New Forms of Leadership, A Privacy Compliance Perspective


Contributor: Frédéric Blas
Posted: 07/19/2010 12:00:00 AM EDT

Tags: privacy compliance | competition | data protection | in-house counsel

Business responsiveness, reorganization and speed are of the utmost importance to remain a competitive market player in the face of stiff competition. As tomorrow’s world will be globally integrated, with interconnected businesses all around the world, you should adapt your privacy approach to your global business model. Whether or not you need a holistic strategy to deal with European privacy issues, privacy compliance is such a critical asset in today’s business world that you should seriously consider creating competitive compliance policies.

For a global company, offering services and products with the same quality standards everywhere is as important as the ability to share data and information with its affiliates and subsidiaries: to centralize or decentralize the management of this information, to use it as an informational reference, or to analyse it as a whole or by sector or industry so as to identify trends or develop strategic proposals that improve efficiency and management.

It is also increasingly common for companies, regardless of size, to delegate or outsource part of their services or tasks to other companies that provide this service from a third country outside the European Economic Area (call centers, data processing, cloud computing). Much of this information contains personal data whose processing and transfer are subject to numerous regulatory constraints intended to preserve the privacy of the data subject.

The information that a company holds about employees, customers, business partners, suppliers and providers is a very valuable asset. Exploiting this information correctly is crucial for a company’s operations and many applications, but its use on a global basis is strictly regulated by European Union data protection law.

It is difficult to predict accurately the value of a privacy initiative, but you can be confident that it can be hugely beneficial to many deals, business units, back-office support, and your company’s corporate image. If you still doubt it, have a look at a couple of record fines in the USA and UK for data loss and identity theft: data broker ChoicePoint Inc. agreed to pay a $10 million federal fine over security breaches[1], and the Financial Services Authority fined three HSBC firms a total of $5 million for inadequate security controls, or a complete lack thereof[2].

I. New forms of leadership

  • Global business processes depend on data flows
  • State borders should not define your corporate thinking: you will work along functional boundaries instead of national boundaries
  • Forge an alliance between privacy and business, and a bond with your global corporate model
  • Rethinking your privacy approach means improvement (faster, better, cheaper) and brings value and sustainable business agility to your business model
  • Think about it now: your privacy policy should stem from the concern that, in the future, you may not be in a position to offer efficient legal support if you are not capable of anticipating your business needs and adapting your privacy approach to those needs
II. Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data[3]

1. Scope

Ratione personae:

  • Data subject
  • Data controller
  • Data processor

Ratione materiae:

  • Personal data
  • Processing activities of personal data (whatever the technology used)
  • Maastricht Treaty (Treaty on European Union), Title VI.

Ratione loci:

  • European Economic Area (EEA) countries: 27 EU Member States plus Norway, Iceland and Liechtenstein
  • Art. 4.1 (National law applicable)

2. 8 Principles govern the processing of personal data within the EU

Simply stated, personal data must be:

  • Processed fairly and lawfully
  • Processed only for specific, limited purposes and not in any manner inconsistent with those purposes
  • Adequate, relevant and not excessive in relation to those purposes
  • Accurate, complete and kept up-to-date
  • Not kept in personally identifiable form longer than necessary
  • Processed in accordance with the rights of the data subject under applicable law
  • Kept secure
  • Not transferred to countries that do not have adequate data protection laws unless the data exporter takes certain specific steps to ensure that the data is adequately protected (cf. III).

3. Legal Issues, strategic & operational challenge

The transfer of personal data is a complex legal issue, as Directive 95/46 prohibits the transfer of such data from the EEA to countries without an adequate level of protection (nearly all non-EEA countries).

For multinational companies, taking advantage of their scale on a world-wide basis is a huge privacy challenge.

The Directive required all Member States to enact comprehensive data protection laws, and each Member State now has its own law, administered by its own Data Protection Authority.

This means working with 30 slightly different sets of regulatory requirements, adding months to any initiative you want to roll out globally.

III. Specific legal Instruments for International Data Transfer

1. Clear, Unambiguous Consent (Article 7 and 26 a EU Directive)

As a very sensitive topic, the unambiguous consent exemption must be used carefully so as not to create critical works council issues.

2. Transfer is necessary or legally required (Article 26 b, c, d, e EU Directive)

For most businesses, the exemption relating to the performance of a contract is the most relevant one.

3. Safe Harbor[4]

Applies only to:

  • U.S. entities that are regulated by the Department of Transportation or Federal Trade Commission (excludes financial and telecoms)
  • Data transfers from the EU and Switzerland to the USA

4. European Union Model Clauses[5]

  • Agreement between a data exporter and one or more data importers
  • 3 sets of Standard contractual clauses:
    • Controller to Controller
    • Controller to Controller (developed by the International Chamber of Commerce, more business friendly)
    • Controller to Processor to Sub-processor
  • Legally enforceable declaration: individuals may enforce their rights under the contract
  • Administrative and compliance nightmare
  • The most widely-used method to legitimize global data flows

5. Countries that are deemed by the EU Commission to provide/ensure an adequate level of protection

  • Switzerland, Canada, Argentina, Guernsey, Isle of Man, Faroe Islands, Jersey (Israel will soon join the list)

6. Binding Corporate Rules (BCR)[6]

  • Allow companies to transfer personal data around the world between a company’s affiliates and subsidiaries, using a single set of rules and providing overall compliance within the corporate group
  • Give individuals the confidence that their personal data are being processed under a binding and enforceable set of privacy standards
  • Very difficult to manage, as the rules have to be binding within the entire corporate group, parent and subsidiaries
  • The path to BCR certification involves significant procedural challenges and substantive hurdles

The WP 29 imposes three substantive requirements on BCR; the rules must:

  • Relate to the protection of personal information
  • Be legally binding or enforceable by data subjects
  • Apply throughout a corporation's entire global structure
IV. Data Privacy Best Practices

In order to avoid data breaches or the devastating theft or loss of sensitive data you need to deploy many data privacy solutions. Here are some of the best practices of a data privacy implementation:

  • Wide governance with ad hoc steering committees:
    • Enterprise Risk Management
    • Data Security
    • IT Security
  • Global legal privacy team with C-level executive support (Chief Privacy Officer, Data Privacy Officers, Lawyers…)
  • Global compliance strategy tailored to your business needs
  • Codes of conduct / Privacy and Corporate Guidelines
  • Create tools and processes (data incident response process and monitoring…)
  • Ensure a high level security standard (access control, encryption, activity logging, adherence to security policy, physical security…)
  • Identify data flows, from origin to destination
  • Train the trainers
  • Communication plan to your employees

V. 5 ideas you should really think about

  • Plan a forward-thinking strategy with a holistic approach in order to work faster and smarter
  • Transparency and a message of compliance with data privacy laws will enhance your clients’ trust
  • Data must flow to create value and an adequate privacy policy will give you the ability to launch projects on a global scale faster and with lower costs
  • By providing in-depth understanding of business issues from a legal perspective you can make privacy a win-win situation that adds value in international data flows and offers world-class compliance
  • Good privacy does good business

Legal IQ, a division of IQPC. 2009 All rights reserved.