Update on International Regulation of Data Privacy

March 31, 2016

Data privacyAs e-commerce has grown in the world economy, one of the most challenging issues has been what to do with all of the personal data that is accumulated by merchants from electronic transactions. At the very least, a mailing address and credit card number are required to complete an online transaction (sometimes not even the address, if the buyer is merely paying to download software). This information alone has many potential uses and requires serious legal protection. The Internet, however, makes the protection of personal information all the more complicated through certain automatic data-gathering operations which take place. Whereas most personal data is freely given by the consumer, “cookies” and other automated information trackers also add to the identifying information that is transmitted over the Internet. Furthermore, most Web browsers automatically create cache and history files that are meant to speed up access to frequently visited sites, but these may also be used to identify a particular user’s browsing habits and interests. That information could be of great use to advertisers and sellers, let alone the criminal element.  Today, many companies, regardless of their size or line of business activities, operate a global website and/or are engaged in cross-border communications that will inevitably involve the collection, use and transfer of personal information and they are now obligated to do so in accordance with United States and foreign laws and regulations pertaining to protection of personal data.

S026845_160x600_BIn the U.S., online collection of user information raises a number of privacy concerns. Parties wanting or needing to collect information should take a number of steps to ensure that users are aware that the information is being collected and that they knowingly consent to the intended uses. The purpose for collecting the information (e.g., entering the user in a contest or including the name of the user on a mailing list) should be disclosed. Users should be informed about other contemplated uses of the information, including the possibility that data will be shared with, or sold or otherwise distributed to, others. If users are not required to provide the information to purchase the product or service or participate in any other activity on the site, they should be informed.  If the site is employing passive methods for collecting information, such as navigational tracking tools or browser files, users should be advised of these methods. They should also be notified about the type of information being collected. If the information collected on the site is subject to public posting, users should be encouraged to use a ““screen name”” or some alternative means of identification other than full names. If e-mail addresses are solicited and the site is not secure, users should be warned about the possibility that unauthorized parties may be able to use their e-mail addresses to learn personal information about them. If users are sent subsequent communications via e-mail, procedures should be established that allow users to discontinue receipt of messages.

While there is some level of convergence on the international level regarding fundamental legal principles relating to privacy and data security companies, attitudes still vary substantially around the world regarding issues in these areas; and, in general, U.S. website operators will find that foreign laws can be quite restrictive and mandate the implementation of costly and complex security systems and procedures. For example, the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which were first adopted in 1980 and updated in 2013, have become the basis for many of the laws implemented around the world.  The 2013 version of the Guidelines lay out the following basic principles on national application:

  • There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
  • Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
  • The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
  • Personal data should not be disclosed, made available or otherwise used for purposes other than those specified above except with the consent of the data subject or by the authority of law.
  • Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
  • There should be a general policy of openness about developments, practices and policies with respect to personal data, and means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
  • Individuals should have the right: (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to them; (b) to have communicated to them, data relating to them (i) within a reasonable time, (ii) at a charge, if any, that is not excessive, (iii) in a reasonable manner; and (iv) in a form that is readily intelligible to them; (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and (d) to challenge data relating to them and, if the challenge is successful to have the data erased, rectified, completed or amended.

The Guidelines also state that data controllers should be accountable for complying with measures which give effect to the principles stated above, which means that data controllers are expected to have in a privacy management program that gives effect to the Guidelines for all personal data under its control; is tailored to the structure, scale, volume and sensitivity of its operations; provides for appropriate safeguards based on privacy risk assessment; is integrated into its governance structure and establishes internal oversight mechanisms; includes plans for responding to inquiries and incidents; and is updated in light of ongoing monitoring and periodic assessment.

Since the late 1990s, the most comprehensive and well-known foreign regulatory scheme in this area has been the Data Directive in the European Union, which has served as the basis (i.e., “minimum standards”) for the national laws in the EU Member States. US companies doing business in the EU have needed comply with the specific national laws in each country where sensitive information is collected and reconcile the Gutterman WLEC bannerdiverse requirements of US and EU law when it is necessary to transfer information within the company back and forth between the US and the EU.  For a number of years, such transfers have been conducted under the umbrella of a “safe harbor agreement” negotiated between representatives of the US and the EU; however, the original version of that agreement was struck down by the European Court of Justice in October 2015 and subsequent discussions have led to the creation of a new framework, referred to as the “EU-US Privacy Shield”, which will impose stricter rules and standards on US companies.  US companies will also need to be aware of, and comply with, new national laws that will be adopted throughout the EU in the near future to meeting the uniform standards included in a new General Data Protection Regulation relating to the protection of individuals with regard to the processing of personal data and on the free movement of such data, which will replace the EU Data Directive.

In addition, other major industrial countries, such as Canada and Japan, have their own complex networks of privacy and security laws, which makes it challenging for global companies to establish privacy-related standards and procedures that can be uniformly applied across their entire organizational structure. The problem are multiplied in countries such as Canada where there are provincial, as well as federal, laws that must be adhered to and incorporated into any compliance program. Finally, privacy rights are emerging in other economically important countries such as China.  For further discussion of privacy and data security, see Business Transactions Solution §§230:1 et seq. on Westlaw Next.  Information on the EU-US Privacy Shield is available from the US Commerce Department here.

Titles by Alan Gutterman