The Obama administration’s Consumer Privacy Bill of Rights should be seen as a vital document in shaping an expansive and globally accepted privacy framework in the United States (U.S.).
“Strong consumer data privacy protections are essential to maintaining consumers’ trust in the technologies and companies that drive the digital economy. The existing framework in the U.S. effectively addresses some privacy issues in our increasingly networked society, but additional protections are necessary to preserve consumer trust.” – Excerpt from the Consumer Privacy Bill of Rights.
Outsourcing arrangements often involve the processing of large volumes of personal information about a company’s customers or employees. In many cases this includes sensitive information such as financial data, medical data, payroll and benefits information, Social Security numbers and purchasing histories.
This post outlines the general issues that companies must consider when they permit outsourcing partners to transfer personal data across national boundaries. In particular, it examines issues that may arise under U.S. law, and also considers the regimes in three popular outsourcing destinations: the Philippines, India and Canada.
Global Privacy Laws
As most corporate executives know, different countries have taken different approaches to privacy. The European Union, for example, has long-standing laws that strictly limit the processing and transfer of all personal information. The U.S. has taken a narrower, sectoral approach, limiting companies’ ability to process data where that processing creates the possibility of real harm to individuals. When considering any type of data processing, whether internal or by a vendor, the company must first determine which regulations apply in the jurisdiction where the data was collected. When data is transferred to another jurisdiction for processing, as in an off-shore outsourcing relationship, the company must also consider how the laws (or lack of laws) in the target jurisdiction affect the processing and the company’s rights with respect to the information.
With regard to any trans-border data flow, each company must consider two separate legal perspectives. First, it must consider whether any laws in the country where the data originates continue to regulate the data after the transfer. For example, customer information held by U.S. financial institutions is regulated by the Gramm-Leach-Bliley Privacy and Safeguards Rules, and those rules continue to apply even when the data is processed off-shore; the institution remains responsible for overseeing its service providers.
Second, it must consider whether laws in the country where the data is processed give rise to any additional risks or benefits. For example, if U.S. data is transferred to Europe, the European data protection laws may themselves impose additional obligations on the processing of the data. These obligations may constitute risks, in that the company (as the owner of the data) may be liable if its agents fail to follow the EU requirements. The same laws may also be beneficial, in that the company can invoke them against its processor in the event of misconduct.
The United States has never enacted a comprehensive data protection or privacy law on the EU model. Instead, the U.S. has enacted laws that address particular privacy harms (such as the collection of personal information from children) and that regulate certain applications of data (such as the use of credit reporting data). Even for highly regulated data, such as healthcare information subject to the HIPAA regulations and financial information subject to the Gramm-Leach-Bliley (GLB) Act, U.S. law does not address trans-border data flows directly. These laws do impose obligations to maintain reasonable security, access controls and the like, and those obligations flow down to vendors (HIPAA, for instance, requires a business associate agreement with any vendor that handles protected health information), so they must be considered in any vendor relationship, domestic or off-shore. Accordingly, assuming the vendor provides appropriate security and confidentiality, U.S. law does not currently limit a company’s ability to select vendors in any other geography.
The absence of a data privacy law dealing specifically with outsourcing does not mean that a company’s use of off-shore vendors is without risk. U.S. laws impose various obligations on companies to maintain the privacy and security of their U.S. databases, and those obligations follow the data: the company must ensure that the legal requirements are met wherever the processing takes place.
Additionally, to the extent the company has posted privacy statements (or otherwise made representations to consumers or employees) about privacy and security, the company will be expected to comply with those statements; the Federal Trade Commission treats a privacy promise that is not kept as a deceptive practice under Section 5 of the FTC Act.
U.S. Consumer Privacy Bill of Rights
“It is not the be-all and end-all,” says Lisa Sotto, a privacy and data security lawyer and managing partner at the law firm Hunton & Williams, in an interview with Information Security Media Group. “This is just one of the critical building blocks that has been put out there in the move toward the development of a comprehensive privacy regime in the United States.”
