The global economy requires the cross-border transfer of personal information. At the same time, such transfers are becoming more difficult and costly from a business perspective because more countries are adopting privacy laws that regulate, among other things, cross-border data transfers. These laws vary dramatically from country to country but typically either explicitly prohibit transfers to other countries unless certain conditions are met or impose regulatory obligations on the organizations transferring the personal information. These cross-border limitations are affecting both the quality and choice of products and services that can be offered to consumers on a global basis.

As a result, greater attention is being paid to the development and use of global or enterprise-wide privacy rules ("Corporate Privacy Rules") as a way to correct the problems faced by consumers and organizations under the current international privacy regime. The concept of Corporate Privacy Rules is based on the notion of accountability – that is, the organization as a whole assumes responsibility for protecting the data. Corporate Privacy Rules are not a new concept; rather, they are an extension of an approach that has worked successfully in other areas for many years (e.g., enterprise-wide policies in the field of financial reporting, and conflicts of interest).

Implementing such rules within an organization is relatively easy. The bigger challenge, however, will be to secure the necessary international acceptance and cooperation that will enable organizations to implement Corporate Privacy Rules as a global, rather than a national or regional, solution for cross-border data transfers.

Efforts are currently underway in Europe and Asia to build acceptance for this approach.[1] In the meantime, companies are reassessing their current cross-border data transfer arrangements and are taking the necessary internal steps to develop Corporate Privacy Rules so that when there are a sufficient number of countries willing to accept them in lieu of other cross-border mechanisms, they will be well positioned to phase out their existing cross-border arrangements in favor of a global solution.

Assessing The Current Options For Cross-Border Data Transfers

Organizations that want to transfer personal information legally have only two viable options available to them.[2] They may either obtain the (opt-in) consent of the individual concerned or establish a contract with the entity that is receiving the data. In certain situations, however, organizations may be unable to rely on the use of consent or contracts to make their international data transfers. For example, many banks and law firms function internationally through branches rather than through separate legal entities; therefore, contracts cannot be used when the same legal entity would be on both sides of the contract. Likewise, in certain jurisdictions, consent is strongly disfavored, particularly when it involves the transfer of employee data, because there is a view that consent cannot be given "freely" within the context of the employment relationship or in exchange for goods or services.[3] In addition, if consent is required and a customer does not consent, then the organization may not be able to provide the services (i.e., a company cannot ship the goods if the individual will not permit the information to be disclosed to the affiliated entity that runs the fulfillment house where the goods are stored). Failure to adhere to these cross-border transfer restrictions may result in civil and/or criminal penalties for the organization concerned.

To understand how these cross-border transfer mechanisms work and what the implications are for both organizations and consumers, consider the following practical, real-world scenario:

A U.S. consumer purchases a computer from a U.S. company and has trouble setting it up. Over a one-week period, the consumer has to call the company’s customer service support hotline at three different times of the day. Calls to the hotline between 9 a.m. – 9 p.m. EST are handled by the U.S. company, between 9 p.m. – 3 a.m. EST by its Japanese affiliate, and between 3 a.m. – 9 a.m. EST by its Irish affiliate.[4]

Under current data protection rules, in order to provide this service and comply with the various national privacy laws,[5] the company must either obtain relevant personal information from the customer each time he or she calls (i.e., his or her name, contact information, information about his or her purchase to ensure that he or she is covered by the warranty) and require the customer to repeat the same information about his or her problem during each call with customer service or, to avoid such repetition, put into place four different contracts that will enable information to be shared among the affiliates. If the company opts for the latter approach, then the Irish affiliate must enter into a contract with the Japanese affiliate to transfer the data to it; the Irish affiliate must also enter into a contract with the U.S. affiliate or the U.S. affiliate must certify to the Safe Harbor.[6] The Japanese entity must also enter into contracts with the Irish and the U.S. affiliates. Even with such contracts in place, in addition to providing the customer with a written notice at the time he or she initially provides his or her personal information to the company, the customer service representatives will still need to provide the customer with two or possibly three verbal privacy notices before they can begin to address the customer’s problem.

Implications For Consumers And Business

Cumbersome Access Or Degraded Service For Consumers. The customer will most likely be extremely frustrated that he or she must hear the privacy notice each time and, if there are no affiliate contracts in place, will be equally frustrated that he or she must provide his or her relevant data each time he or she calls customer service. He or she also will need to recount the content of all of his or her previous conversations with customer service because the affiliates will be unable to share the information they collect from or advice they dispense to the customer. Moreover, the customer may not get an immediate response to his or her inquiry because, without access to a centralized database, the affiliate answering the customer’s call must first obtain the customer’s affirmative consent to request information from the affiliate from whom the purchase was made in order to verify, for example, the warranty information which it would need before it can provide an answer to the inquiry. This entire process could take hours or days to complete. For these reasons and those discussed below, some companies will forgo providing such support services entirely, thereby denying consumers access to such important services.

