By Bridget Treacy and Maureen Cooney

Stories concerning the theft of data are commonplace across Europe and the United States. Consumers worry about the security of their data held domestically, and increased awareness of security vulnerabilities fuels concerns over security breaches in offshore locations, where consumers may feel that they have even less control over their data. Some stories are motivated by a genuine concern to protect consumers, while others are the result of concerted attempts to undermine off-shoring and outsourcing markets. Whatever the motivation, these stories still attract adverse publicity for the businesses involved, serving as a reminder of the significance of data protection and information security in an outsourcing context — particularly where data are sent abroad.

Businesses make the mistake of overlooking data protection as a significant legal obligation and risk management issue when devising their outsourcing strategy. Too often, data protection is addressed as an afterthought instead of as a primary component of any offshoring plans. There are key data protection factors to consider when planning an outsourcing transaction.

How the EU Data Protection Directive Affects Outsourcing Transactions

The European Data Protection Directive (1995/46/EC) seeks to regulate the processing of personal data by controllers. "Personal data" is broadly defined to mean any information relating to an identifiable natural person. A business' staff records, customer records and supplier details all constitute personal data. The Directive imposes obligations on controllers—the individuals or entities which determine the purposes and means of the processing of personal data. A business will be the controller in relation to its staff, customer and supplier personal data. If that business decides to outsource some of its functions, whether they be IT or business process activities (such as finance, payroll or human resources), there is every likelihood that personal data will need to be transferred to the outsource vendor as part of that transaction. In most (but not all) circumstances, the business transferring its data will remain the controller; this means that, even though the data will be processed by the outsource vendor, the business remains responsible under the law for how those data are processed.

The Data Protection Directive is by no means unique in the way in which it ensures responsibility remains with the business which has collected personal data. A similar emphasis is evident in the approach of other regulators who, invariably, stipulate that the business entering into an outsourcing arrangement remains responsible for the outsourced function. Specifically, this means that the outsource contract must deal adequately with issues of system security and control.

An example of this is the UK's financial services regulator, the Financial Services Authority (FSA), which states very clearly in its guidance that the businesses it regulates cannot contract out their regulatory obligations and must supervise outsourced functions. Material outsourcing arrangements must be notified to the regulator and all outsourcing arrangements must be the subject of analysis to assess how the outsourced arrangement fits within the business' overall reporting structure, risk profile and ability to discharge its regulatory obligations. Further, the ability to monitor and control operational risk exposure relating to the outsourcing must be specifically covered in the outsourcing contract.

U.S. Privacy Regulation

Similarly, the Federal Trade Commission (FTC) in the U.S., with broad oversight over business activities affecting the U.S. market, and the federal financial services regulators for banks, thrift institutions, securities brokers and other covered entities, take the view that U.S. companies subject to U.S. laws cannot escape their responsibilities under those laws through outsourcing arrangements. In other words, legal accountability for privacy and information security does not shift from the business to the outsourcing vendor.

Consequently, much like the European position, even though data may be processed by an outsourced vendor, compliance with the privacy and information security requirements that exist under U.S. laws remains the responsibility of the business that is the outsourcing organization.

Further, the FTC has advised Congress that its current statutory authority provides sufficient jurisdiction for the FTC to enforce the privacy and information security requirements contained in a range of legislation, including the Children's Online Privacy Protection Act, the Telemarketing and Consumer Fraud and Abuse Prevention Act, the Safeguards Rule and privacy provisions of the Gramm-Leach-Bliley Act (GLBA), irrespective of whether the activity is outsourced to a third party based either locally or abroad.

The extension of the FTC's authority to cooperate across borders on enforcement matters, through recent passage of the U.S. Safe Web Act, could further assist the FTC in exercising enforcement jurisdiction in relation to consumer privacy issues. This could extend to the foreign outsourced activities of a U.S. company, with privacy and information security issues pursued under the unfairness or deception doctrines of Section 5 of the Federal Trade Commission Act.

U.S. federal financial regulators, including the Federal Reserve Board, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation and the Office of Thrift Supervision, regulate each entity under their respective jurisdictions on an enterprise-wide level, regardless of whether individual offices are located within the U.S. or overseas. They also extend their broad regulatory authority to the outsourced activities of a regulated institution.

In 2004, through the Federal Financial Institutions Examination Council (FFIEC), the regulators collaboratively issued joint examination guidance on Outsourcing Technology Services and included examination for privacy risk management. The guidance provides that U.S. financial regulatory authorities will focus their reviews of a business which has outsourced some of its activities on the adequacy of that business' due diligence efforts, its risk management assessments, and the steps taken to manage those risks throughout the lifecycle of the outsourcing process.

In particular, regulators will consider the effect of the outsourced arrangement upon the business' compliance with applicable laws and its ability to access and safeguard critical information. Reviews by the regulators will assess the business' contract provisions and its ongoing monitoring or oversight program, including any internal and external audits arranged by a foreign-based service provider or other outsource vendor.

Data Protection Issues to Consider When Planning to Outsource

Know Your Data

Because the business is likely to remain responsible for the personal data it outsources, and because outsource vendors are well aware of their legal obligations in this context, it is crucial that the business identifies which personal data it processes that is about to be outsourced. A degree of due diligence should be undertaken to establish exactly what those data consist of, how they were collected, the sensitivity of the data, what the business is entitled to do with the data (including considering whether there are any constraints on transferring the data to third parties or abroad), how the data are processed in practice and what security measures are in place.

Outsource vendors should require that their customers warrant the quality of the personal data which are transferred to them and warrant that existing processing activity complies in all respects with the EU Directive, U.S. laws and the domestic legislative equivalents in specific jurisdictions. Frequently, businesses do not know enough about their internal data protection compliance to readily provide such warranties.

