US companies operating internationally need to be aware of the risks created by foreign data protection laws. Recently, a host of countries in Europe, North America and Asia have introduced new data protection laws or made significant changes to existing ones, and data protection authorities have been ramping up enforcement.
- The European Commission issued a new set of Standard Contractual Clauses for controller-to-processor transfers, reflecting the reality that organizations that process data often subcontract their processing activities to others. These clauses permit personal data originating in Europe to be transferred to countries outside the European Economic Area that lack comprehensive data protection laws (such as the United States). Under the new clauses, a non-EU service provider may pass personal data on to its sub-processors under the same contractual terms, provided the EU entity and the non-EU service provider meet some additional contractual and governance requirements (in particular, prior written consent from the EU data exporter and a written agreement binding the sub-processor to the same obligations).
- On April 29, 2010, the German data protection authorities passed a resolution setting out the due diligence obligations of companies transferring data from Germany to the U.S. German companies may no longer rely solely on a recipient's appearance on the U.S. Department of Commerce's Safe Harbor List of self-certified entities; they must verify for themselves that the recipient actually complies with the Safe Harbor principles.
- Germany and Austria recently adopted breach notification requirements. In June 2010, Ireland's Data Protection Commissioner put forward a proposal under which Irish organizations that lose personal data would have to report the breach to the authorities. Likewise, the French Senate is considering adding a breach notification requirement to its data protection law.
- Ukraine adopted a comprehensive data protection law that comes into force on January 2, 2011.
- On July 6, 2010, Mexico's Federal Data Protection Act took effect. It regulates, among other things, how private entities may collect, use and disclose the personal data of individuals in Mexico, and it establishes penalties of up to approximately $1.5 million for violations.
- Canada continues to be vigilant in its approach to data protection, introducing two privacy-related bills in May 2010: a breach notification requirement that would amend its national private-sector data protection law (PIPEDA) and an anti-spam law.
- In April 2010, the government of the Republic of China (Taiwan) approved significant changes to its principal data protection law, the Computer-Processed Personal Data Protection Act. The amended law, which is expected to take effect in 2011, will extend the law's obligations to all individuals, legal entities and enterprises that collect, use or process personal data, rather than only the sectors previously regulated. Moreover, the amended law will apply to all personal data, not merely computer-processed personal data.
- A proposal to make notification of information security breaches mandatory, put forward by the Australian Law Reform Commission (ALRC) as part of its national review of the Australian Privacy Act, is under consideration. Also, Malaysia passed its Personal Data Protection Act on May 6, 2010.
Enforcement is also intensifying. Spain's data protection agency conspicuously reported that it had imposed fines totaling EUR 24.8 million in 2009, and in July 2009 it was widely reported that the UK Financial Services Authority fined three affiliated financial companies more than £3 million (about $5 million) for failing to have adequate systems and controls in place to protect their customers' confidential data.
Data Protection as an Increasing Risk and Business Issue for Doing Business Globally
U.S. companies that maintain a global workforce, collect and use personal information to produce products and services, or sell into a global marketplace need to understand and manage the risks created by an increasingly complex web of foreign data protection laws.