I’m often asked by my international clients to review their privacy statements. These clients operate in many jurisdictions and so, naturally, many of them want one consolidated privacy statement that satisfies every country in which they operate. And they come to me to make sure they have a thumbs up in Canada.
The problem I’m starting to see with this approach is that policies for international organizations now have rather large sections explaining specific privacy rights for certain people. Of course, if you say that one group of people have certain rights, by implication, you’re also saying that if you’re not within that jurisdiction then you can’t avail yourself of those rights. This is problematic because every jurisdiction provides some rights that overlap with others, but sometimes the rights uniquely belong to only one jurisdiction.
It takes a lot of wordsmithing to make this work in practice.
One way is to have specific riders for each jurisdiction. But this can be cumbersome and result in a very long privacy statement filled with mostly irrelevant and often confusing information to the average reader. And one might question whether this approach, with the best of intentions, would satisfy the need to obtain meaningful consent.
Another way is to try and map out all obligations applicable to the organization and simply take the high road. I have to admit I’m a fan of this way of doing things, both as a privacy practitioner-sometimes advocate and someone who prefers simplicity and clarity. Whether it is the EU General Data Protection Regulation, the California law or PIPEDA that creates the privacy right, one could argue that it’s actually easier and more streamlined to just make the rights available to all the people that your organization services. Regardless of their specific jurisdiction of residence.
There’s no easy or one-size-fits-all solution out there. These are some of the issues our regulators should recognize we’re grappling with, trying to do the right thing for everyone concerned. I do think that as more and more countries (and states and provinces) pass their own laws and as online commerce continues to remind us of our new absence of borders, this problem is only going to get more cumbersome to deal with. I suggest reading up is a way of simplifying life, as opposed to reading down. You’re going to have to take a hardline in certain areas anyway, so why not engender the trust, appreciation and loyalty that can come from this approach?
How about you? Are you grappling with this issue and if so, how are you approaching it? Do you have a magical way of dealing with this challenge?