From the 'Lectric Law Library's Stacks
Paul H. Silhan
Attorneys who counsel clients with electronic data processing activities in foreign countries should become aware of the web of laws which regulate the gathering, processing and transmission of electronic data. In particular, laws concerning activities involving the processing and transborder flow of data have become widespread in Europe. An introductory outline follows for those unfamiliar with this subject.
LAWS CONCERNING "PERSONAL" DATA
In 1981, European nations, concerned by the amount of personal data concerning the identities and activities of their citizens which was being collected, stored and transmitted, cooperatively adopted, through the Council of Europe, a directive commonly referred to as "CoE No. 108". CoE No. 108 established minimum standards for personal data protection which signatory countries agreed to implement through domestic legislation (a "personal data protection law", or "PDPL"). CoE No. 108 also enunciated certain rights individuals had with regard to their personal data. Although the formats and precise language of each nation's PDPL differ, they adhere to CoE No. 108's basic principles of personal data protection.
"Personal data" is usually defined in a PDPL as data which deals with the material or personal matters of "identified" or "identifiable" natural persons. Some countries, such as Switzerland, also include data about "legal persons" (i.e., corporations) as "personal data". One's banking or credit card information would be examples of data pertaining to "material" matters, while one's medical information would be an example of data involving "personal matters". A person is "identified" if the data in the file, by itself, is sufficient to enable a determination of who the individual is. A person is "identifiable" if the data in a file, when combined with other data possessed by the same data processor, would enable one to determine the person's identity. For example, data stored in a bank account file where accounts are identified only by numbers would nonetheless be considered "personal data" if the same data processor had in its possession the necessary deciphering file containing customer names cross-indexed to the account numbers.
Most PDPLs are limited to data which will be subject to "automatic processing" of individuals' data, such as computerized processing of all credit card transactions by customer name. However, the PDPLs of some nations, such as Switzerland, cover non-automated processing of personal data as well.
Under PDPLs, the gathering, storage, processing and transmission of personal data is subject to certain rules which CoE No. 108 made universal, such as:
- The data must be collected in a "fair" manner (i.e., not through deceptive or illegal means)
- The data can only be used for the purpose for which it was collected, and only for the time reasonably necessary
- Persons are entitled to receive a report, on request, on what data about them has been collected by a particular company or government agency
- One's personal data cannot be disclosed to third parties unless authorized by statute or the individual has given consent (although the consent can sometimes be implied)
- Persons have the right to make corrections to their personal data and, in some cases, to have it deleted or disputed data "flagged" as such
- The transmission of personal data to locations where "equivalent" personal data protection cannot be assured is prohibited
In several nations, such as the United Kingdom, many forms of personal data processing operations must be registered with a data protection authority unless an exemption is available or the individual has given consent to use and process his/her personal data in a manner which otherwise would be prohibited by the PDPL.
Registration usually involves filing information about the data processing operation, such as what types of data are being collected and processed, what types of security are in place, who has access to the data, and where the data is contemplated being transmitted. Failure to register if required subjects the company (and sometimes the responsible individuals within the company as well) to fines and, in some countries such as Germany, to possible jail sentences.
TRANSBORDER DATA FLOWS
An important consequence of PDPLs is that they potentially restrict transborder data flows ("TBDFs") of personal data across international boundaries, and failure to adhere to their requirements can subject the data processor to fines and/or jail sentences. For example, if the British subsidiary of a U.S. brokerage firm wishes to process its clients' accounts by transmitting data, including some personal data, to their parent company's U.S. processing facility, the U.K.'s "Data Protection Law of 1984" will almost certainly come into play. Registration of the British subsidiary's data processing operation with the Data Protection Authority may be required in order to perform such TBDFs.
