The pervasiveness of information that is created, stored and transferred electronically raises unique legal and practical concerns for any business that collects and retains consumer data. Companies that operate in the United States and abroad need to develop coherent policies and procedures on privacy and electronic data retention.
Electronic records raise a host of complex issues, including whether to retain or periodically delete them, how to deal with discovery of electronic records in litigation, and to what extent companies should monitor their employees’ e-mail and internet communications. Employees have access to confidential consumer information that can easily be shared electronically and is highly susceptible to theft. It will become increasingly important for all companies to be able to assure customers that their personal data is protected and used responsibly.
Electronic Data Protection and Privacy
The legal framework for the protection and dissemination of consumer data does not always keep pace with new technologies. Data warehousing and mining allow companies to learn more from the data they collect, but these technologies also increase the risk of unauthorised disclosure of confidential consumer information. There are a myriad of privacy-related laws throughout the world that govern how companies can manage these issues. Beyond these minimum legal requirements, companies must balance the need to protect consumer privacy against the benefits of retaining more information.
Data protection and privacy issues are much more heavily regulated in Europe than in the United States. Directive 95/46 EG of 24 October 1995 and Directive 2002/58 EG of 12 July 2002 are the principal sources of European privacy law. According to these, the processing of personal data is only allowed if the data subject consents or if statutory provisions allow processing. The retention of personal data generated or processed by providers of publicly available electronic communications services or of a public communications network will become mandatory for the investigation, detection and prosecution of serious crime under the laws implementing Directive 2006/24 EG of 15 March 2006. European countries are considering legislation that would require companies to retain more detailed information than required under the Directive. As regards data transmission, personal data may only be transferred to a non-EU country if that country ensures an adequate level of protection. As the United States does not meet the EU “adequacy” standard for privacy protection, companies that seek to transfer personal data between the European Union and the United States may have to create adequate standards themselves. This can be done by complying with either a standard agreement provided by the European Union or the safe harbour procedures established by the US Department of Commerce.
The privacy provisions also apply to the transfer of data within a group of affiliated companies. European law provides that each organisation must implement technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access. In some Member States, the appointment of a personal data protection official is mandatory for many companies.
While it is not mandatory in the United States, many companies have named chief privacy officers responsible for implementing internal procedures to ensure compliance with local, state and federal privacy laws, regulations and company policies. In the United States, the Federal Trade Commission’s (FTC) “safeguards rule” requires financial institutions to have reasonable policies and procedures to ensure the security and confidentiality of customer information. Although it is directed towards financial institutions, the FTC framework is useful for other industries to consider when looking at data security measures to protect electronically stored data (see box).
The FTC’s “disposal rule” also requires companies that use a consumer report for a business purpose to implement procedures that are reasonable and appropriate to prevent the unauthorised access to, or use of, information in a consumer report. This may include a policy of destroying or erasing electronic files or media.
Electronic data privacy is going to be a high priority in the United States as Congress grapples with new laws seeking to impose more stringent security measures and to require companies to disclose data breaches. In light of high-profile incidents, legislators are proposing to require any organisation holding personal data to notify consumers upon learning of a data breach, to secure data with encryption software or other technologies, and to require internet service providers to retain certain customer data and content.
Companies should develop written policies governing use of employer-provided computers and e-mail accounts, routine monitoring of employee electronic communications, and notice to employees of such monitoring through training and employment manuals.
The EU Directives on data protection and privacy also apply to personal data that is processed within an employment relationship. Privacy issues must therefore still be observed in many cases that “merely” involve business correspondence as such correspondence usually contains personal data. Although the use of personal data for regular business purposes is usually covered by the scope of the employment contract, certain limits must be observed, in particular when personal data is sent to third parties in non-EU countries without a clearly defined business purpose. As the very complex legal situation often makes it difficult to implement data retention policies if these measures have never been addressed before, privacy issues should be considered at the very beginning of any business activity in Europe.
Litigation raises its own set of issues for a company’s privacy and data security policies. While most continental European countries do not have formal electronic discovery rules, companies that operate in Europe and elsewhere should be aware of any country-specific rules.
On 1 December 2006, new amendments to the US Federal Rules of Civil Procedure went into effect. They significantly changed how litigants must address the discovery of electronically stored information (ESI). Under the new rules, litigants may seek the production of ESI and can specify the form in which it should be produced, including sound recordings and other data compilations.
Parties need to be aware of the limits on seeking discovery of ESI. For example, it is not necessary to produce ESI from sources that are not reasonably accessible due to excessive burden or cost. The new rules include a safe harbour that protects a party from court-imposed sanctions for failing to provide ESI lost as a result of the routine, good-faith operation of an electronic information system. Ideally, however, an assessment of how these new rules will affect the company’s overall privacy and data retention policies should be made before litigation arises.
The FTC safeguards framework includes measures such as:
- Develop a written information security plan to protect customer information
- Assign one or more employees to oversee the program
- Conduct a risk assessment
- Design and implement a safeguards program, and regularly monitor and test it
- Require service providers, by written contract, to protect customers’ personal information
- Periodically update the security program in light of relevant circumstances