With the rise of the global economy and the reach of the Internet, many businesses now have customers and data from around the world, if not offices and employees in numerous countries. But when marketing or HR asks for data pertaining to global customers or employees to be sent to the home office, this can raise complex cross-border data-transfer issues and the specter of a patchwork of privacy laws applicable to personal information. These laws can pose myriad and sometimes conflicting obligations for a multinational enterprise or any business with global reach. Our attorneys are experienced at guiding our clients through this global labyrinth.

For example, some countries have no general data protection framework in place, but may have sector-specific laws or regulations that apply to cross-border data transfers. Other countries use vague language, such as requiring that the recipient country (the country to which the data is to be transferred) have a “sufficient” or “comparable” level of protection in place for data containing personal information. In other countries, such as South Korea, the transfer of personal data abroad requires the prior consent of the data subject. India combines the two approaches: under its 2011 rules on sensitive personal data, a transfer is permitted only if the recipient ensures the same level of data protection as the transferor entity, and either the transfer is necessary for the performance of a lawful contract with the data subject or the data subject has consented to it.

The European Economic Area (EEA), which comprises the 28 EU Member States plus Iceland, Liechtenstein and Norway, has established a framework applicable to cross-border data transfers. Unfortunately, this does not remove complexity from the legal landscape. Generally, under Data Protection Directive 95/46/EC (the DPD), personal data may be transferred outside the EEA only when the recipient country provides an “adequate level of protection” for the data. The European Commission maintains a list of countries that are deemed to provide adequate protection for the processing of data subjects’ personal information, and transfers from the EEA/EU to those countries are allowed without further safeguards. Presently, only a handful of jurisdictions are on the list, including Argentina, Canada (for commercial organizations subject to its federal privacy law), Israel, New Zealand, Switzerland and Uruguay.

Notably, the United States is not on the list. However, a U.S. business can instead self-certify under the U.S.-EU Safe Harbor program and thereby meet the “adequacy” standard for privacy protection. Organizations that participate in the Safe Harbor program must self-certify annually, in writing, to the U.S. Department of Commerce that they agree to adhere to the U.S.-EU Safe Harbor Framework’s requirements, which comprise seven privacy principles: notice, choice, onward transfer, security, data integrity, access and enforcement. They must also state in their published privacy policy that they adhere to the Safe Harbor Privacy Principles.

In addition to the Safe Harbor program, other mechanisms are available to demonstrate that adequate safeguards are in place for data transfers from the EEA/EU. These options, such as Binding Corporate Rules (BCRs) and standard contractual clauses (also known as model contract clauses), may be useful in the context of transferring data from the EEA/EU to countries other than the U.S.

In light of the scope and reach of the various rules and regulations, cross-border data transfer issues can arise under various circumstances. These can include preparing global employee privacy policies, implementing a new global HR system, selling to customers overseas, hiring employees from around the globe and, of course, transferring data between office locations.