{"id":5,"date":"2013-11-10T20:28:52","date_gmt":"2013-11-11T04:28:52","guid":{"rendered":"http:\/\/intersticeconsulting.com\/ibtt\/?p=5"},"modified":"2013-11-17T15:09:09","modified_gmt":"2013-11-17T23:09:09","slug":"does-one-size-fit-all-data-privacy-considerations-in-global-transactions","status":"publish","type":"post","link":"http:\/\/intersticeconsulting.com\/ibtt\/index.php\/2013\/11\/10\/does-one-size-fit-all-data-privacy-considerations-in-global-transactions\/","title":{"rendered":"Does One Size Fit All? Data Privacy Considerations in Global Transactions"},"content":{"rendered":"<p><em>How does a global business grapple with implementing a Data Privacy Policy that addresses the requirements of its largest markets, pursuant to the legislation in each country it transacts business in, which likely includes the toughest restrictions on the collection, use, access, transfer and storage of personal privacy data the business has ever seen?<\/em><\/p>\n<p>We all know personal consumer data is important to the success of most businesses. Being able to target consumers based on personal information such as their known likes, dislikes, previous purchases and other personal identifiers such as address, gender, age, religion, ethnicity, profession, income, and family life is a necessity to the viability and ultimate profitability of the business.
A business that is able to leverage personal consumer information it has collected is able to more successfully target its products and services to specific consumers and create a new revenue stream by sharing the information collected with other businesses, thereby enhancing its ability to succeed.<\/p>\n<p>Where there is no current legislation, the pressure felt by a business to self-regulate by providing consumers a right to access and control their personal data creates a balancing act between the consumer\u2019s right to control their personal data and the business\u2019 desire to use that data to increase its profitability. Consumer confidence and trust on a global basis are already weakened by the fragmentation, legal uncertainty and inconsistent enforcement of data protection legislation. Unfortunately, Data Privacy Legislation covering cross-border transfers is likely to remain without consistent enforcement for the foreseeable future.<\/p>\n<p><strong>Personal Information.<\/strong> There are two categories of personal information that are the subject of most legislation: 1) General Personal Information; and 2) Sensitive Personal Information.<\/p>\n<p>General Personal Information is information that can identify individuals from the data collected or together with other information that is or may be in the possession of the data controller. Sensitive Personal Information is information collected about a person\u2019s racial or ethnic origin, religious beliefs, political opinions, physical or mental health or condition, sexual orientation, criminal convictions or other court proceedings.<\/p>\n<p><strong>Collection and Use of Personal Information.<\/strong> Generally, legislation is aimed at those who control and\/or process the data by restricting the collection and use of personal information.
The processing of such personal data includes collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, transmission, dissemination, alignment, blocking, deletion, and\/or destruction.<\/p>\n<p>It has become an essential business practice in today\u2019s global market to implement a Privacy Policy. The question then becomes: <em>How broadly written should such a Privacy Policy be to protect against potential government violation(s) where there is a myriad of disparate data privacy laws in different countries, and still suit the business needs?<\/em><\/p>\n<p><strong>Data Privacy in the European Union.<\/strong> The European Union (&#8220;EU&#8221;) has one of the most sophisticated and well thought out pieces of legislation on the subject of data privacy, perhaps because this legislation, beginning in the form of the 1995 Directive, has been tested and revamped over a number of years and enforcement has become less fragmented among Member States in the EU.<\/p>\n<p>The US Department of Commerce entered into an agreement for a \u201cSafe Harbor\u201d with the EU in 2000 to ease the administrative burden on US companies doing business with EU consumers. US businesses are able to become \u201cself-certified\u201d under this Program, which is evidenced through compliance with the EU&#8217;s 1995 Data Privacy Directive. The Directive, however, is to be superseded by the tougher General Data Protection Regulation, which will likely be finalized and enacted into law in 2014. Public declaration of compliance with the Safe Harbor is all that is needed to self-certify, which shows intent to adhere to the principles contained in the 1995 Directive and therefore frees the self-certified business from penalties for the transfer of personal data from the EU to the US.
