By Rebecca S. Eisner and Brad L. Peterson

Recent developments in privacy laws have created new challenges for businesses. Now, businesses that fail to consider and plan for data privacy requirements can face official enforcement action, fines, penalties and lawsuits. Even more damaging is the loss of public trust that businesses suffer when customers and employees learn that their private information has been abused, compromised or sold.

Should your business care about data privacy issues? If your business has employees, you face important privacy law issues for their personnel files, medical and other insurance information, performance data, portals, e-learning facilities, and e-mail and Internet use. If your business is in one of the regulated industries, such as financial or health care, or if it collects information from children, then your business already has additional privacy issues to address. If your business collects information from customers, whether in a consumer or business context, then your business has privacy issues regarding the collection, use and disclosure of that data. If your business shares data with third parties, whether as service providers, alliance partners or otherwise, then your business needs to be concerned about the privacy practices of these third parties, and how they could impact your business.

U.S. Developments. The U.S. Congress recently enacted privacy legislation protecting personal financial, health and medical information, as well as the collection of information from children under 13. State legislatures have also been active. The Federal Trade Commission and the individual States are taking more active enforcement roles with respect to privacy issues, based on already existing broad consumer protection legislation and regulations.

International Developments. Outside of the U.S. (for example, in Canada, Australia and South America), privacy regulation is developing at a rapid pace, often with requirements that, while consistent with local culture, are surprising to U.S. nationals. Multi-national companies, companies with operations in other countries, and companies that simply receive data from other countries may be subject to local privacy regulations.

EU Data Privacy Directive. The European Union Data Protection Directive (the "EU Directive") applies to any business that collects and processes personal data. It covers all personal data processed by data controllers established in an EU member state. Your business does not have to be located in the EU to be subject to the Directive and to the national legislation of EU member states. The Directive covers many functions, such as those involving the collection and processing of employee data, customer data, patient data and other personal information.

One common misunderstanding is that U.S. businesses can freely move their own data from the EU to the U.S. In fact, the EU privacy laws tightly regulate the transfer of personal data outside of the EU. These trans-border data flow issues are having a global impact on business, influencing both legislation in other countries and the privacy practices of many businesses. The "Safe Harbor" arrangement negotiated by the U.S. was intended to allow U.S.-based businesses to continue their trans-continental data transfers. So far, the Safe Harbor principles have been slow to catch on, and businesses are addressing their transfer issues in other ways.

What Should You Do? The first step toward privacy readiness and compliance is to understand the impact of the privacy laws on your business. This is best done by assessing what personal data your business collects and uses, what laws apply to that data, and what your current practices may be with respect to use and sharing of that data. To accomplish all this, many businesses appoint a privacy team comprised of individuals from HR, legal, marketing, communications, technology, finance, strategy and others. In a growing number of cases, businesses are creating "Privacy Offices" to lead the effort in helping businesses become privacy compliant. To get started, consult the privacy compliance checklist at the end of these materials.

Comprehensive Data Privacy Advice. Mayer, Brown, Rowe & Maw offers comprehensive legal services in data privacy and security, and other confidentiality-related matters, in all information technology, capital markets, employment, financial institutions, electronic commerce, health care (HIPAA) and litigation areas in the United States and the European Union. We provide a cross-border approach to data privacy, giving our clients a team of lawyers with a global perspective and local expertise. With offices in seven U.S. cities (Chicago, Charlotte, Houston, Los Angeles, New York, Palo Alto, and Washington) and six European cities (Brussels, Cologne, Frankfurt, London, Manchester, and Paris), Mayer, Brown, Rowe & Maw provides our clients with the turnkey legal analysis necessary to effectively and efficiently assess privacy issues and their impact on their businesses worldwide.

What does your business need to do now?

A compliance checklist

  • Collect Data. Collect information about all of the various places where your business collects or processes personal information. Consider all HR functions, all employee interfaces, and all customer interfaces that collect information (including telemarketing operations, customer databases, websites, etc.).
  • Track Data Use. Determine how the information that is collected is used. How is it circulated internally? Is it ever sent outside your business? You need to track data use within your business to identify vulnerabilities.
  • How is Information Shared With Third Parties? Determine whether any information is shared with third parties, for what purposes, and pursuant to what contracts.
  • Determine Applicable Privacy Laws. Determine applicable data privacy laws and regulations that affect the various operations of the business. Consider where data transfers occur, and consider where international data privacy laws may apply.
  • Develop a Comprehensive Privacy Policy. Review all existing employee policies and notices, privacy statements made to customers, website privacy statements, and all other privacy statements currently in effect. It may be necessary to change certain previously provided statements or practices. Consider how such changes may be legally implemented.
  • Map Data Flow. Determine the appropriate data collection, use, security, notice, opt-out, access and onward transfer policies for each respective data collection area.
  • Create a Privacy Office. Create a Privacy Office within your company. Pick a staff member who can assume responsibility for privacy. Give this person the resources needed to meet the new requirements (when the rules are clear). This is an investment; it will be a big job in the beginning but will become routine.
  • Establish Privacy Communication Practices. Establish plans to communicate privacy practices and policies, and enforcement of those, throughout the business and with business partners. Going forward, the privacy office should work to set policies and procedures for protecting privacy and addressing complaints, train staff to adhere to privacy policies and procedures, and develop the company’s public positions on privacy.
  • Revise Third Party Contracts. Review all existing third party arrangements to determine whether those arrangements are adequate, or if they need to be amended or changed to accommodate business privacy requirements. These arrangements include service providers, consultants, agents, strategic business partners, co-branding partners, and others. Ensure that other parties who receive or provide personal information provide the same protection that you do and will not disclose this information to others.
  • Monitor Privacy Developments. Continuously monitor privacy developments, and monitor company practices to ensure that policies and statements accurately reflect actual business practices. For more information on data privacy, see the Mayer, Brown, Rowe & Maw lawyer listing on the following page.

Copyright © 2007, Mayer, Brown, Rowe & Maw LLP and/or Mayer Brown International LLP. This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.

Mayer Brown is a combination of two limited liability partnerships: one named Mayer Brown LLP, established in Illinois, USA; and one named Mayer Brown International LLP, incorporated in England.