Many foreign businesses commence trading in the U.S. without paying much attention to their data privacy policies. Unlike the UK, where the Data Protection Act (which implements the European Data Protection Directive into UK law) applies to all businesses, the U.S. does not have a universal data protection requirement that applies to all businesses in all states. Certain industries and sectors have their own specific data protection requirements, such as healthcare providers (who are covered by the Health Insurance Portability and Accountability Act of 1996) and financial institutions and other finance-related businesses (which are subject to the Gramm-Leach-Bliley Act). Data relating to children are subject to the requirements of the Children’s Online Privacy Protection Act of 1998. Many businesses, however, do not fall within the scope of these targeted pieces of legislation.
In addition, foreign businesses should appreciate that, if the data of U.S.-based customers and employees is repatriated to the UK, such data must thereafter be handled in accordance with all the provisions of the European Data Protection Directive, as enacted in the UK. This means the foreign company must adhere to the provisions requiring, among other things:
- Notice as to the purpose for which the data is being collected and used;
- Disclosure of any third parties to whom such data may be transferred;
- Rights of access to and correction of errors in such data;
- Compliance with specific requirements regarding sensitive personal data.
While UK entities may be well-versed in compliance requirements with respect to their European-based customers and employees, they may not be aware that such requirements extend to U.S.-based employees and customers.
UK companies starting businesses in the U.S. should, at a minimum, review the data protection policies they have in place in the UK and decide whether they want those policies to apply to U.S.-based customers and employees. In addition, they should familiarize themselves with any new requirements that may apply to their particular industry or under state law in the states in which they plan to operate.