Data Privacy Basics – International Compliance
By Carol Umhoefer

One of the hallmarks of 21st century startups is that they go global early, or even from inception. But while some brilliant ideas hatched in the US have instant global appeal, others may run up against markets organized around laws that don't even exist in the home country. Many a good idea starts with personal data, and particularly big data – its collection, organization, enhancement and monetization. The unfettered imagination puts data to work in innovative ways that open new markets and create new demand, thus generating revenues. Yet some of the simplest ideas will run afoul of market concerns stemming from laws foreign to us.

How are privacy laws outside the US different from US laws?

There are several fundamental differences between US privacy laws and data protection laws in other countries. First of all, and particularly in the countries of the EEA (European Economic Area, comprised of the 28 EU member states plus Iceland, Liechtenstein and Norway), data protection rights are considered fundamental rights of the individual, protecting an individual's right to privacy in respect of data relating to an identified or identifiable natural person. Privacy rights are not fundamental rights under US law. Second, countries with data protection laws have generally adopted comprehensive rules that apply to all personal data processing by all persons: natural, legal or governmental. In other words, the standard approach outside the US is not to legislate based on sectors or specific types of data (although of course, even with a comprehensive data protection law there may be specific laws requiring additional protections for, say, patient health data, or bank customer data). Third, in most countries there is a data protection authority dedicated to enforcing the law, issuing recommendations and preparing opinions on proposed legislation that may impact privacy rights in personal data.
Is there data that is subject to regulation outside the US that may not be regulated in the US?

One example is monitoring data, which alone or combined can provide rich insights into worker productivity and consumer proclivities. Under the laws of the European Union – the world's largest free trade area, with over 500 million consumers – the monitoring of human beings will likely entail the processing of personal data, whether an IP address, an image or the GPS coordinates of a daily commute. In the EU, monitoring persons by collecting their personal data will be subject to specific restrictions, such as express consent of the individual each time she is located, or the vote of workers' representatives. This can mean that an employee-monitoring service measuring productivity against other factors (day, time, weather, sick leave history) that is seen as implementing workplace progress in one jurisdiction will be perceived as risky, if not illegal, in another.

A second example is big data that is used to inform decision making. The appeal of more efficient and more predictive decisions around, say, extending loans or detecting fraud seemingly should be universal, but here again the EU legal position on protecting individuals' rights may militate against any type of automatic decision making. In many cases, an individual must consent whenever a legal or significant decision about him or her is made automatically, and he or she will be entitled to obtain human intervention in the decision. In other cases, the product itself may need to win the approval of a data protection authority in order to be marketed without creating compliance risks for customers.

What is the GDPR?

The trend over the past ten years throughout Asia and Latin America has been to adopt data protection laws styled on the EU data protection regime.
This trend of geographical expansion of EU data protection principles was compounded on May 25, 2018, with the entry into force of the EU's General Data Protection Regulation. The GDPR specifically applies to companies outside the EU that offer products or services to, or monitor the behavior of, persons in the EU. One of the new obligations under the GDPR will be to adopt privacy by design and privacy by default principles, such that the protection of individuals' privacy by protecting their personal data can be ensured by the very design and default settings of new market offerings. More than ever, innovation needs to take account of privacy concerns to realize its full revenue potential.

What do people mean when they refer to a "Safe Harbor"?

"Safe Harbor" was a program administered by the US Department of Commerce and approved by the European Commission to facilitate transfers of personal data from the EU or Switzerland to the US. In October 2015, the Court of Justice of the European Union invalidated the Safe Harbor. But to fully understand the importance of Safe Harbor, a little bit of history is in order. Safe Harbor was adopted in 2000 in response to the 1995 Data Protection Directive of the EU. Under the Directive, transfers of personal data outside the EU are prohibited unless, notably, the country of destination provides an adequate level of protection to personal data as in the EU. The US is not considered by the EU to provide adequate protection to personal data, meaning that other legal mechanisms for transferring personal data from the EU to the US must be applied (for example, a contract executed between the data exporter in the EU and the data importer in the US).
The Safe Harbor allowed US entities to self-certify their compliance with data protection principles very similar to those in the Directive, and those entities were therefore considered to provide adequate protection to personal data, even absent a contract with the EU data exporter – a significant simplification of data transfers for some US companies.

What is a Privacy Shield?

Safe Harbor had been subject to criticisms in the EU, particularly after the Snowden revelations, and at the time of the invalidation of Safe Harbor in 2015, the US and EU had already been discussing for several years how to improve the protections under Safe Harbor. Those discussions took on new urgency after the invalidation and in February 2016 a political agreement was reached to replace Safe Harbor with a new program administered by the US Department of Commerce – the Privacy Shield. Similar to Safe Harbor in that it relies on self-certification, Privacy Shield provides substantially more rights of redress for EU individuals whose data is transferred to a Privacy Shield-certified entity in the US. Filing of Privacy Shield applications with the Department of Commerce began in August 2016.

Do I have to comply with the privacy laws of every country?

Privacy laws don't necessarily apply in the same way that other laws do. Data protection laws may apply based on where the data is collected or where the relevant individual resides. It is therefore prudent to check the data protection law of every country from where data originates to see if that law applies. As of May 25, 2018, the GDPR will apply to personal data processing related to offering goods or services to, or monitoring behavior of, natural persons in the EU.

What are some steps my company should take to comply with data privacy laws outside the US?
One feature of all comprehensive data protection laws is the requirement to provide notice to individuals, at the time of collection of their data, about what is being done with that data: who is collecting it, why, where the data is going and to whom. In the US, most companies comply with this requirement by including a privacy policy on their website (see our article on Privacy Policies). The EU countries notably also require notices to contain information about individuals’ rights in respect of their personal data, and how to exercise those rights. The requirements for the content of the notice are not uniform across the globe, but, at least with respect to consumers, it's usually possible to draft one notice that will get the business close to compliance in most jurisdictions. In practice, this will mean the notice is longer than it might have been were it designed to meet the requirements of only one country's law. But lengthy notices are here to stay. The GDPR mandates more detailed notices, with new types of information, such as how to file a complaint with a regulator and how long personal data is retained. The GDPR also sets out specific notice requirements if a child's data is collected. All of this means notices are getting longer, and making sure they are well drafted will become more and more important to ensure true transparency. While the privacy notice is a key transparency obligation under data protection laws, it is not the only one. The EU countries require notice relating to the use of cookies and other tracking technologies, even if no personal data is collected by those technologies. Many countries also require separate notice to be placed on any personal data collection form. And although not falling under data protection laws, EU directives mandate specific information on websites regarding the site operator and other actors. 
All these requirements are in addition to consumer protection laws, which also mandate providing a variety of information to consumers (usually in the form of sales terms), such as the conditions for returning a product or obtaining a refund under statutory warranty.

Does my privacy policy/notice have to be in any language other than English?

If you have a privacy notice intended to satisfy transparency requirements under data protection laws, you might need to translate it into the local language(s) – or you might not.