Paul H. Silhan
Attorneys who counsel clients with electronic data processing
activities in foreign countries should become aware of the web of
laws which regulate the gathering, processing and transmission of
electronic data. In particular, laws concerning activities involving
the processing and transborder flow of data have become widespread in
Europe. An introductory outline follows for those unfamiliar with
LAWS CONCERNING "PERSONAL" DATA
In 1981, European nations, concerned by the amount of personal data
concerning the identities and activities of their citizens which was
being collected, stored and transmitted, cooperatively adopted,
through the Council of Europe, a directive commonly referred to as
"CoE No. 108". CoE No. 108 established minimum standards for
personal data protection which signatory countries agreed to
implement through domestic legislation (a "personal data protection
law", or "PDPL"). CoE No. 108 also enunciated certain rights
individuals had with regard to their personal data. Although the
formats and precise language of each nation's PDPL differ, they
adhere to CoE No. 108's basic principles of personal data protection.
"Personal data" is usually defined in a PDPL as data which deals with
the material or personal matters of "identified" or "identifiable"
natural persons. Some countries, such as Switzerland, also include
data about "legal persons" (i.e., corporations) as "personal data".
One's banking or credit card information would be examples of data
pertaining to "material" matters, while one's medical information
would be an example of data involving "personal matters". A person is
"identified" if the data in the file, by itself, is sufficient to
enable a determination of who the individual is. A person is
"identifiable" if the data in a file, when combined with other data
possessed by the same data processor, would enable one to determine
the person's identity. For example, data stored in a bank account
file where accounts are identified only by numbers, would nonetheless
be considered "personal data" if the same data processor had in its
possession the necessary deciphering file containing customer names
cross-indexed to the account numbers.
Most PDPLs are limited to personal data which will be subject to
"automatic processing", such as computerized processing of all credit
card transactions by customer name. However,
the PDPLs of some nations, such as Switzerland, cover non-automated
processing of personal data as well.
Under PDPLs, the gathering, storage, processing and transmission of
personal data is subject to certain rules which CoE No. 108 made
universal, such as:
- The data must be collected in a "fair" manner (i.e., not through
deceptive or illegal means)
- The data can only be used for the purpose for which it was
collected, and only for the time reasonably necessary
- Persons are entitled to receive a report, on request, on what data
about them has been collected by a particular company or government
- One's personal data cannot be disclosed to third parties unless
authorized by statute or the individual has given consent (although
the consent can sometimes be implied)
- Persons have the right to make corrections to their personal data
and, in some cases, to have it deleted or disputed data "flagged" as
- The transmission of personal data to locations where "equivalent"
personal data protection cannot be assured is prohibited
In several nations, such as the United Kingdom, many forms of
personal data processing operations must be registered with a data
protection authority unless an exemption is available or the
individual has given consent to use and process his/her personal data
in a manner which otherwise would be prohibited by the PDPL.
Registration usually involves filing information about the data
processing operation, such as what types of data are being collected
and processed, what types of security are in place, who has access to
the data, and where the data is expected to be transmitted.
Failure to register if required subjects the company (and sometimes
the responsible individuals within the company as well) to fines and,
in some countries such as Germany, to possible jail sentences.
TRANSBORDER DATA FLOWS
An important consequence of PDPLs is that they potentially restrict
transborder data flows ("TBDFs") of personal data across
international boundaries, and failure to adhere to their requirements
can subject the data processor to fines and/or jail sentences. For
example, if the British subsidiary of a U.S. brokerage firm wishes to
process its clients' accounts by transmitting data, including some
personal data, to their parent company's U.S. processing facility,
the U.K.'s "Data Protection Law of 1984" will almost certainly come
into play. Registration of the British subsidiary's data processing
operation with the Data Protection Authority may be required in order
to perform such TBDFs.
The PDPLs of some countries, such as Germany, consider a TBDF to a
subsidiary or affiliate outside of the country to be a disclosure to
a "third party", and therefore not permissible unless explicitly
authorized by the statute or the data subject's consent is obtained.