The White House on Feb. 23, 2012, issued the Consumer Privacy Bill of Rights, which the administration says would provide a baseline of clear protections for consumers and greater certainty for businesses. The rights are:
- Individual control: Consumers have a right to exercise control over what personal data organizations collect from them and how they use it.
- Transparency: Consumers have a right to easily understandable information about privacy and security practices.
- Respect for context: Consumers have a right to expect that organizations will collect, use and disclose personal data in ways that are consistent with the context in which consumers provide the data.
- Security: Consumers have a right to secure and responsible handling of personal data.
- Access and accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.
- Focused collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
- Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
“The Consumer Privacy Bill of Rights provides general principles that afford companies discretion in how they implement them. This flexibility will help promote innovation. Flexibility will also encourage effective privacy protections by allowing companies, informed by input from consumers and other stakeholders, to address the privacy issues that are likely to be most important to their customers and users, rather than requiring companies to adhere to a single, rigid set of requirements.
Enacting the Consumer Privacy Bill of Rights through Federal legislation would increase legal certainty for companies, strengthen consumer trust, and bolster the United States’ ability to lead consumer data privacy engagements with our international partners. Even if Congress does not pass legislation, the Consumer Privacy Bill of Rights will serve as a template for privacy protections that increase consumer trust on the Internet and promote innovation.”
Improving Global Interoperability
“The Administration’s framework embraces the goal of increased international interoperability as a means to provide consistent, low-barrier rules for personal data in the user-driven and decentralized Internet environment. The two principles that underlie our approach to interoperability are mutual recognition and enforcement cooperation.
- Mutual recognition depends on effective enforcement and well-defined accountability mechanisms. Multi-stakeholder processes can provide scalable, flexible means of developing codes of conduct that simplify companies’ compliance obligations.
- Enforcement cooperation helps to ensure that countries are able to protect their citizens’ rights when personal data crosses national boundaries. These approaches will guide United States efforts to clarify data protections globally while ensuring the flexibility that is critical to innovation in the commercial world.
The Administration will implement this framework without delay. In the coming months, the Department of Commerce will work with other Federal agencies to convene stakeholders, including our international partners, to develop enforceable codes of conduct that build on the Consumer Privacy Bill of Rights.”
More Needs to Be Done
According to the administration, the advertising industry has committed not to release consumers’ browsing data to companies that might use it for purposes other than advertising, such as employers making hiring decisions or insurers determining coverage. “It’s great to see that companies are stepping up to our challenge to protect privacy so consumers have greater choice and control over how they are tracked online,” says Federal Trade Commission Chairman Jon Leibowitz, who briefed the media on the Consumer Privacy Bill of Rights. “More needs to be done, but the work they have done so far is very encouraging.”
A White House statement says the administration wants to work with Congress to develop legislation based on these rights to promote trust in the digital economy and extend baseline privacy protections to commercial sectors that existing federal privacy laws do not cover.
Sotto, however, says the mood on Capitol Hill makes it unlikely that privacy legislation would be enacted anytime soon. “This should be a bipartisan issue, and in theory it’s that,” she says. “But in practice, it’s not, and our legislators found that the devil is in the details.”
In the interview, Sotto also discussed the impact of the Consumer Privacy Bill of Rights on:
- Corporate and governmental professionals charged with protecting the data and privacy of information stored in their systems;
- Mobile technology;
- Consumers and businesses on assuring privacy.
Sotto has earned a No. 1 U.S. national ranking for privacy and data security from Chambers and Partners, publisher of leading guides to the legal profession.
The Philippines and the APEC Privacy Principles
The Philippines does not (yet) have any comprehensive data protection law, so data flows into and out of the Philippines can occur without local restriction. The Philippine government has expressed an interest in enacting a more comprehensive data protection regime, and a draft data protection law based on the EU approach has been circulated (it was later enacted as the Data Privacy Act of 2012, Republic Act No. 10173, so the status described here should be re-checked before relying on it). As an Asia-Pacific Economic Cooperation (APEC) economy, however, the Philippine government has also followed the development of the APEC Privacy Principles.
