David Bender

Privacy officers face increasing challenges as data protection laws, enacted to protect personally identifiable information (PII), proliferate. At multinational corporations, the situation is especially confusing because compliance requirements vary from jurisdiction to jurisdiction. Protecting PII is important not only because of heightened concern about liability, but also because many customers and employees expect that their personal information will not be shared or used inappropriately.

A 2002 Harris Poll ("Privacy On and Off the Internet: What Consumers Want," Harris Interactive, Feb. 20, 2002, wwww.harrisinteractive.com/news) revealed 75 percent of adults surveyed are extremely concerned that companies are providing personal information to other companies without permission. The same poll showed that 89 percent of adults surveyed would value having a third party verify that a company does not release customer personal data without permission or unless required by law. So when a company fails to protect that information, it risks having its customers express their dissatisfaction by taking their business elsewhere. And failure to protect employee data can incur problems of its own.

As a result, many privacy officers are seeking tools to help improve PII compliance. One such tool, the data protection audit, is being used with increasing frequency as an effective approach for dealing with the challenge of compliance with data protection laws in multiple jurisdictions.

Penalties and Compliance Costs

Penalties have been assessed in the United States (generally through consent orders) against companies such as ToySmart, Geocities, Reverse Auctions.com, and others for allegedly departing from their stated privacy policies in violation of the Federal Trade Commission Act. FTC penalties in at least one instance have gone up to $100,000. And it doesn't necessarily take multiple incidents to get you in trouble. Eli Lilly was penalized for alleged lax security practices that resulted in a single inadvertent unauthorized disclosure of data. Even an FTC investigation that does not result in a proceeding may incur substantial expenditures of corporate funds and effort, as well as negative publicity. Amazon.com settled a class action for $1.9 million, and pending privacy class actions in the United States seek large sums of money.

The European Union nations have assessed many millions of dollars in fines, with the highest to date running about US$900,000. Spain has been particularly vigorous, alone assessing more than 150 penalties just in 1999. In 2001, Spain imposed fines against approximately 500 companies totaling $13 million. Microsoft was fined about $40,000 by the Spanish data protection authority. Canada last year launched some 1,700 investigations and found many violations across the spectrum of commerce. In other nations privacy enforcement authorities have stated that they are just getting started, and expect enforcement to increase markedly.

Apart from potential penalties, the costs of compliance with varying rules governing PII can also quickly add up. According to the May 7, 2001, AEI-Brookings Joint Center for Regulatory Studies white paper, "An Assessment of the Costs of Proposed Online Privacy Legislation," by Robert W. Hahn, and commissioned by the Association for Competitive Technology, compliance with proposed data privacy protection laws would cost most companies at least $100,000 each just to develop the appropriate software and hardware systems to track how customers' PII is shared. According to that same white paper, compliance is expected to cost American businesses as much as $36 billion.

Cross-Border Data Transfer Laws

Transferring PII internationally in the face of cross-border restrictions has emerged as a major challenge. White & Case LLP recently conducted a survey that summarizes cross-border transfer laws for 22 commercially significant jurisdictions. That survey found that 11 of the jurisdictions treat cross-border data transfers differently from domestic transfers, and five more jurisdictions have laws proposed or pending that would treat cross-border data transfers differently from domestic transfers. In particular, 12 of the jurisdictions impose restrictions of various kinds on moving personal data across borders, and five others would do so under proposed or pending new laws. Of the nations surveyed, only China, Japan, and the United States permit such data transfers generally unimpeded.

A good example of the diversity of these laws can be found within the European Union. While EU member states must all conform to the EU Data Protection Directive, their implementation statutes differ from nation to nation. Moreover, their national data protection authorities differ markedly in their interpretation of the law.

Even the most routine cross-border transfers can cause problems for an enterprise, such as sharing business contact information among its own business units. The most widely accepted basis for permitting transfer, regardless of jurisdiction, is the data subject's consent. But in some jurisdictions even consent is unacceptable for employee data because of the employer's leverage inherent in the employment relationship. Thus, there appear to be no easy "outs" for the multinational confronted with getting its PII to the United States from some other nations.

So far, no jurisdiction seems to have imposed the one type of civil penalty most likely to cripple a U.S. multinational: an order prohibiting it from exporting its data to the United States. The effect of such an order could be devastating. The more prudent multinationals want to comply with data protection laws in an efficient and coordinated manner. It's just not obvious to them how to do it, given the constantly evolving legal landscape to which these companies must adapt and readapt. The sixty-four-dollar question is, just what single or segmented set of practices should a multinational adopt to lawfully and efficiently transfer its PII from various other nations to the United States?

The Role of Data Protection Audits

The answer may lie with a data protection audit. In a data protection audit, knowledgeable people in the pertinent jurisdictions summarize the laws. The company's data protection policies and practices are also summarized; if the company has no policy, the audit will promulgate one. The audit also analyzes the procedures used in processing PII, and it suggests modifications. The work-product of the audit is a set of revisions to the policies and procedures to bring them into conformity with the laws of the pertinent jurisdictions. This audit will impose on the company's policies and practices a certain discipline that would be lacking in a less diligent review. More importantly, it provides a framework for making the many comparisons that must be made among law, policy, and procedures.

There are two keys to an effective data protection audit. The first is ready access to the law in each pertinent jurisdiction. The second is a single framework suitable for portraying (1) the law, (2) the policy, and (3) the company's collection and processing procedures. The same framework should be used for portraying all three to permit facile comparisons. With ready access to the law and a good framework, a company can perform a data protection audit that will focus on critical issues without being trapped in the inefficient wheel spinning inherent in less effective, less organized, and less precise methods. In short, a well-organized data protection audit can help transform chaos into order.


The question of how best to protect PII without strangling commerce will not be resolved overnight. It appears that tougher restrictions will be enacted in the United States and elsewhere over the next few years. A surprisingly large number of companies are still "solving" this compliance problem by ignoring it. They effectively put their heads in the sand hoping it will all go away — even now, with the scope of the problem beyond denial. For many of those companies this will be a solution of short duration — until they change their game plan or get caught.

In this environment, a company's long-term viability will depend on its ability to conform to the ever-changing legal landscape while simultaneously keeping its customers and employees reasonably satisfied as to the degree of protection accorded their PII. A data protection audit is a major step in that direction.

David Bender is counsel with White & Case in New York, where he regularly advises multinational clients concerning compliance with data protection requirements. He is also a member of IAPP. For more information about cross-border data transfer laws or data protection audits, contact (212) 819-8200 or