The purpose of the Program was to ease compliance with the Directive, since each EU Member State was permitted to take the underlying principles set out in the Directive and make adjustments to integrate the principles into its own laws, which resulted in inconsistencies and fragmentation, making compliance for businesses operating in both the US and EU difficult and inefficient. The Safe Harbor Program sets the threshold wherein self-certification is the shield for a business against penalties for non-compliance.<\/p>\n<p>Several factors are lowering this shield and businesses should be taking a closer look at whether their Data Privacy Policies are up-to-date. First, in July 2013, the EU Commissioner, Viviane Reding, announced that the European Commission will be reviewing the Safe Harbor Agreement with the US and has promised to provide an assessment of the Agreement in light of the more stringent changes reflected in the current EU Data Privacy reform. If the Safe Harbor is suspended or revoked by the EU then the transfer of personal data outside the EU would be unlawful unless some other lawful method was used, for example, using EU model contracts, or obtaining individual consent, which will be overburdensome and costly for many global businesses.<\/p>\n<p>Secondly, following the NSA scandal which uncovered mass governmental surveillance in June 2013, the EU Civil Liberties Committee has proposed amendments to the EU Data Protection Regulation that would require permission be obtained from the National Data Privacy Authority by any third country requesting the transfer of any personal data processed in the EU to a company outside the EU, including search engines, social networks or cloud providers. The proposed fines for non-compliance could be as high as EUR 100 million or 5% of the company\u2019s annual worldwide turnover.
The proposed amendments would also give the consumer further rights regarding &#8220;erasure&#8221;, which requires explicit consent and sets stiffer limits on the profiling of personal information.<\/p>\n<p>The Plenary vote on these amendments is set to proceed before the end of the current Parliamentary term in May 2014.<\/p>\n<p><strong>Data Privacy Around the World.<\/strong> Since the Safe Harbor applies only to transfer of personal data from the EU to the US, there is no certainty that data privacy policies designed to meet the Safe Harbor will be sufficient to meet the requirements of other jurisdictions. Other countries, where consumer markets are substantial, are currently passing Data Privacy Legislation which throws businesses new compliance hurdles to overcome. Even larger companies with substantial resources already allotted to Data Privacy compliance will likely be impacted and ultimately overwhelmed.<\/p>\n<p>For example, in Canada only three Provinces (British Columbia, Alberta and Quebec) have privacy laws that mirror the Federal Privacy Act and the Personal Information Protection and Electronic Documents Act of Canada, which regulate the collection, use and disclosure of personal information by businesses and other organizations and provide consumers with a general right of access to, and correction of, their personal information.
Other Provinces have not only implemented the Federal Acts but have gone further by enacting privacy laws pertaining specifically to personal health information, consumer credit reporting, financial transactions and the collection and use of personal data.<\/p>\n<p>Also, earlier this year China issued standardized guidelines called the &#8220;Security Technology &#8211; Guide for Personal Information Protection within Public and Commercial Information Systems&#8221; and although this Guide is not legally binding (at this time) it is thought that compliance with the guidelines is prudent as there is no doubt that at some point in the very near future this Guide will become law. The Guide was released by the Standardisation Administration of China with the primary purpose of protecting personal information processed by commercial businesses. &#8220;Personal information&#8221; (in China) is defined as &#8220;computer data that may be processed by an information system, relevant to a certain natural person, and that may be used solely or along with other information to identify such natural person&#8221;. This definition is vague by design. The basic guidelines cover the collection and use of personal information, consent, transfer outside of China, retention and deletion. The guidelines are more stringent with regard to sensitive personal information. Businesses can expect these guidelines, perhaps with some adjustment, to become legislation in the very near future.<\/p>\n<p>Further, in Argentina, Section 43 of the Federal Constitution grants citizens, through judicial action, access to information about them on any database and the right to demand changes, confidentiality or deletion of incorrect data.
