Editor’s Note: We recently launched a graphic illustrating our Cyber Risk Mitigation Services. This week, our attorneys will be writing about specific examples of those services.

With the rise of the global economy and the reach of the Internet, many businesses now have customers and data from around the world, if not offices and employees in numerous countries. But when marketing or HR asks for data pertaining to global customers or employees to be sent to the home office, this can raise complex cross-border data-transfer issues and the specter of a patchwork of privacy laws applicable to personal information. These laws can pose myriad and sometimes conflicting obligations for a multinational enterprise or any business with global reach. Our attorneys are experienced at guiding our clients through this global labyrinth.

For example, some countries have no general data protection framework in place, but perhaps have sector-specific laws or regulations applicable to cross-border data transfers. Other countries use vague language, such as requiring that the recipient country (the country where the data is to be transferred) have a “sufficient” or “comparable” level of protection in place for data containing personal information. In other countries, such as South Korea, the transfer of personal data may require the prior consent of the data subject. India combines the two approaches, so that data can be transferred only if the recipient adheres to the same level of data protection as the transferor entity and the data subject consents to the transfer.

The European Economic Area (EEA), which includes the 28 EU Member States, has established a framework applicable to cross-border data transfers. Unfortunately, this doesn’t remove complexity from the legal landscape. Generally, under Data Protection Directive 95/46/EC (the DPD), personal data may be transferred outside the EEA only when the recipient country provides an “adequate level of protection” for the data. The European Commission maintains a list of countries that are deemed to provide adequate protection for the processing of data subjects’ personal information, so data transfers from the EEA/EU are allowed to those nations. Presently, there are only a handful of countries on the list, including Argentina, Australia, Canada, Israel, New Zealand, Switzerland and Uruguay.

Notably, the United States is not on the list. However, a U.S. business can instead self-certify with the U.S.-EU Safe Harbor program and therefore meet the “adequacy” standard for privacy protection. Organizations that participate in the Safe Harbor program must annually self-certify with the U.S. Department of Commerce in writing that they agree to adhere to the U.S.-EU Safe Harbor Framework’s requirements, which includes seven privacy principles such as notice, choice, security, access and enforcement. They must also state in their published privacy policy statement that they adhere to the Safe Harbor Privacy Principles.

In addition to the Safe Harbor program, other mechanisms are available to demonstrate that adequate safeguards are in place for data transfers from the EEA/EU. These options, such as Binding Corporate Rules (BCRs) and standard contractual clauses (also known as model contract clauses), may be useful in the context of transferring data from the EEA/EU to countries other than the U.S.

In light of the scope and reach of the various rules and regulations, cross-border data transfer issues can arise under various circumstances. These can include preparing global employee privacy policies, implementing a new global HR system, selling to customers overseas, hiring employees from around the globe and, of course, transferring data between office locations.

Your organization may be unsure which regulations apply or how to ensure compliance. The Privacy and Data Protection team at BakerHostetler can proactively guide you through these issues. For instance, if you are considering consolidating customer data or HR data from offices outside the U.S., we can assess whether Safe Harbor certification, BCRs or model contracts make the most sense for your company.

We can also help companies (1) determine eligibility for participation in the U.S.-EU Safe Harbor program; (2) create or modify privacy notices and internal privacy policies to conform to the seven Safe Harbor Privacy Principles; (3) establish an independent recourse mechanism to investigate unresolved complaints relating to personal information; (4) ensure that procedures are in place for compliance with the Safe Harbor program (by using a self-assessment or an outside/third-party assessment program); and (6) self-certify annually with the Department of Commerce.

In addition, our team can work with clients in drafting policies that may invoke cross-border transfer issues, such as employee personal information privacy policies. Such policies should include the circumstances under which the employer will process personal data, including the transfer of data to third parties.

Accordingly, whether your organization processes, controls or maintains personal data in Europe, Asia or elsewhere, the regulatory landscape can be complex and constantly changing. No matter where your company does business, we can assist with navigating the murky waters of cross-border data transfers and provide expert guidance on the applicable privacy laws and regulations.

CyberRisk Graphic