Not long ago, describing a business as “multinational” implied membership in an elite club of the very largest corporations, with billions of dollars in revenues and thousands of employees spread across the globe. The term was generally reserved for companies like Coca-Cola, Ford and General Electric. No more. Now, overnight mail and Internet access enable companies with only a few diversely located employees to qualify. And because the World Wide Web makes virtually all online marketing efforts global, even companies with all of their employees in a single country can find themselves hip-deep in international business.
While the increased mobility of information has made life easier – in some cases, possible – for businesses operating internationally, it has made life tremendously complex for their lawyers. Applying the appropriate nation’s law correctly is especially tricky in the evolving area of data privacy and protection. Cyberspace is renowned for ignoring international boundaries, and it is often quite difficult to determine where data is collected or used. For example, a web surfer in Germany making an online purchase may submit payment information to a website hosted in Canada which forwards the information to a US-based retailer for fulfillment. In such a situation, it is not obvious where the data was “collected,” and the retailer may be confronted with multiple conflicting statutory schemes, each imposing its own strictures on the data. Furthermore, information once collected has a tendency to migrate — even across borders. Rules regarding the use of data may apply poorly to data collected under a different and inconsistent regime. Companies moving information between the US and Europe can find themselves in particularly difficult waters, given the wide legal chasm that separates Europe’s proactive approach to data privacy from America’s more laissez faire attitude.
The European scheme of data protection is ensconced in a European Union directive on the subject. The directive, which recognizes a fundamental right of data privacy, imposes strict limitations on the collection and use of data about individuals absent adequate notice and consent. This is in stark contrast to the United States, which has no uniform approach to the collection of personal data from individuals. The US does have a patchwork of federal privacy laws, mostly covering particular industries (e.g., health care providers) or classes of individuals (e.g., children under 13), but businesses are for the most part free to collect information from individuals without notice, and to use and distribute it without restriction.
At the intersection of these divergent schemes lives the potential for extraordinary confusion and risk. The EU privacy directive has attempted to address the issue by taking an expansive view of the data to which it applies, and prohibiting the transfer of covered data to jurisdictions without commensurate legal protections. American companies can easily run afoul of this scheme simply by using data that originated in, or transited through, Europe. Therefore, US companies with virtually any business connection to EU countries — whether it involves European customers, European employees or European partners — should have at least some understanding of the privacy directive, and its implications here in the States.
B. Scope of the EU Data Privacy Directive
The EU privacy directive, formally known as “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data” (“Directive”) was passed on October 24, 1995, as the Internet was starting to heat up commercially. It does not have the force of law per se, but instead compels member countries (1) to enact their own laws implementing its provisions. Consequently, the laws of the individual member states, while each consistent with the Directive, will differ from each other in material ways. This is significant, because entities processing “personal data” must comply with the laws of any EU country in which equipment processing the data is located, (2) as well as the EU country in which the entity is itself established. It is beyond the scope of this article to delve into the fifteen member states’ individual laws, however, so the Directive shall here serve as a reasonable substitute for them all.
Generally, the Directive applies to “controllers” involved in the “processing” of “personal data.” “Personal data” is defined expansively as “any information relating to an identified or identifiable natural person.” It ostensibly covers everything from an individual’s medical records to the telephone extension at his office. “Processing” pertains to the collection, storage, use, disclosure and destruction of such personal data by wholly or partly automatic means, or by purely manual means if the data is intended to be used in a filing system. Virtually anything that can be done with, or to, electronic data constitutes processing. Finally, “controllers” are any individuals or other legal entities (including governmental authorities) which, alone or with others, “determine[ ] the purpose and means of the processing of personal data.” While there are some narrow exceptions to the scope of the Directive, including the processing of data in criminal law, state security, and purely household contexts, most business-related activity will fall under its aegis. If data was ever made manifest by electrons located on EU soil, no one should feel confident it is beyond the reach of the Directive without a careful reading of its provisions and a thorough understanding of the use and history of the data.
C. Requisite Conditions for Data Collection
Essentially, the Directive provides that personal information may only be collected by another party with the individual’s consent or in light of an overriding interest. This is expressed in the Directive as six situations that justify the “processing” (including collection) of personal information about an individual:
(a) the individual has provided his or her unambiguous consent to such processing;
(b) the individual has entered into a contract which provides for, or anticipates, the processing of the data;
(c) the processing is necessary to fulfill a legal obligation of the individual;
(d) the processing is necessary to protect the individual’s “vital interests”;
(e) the processing is in the public interest, or is being done at the behest of an official authority; or
(f) the processing is necessary to pursue the legitimate interests of the party collecting or using the data, except to the extent those interests may be overridden by the rights of the individual to the privacy of the information about himself/herself.