A TBDF of personal data to a different division or office location of
the same legal entity would be permissible, however, since it would
be merely an intracorporate TBDF and not a disclosure to a "third
party". On the other hand, the PDPLs of other countries, such as the
U.K., focus on the destination, rather than the relationship between
sender and recipient. If the personal data would flow out of the
country, the PDPL becomes applicable - even where the TBDF is merely
to another office location.
Since the United States currently does not have a comprehensive PDPL,
the U.S. is not considered to be a country having a law which offers
"equivalent protection" of personal data. Therefore, unless other
measures are taken, the transmission of personal data to the U.S. for
automatic processing may be prohibited by the PDPLs of some
countries, even if registration is not necessary under the relevant
PDPLs to conduct identical data processing functions within those
In some cases, obtaining the consent of the data subjects is
sufficient to permit an otherwise impermissible TBDF to occur.
However, in other countries, such as Switzerland, the duty to avoid
sending personal data to a recipient without having "equivalent
protection" in place is absolute, and even obtaining individuals'
consents is not a cure.
In order to provide "equivalent protection" when personal data is to
be transmitted to the U.S., the sender may have to enter into a
written agreement with the U.S. recipient, whereby the recipient
affirmatively agrees to abide by data processing standards comparable
to those required by CoE No. 108. Formal adoption of written data
protection policies and implementation of additional security
measures may also be necessary. In those countries where obtaining
consent is sufficient, obtaining the consent of all affected
customers - no small task - may be the only way to provide a basis
for a TBDF to the U.S. which would otherwise be impermissible.
You should be aware that PDPLs usually provide for criminal penalties
for violations, which range from monetary fines to jail sentences.
In the case of violations by corporate data operations, the
individuals in charge of the company's data operations usually can be
held personally liable.
As entangling as personal data protection laws can be, they are not
the only laws which might have to be examined with regard to data
processing. Depending on your client's industry, additional sets of
laws may also be applicable. For example, in the banking industry,
various countries' laws provide for extensive oversight of the bank's
data processing operations. Arranging for the transfer of data
processing operations from the host country to a foreign location,
via TBDFs, will usually require obtaining approval from the banking
authorities. Many countries such as Germany and Luxembourg have
adopted "laundry lists" of requirements which must be met, dealing
with data security, processing turnaround times, local access by
banking authorities, permission of domestic bank auditors to enter
the foreign premises where data processing will occur, and so on.
Another issue which must be examined is whether relocating data
processing operations to a foreign country requires the transfer of
operational software and, if so, whether there are applicable export
regulations. Also, if relocation of data processing to a foreign
country will cause the local processing operation to cease or
substantially reduce its work force, the labor laws of the affected
country may call for the provision of benefits to terminated
employees, and advance notice requirements similar to the U.S. plant
There was a time when data transfer had few legal implications, and
decisions about where and how to process data used in business
operations were based solely on business considerations such as
efficiency, local labor rates, communication costs, and so on. Those
days are gone. Today, you must be prepared to counsel a client who
has data processing operations that a panoply of laws may have a
bearing on where, and the manner in which, those operations are carried
Paul H. Silhan
Ridge, New York 72702,3211
THE ABOVE IS INTENDED TO BE A GENERAL DISCUSSION ONLY OF THE TYPES OF
EXISTING LAWS WHICH MAY AFFECT FOREIGN DATA PROCESSING OPERATIONS AND
TRANSBORDER DATA FLOWS, FOR OVERVIEW PURPOSES ONLY. IT IS NOT
INTENDED TO BE ALL-INCLUSIVE, AND THE FACTS CONCERNING EACH SITUATION
WILL BE UNIQUE AND WILL AFFECT PARTICULAR LEGAL CONCLUSIONS TO BE
DRAWN. FURTHERMORE, THE LAW IN THIS AREA CONTINUES TO EXPAND AND
CHANGE. ATTORNEYS ARE ADVISED TO CONSULT WITH COUNSEL WITHIN
RELEVANT COUNTRIES PRIOR TO RENDERING ADVICE.
Brought to you by - The 'Lectric Law Library