Jackson Lewis

International Personal Information Flow, Privacy, and Security

Employers must consider the requirements of international privacy laws when transferring employees’ personal information across national borders, even if within the same company.  Dramatic and frequent headlines of inadvertent data loss, security breaches, unauthorized disclosures, and theft have put a spotlight on the vulnerability of data repositories.  Predictably, governments worldwide have enacted laws and regulations designed to balance legitimate business needs for personal information with individual interests in keeping that information safe.

Internationally, the scope of data protection regulations is complex and far reaching.  The movement to protect employees’ personal data dates back to 1997 when the International Labor Organization promulgated the Code of Practice on the Protection of Workers’ Personal Data.  A year later, in 1998, the European Commission issued its Data Privacy Directive on the protection of individuals with regard to the processing and free movement of personal data.  

U.S. corporations should not view the EU as covered by one set of requirements.  Twenty-seven different laws apply.  Each EU member country is compelled to introduce the data privacy principles and protections of the Data Privacy Directive into its national laws. As a result, all EU member countries have their own data privacy laws.  While established on the same basic principles, the laws vary.  It is important to learn the specific rules of the country in which you operate. Generally, the laws are enforced by the national data privacy agency (“DPA”) in each country.  The DPAs may have the authority to prosecute and subject violators to heavy fines and penalties, and even to ban the transfer of important human resources information.

Under the general data privacy principles of the Data Privacy Directive, personal information must be collected for specific, explicit and legitimate purposes, can be held only if relevant to those purposes, must be accurate and up to date, can be kept for no longer than necessary, and must be processed fairly and lawfully. 

Processing of certain “sensitive” personal data is more strictly regulated.  Sensitive personal data includes information regarding a person’s racial and ethnic background, political affiliation, religious or philosophical beliefs, trade-union membership, sexual preferences, and health. Individuals have the right to access, rectify, and object to their personal data being processed.  Further, the data must be adequately protected.

Generally, EU data privacy laws require that employers institute “appropriate technical and organizational measures” to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, particularly where transmission of data over a network is involved.  Also, the personal data of an employee may be transferred cross border (from the employee’s place of work in Europe to another non-EU country) only if authorized and adequate safeguards are in place.

Transferring Data Across Borders

The EU data privacy law permits the cross-border flow of personal data if an “adequate level of protection” exists in the receiving non-EU country.  If the receiving country is one with no comprehensive data privacy law (the U.S., for instance), the personal data may be transferred only under specific circumstances, including 1) after obtaining the formal written consent from the employees, 2) after concluding an inter-company agreement, or 3) if a global company, after adopting and registering a global data privacy code.  In all cases, the organization must commit to implementing and observing the basic data privacy principles.  

To address the EU Data Privacy Directive protocols, the U.S. has negotiated a “safe harbor” agreement with the EC to provide minimum safeguards for transmitting personal information to the U.S.  Under the agreement, U.S. businesses certify they will abide by a scheme of self-regulation and observe seven basic principles for handling the data: 

  1. Notice
  2. Choice
  3. Onward transfer
  4. Security
  5. Data integrity
  6. Access
  7. Enforcement 

Interested businesses must implement reasonable precautions to protect personal information from loss, misuse, unauthorized access, disclosure, alteration and destruction.  Noncompliance may subject them to charges of criminal misrepresentation.  A list of these businesses is maintained by the U.S. Department of Commerce.

The movement towards enhanced personal data and privacy security laws is not “Euro-centric”. The trend to adopt comprehensive data protection laws continues in other countries, including Australia, Argentina, Canada, Chile, Finland, Hong Kong, Hungary, Japan, Korea, South Africa and Switzerland.  In most instances, these countries’ personal data protection laws impose broad personal data processing and security obligations on employers.  Moreover, they also restrict cross-border transfer of personal data and make enforcement a priority.

“As the world becomes more ‘flat’, U.S. businesses with foreign-based employees have to comply with foreign data privacy laws,” says Partner Johan Lubbe.  “Lackadaisical personal data management practices can be costly and disruptive.  Employers may face penalties under state law, enforcement proceedings by foreign DPAs, and even a total ban on receiving important human resources data.  This could seriously impede the efficient management of international operations and foreign-based employees.”

The Jackson Lewis International Employment Issues Practice Group offers guidance, advice, counsel and representation in matters affecting domestic employers doing business abroad and foreign employers doing business in the United States. 

Copyright © 1998-2010 Jackson Lewis LLP