The United States does not have a uniform national law protecting personally identifiable information, such as age, address and financial information. Unless a company is in a regulated industry (such as banking or health care) or participates in a regulated activity (such as the collection of data from children), it has broad latitude under U.S. law in establishing its own rules for collecting and using such data.

Since the European Union's data protection directive (adopted in 1995 and in force since 1998) began protecting personally identifiable data, the U.S. has become increasingly isolated in its approach. More than forty countries have adopted laws specifically dealing with the protection of personally identifiable data, and all of these countries have more stringent laws than the United States. For U.S. companies doing business internationally, this presents a dilemma: they can no longer ignore international data protection laws without subjecting themselves to significant risk, but there are no easy options for compliance.

In this article, we will describe in more detail the nature of this problem. Then, we will discuss the pros and cons of the various compliance options.

The Problem

The European Union data directive was designed to guarantee consumers a minimum level of protection for personally identifiable information. Among other things, it limits the data that can be collected and the uses that can be made of that data, it requires the company to ensure that the collected data is kept secure, and it requires that certain disclosures be made to consumers while giving each consumer the right to access records to confirm the accuracy of the data collected about them. This directive applies not only to on-line data, but also to information maintained on automated systems and to some paper records.

If this were all that the directive did, it would not be of importance to most companies outside of Europe. But the directive has one additional provision that has created problems for many U.S. companies: once data has been collected, it cannot be transferred to another recipient unless that recipient is subject to rules providing an "adequate level of protection." Many other countries have responded to this requirement by adopting data protection laws that largely copy the E.U. directive to ensure that their companies are subject to "adequate" laws. The U.S. has not. As a result, the transfer of personally identifiable data to a company in the United States may now violate laws in many countries, subjecting U.S. companies to the risk of damage claims and disruption of data flows.

The Safe Harbor Agreement

In response to this problem, the U.S. Department of Commerce and the European Commission have developed a "safe harbor" program that will allow U.S. companies to satisfy the European Directive's requirements and ensure that personal data flows to the United States are uninterrupted. The substance of the safe harbor provision is a restatement of the directive's general principles of data protection, such as notice, choice, and access. U.S. companies bear the burden of developing specific procedures that comply with these general guidelines.

Entering the safe harbor is entirely voluntary, but companies must comply with the requirements to gain the safe harbor protection, and publicly declare that they do so. The company must file an annual self-certification of continued compliance. If a company fails to comply with its program, it risks FTC enforcement action that could lead to fines and revocation of the safe harbor protection.

The safe harbor provides two principal benefits to U.S. companies. First, it allows for more predictability and continuity in sending personal information to, and receiving it from, Europe. Second, it avoids oversight by potentially unsympathetic European authorities and allows U.S. companies to deal instead with the FTC, which is widely viewed as a more predictable and reasonable enforcement authority.

But the safe harbor comes with costs. It would require most U.S. companies to make radical and expensive overhauls in the way they handle personal data. Unless domestic and foreign data can be segregated, a U.S. company would have to apply the more expensive procedures to all personally identifiable data that it collects. The safe harbor also applies only to the European Union, and it is uncertain whether other countries would view it as sufficient compliance with their own laws.

Contract Terms

As an alternative to the safe harbor, a company receiving personally identifiable data from a European company can enter into a contract with that company that contractually obligates the U.S. company to adequately safeguard transferred data. Unfortunately, the two companies are not free to negotiate what level of protection is adequate. Instead, the U.S. company must either negotiate acceptable terms with the national data protection authority or adopt an E.U.-developed "model contract."

The use of the model contract may make sense for a company that receives personally identifiable data from only a limited number of sources. It has the advantage of providing more certainty as to the required level of data protection. In addition, if the recipient of the information can segregate the data covered by the contract from its other data, it can avoid overhauling its entire system.

But there is one significant problem with this approach that makes most companies hesitant to use it. The model contract includes extremely unfavorable contract terms that make the U.S. company liable to consumers for any breach of the data protection laws by the disclosing European company and subject the U.S. company to suit in Europe. For most companies, this is too big a risk.

Consent

A company can avoid complying with the substantive E.U. data protection rules if it is able to obtain consent from each individual who is subject to the proposed data transfers. To be effective, any such consent must be "unambiguous" and "freely given, specific and informed." Each individual must be notified of the consequences of her choice, and told that the information will be sent to a country lacking adequate privacy protection. It is not sufficient to obtain implied consent by claiming that an individual has failed to object after being told about the transfer. While not all national laws are identical, most countries that have adopted data protection laws follow this basic pattern, so consent can be an almost universal solution to the data transfer problem.

Consent may be particularly useful in two situations. First, if the company has direct contact with the individual about whom information is collected and transferred, such as an employee, it may be practical for the business to solicit explicit consent for personal information transfer. Second, a company that only obtains information over the Internet can use a registration process or an on-line agreement to obtain the required consent. Many companies will find it sensible to obtain consent as an additional protection, even if the company is primarily relying on other compliance measures.

One problem with the consent option is that it makes the company dependent upon obtaining consent from each data subject and can create awkward problems if some subjects refuse the request. In addition, consent is usually impractical if much of the information is collected without direct consumer contact or if the foreign company has already collected a significant amount of personally identifiable data before it begins obtaining consent.

Avoid Jurisdiction

A company does not have to worry about international data transfer regulations if it is not collecting any personally identifiable data from abroad. Companies with insignificant earnings from international sales may decide that it is more practical to discontinue any marketing activities that would require the transfer of any such data to the United States. While this would make it difficult to make direct sales and would limit the usefulness of the Internet, it does not mean that a company necessarily has to abandon all foreign sales. In some cases, it may be possible to use foreign distributors or agents to handle all sales activities and to establish procedures that avoid the transfer of personal data to the United States.

Wait and See

While it is likely that the United States will adopt some law on the protection of consumer information in the near future, the exact scope of any such law remains unclear. Most laws being debated would fall short of what the Europeans would consider to be "adequate" protection and would not solve the data transfer problem.

Nevertheless, for some companies it may make sense to wait until the U.S. situation is clarified before deciding how to deal with foreign data transfers. Many companies are reluctant to radically alter their approach to personally identifiable data until they are sure that the changes will comply with developing U.S. law. And some companies are not ready to abandon hope that the U.S. government can devise a solution that will make the problem go away.

A word of caution: delay is not a means of compliance and any company that chooses this option is taking a risk. This strategy makes sense only for a company that has such a minimal level of international business that it is unlikely to be an enforcement target. A company should never consider this option if its operations would be materially impacted by a sudden disruption in the international transfer of personally identifiable data.

Robinson, Bradshaw & Hinson, P.A. is a business law firm specializing in complex corporate transactions and litigation. For over forty years, the firm has consistently provided innovative solutions to its clients' business needs from both a legal and practical perspective. The firm serves as counsel to public and closely held corporations operating in domestic and foreign markets; limited liability companies; limited and general partnerships; individuals; municipal, county and state agencies; public utilities; health care institutions; financial institutions and tax-exempt organizations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.