We all know personal consumer data is important to the success of most businesses. Being able to target consumers based on personal information such as their known likes, dislikes, previous purchases and other personal identifiers such as address, gender, age, religion, ethnicity, profession, income, and family life is a necessity to the viability and ultimate profitability of the business. A business that is able to leverage personal consumer information it has collected is able to more successfully target their products and services to be tailored to specific consumers and create a new revenue stream by sharing the information collected with other businesses, thereby enhancing its ability to succeed.
Where there is no current legislation, the pressure felt by a business to self-regulate by providing consumers a right to access and control their personal data creates a balancing act, between the consumers right to control their personal data and the business’ desire to use that data to increase its profitability. Consumer confidence and trust on a global basis is already weakened by the fragmentation, legal uncertainty and inconsistent enforcement of data protection legislation. Unfortunately, Data Privacy Legislation, for the foreseeable future covering cross-border transfers are likely to remain without consistent enforcement.
Personal Information. There are two categories of personal information that is the subject of most legislation: 1) General Personal Information; and 2) Sensitive Personal Information.
General Personal Information is information that can identify individuals from the data collected or together with other information that is or may be in the possession of the data controller. Sensitive Personal Information is information collected about a person’s racial or ethnic origin, religious beliefs, political opinions, physical or mental health or condition; sexual orientation, criminal convictions or other court proceedings.
Collection and Use of Personal Information. Generally, legislation is aimed at those who control and/or process the data by restricting the collection and use of personal information. The processing of such personal data includes collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, transmission, dissemination, alignment, blocking, deletion, and/or destruction.
Data Privacy in the European Union. The European Union (“EU”) has one of the most sophisticated and well thought out pieces of legislation on the subject of data privacy. Perhaps because this legislation, beginning in the form of the 1995 Directive, has been tested and revamped over a number of years and enforcement has become less fragmented among Member States in the EU.
The US Department of Commerce entered into an agreement for a “Safe Harbor” with the EU in 2000 to ease the administrative burden on US companies doing business with EU consumers. US businesses are able to become “self-certified” under this Program, which is evidenced through compliance with the 1995 EU’s Data Privacy Directive. The Directive, however, is to be superseded by the tougher General Data Protection Regulation, which will likely be finalized and enacted into law in 2014. Public declaration of compliance with the Safe Harbor is all that is needed to self-certify, which shows intent to adhere to the principles contained in the 1995 Directive and therefore freeing the self-certified business from penalties for the transfer of personal data from the EU to the US. The purpose of the Program was to ease compliance with the Directive since each EU Member State was permitted to take the underlying principles set out in the Directive and make adjustments to integrate the principles into their own laws which resulted in inconsistencies and fragmentation making compliance for businesses operating in both the US and EU difficult and inefficient. The Safe Harbor Program sets the threshold wherein self-certification is the shield for a business against penalties for non-compliance.
Several factors are lowering this shield and businesses should be taking a closer look at whether their Data Privacy Policies are up-to-date. First, in July 2013, the EU Commissioner, Viviane Reding announced that the European Commission will be reviewing the Safe Harbor Agreement with the US and has promised to provide an assessment of the Agreement in light of the more stringent changes reflected in the current EU Data Privacy reform. If the Safe Harbor is suspended or revoked by the EU then the transfer of personal data outside the EU would be unlawful unless some other lawful method was used, for example, using EU model contracts, or obtaining individual consent, which will be overburdensome and costly for many global businesses.
Secondly, following the NSA scandal which uncovered mass governmental surveillance in June 2013, the EU Civil Liberties Committee has proposed amendments to the EU Data Protection Regulation that would require permission be obtained from the National Data Privacy Authority by any third country requesting the transfer of any personal data processed in the EU to a company outside the EU, including search engines, social networks or cloud providers. The proposed fines for non-compliance could be as high as EU100 million or 5% of the company’s annual worldwide turnover. The proposed amendments would also give the consumer further rights regarding “erasure”, which requires explicit consent and sets stiffer limits on the profiling of personal information.
The Plenary vote on these amendments is set to proceed before the end of the current Parliamentary term in May 2014.
Data Privacy Around the World. Since the Safe Harbor applies only to transfer of personal data from the EU to US, there is no certainty that data privacy policies designed to meet the Safe Harbor will be sufficient to meet the requirements of other jurisdictions. Other countries, where consumer markets are substantial, are currently passing Data Privacy Legislation which throws businesses new compliance hurdles to overcome. Even larger companies with substantial resources already allotted to Data Privacy compliance will likely be impacted and ultimately overwhelmed.
For example, in Canada only three Provinces (British Columbia, Alberta and Quebec) have privacy laws that mirror the Federal Privacy Act, and the Personal Information Protection and Electronic Documents Act of Canada which regulate the collection, use and disclosure of personal information by businesses and other organizations and provide consumers with a general right of access to, and correction of, their personal information. Other Provinces have not only implemented the Federal Acts but have gone further by enacting privacy laws pertaining specifically to personal health information, consumer credit reporting, financial transactions and the collection and use of personal data.
Also, earlier this year China issued standardized guidelines called the “Security Technology – Guide for Personal Information Protection within Public and Commercial Information Systems” and although this Guide is not legally binding (at this time) it is thought that compliance with the guidelines is prudent as there is no doubt that at some point in the very near future this Guide will become law. The Guide was released by the Standardisation Administration of China with the primary purpose to protect personal information processed by commercial businesses. ‘”Personal information'” (in China) is defined as ‘”computer data that may be processed by an information system, relevant to a certain natural person, and that may be used solely or along with other information to identify such natural person”‘. This definition is vague by design. The basic guidelines cover the collection and use of personal information, consent, transfer outside of China, retention and deletion. The guidelines are more stringent with regard to sensitive personal information. Businesses can expect these guidelines, perhaps with some adjustment to become legislation in the very near future.
Further, in Argentina, Section 43 of the Federal Constitution grants citizens, through judicial action, access to information about them on any database and to demand changes, confidentiality or deletion of incorrect data. The Personal Data Protection Law Number 25,326 provides broader protection of personal data and nd registration of all databases used for the collection and transfer of personal data with the Argentine Personal Data Protection Agency, (Dirección Nacional de Protección de Datos Personales or“DNPDP”). Data controllers must also hire a Head of Security to which security requirements will apply. Consent is required to collect personal information in all but very limited circumstances. Transfer of personal information out of Argentina requires consent by the consumer, which may be revoked by the consumer at any time.
Both the transferee and the transferor are jointly and severally liable for any breach of data protection obligations.
Other considerations: There currently are many technological roadblocks to a one-
size fits all solution for global compliance. Many large business can establish global hardware and software standards. Smaller companies may simply find sufficient technology at affordable prices to manage Personal Privacy Data. Certainly businesses will find that the adoption rate for new technology, support and speed differs from country to country. Legal requirements may also differ not only from country to country but also within states and/or provinces within the same country. For example, in India certain states require hard copies with original signatures be maintained for certain records containing personal data. Also, many countries consider the information collected by cookies to be personal information. The EU ePrivacy Directive, effective May 2012, requires the consent of the consumer for a business to use the information contained in a cookie.
The call for global harmonization is present in nearly every country and is unlikely to be reached for many years. However, it is imperative for businesses to begin implementation of Privacy Policies sooner rather than later in order to be ahead of the impending legislation.
Wendy Kennedy or Michelle Berner