The first four of these all involve, expressly or impliedly, the consent of the “data subject” whom the information concerns: consent may be express; implied by a contract to which the individual previously agreed; implied by a legal obligation with which the individual must comply; or implied by an interest the individual may be presumed to want to protect. The last two concern interests which may override the individual’s rights: the public interest, or certain interests of third parties. In these latter circumstances, the Directive preserves the right of “data subjects” to object to the collection and use of personal information about them in contravention of their data privacy right. This is wholly consistent with the Directive’s philosophy of the fundamental right of individuals to protect and keep private personal information about themselves.
Recognizing that the fundamental right to data privacy is not the only such right enjoyed by individuals, the Directive permits liberalization of these rules to the extent they are deemed to conflict with, and be outweighed by, interests relating to the freedom of expression. The Directive expressly contemplates “exemptions and derogations” of these strictures where “the processing of personal data [is] carried out solely for journalistic purposes or the purpose of artistic or literary expression. . . .” It is up to individual member countries to determine how conflicts between these rights are resolved. Consequently, one must look to the laws of individual countries to determine, for example, when journalists may be free to disclose “personal data” about the individuals they write about.
The Directive places heightened restrictions on the collection and use of information about an individual’s “racial or ethnic origin, political opinions, religious or political beliefs, trade-union membership . . . health or sex life.” With respect to these particularly sensitive topics, personal data about an individual can be processed only if:
(a) the individual has provided his or her consent, if the laws of the country recognize it;
(b) the party collecting or using the information is doing so in fulfillment of its legal employment law-related obligations;
(c) the individual is unable to give consent, and his or her vital interests are at stake;
(d) the party collecting or using the information is a non-profit organization with a political, philosophical, religious or trade union aim of which the individual is a member or is regularly associated. Such data may not be shared with third parties absent express consent, however;
(e) the information is the subject of legal claims, or has otherwise been made public;
(f) the information concerns health care, provided it is collected or used by a professional under a legal or professional obligation of confidentiality; or
(g) such use or collection of data is in the interest of substantial public interest, in accordance with national law.
Here, the Directive heightens the standard set by the six circumstances that justify data collection and use generally. When dealing with these sensitive categories of personal data, consent alone may be insufficient – if a member state determines that consent is ineffective. Implication of an individual’s “vital interests” only justifies data processing if the individual is unable to consent for some reason. Competing interests of third parties are only considered in specific situations, such as those involving compliance with employment laws or the pursuit of legal claims. Even the shadow of public interest is only relevant to the extent codified by national law. Companies are well advised to exercise great care in the collection and maintenance of databases containing such sensitive data.
In addition to the foregoing restrictions, the Directive provides that information relating to criminal convictions or security measures may only be processed by a governmental authority or under such suitable specific safeguards as a member state may otherwise provide. This may impact an employer’s ability to inquire into an applicant’s criminal background.
D. Notice Requirements
In many ways, notice is a companion concept to the notion of consent discussed above. It is only with sufficient information about what personal data will be collected and how it will be used that an individual can reasonably be said to meaningfully consent to such collection and use. The Directive imposes notice requirements which extend beyond this context, however. Even where data is being processed without consent (e.g., when collection is in the public interest), the individual whom the data concerns must be provided with adequate notice of such activity. The notice must indicate (i) the identity of the party collecting or using the data; (ii) the purpose for which the data may be used; and (iii) such other information as is necessary to ensure that the processing is “fair” to the individual. While the Directive does not define “fairness” in this context, it provides as examples such disclosures as the intended recipients of the information, and whether responses to questions are mandatory or voluntary.
Where the personal data has not been obtained directly from the individual whom the data concerns, the Directive nonetheless imposes a requirement that notice be given. Again, such notice must indicate (i) the identity of the party collecting or using the data; (ii) the purpose for which the data may be used; and (iii) such other information as is necessary to ensure that the processing is “fair” to the individual. The notice must be provided when the data is recorded, or, if intended to be disclosed to a third party, at the time of such disclosure. This closes any loophole that may exist regarding data not originally obtained directly from the “data subject.”