Regulatory Burden Discourages Compliance And Provision Of Goods And Services At Competitive Prices. For the company, the costs associated with establishing this type of customer service system are enormous. For example, if an organization with offices in 15 EU Member States, Japan, the U.S. and Canada wishes to have a centralized customer database to provide global customer services to its clients, the organization would be required to enter into 79 separate contracts among the corporate affiliates and to have 18 different privacy notices. In addition, any time there is an organizational change among the parties to the contract (e.g., a different affiliate is assigned responsibility for processing warranty data for a given affiliate or possibly on an enterprise-wide basis), new contracts will need to be negotiated. Or, if the organization relies on consent, then it must permit the individual to withdraw consent at any time and keep track of those preferences. Because the cost of compliance is so administratively burdensome and so expensive, it may be easier not to provide 24-hour customer service.

Disparities In Service Quality. The current system reduces business flexibility and inhibits businesses from managing their operations (e.g., controlling their costs) in an effective and efficient manner which, in turn, impacts the range and price of products and services offered to consumers. In particular, the existing arrangement discourages or impedes enterprise-wide initiatives in such areas as training, security and procurement. Given the complexity and administrative burden of obtaining consent to transfer personal information, some organizations opt to implement such programs locally, which makes it difficult to ensure that the same standards are followed at the local level and to achieve the same economies of scale that could be achieved if the program were operated on an enterprise-wide basis (e.g., negotiating supplier discounts on an enterprise-wide basis). So, in the customer service example cited above, the customer service representatives may not have the same level of troubleshooting expertise, which will yield poorer support service for the customer.

Illusory Cross-Border Privacy Protection. Consumers are ill served because their personal information is not protected in a uniform and consistent manner. For example, if a customer becomes a victim of identity theft as a result of a security breach by one of the affiliates or if an affiliate shares his or her personal information with a third party against his or her wishes, the customer is likely to have a very difficult time resolving his or her problem, particularly since the affiliate from whom he or she purchased the computer is under no obligation to provide a local complaint resolution mechanism. As a result, the customer would have to overcome significant linguistic barriers as well as even larger legal barriers. First, the customer will have to determine who is at fault; however, even with superb computer forensics, it may be difficult to determine at precisely which point in the global network a hacker found entry. If it cannot be determined where in the system the hacking occurred, or if the hacker was from a completely different country and the information was collected in transmission between two affiliated entities, then it will be impossible to assign fault or responsibility for the security breach. Given that none of the affiliates will be responsible, each can avoid liability, thus leaving the consumer completely unprotected and with no viable recourse mechanism.

Second, the customer will need to determine what law (or laws) applies, what his or her rights are with respect to the standard of protection in that jurisdiction and who needs to be contacted to have the problem resolved. The answer to these questions may be very complex given the multi-jurisdictional nature of data flows; one or more sets of national rules will likely apply. It is entirely possible, given the jurisdictional differences in protections provided, that no privacy law has been violated. Consequently, the customer would have no recourse. The U.S. customer could appeal to the FTC for assistance but, unless the organization has demonstrated a pattern of abuse, the FTC is not likely to pursue redress for the customer. Alternatively, the customer might appeal to the local data protection authorities but often they are understaffed and under-resourced and are not likely to take any action based on an issue raised by a U.S. consumer.

The Emerging Global Solution: Corporate Privacy Rules

Given the problems inherent in the existing approaches, the concept of Corporate Privacy Rules is emerging as a new and better approach to managing global data transfers. Both the parent and its affiliates are bound to protect the data according to the Corporate Privacy Rules adopted by the organization. Data may then be transferred among affiliates around the world without restrictions. However, if a breach occurs, the affected individual will be able to file a complaint locally in his or her native language – regardless of where the breach occurred or which affiliate was responsible for the breach – and have the complaint addressed in an appropriate manner by the company with whom he or she has a relationship. In short, a breach by one affiliate would be treated the same as a breach by any other, so consumers and employees ("individuals") would be provided with consistent and enforceable rights even in jurisdictions with no privacy laws in place.

To understand how such rules would work in practice, consider the following scenario:

An individual located in Europe provides personal information directly to an affiliate located in Asia or indirectly through its local European affiliate. The Asian affiliate mishandles the information (violating the organization’s Corporate Privacy Rules).

Rather than force the individual to resolve the problem directly with the Asian affiliate and have to contend with different time zones as well as linguistic and cultural differences, the individual would be able to contact his or her local affiliate to file a complaint. The local (European) affiliate would be responsible for resolving the problem within the organization and would serve as the local interface with the individual. How the organization chooses to resolve the problem internally (e.g., determine which entity is financially or legally responsible) would be for the organization to decide.

If the individual is unable to resolve the problem with the organization, the individual would then be directed to an independent dispute resolution body authorized by the organization to hear and resolve complaints. If the issue was not resolved to his or her satisfaction, the individual would still be able to pursue legal claims against the organization or file a complaint with the authorities in the jurisdiction in which its Corporate Privacy Rules were approved or certified. As discussed later on in this article, there should be a logical connection between the designated jurisdiction and the organization’s operations (e.g., the jurisdiction selected might be the jurisdiction in which it has its center of activity or in which it is headquartered).