Identify Which Data Need to Be Transferred, When and How

The next stage is to consider which personal data need to be provided to the vendor as part of the outsource transaction, determine what the capacity of the parties will be in relation to those data (i.e., controller or processor) and consider how the transfer of the data may be undertaken on a lawful basis.

For companies based in the EU, the transfer must comply with the "fair and lawful processing" principle which, in practical terms, requires the business to satisfy one of a pre-determined list of conditions. Sometimes, in an outsourcing context, compliance with this requirement can be difficult. Further, in setting up an outsourcing arrangement, there might well be two or more stages of data transfer: at due diligence, and at one or more stages after the contract is signed. Different considerations may apply to each transfer of data.

A further complicating factor is raised by the transfer of employees to the outsource vendor. Within the EU, specific regulations based on the Acquired Rights Directive 2001/23/EC govern the terms and conditions upon which employees transfer to a new employer in circumstances where the business activity transfers to a new entity, such as an outsource vendor. The regulations are intended to ensure that employees' rights are protected and that their pay and conditions are not adversely affected as a result of the transfer. In effecting the transfer, employees' personal data will need to be disclosed to the outsource vendor. This disclosure must be undertaken in compliance with the Acquired Rights Directive as well as the Data Protection Directive.

Transfer of Data Outside the EEA and U.S.

Careful thought must also be given to whether any transfer of personal data to the outsource vendor involves the data being sent to a country outside the EEA. Such transfers are prohibited by Article 25 of the Data Protection Directive unless the importing jurisdiction has adequate data protection; several routes exist for making such a transfer lawful, and careful consideration and expert advice should be sought in order to determine which route is the most appropriate for the particular transaction at hand. The particular requirements of individual European jurisdictions vary, and some jurisdictions require that transfers of data to other jurisdictions are notified to individual data protection regulators.

In considering this particular issue, it is important to look at the overall structure of the transaction. Three common scenarios involve either an initial rationalization or transfer of data within the business before the data move to the outsource vendor; data transfers directly to an outsource vendor based off-shore; or a transfer of data to a domestic vendor who subsequently transfers the data to an affiliated or outsourced off-shore operation.

With respect to transfers outside the U.S., financial services regulators emphasize the importance of their examination function and the requirement that their ability to examine a business' books and records, across the organization, should not be impeded. When selecting an offshore vendor, financial institutions must be aware of the existence of any legal impediments in foreign jurisdictions that might prevent financial regulators from having ready access to the books and records of the institution. This includes the ability of the financial institution itself to have full access to documents and to share them with the appropriate regulator upon request.

Vendor Due Diligence and Security

Data protection and security considerations must feature in the initial vendor due diligence, and are required of regulated businesses. This initial due diligence should be supplemented by the exercise of audit rights during the life of the outsourcing agreement so that the business may reassure itself that personal data are lawfully processed and protected by adequate security.

Not surprisingly, it is increasingly common for businesses to impose detailed security obligations on outsource vendors. This is particularly the case for financial institutions and other regulated entities, especially where the outsource vendor operates from outside the EEA or the U.S. The detailed security requirements may cover technical security measures relating to the systems over which data may be transferred, accessed, manipulated and stored, as well as organizational security measures governing access to premises (such as prohibitions on staff use of data storage devices, including iPods and mobile phones).

Contract Terms

For the purposes of compliance with the Data Protection Directive, it is key to establish the capacity in which the outsource vendor will process the data. If the vendor is a mere processor, it will have no obligation to comply with the requirements of the Data Protection Directive and the business must seek to flow down into the outsource contract certain of its obligations as controller. In addition, Article 17 requires the business, as controller, to evidence the processing arrangements by a written contract, to require the vendor to process data only in accordance with the business' instructions, and to ensure that the processor has in place adequate technical and organizational security measures.

Under the Gramm-Leach-Bliley Act, safeguards provisions have similar requirements. The FTC's Safeguards Rule implementing the Gramm-Leach-Bliley Act is now the de facto information security standard for commercial companies, whether or not they are financial entities. Thus, the detailed contractual clauses requiring compliance with EU and U.S. law should be drafted with expert input.

In an outsourcing context it is invariably the case that the vendor will subcontract aspects of the service provision. Contract terms between the business and the outsource vendor should address this possibility and, if permitted, the basis upon which subcontracting may take place. The business must bear in mind that as controller it will retain responsibility at law for the processing of the data, even where the processing is subcontracted or sub-subcontracted. Where the subcontractors are based abroad, it becomes more of a challenge to deal adequately with the data protection requirements; nevertheless, accountability remains with the business that is the outsourcing organization.

Data protection regulators across Europe, and consumer protection and financial services regulators in the U.S., are turning their attention to the issue of the security of outsourced data. Individuals are increasingly aware of their rights and are expressing legitimate concerns for the privacy and security of their personal information. A failure to deal adequately with data protection issues in a systematic manner at the outset of an outsourcing transaction may well result in long-lasting reputational damage in the event of a breach. A focus on data protection issues at an early stage of the outsourcing transaction can minimize risks and promote beneficial and successful outsourcing relationships, preserving the company's reputation, information assets and customer relationships.

This article does not provide a complete statement of the law. It is intended merely to highlight issues which may be of general interest and does not constitute legal advice.

Bridget Treacy (London) and Maureen Cooney are members of the privacy and information management practice at Hunton & Williams. Treacy is a partner in the firm's Global Sourcing and Privacy practices in London and can be reached at +44 (0)20 7220 5700. Cooney serves as Counsel and as a Senior Policy Advisor for Global Privacy Strategies at the firm's Center for Information Policy Leadership in Washington, D.C. and can be reached at (202) 955-1500.