The APEC Privacy Principles were developed over roughly two years by a working group of APEC economies to provide an alternative to the EU data protection model. The U.S. was heavily involved in this process, which also included major economies of the Asia-Pacific region, Latin America (including Mexico) and Canada. The APEC Privacy Framework was finalized in November 2004 and has been followed by implementation workshops. These Principles will likely form the basis for a Philippine law, so this situation bears watching.
The APEC Principles are noteworthy for two reasons. First, laws that stem from these Principles will likely present lower compliance burdens for companies, because they recognize the need for appropriate processing and transfer of personal information. For example, such laws will likely facilitate off-shore outsourcing by permitting these arrangements where appropriate (but not overly burdensome) protections are in place.
Second, the Center for Information Policy Leadership at Hunton & Williams developed the basic framework document that the U.S. government put forward for the APEC model; Professor Fred Cate was its primary drafter. This approach is more business-process friendly, as it takes into account the many benefits that multinational data flows bring to economies. APEC-based laws recognize that global data flows are best facilitated by laws that hold local companies accountable for their data processing activities. They also reflect an understanding that enforcement and restrictions should be tied to harmful uses of data, not to the mere processing of data itself. These concepts, a marked departure from the EU approach, are necessary to enable the kinds of 21st-century data flows that support a company’s needs.
In order to manage the risks associated with its own liability for vendor malfeasance, the company will want to ensure that it (and its vendors) can enforce their contracts and protect their computer systems and data in the foreign country. In general, the Philippine legal system provides legal and equitable remedies analogous to those found in the United States. The system is well developed and based on respect for the rule of law and court decisions. There are excellent local law firms in the Philippines, and the legal industry is quite mature. In particular, the Philippine legal system recognizes the rights of data owners and would likely provide a reasonable forum for obtaining redress in the event of a security or privacy incident.
With regard to information security, it is worth noting that the Philippines has made great progress over the past few years in enacting legislation that enables both companies and law enforcement agencies to address security concerns and computer crimes such as hacking. Prior to the infamous “I LOVE YOU” virus incident in 2000, the Philippines had no law making computer hacking and similar conduct a crime. After that incident, the Philippine government enacted the Electronic Commerce Act of 2000. The Act provides civil and criminal penalties for unauthorized access to computer systems and imposes legal obligations of confidentiality on persons who receive electronic data, keys, messages or other information.
The mere existence of this Act is important. As the company evaluates outsourcing locations, it should perform some due diligence on the recourse it would have in the event of a security or privacy breach. For example, while monetary recourse for a security breach might exist in the U.S., it is equally important to consider whether the company could reasonably obtain an injunction (or comparable order) in the local jurisdiction to compel the return or destruction of misappropriated data. It appears that the Philippine legal system would offer these types of relief.
As each company considers its outsourcing options, it must understand both the laws of the country where the data originates and the laws of the country where the data will be processed. Because responsibility for compliance with the originating country’s laws continues to rest with the company, and because the company must also comply with applicable state laws and with any representations it has made, due diligence on the vendor and on the receiving country’s legal system must be thorough.
Once the due diligence is complete, the company must ensure that appropriate protections are built into its vendor contracts. These include thoughtful contractual provisions on confidentiality, appropriate use, data security, audit rights, insurance and remedies. We recommend that a safeguards schedule be included in the outsourcing contract to spell out the security expectations in sufficient detail. Ongoing vendor monitoring and management is also essential. In each case, the level of effort required will depend on the volume and sensitivity of the personal information being processed.
For all off-shore relationships, I also recommend that the company develop a formal plan for responding to “worst case scenario” events, such as misappropriation of personal data. This plan would contain an analysis of the legal remedies available in the jurisdiction, and would identify both local legal resources that could be engaged quickly and the legal recourse that would be sought in the event of a security incident or breach of contract.
Hope this helps…