The PDPLs of some countries, such as Germany, consider a TBDF to a subsidiary or affiliate outside of the country to be a disclosure to a "third party", and therefore not permissible unless explicitly authorized by the statute or the data subject's consent is obtained. A TBDF of personal data to a different division or office location of the same legal entity would be permissible, however, since it would be merely an intracorporate TBDF and not a disclosure to a "third party". On the other hand, the PDPLs of other countries, such as the U.K., focus on the destination, rather than the relationship between sender and recipient. If the personal data would flow out of the country, the PDPL becomes applicable - even where the TBDF is merely to another office location.
Since the United States currently does not have a comprehensive PDPL, the U.S. is not considered to be a country having a law which offers "equivalent protection" of personal data. Therefore, unless other measures are taken, the transmission of personal data to the U.S. for automatic processing may be prohibited by the PDPLs of some countries, even if registration is not necessary under the relevant PDPLs to conduct identical data processing functions within those countries.
In some cases, obtaining the consent of the data subjects is sufficient to permit an otherwise impermissible TBDF to occur. However, in other countries, such as Switzerland, the duty to avoid sending personal data to a recipient without having "equivalent protection" in place is absolute, and even obtaining individuals' consents is not a cure.
In order to provide "equivalent protection" when personal data is to be transmitted to the U.S., the sender may have to enter into a written agreement with the U.S. recipient, whereby the recipient affirmatively agrees to abide by data processing standards comparable to those required by CoE No. 108. Formal adoption of written data protection policies and implementation of additional security measures may also be necessary. In those countries where obtaining consent is sufficient, obtaining the consent of all affected customers - no small task - may be the only way to provide a basis for a TBDF to the U.S. which would otherwise be impermissible.
You should be aware that PDPLs usually provide for criminal penalties for violations, which range from monetary fines to jail sentences. In the case of violations by corporate data operations, the individuals in charge of the company's data operations usually can be held liable on a personal basis.
As entangling as personal data protection laws can be, they are not the only laws which might have to be examined with regard to data processing. Depending on your client's industry, additional sets of laws may also be applicable. For example, in the banking industry, various countries' laws provide for extensive oversight of the bank's data processing operations. Arranging for the transfer of data processing operations from the host country to a foreign location, via TBDFs, will usually require obtaining approval from the banking authorities. Many countries such as Germany and Luxembourg have adopted "laundry lists" of requirements which must be met, dealing with data security, processing turnaround times, local access by banking authorities, permission of domestic bank auditors to enter the foreign premises where data processing will occur, and so on.
Another issue which must be examined is whether relocating data processing operations to a foreign country requires the transfer of operational software and, if so, whether there are applicable export regulations. Also, if relocation of data processing to a foreign country will cause the local processing operation to cease or substantially reduce its work force, the labor laws of the affected country may call for the provision of benefits to terminated employees, and advance notice requirements similar to the U.S. plant closing law.
There was a time when data transfer had few legal implications, and decisions about where and how to process data used in business operations were based solely on business considerations such as efficiency, local labor rates, communication costs, and so on. Those days are gone. Today, you must be prepared to counsel a client who has data processing operations that a panoply of laws may have a bearing on where, and the manner in which, those operations are carried out.
Paul H. Silhan
Ridge, New York 72702,3211
THE ABOVE IS INTENDED TO BE A GENERAL DISCUSSION ONLY OF THE TYPES OF EXISTING LAWS WHICH MAY AFFECT FOREIGN DATA PROCESSING OPERATIONS AND TRANSBORDER DATA FLOWS, FOR OVERVIEW PURPOSES ONLY. IT IS NOT INTENDED TO BE ALL-INCLUSIVE, AND THE FACTS CONCERNING EACH SITUATION WILL BE UNIQUE AND WILL AFFECT PARTICULAR LEGAL CONCLUSIONS TO BE DRAWN. FURTHERMORE, THE LAW IN THIS AREA CONTINUES TO EXPAND AND CHANGE. ATTORNEYS ARE ADVISED TO CONSULT WITH COUNSEL WITHIN RELEVANT COUNTRIES PRIOR TO RENDERING ADVICE.