The world may be getting smaller, but the number of ways various countries approach confidentiality is growing. A mosaic of disparate regulations should give any auditor or accountant pause when providing services for clients that have operations across international borders. What may be sufficient client data protection in one country may not be in another. What may be common data handling in one country may be a crime in another. To complicate matters, the regulatory landscape is consistently evolving, thrusting more duties and obligations on accountants than ever before. A firm with international clientele would best be served by identifying those jurisdictions in which it has clients and assessing the impact of the applicable confidentiality and data protection laws.
Pursuant to regulations scheduled to be adopted by the European Union, firms that collect or store data and information about their European clients may be subject to strict data protection standards and potential sanctions for violations of those regulations. The General Data Protection Regulation (GDPR) is a comprehensive data protection scheme meant to consolidate and unify the disparate data and privacy laws across the countries of the European Union. The current and anticipated final version of the GDPR would subject to its jurisdiction any entity that possesses protected information about a resident of the EU.
This law and its predecessor regulations recently made headlines when the European Court of Justice ruled that individuals had a “right to be forgotten,” such that data that is “inadequate, irrelevant … or excessive” must be removed by “data controllers.” It is not difficult to imagine a scenario where accounting firms that maintain such data find themselves in the middle of a legal action due to the data’s misuse, abuse or theft.
Across the Globe
Other jurisdictions have similar regulations of similarly expansive scope. For example, in the United States the regulations promulgated by the Department of the Treasury and Internal Revenue Service make it a criminal act for a tax return preparer to use (or misuse) the personal tax return information of a taxpayer in contravention of the regulations. There is no geographic scope limitation on the regulations. Thus, it would appear that an Argentinean or Australian or German firm that prepares tax forms to be filed in the United States would be subject to the U.S. privacy regulations and potentially subject to criminal prosecution for violations thereof.
In Australia, the Privacy Act governs such data collection, storage and use. In Canada, the Personal Information and Electronic Documents Act would apply to the types of information routinely collected and stored by accounting firms. Taiwan passed the Personal Data Protection Act in 2010 to cover this type of data. In Brazil, there are two proposed bills addressing Internet security and personal data protection. Interestingly – and subject to much controversy – the Brazilian proposed bills would require that information concerning Brazilian citizens be stored on servers physically located in Brazil.
What all of these regulations have in common is that they are designed to protect those residing in the jurisdiction, even though the business handling the personal data may be elsewhere. Additionally, there is very little guidance about how the regulators will enforce these regulations across jurisdictions. Indeed, there are no reported cases of U.S. regulators sanctioning foreign entities for misuse of a taxpayer’s personal information or, conversely, foreign regulators prosecuting a U.S.-based entity.
Regardless of the status of regulations or which ones may or may not be applicable in a given situation, it would be prudent for accounting firms with clients that reside outside the firm’s home jurisdiction to gain an understanding of the various potential applicable laws and act accordingly. Indeed, what may be permissible in one country for one set of clients may not be permissible in another.
In addition, accounting firms should establish an understanding with their clients at the outset of any engagement regarding which jurisdiction’s law should govern the relationship and the conduct of the parties. In most cases, the engagement letter would specify the jurisdiction of the accountant as the controlling jurisdiction. The engagement letter may also limit liability for certain uses or misuses of data. However, some regulators, such as the U.S. SEC, view certain liability-limiting agreements as compromising independence.
Not surprisingly, the state of the regulations already seems behind the technology. As more and more firms begin storing data “in the cloud,” it is not clear who controls the data under the various regulations, or even whether such storage would constitute a transmission of the data governed by other regulations. As a matter of best practice, firms should affirmatively identify the home jurisdictions of their clients and routinely reevaluate their compliance with confidentiality and data protection laws.