This comprehensive notice scheme is designed to ensure that an individual can effectively “track” his or her personal data as it moves from party to party, thereby enabling the individual to exercise control and oversight as permitted under other provisions of the Directive. Two exceptions incorporated in the Directive acknowledge the logistical difficulty involved in such a comprehensive notice requirement, while leaving this goal intact. The first relieves the data “controller” from a notice obligation where the recipient already has the information the notice would contain. Since the information to be included in a notice will normally be disclosed during the process of obtaining consent, this exception drastically alleviates the logistical strain this provision would otherwise place on e-commerce. The second exception relieves the controller from a notice obligation if (i) the data has not been obtained directly from the data subject, (ii) it is being processed for statistical, scientific or historical reasons, and (iii) notice would require disproportionate effort or is expressly exempted by law.
Even with the stated exceptions, these notice requirements can impose extraordinary (and sometimes silly) obligations if taken literally. For example, an employer with a listing of its employees’ names and telephone extensions is, technically, processing personal data within the meaning of the Directive. Unless express consent of its employees is first obtained, the employer must seemingly provide notice to any employee whose office telephone extension is given to a third party. While this “dilemma” has clearly not left employers across Europe wringing their hands in despair, it illustrates the potentially extraordinary reach of the Directive provisions.
E. Right of Access and Accuracy
An individual’s rights regarding his or her personal data do not end once data is legitimately collected and notice is provided. The Directive expressly grants to individuals the right to examine data that has been collected about them, and the right to have errors in the data corrected. Unlike in America, where individuals can rarely determine who has personal data about them, the Directive’s notice provisions provide individuals with the tools necessary to make such an inquiry. Under the Directive, an individual can request of a data controller:
(a) whether the controller has any data about the individual;
(b) the purpose for which the data is being used, if any;
(c) the categories of data that have been obtained;
(d) the recipients or categories of recipients of the data;
(e) the actual data undergoing processing, in a readable form;
(f) the source of the data, if known; and
(g) to the extent the data is being used in any “automated decision making” capacity, the logic by which such decisions are being made.
Such information must be provided “without constraint,” and “without excessive delay or expense.” (3) While the Directive does not state the frequency with which such requests may be made, they must be accommodated at “reasonable intervals.” Through this mechanism, individual data subjects can effectively police their own data.
Through examination by data subjects or otherwise, entities which collect or use personal data may find that the data is, or has become, inaccurate or incomplete. In such a situation, the Directive imposes an affirmative obligation on the keeper of the data to either correct the problem, or erase or block the data from use. In addition, to the extent practicable, controllers who have knowledge of such “bad” data must report the problem to third parties who may also be using it. While Americans often joke about inaccurate data becoming forever lodged in an unseen computer and proliferating uncontrollably to other computer networks, this aspect of the Directive is aimed specifically at removing as an excuse “It’s in the computer that way; there’s nothing we can do.”
F. Security of Personal Data
Further, in Europe the controller cannot simply delegate his security obligations. Agents of the controller are only permitted access to personal data when required by law, or upon the express instructions of the controller. The controller must choose an agent which provides sufficient security guarantees regarding both technical and organizational measures designed to safeguard personal data, and the controller must ensure compliance with those measures. Moreover, the relationship between the controller and its agent must appear in a written contract, which spells out the responsibilities of the parties regarding the processing of personal data. The Directive clearly intends to remove ambiguity from the controller/agent relationship, and permit a high degree of accountability in the event data is not handled appropriately.
G. The Supervisory Authority
Even with the stringent provisions described above, the authors of the Directive were apparently not confident that the system would work absent active governmental supervision and public oversight. In general, data controllers must report any processing of personal data to a “supervisory authority” designated by each member country. The information provided in these reports must also be made public. The notification process can be avoided or streamlined in certain situations, however, where the processing presents a reduced risk of adversely affecting the rights of individual data subjects or the controller has appointed a personal data protection official. By way of this reporting requirement, the likelihood of enforcement is increased.
H. The Transfer of Personal Data Outside of the EU
The elaborate structure set forth in the Directive would afford little protection if it could be circumvented by merely moving data to less heavily regulated venues (such as the United States). Realizing that, the authors of the Directive spent considerable energy erecting a wall around EU personal data. Specifically, the Directive provides that personal data can only be sent to a third country if “the third country in question ensures an adequate level of protection.” The notion of “adequate protection” is not a static one, and is determined “in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations.” Among the factors to be considered are “the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law . . . in force in the third country in question and the professional rules and security measures which are complied with in that country.” While the language of the provision leaves room for much subjective judgment, given the generally hands-off approach adopted by the United States government, it quickly became clear that many (if not most) transfers of data to America from the EU would be prohibited.
This was, indeed, quite a quandary. The language of the Directive does not even state that such transfers are permissible if the consent of the data subject is first obtained. This means, for example, that a multinational company’s European operation might be limited in its ability to share human resources information with its US headquarters. Or, technically, an EU doctor might be unable to share a patient’s medical information with her US counterparts in determining an appropriate course of treatment. Fortunately, the Directive also contemplated international negotiations to rectify the enormous problems this limitation on data transfer presents, and such negotiations between the EU and the US bore fruit.
I. The Safe Harbor
The United States Department of Commerce, in cooperation with the EU, has developed a “Safe Harbor” framework pursuant to which companies (as opposed to countries) can be deemed to provide a level of data protection adequate to receive personal data transferred from the EU. Approved by the EU in July 2000, the Safe Harbor framework permits companies to certify compliance with seven major principles: notice, choice, onward transfer, access, security, data integrity and enforcement. The process is, in many respects, self-regulatory; companies may self-certify compliance. Once a company certifies to the Department of Commerce through the proper process, it is deemed in each of the EU member countries to provide “adequate protection” to receive EU personal data.
The seven principles in many ways mirror the requirements of EU data controllers set forth in the Directive itself.
“Notice” requires certifying organizations to notify individuals about the purposes for which they collect and use information about them, the types of third parties to whom the information may be disclosed, contact information for inquiries and complaints, and the choices and means the organization offers for limiting its use and disclosure.
“Choice” mandates that organizations give individuals the ability to “opt out” of disclosures to third parties or for uses for which consent was not obtained. In the case of certain sensitive information, the individual must “opt in” to such disclosure or use.
“Onward Transfer” provides that data may only be disclosed to third parties if the notice and choice principles are adhered to. Disclosures to agents must include a commitment by the agent to adhere to Safe Harbor principles or to provide a commensurate level of data privacy protection.
“Access” means that, to the extent it would not unduly burden the organization or infringe the privacy of another, individuals about whom personal data has been collected must be permitted to “correct, amend or delete information where it is inaccurate.”
“Security” requires that organizations take “reasonable” precautions against destruction, alteration or unauthorized disclosure or access of personal data.
“Data Integrity” limits the collection of personal data to that which is relevant for the purposes for which it is authorized. Further, an organization must take reasonable steps to ensure the accuracy and completeness of the data.
“Enforcement” contemplates mechanisms – both governmental and private – for ensuring that commitments by Safe Harbor participants are honored. In addition to annual submission of self-certification letters by participating organizations, the framework anticipates that federal and state unfair and deceptive practices statutes will put the force of law behind Safe Harbor representations.
The Department of Commerce accepts safe harbor certification regarding particular classes of personal data, such as “human resources data” or “off-line data,” so an organization can insulate just that area of its business where Safe Harbor protection is needed.
As of the date of this article, the Department of Commerce Safe Harbor website (http://www.export.gov/safeharbor/) listed 89 companies as having self-certified for Safe Harbor status. Given the number of companies doing business internationally, this reflects a small fraction. The reasons for the meager participation in the Safe Harbor framework are varied. Some companies may be reluctant to make legal commitments that may lead to liability in the US for the purpose of alleviating headaches in Europe. Others may not have a full understanding of the Directive and the Safe Harbor, and therefore may not see any need. Still other companies may be content to “fly under the radar” until the issue attracts more enforcement attention. Whatever the reason, however, the perceived need is far from universal.
Clearly, Safe Harbor certification is not right for everyone. There are legal risks attendant with the Safe Harbor commitment, and costs associated with implementing the policies and measures involved are not trivial. However, as international transactions involving personal data inevitably increase, the need to avoid the administrative hurdles erected by the Directive will also increase. One can expect the rolls on the Safe Harbor website to grow in proportion.
Joseph J. Laferrera is a partner with the firm of Gesmer Updegrove LLP in Boston, MA. He is chair of the firm’s Privacy Practice Group, and specializes in serving high technology clients.
(1) Currently, the European Union is comprised of Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, the Netherlands, Portugal, Spain, Sweden and the United Kingdom.
(2) A country’s laws do not apply to data that merely passes through the country, although this exception may be limited to situations where the data does little more than transit through cabling and routers. Data which is cached, backed up, filtered or otherwise processed on its way through computer equipment in that country may push it beyond the scope of this exception.
(3) Individual member states are permitted to limit this right of access in certain situations involving scientific research or the creation of statistics, provided there is no risk of breaching the privacy of the individuals whom the data concerns.