The Personal Data Protection Law Number 25,326 provides broader protection of personal data and registration of all databases used for the collection and transfer of personal data with the Argentine Personal Data Protection Agency (Direcci\u00f3n Nacional de Protecci\u00f3n de Datos Personales or &#8220;DNPDP&#8221;). Data controllers must also hire a Head of Security to whom security requirements will apply. Consent is required to collect personal information in all but very limited circumstances. Transfer of personal information out of Argentina requires consent by the consumer, which may be revoked by the consumer at any time.<\/p>\n<p>Both the transferee and the transferor are jointly and severally liable for any breach of data protection obligations.<\/p>\n<p><strong>Other considerations:<\/strong> There currently are many technological roadblocks to a one-size-fits-all solution for global compliance. Many large businesses can establish global hardware and software standards. Smaller companies may simply find sufficient technology at affordable prices to manage Personal Privacy Data. Certainly, businesses will find that the adoption rate for new technology, support and speed differs from country to country. Legal requirements may also differ not only from country to country but also within states and\/or provinces within the same country. For example, in India certain states require hard copies with original signatures be maintained for certain records containing personal data. Also, many countries consider the information collected by cookies to be personal information. The EU ePrivacy Directive, effective May 2012, requires the consent of the consumer for a business to use the information contained in a cookie.<\/p>\n<p>Formulating a Privacy Policy to ensure compliance with the widest range of is difficult and time consuming.
The Policy should differentiate the two categories of personal data (General Personal Information and Sensitive Personal Information). Different types of personal information collected will require different protective measures to be put in place by the business. Understanding the nature of the personal information collected, and identifying the damage that might arise in the event of a breach, is crucial. Further, the business must determine whether the personal information will be transferred from one country to another, or from one company to another company. If the personal information is to be transferred to be used or processed for any purpose or retained by the other company, the business transferring the personal information must review the Privacy Policy of the company accepting the transfer, including contractual assurances with regard to confidentiality, control, access, transfer, deletion and security measures, and monitor continuously for compliance. Consent must be obtained from consumers where necessary, so opt-in choices may be drafted in a clever fashion so as to entice consumers to provide their consent. Significant changes increasing the administrative burden are likely.<\/p>\n<p>The call for global harmonization is present in nearly every country and is unlikely to be reached for many years.
However, it is imperative for businesses to begin implementation of Privacy Policies sooner rather than later in order to be ahead of the impending legislation.<\/p>\n<p>Contact:<\/p>\n<p>Wendy Kennedy or Michelle Berner<\/p>\n<p>(949) 481-0112<\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[],"tags":[],"_links":{"self":[{"href":"http:\/\/intersticeconsulting.com\/ibtt\/index.php\/wp-json\/wp\/v2\/posts\/5"}],"collection":[{"href":"http:\/\/intersticeconsulting.com\/ibtt\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/intersticeconsulting.com\/ibtt\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/intersticeconsulting.com\/ibtt\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/intersticeconsulting.com\/ibtt\/index.php\/wp-json\/wp\/v2\/comments?post=5"}],"version-history":[{"count":3,"href":"http:\/\/intersticeconsulting.com\/ibtt\/index.php\/wp-json\/wp\/v2\/posts\/5\/revisions"}],"predecessor-version":[{"id":30,"href":"http:\/\/intersticeconsulting.com\/ibtt\/index.php\/wp-json\/wp\/v2\/posts\/5\/revisions\/30"}],"wp:attachment":[{"href":"http:\/\/intersticeconsulting.com\/ibtt\/index.php\/wp-json\/wp\/v2\/media?parent=5"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/intersticeconsulting.com\/ibtt\/index.php\/wp-json\/wp\/v2\/categories?post=5"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/intersticeconsulting.com\/ibtt\/index.php\/wp-json\/wp\/v2\/tags?post=5"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}