   There may be a requirement for a contract between the controller and the processor of the data.
•   Manual records are now within the scope of data protection, although existing manual files may not be fully
    subject to the law for up to 10 years.

Data Transfer

 Article 25 of The Directive allows the transfer of data to third countries, provided the country in question
 demonstrates an “adequate level of protection.” Adequacy has been defined by the EU in terms of the existence of
 national data protection laws and a national agency to enforce such laws. Although there are ongoing discussions for
 alternate mechanisms, the US does not have such measures and so is unlikely to be given the adequacy status required
 to permit the transfer of personal data from EU countries into the US.

The international transfer of personal data may only take place freely when the country of destination guarantees a
level of protection similar to that offered by the sender’s legal status. There is currently no list of countries defined
as adequate, even though there are over 20 countries that currently have privacy laws. These include such non-EU
countries as Australia, Canada, Hong Kong, Hungary, Israel, New Zealand, the Czech Republic, Iceland, Norway, Slovakia,
Switzerland, Slovenia, and Taiwan. For any country defined to be inadequate (including the US), the transfer of data
could be deemed to be illegal after October 25, 1998.

 Article 26 of The Directive allows for transfers to countries that do not pass the adequacy test in the following cases:

 •   Consent by the data subject (although there is considerable speculation on the nature of the disclosure and form
     of consent required for proof of unambiguous consent);
 •   Performance of a contract with the data subject, or steps taken at the data subject’s request to enter into a contract;
 •   Performance of a contract with a third party in the data subject’s interest (e.g., an intermediary in processing
     payments or deliverables);
 •   Legal requirements or the exercise or defense of legal claims;
 •   Protection of the vital interest of the data subject;
 •   Transfer from a public register, subject to the associated conditions; and
 •   Contractual or other adequate safeguards to protect the privacy of the data despite the lack of public law on data

 However, when a Member State grants authority for data transfer to third party countries under the contractual
 safeguards provisions of Article 26, it must notify the European Commission and the other Member States, which can
 object to the transfer.

Many countries do not have uniform protection in all economic sectors; for instance, many countries have data
protection laws in the public sector but not in the private. This is exemplified in the US where specific laws exist in
certain areas, such as credit reporting and video rental records, but not in others. A further difficulty arises in
countries that have federal constitutions such as the US and Canada, where differences often exist among the various
states that make up the federation.

Other Provisions

•   With few exceptions, Article 8 of The Directive generally prohibits the processing of personal data revealing one or
    more of the following:
        -   Racial or ethnic origin;
        -   Political opinions;
        -   Religious or philosophical beliefs;
        -   Trade-union membership;
        -   Health or sex life; or
        -   Criminal convictions.
•   Article 17 requires that the processor of information must be governed by a contract or a legal act binding the
    processor to the controller.
•   Under Article 4, the data controllers are responsible for complying with the applicable laws where multiple
    countries are involved, but it is the law of the data controller that will apply in matters concerning trans-border
•   A “Working Party” set up under Article 29 acts in an advisory capacity to the EU as a discussion forum for
    common issues among the national officials and the Commission.
•   A committee established by Article 31 serves as a political check on any regulatory measures that might be
    adopted by the Commission on recommendations from the Article 29 Working Party. The actions and decisions
    of the Article 31 committee are binding on the Member States.
•   A Directorate General XV (DG XV) at the European Commission ensures that the Member States are complying
    with The Directive.

     Exceptions and Other Processing Conditions
     • Consent (explicit consent) – a Member State can choose to forbid certain kinds of processing of sensitive data
        even with consent
     • Obligations under employment law – when the national law also provides for adequate safeguards
     • Vital interests of the data subject – when the data subject is not capable of giving consent
     • Non-profit organizations – when carrying out their political, religious, or union activities, but not including
        their disclosure of data to third parties without consent
     • Information made public by the individual
     • Health care – when processing is required for preventative medicine, diagnosis, or treatment by a professional
        who is subject to professional secrecy laws or rules
     • Other exemptions under national law – these must be established by Member States under notification to
        the European Commission
     • Criminal history information – may only be processed by the authorities or subject to specific safeguards
        under their national law, again under notification to the European Commission
     • Civil and administrative judgements – Member States may choose to limit processing
     • National identification numbers – to be used only as directed under national law


Under the terms of the European Community treaty, European law takes precedence over domestic law, and The
Directive is therefore enforceable by all members of the EU. Compliance, however, will be tested by each of the individual
laws of each country. Given the flexibility The Directive allows, it is anticipated that each country will interpret the
data protection laws in its own way.

There has been no opportunity to establish legal precedent for The Directive since its enactment on October 25, 1998,
and so it is difficult to determine how the courts will interpret it. US companies are therefore only able to implement
solutions to minimize rather than eliminate the risk. It is clear from the dialogue between the US and the EU that
companies must act responsibly to recognize the EU stance on data privacy and that doing nothing is not an option.

A US company must also recognize that the way forward in globalization is not to circumvent The Directive,
but to recognize the differences and the influences of geographic cultures and their social infrastructure, which are
fundamental components of any global information system.

The initial action that may be taken to ensure compliance is the blocking of all data transfers by the non-compliant
company. Any Member State, data protection authority, or the EU itself may prohibit the transfer. In addition,
non-compliant companies can also anticipate private suits and/or negative publicity.

The penalties will depend upon the nature of the personal rights affected, the volume of data concerned, profits
obtained, intent, repetition of the infringement, and the local data protection laws. The data protection agencies
generally do not act of their own accord, and will only take action if a data subject submits complaints.

Protection of data can be affected by the security policies applied by companies and also by the security features of
software used to process data. Weak or inadequate security measures may further exacerbate the situation and
encourage data protection authorities to adopt a more rigid approach.


Review of The Directive’s legal requirements indicates that it affects all sectors of industry where personal data is
gathered and processed, whether by electronic means or not. This includes human resources, auditing and accounting,
business consulting, call centers, financial services, the press, non-profit organizations, educational institutions,
non-EU governments, pharmaceutical research, business and leisure travel, telephone networks, Internet service providers,
direct marketing, and information technologies.

The Directive treats privacy as a basic human right, and seeks to protect individuals against violations of that right. On
the international level, The Directive makes it clear that third countries seeking to do business with the EU must
respect The Directive’s protection of its subjects.

 The Directive could have far-reaching effects on business practices within the US and other third countries (countries
 not part of the EU). Mainframes and web sites in the US might be cut off from data from Europe. A range of marketing
 and management practices that are now routine in the US might be disrupted.

There is also further concern that data protection rules, such as The Directive, can have the effect of excluding firms in
the US and other third countries from the European market. A potential way to comply with some of The Directive’s
requirements is to move data processing operations, and the accompanying jobs, into Europe. This is unlikely to be an
attractive option for many organizations.

Although some Member States have long had legal restrictions on trans-border data flows, The Directive will have
significant effects on US and other non-EU organizations in the following ways:

•   Limits on trans-border flows will obviously affect international and global companies more than entirely domestic
    ones, as only international actions involve the rules on transfers. Companies based in Europe will design their data
    processing operations for the local conditions, and thus more routinely take The Directive into account. Companies
    based elsewhere often will not establish their internal processing procedures with European regulations clearly in
•   The central processing operations of US companies will often be based in the US. Management decisions will be made
    there, and managers expect to have access to the underlying information needed for decisions. The restrictions on the
    flow of personal information from Europe to the US will have significant impact in this respect.


The Directive sets out certain procedures which can be followed in countries whose data privacy laws do not meet
the adequacy test. These include contracts between a parent company and its subsidiary, supplier, and/or customer;
consent from employees; and codes of conduct. More recently, the approach of “safe harbor” under Article 25 now
offers an additional solution. These procedures are by no means clearly defined, and there is considerable room for
uncertainty and conjecture on interpretation.

In earlier discussions, the EU downplayed the contractual alternatives to US companies and the US government. But as
the US has made it clear that its fundamental approach is going to be one of industry self-regulation, the Europeans
have now indicated that the notion of a “model contract” may be acceptable under certain circumstances. Currently
there are three organizations that are developing model contracts projects for the flow of data across borders. These
are Privacy and American Business (P&AB), The International Chamber of Commerce (ICC) and The Confederation of
British Industry (CBI).

These contracts have not yet received endorsement since the EU is reluctant to move from its position of protecting
rights by way of legislation rather than by contract. This approach may force contracts that incorporate far-reaching
clauses, which may inhibit the way in which companies do business. The EU does not see the model contract approach
as the solution to all types of personal data flows. The approach may have increased acceptance if used in combination
with other available methods.

Safe Harbor

In recent months, the US Department of Commerce (DOC) has been engaged in informal discussions with the EU
concerning the application of The Directive on US companies. The DOC and the EU believe they are close to agreeing
on a “safe harbor” approach. This would enable US companies to self-certify that they comply with a set of accepted
standards and would therefore be entitled to a presumption of adequacy under Article 25. This would avoid prior
authorization requirements from the national protection agencies. However, it would not prevent those authorities
from investigating a company’s compliance with those standards, nor prevent individuals from filing complaints about
compliance issues.

To qualify for the safe harbor, US companies would have to certify that they had implemented and complied with a set
of data privacy principles. The DOC data privacy guidelines are being used as the model for the proposed principles.
These guidelines may be further defined following the discussions. The EU obtained a mandate from the Member
States to proceed with refining this approach on September 30, 1998. If the safe harbor approach is adopted, it will be
binding on all Member States; however, at this stage, it is not clear whether all the Member States will support this

The principles of the safe harbor approach would include independent investigation of complaints and redress for
injured parties. These enforcement principles may be satisfied by recourse to regulatory bodies, self-regulatory bodies
or by parties outside the EU agreeing contractually to cooperate with the investigations by the national data protection
authorities and to comply with their decisions. It is not yet clear which authority in the US would perform such
enforcement duties, as there are no government agencies or functioning self-regulatory bodies that currently perform
them. The DOC measures are primarily focused on the issues of data privacy on the Internet and in electronic
commerce. Human resources data and other kinds of data processing may not be covered by the self-regulatory
mechanisms. The DOC is therefore encouraging industry to employ contractual as well as institutional alternatives for
satisfying the enforcement principles of data privacy protection.

Consent Forms

In an attempt to comply with data protection legislation, some companies have opted to gather a waiver or statement
of consent from employees and customers authorizing the collection and transfer of their personal data. However,
under Article 7 of The Directive, the consent must be “unambiguously given” and the definition of the “data subject’s
consent” is that it shall be freely given, specific, and an informed indication of his/her wishes. Obtaining consent is a
desirable, but difficult, solution; US companies must ensure that the terms of the consent are framed in such a way that
it authorizes both current and future defined uses to which the data will be put.

Codes of Practice

Codes of conduct or a set of industry standards may be acceptable as a means of complying with The Directive.This is
currently seen as the preferred option by some human resources professionals where the creation of standards for
managing and protecting employee data is seen as a natural step in the development of HR best practices. But the
agreement on a set of codes that will comply with business and industry standards will require extensive discussion
and negotiation.

The Association for International Human Resource Information Management (IHRIM) Committee on Information Use
and Protection is currently producing a set of such standards, with the first discussion draft due for release to its
members at the end of October 1998. This is a first release that will require agreement among IHRIM members before
it can be presented to the EU for informal discussion. No one can predict the reaction of the EU to such a solution,
especially as there are currently no HR self-regulatory bodies in existence and it is not at all clear that
compliance with an industry code will allow the transfer of data to a non-EU country.

Compliance Guidelines

A basic level of compliance can be achieved by following these guidelines, which will assist an organization in evaluating
its data privacy position and enable it to comply with the data privacy regulations.

•   Know what information is being collected: Ensure the organization adopts a proactive approach to personal
    information and performs an audit of all business units to understand what personal data is being collected,
    accessed, transferred, and processed in the US. Determine the purpose of the collection and determine where data
    subject consent may be obtained.

•   Understand specific country regulations under The Directive: Understand the organization’s state of compliance
    with the local data privacy requirements in each of the countries in which the organization conducts business.
    Since data protection may be interpreted differently throughout the EU, it is advisable to adopt a conservative
    approach to the solution selected.

•   Know what to do when any data is being transferred outside the country: Register the data transfer, describe the
    nature of the transfer, and, where necessary, get approval for the transfer from the originating country’s data
    regulator, using the appropriate approach for the data type and business.

•   Know which employees have access to personal data: Audit the company’s existing security systems to ensure that
    all personal data is adequately secured and protected in its use.

•   Ensure customers and employees are aware of their legal rights: Create and communicate a corporate privacy policy
    statement for customers and employees.

•   Stay informed: Work closely with the individual EU Member States’ regulators, legal advisors, and external
    consultants to learn of best practices, regulatory changes, and new legislation.

    About Cedar

     Cedar, Inc. offers industry-leading solutions to help clients maximize their enterprise system investments and more
     effectively manage their overall business. Enterprise service areas are targeted to reflect key strategic initiatives within
     today’s global enterprises, including: enterprise applications for the front-office and back-office; harnessing the power
     of the Internet; and intelligently using knowledge to support business decisions.

Cedar offers the industry-leading solutions to help organizations maximize the return on their enterprise system
investments and drive improved organizational performance. We assist public, private, and not-for-profit sector
organizations with strategy, design, implementation, and support for technology solutions across all enterprise
functions. We are focused on solutions that deliver results to maximize the power of institutional systems and enhance
competitive advantage by connecting constituents and data in a cost effective and service oriented manner. Our
experience, coupled with partnerships with world-class solutions, provides us with unmatched expertise to serve our
clients. We are also closely aligned with premier industry analyst organizations to monitor and shape the trends that
will bring about new levels of business transformation. This report is one example of our commitment to industry
research as a means to assist our clients and partners. We invite you to visit our website at
for continued research news and information.

                            Cedar, Inc.
                 100 East Pratt Street, Suite 1600
                 Baltimore, Maryland 21202 USA
                        Tel: 410 576 1515
                        Fax: 410 752 2879


                  Offices in Principal Cities of the World
