Privacy officers face increasing challenges as data protection laws, enacted to protect personally identifiable information (PII), proliferate. At multinational corporations, the situation is especially confusing because compliance requirements vary from jurisdiction to jurisdiction. Protecting PII is important not only because of heightened concern about liability, but also because many customers and employees expect that their personal information will be not be shared or used inappropriately.
A 2002 Harris Poll ("Privacy On and Off the Internet: What Consumers Want," Harris Interactive, Feb. 20, 2002, wwww.harrisinteractive.com/news) revealed 75 percent of adults surveyed are extremely concerned that companies are providing personal information to other companies without permission. The same poll showed that 89 percent of adults surveyed would value having a third party verify that a company does not release customer personal data without permission or unless required by law. So when a company fails to protect that information, it risks having its customers express their dissatisfaction by taking their business elsewhere. And failure to protect employee data can incur problems of its own.
As a result, many privacy officers are seeking tools to help improve PII compliance. One such tool, the data protection audit, is being used with increasing frequency as an effective approach for dealing with the challenge of compliance with data protection laws in multiple jurisdictions.
Penalties and Compliance Costs
Penalties have been assessed in the United States (generally through consent orders) against companies such as ToySmart, Geocities Reverse Auctions.com, and others for allegedly departing from their stated privacy policies in violation of the Federal Trade Commission Act. FTC penalties in at least one instance have gone up to $100,000. And it doesn't necessarily take multiple incidents to get you in trouble. Eli Lilly was penalized for alleged lax security practices that resulted from a single inadvertent unauthorized disclosure of data. Even an FTC investigation that does not result in a proceeding may incur substantial expenditures of corporate funds and effort, as well as negative publicity. Amazon.com settled a class action for $1.9 million, and pending privacy class actions in the United States seek large sums of money.
The European Union nations have assessed many millions of dollars in fines, with the highest to date running about US$900,000. Spain has been particularly vigorous, alone assessing more than 150 penalties just in 1999. In 2001, Spain imposed fines against approximately 500 companies totaling $13 million. Microsoft was fined about $40,000 by the Spanish data protection authority. Canada last year launched some 1,700 investigations and found many violations across the spectrum of commerce. In other nations privacy enforcement authorities have stated that they are just getting started, and expect enforcement to increase markedly.
Apart from potential penalties, the costs of compliance with varying rules governing PII can also quickly add up. According to the May 7, 2001, AEI-Brookings Joint Center for Regulatory Studies white paper, "An Assessment of the Costs of Proposed Online Privacy Legislation," by Robert W. Hahn, and commissioned by the Association for Competitive Technology, compliance with proposed data privacy protection laws would cost most companies at least $100,000 each just to develop the appropriate software and hardware systems to track how customers' PII is shared. According to that same white paper, compliance is expected to cost American businesses as much as $36 billion.
Cross-Border Data Transfer Laws
Transferring PII internationally in the face of cross-border restrictions has emerged as a major challenge. White & Case LLP recently conducted a survey that summarizes cross-border transfer laws for 22 commercially significant jurisdictions. That survey found that 11 of the jurisdictions treat cross-border data transfers differently from domestic transfers, and five more jurisdictions have laws proposed or pending that would treat cross-border data transfers differently from domestic transfers. In particular, 12 of the jurisdictions impose restrictions of various kinds on moving personal data across borders, and five others would do so under proposed or pending new laws. Of the nations surveyed, only China, Japan, and the United States permit such data transfers generally unimpeded.
A good example of the diversity of these laws can be found within the European Union. While EU member states must all conform to the EU Data Protection Directive, their implementation statutes differ from nation to nation. Moreover, their national data protection authorities differ markedly in their interpretation of the law.
Even the most routine cross-border transfers can cause problems for an enterprise, such as sharing business contact information among its own business units. The most widely accepted basis for permitting transfer, regardless of jurisdiction, is the data subject's consent. But in some jurisdictions even consent is unacceptable for employee data because of the employer's leverage inherent in the employment relationship. Thus, there appear to be no easy "outs" for the multinational confronted with getting its PII to the United States from some other nations.
So far, no jurisdiction seems to have imposed the one type of civil penalty most likely to cripple a U.S. multinational: an order prohibiting it from exporting its data to the United States. The effect of such an order could be devastating. The more prudent multinationals want to comply with data protection laws in an efficient and coordinated manner. It's just not obvious to them how to do it, given the constantly evolving legal landscape to which these companies must adapt and readapt. The sixty-four-dollar question is, just what single or segmented set of practices should a multinational adopt to lawfully and efficiently transfer its PII from various other nations to the United States?
The Role of Data Protection Audits
The answer may lie with a data protection audit. In a data protection audit, knowledgeable people in the pertinent jurisdictions summarize the laws. The company's data protection policies and practices are also summarized; if the company has no policy, the audit will promulgate one. The audit also analyzes the procedures used in processing PII, and it suggests modifications. The work-product of the audit is a set of revisions to the policies and procedures to bring them into conformity with the laws of the pertinent jurisdictions. This audit will impose on the company's policies and practices a certain discipline that would be lacking in a less diligent review. More importantly, it provides a framework for making the many comparisons that must be made among law, policy, and procedures.
There are two keys to an effective data protection audit. The first is ready access to the law in each pertinent jurisdiction. The second is a single framework suitable for portraying (1) the law, (2) the policy, and (3) the company's collection and processing procedures. The same framework should be used for portraying all three to permit facile comparisons. With ready access to the law and a good framework, a company can perform a data protection audit that will focus on critical issues without being trapped in the inefficient wheel spinning inherent in less effective, less organized, and less precise methods. In short, a well-organized data protection audit can help transform chaos into order.
The question of how best to protect PII without strangling commerce will not be resolved overnight. It appears that tougher restrictions will be enacted in the United States and elsewhere over the next few years. A surprisingly large number of companies are still "solving" this compliance problem by ignoring it. They effectively put their heads in the sand hoping it will all go away — even now, with the scope of the problem beyond denial. For many of those companies this will be a solution of short duration — until they change their game plan or get caught.
In this environment, a company's long-term viability will depend on its ability to conform to the ever-changing legal landscape while simultaneously keeping its customers and employees reasonably satisfied as to the degree of protection accorded their PII. A data protection audit is a major step in that direction.
David Bender is counsel with White & Case in New York, where he regularly advises multinational clients concerning compliance with data protection requirements. He is also a member of IAPP. For more information about cross-border data transfer laws or data protection audits, contact (212) 819-8200 or