Corporate Privacy Rules offer significant benefits to individuals. The individual’s rights and recourses are protected no matter where the breach occurs. Moreover, such rules will simplify and reduce the cost of data privacy compliance for cross-border transfers, thereby encouraging greater compliance. In particular, organizations will be able to implement uniform privacy policies and practices on a regional or global basis without the administrative, legal and organizational complexities of multiple contracts.

For the company, use of Corporate Privacy Rules would reduce the compliance, training, and set up costs associated with establishing this type of customer service system. It would be cheaper and more effective for the company to roll out a single organization-wide program rather than replicate the program in multiple local markets.

Developing Corporate Privacy Rules

The first step is for the organization to develop its own internal set of Corporate Privacy Rules relating to the treatment of personal data. These rules would need to incorporate internationally accepted principles of fair information practices. These rules can be tailored to the needs of the organization, taking account of particular challenges and sensitivities, the corporate culture and processes, and the organizational structure. Once the Corporate Privacy Rules are developed by the organization, they would then need to be evaluated against internationally accepted principles of fair information practices to assure that they are compliant. While the process of assuring compliance still needs to be worked out, industry has urged that the process be sufficiently flexible to permit attestations/self-declaration of compliance or reviews by designated public or private entities. Once the compliance process has been completed successfully, the organization’s rules would be regarded by all of the participating jurisdictions as satisfying the cross-border data transfer requirements of each jurisdiction without the need for further authorization or regulation. The organization would then be able to move data among its affiliates as required to meet its business needs among participating jurisdictions pursuant to its Corporate Privacy Rules.

Conclusion

Corporate Privacy Rules offer a promising alternative means to safeguard cross-border data transfers. Many companies are already beginning to develop such rules internally so that once governments work out an acceptable approval process they will be ready to proceed. Clearly, the proactive involvement of companies, data protection/privacy authorities, consumer protection agencies and other relevant government agencies, working collaboratively within and across jurisdictions will be required to make Corporate Privacy Rules a reality. Individuals, organizations and government all have a stake in resolving this issue so that individuals can have meaningful protections for their personal information as well as access to a wide variety of products and services at competitive prices.

Footnotes

1. Data protection commissioners in Austria, France, Germany, Hungary, Ireland, the Netherlands, Poland and the United Kingdom have begun to work together to advance the usage of codes of conduct or, as they prefer to call them, "binding corporate rules," to enable EU data transfers. But, the lack of a streamlined mechanism for obtaining regulatory approval is one of several obstacles remaining to their widespread adoption within Europe. In Asia, the Asia Pacific Economic Cooperation ("APEC") Member Economies approved a regional privacy framework that would permit the use of Corporate Privacy Rules to transfer personal information easily throughout the region. Member Economies are in the process of implementing the APEC Privacy Framework and have agreed, as part of their future work, to support the development and recognition of organizations’ cross-border privacy codes across the APEC region.

2. The European Union ("EU") data protection regime imposes strict conditions for the transfer of personal data outside the EU. The basic rule under the Data Protection Directive 95/46/EC is that all transfers outside the European Union are prohibited, unless the destination country provides for an "adequate level of data protection." The question of whether such adequate protection is provided is generally decided by the European Commission or national authorities. Very few adequacy decisions have occurred, however, since the regime was put in place in 1995. So far, only the laws of Argentina, Canada, Guernsey, Hungary, the Isle of Man, Switzerland, the U.S. Safe Harbor Principles and the Air Passenger Name Record regime of the United States’ Bureau of Customs and Border Protection have been recognized as "adequate."

3. Many data protection authorities are of the opinion that employees do not have the necessary freedom to consent meaningfully to the transfer of such data because of their inherent dependence on their employers. See Article 29 Data Protection Working Party Opinion 8/2001 on the processing of personal data in the employment context, September 13, 2001, available at: http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs.

4. Since it is prohibitively expensive and extremely difficult to find qualified individuals to staff a customer service department in the United States 24 hours per day, the U.S. company has opted to set up customer service centers in other parts of the world so that they can retain qualified individuals and provide 24 hours of customer service.

5. As of September 2006, 45 countries have some form of data protection or privacy laws and 24 other countries are considering adopting a privacy law. In addition to the local compliance obligations, many of these countries regulate cross-border transfers of personal information, either explicitly prohibiting transfers to other countries unless certain conditions are met or imposing regulatory obligations on the organizations transferring the personal information.

6. The Safe Harbor framework was developed by the U.S. Department of Commerce in consultation with the European Commission, to provide U.S. organizations with a streamlined means of satisfying the "adequacy" requirement under the EU Data Protection Directive. U.S. organizations wishing to receive personal information from European organizations legally must either join the Safe Harbor or satisfy one of the Directive’s other exceptions. The Safe Harbor framework is set forth in a set of seven Safe Harbor Principles, fifteen frequently asked questions and answers ("FAQs"), the European Commission’s adequacy decision, the exchange of letters between the Department and the European Commission, and letters from the Department of Transportation ("DOT") and Federal Trade Commission ("FTC") on their enforcement powers. The Safe Harbor can, but does not have to, apply to all personal information transferred from the European Union, whether collected on or off-line.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved