Privacy Law
STARTING AN INTERNATIONAL CORPORATE PRIVACY COMPLIANCE PROGRAM
VOLUME 1, 2024, PRIVACY LAW SECTION JOURNAL
Written by Lothar Determann*
When a multinational company sets out to design and implement a data privacy compliance program, it faces several threshold decisions and preparatory tasks, including:
- Putting a person or team in charge of data privacy law compliance;
- Preparing a task list by identifying relevant facts, laws, and requirements;
- Defining priorities based on business objectives, enforcement risk exposure, and ease of compliance;
- Executing the task list;
- Working with internal stakeholders and outside advisors; and
- Taking charge.
GOVERNANCE: PUTTING A PERSON OR TEAM IN CHARGE
Someone needs to be in charge. Several individual candidates or departments in multinational companies typically control data privacy compliance, including in-house attorneys, information technology staff, human resources, and internal audit personnel. Each of these groups has different approaches, strengths, and limitations.
In-house attorneys in corporate legal departments usually take an advisory role and inform others in the organization what applicable laws require, including data privacy laws. Depending on the company culture and individual styles, the legal department may advise proactively or upon request. Lawyers interpret and apply rules, including data privacy laws, but not all attorneys are technology-savvy or good project managers.
Members of the information technology (IT) department are technology savvy but may not find it easy to understand and apply laws. IT professionals are trained in deploying and maintaining equipment, software, and services that other groups (human resources, sales, marketing, production, etc.) use to process personal data. The IT department supports these different groups and provides technology that aids other departments' business objectives. The IT department usually establishes and implements protocols to protect personal data from unauthorized access (by deploying data security measures) but rarely decides on access privileges for individuals or legal compliance matters.
Some companies have separate compliance or internal audit functions concerned with monitoring and enforcing compliance with laws and internal policies. Auditors focus on verifying that the rules or existing compliance programs are adhered to, but do not typically define the rules. You lose an extra pair of eyes if you have the same person create and audit a program and, when audit personnel conduct investigations, they are at a particularly high risk of violating data privacy laws. Investigators often want to search email boxes, computers and files, interview third parties about suspicious conduct and occasionally intercept live calls and other communications without prior notice to the data subject. Therefore, it can be a bit like letting the fox guard the henhouse if you task audit staff with designing a privacy law compliance program.
Another option is to select individuals from data user groups within a company, such as HR or marketing. Companies that develop or sell IT products consider data privacy not only a compliance challenge, but also a business opportunity. For example, cloud computing service providers and enterprise software and data storage providers increasingly consider data privacy laws in the product development process to ensure that their customers can effectively use the products in compliance with applicable laws. Whether privacy protections are a relevant differentiator for technology providers depends much on the target audience – larger enterprise customers tend to be very focused on compliance features, whereas consumers and smaller companies may be concerned about some features (e.g., end-to-end encryption for smartphones, or online storage) but choose “free” services or convenience over data privacy considerations.
In most businesses, the person in charge of data privacy law compliance usually comes from one of the above departments or areas of specialization. Larger companies with great exposure or interest regarding privacy laws may decide to create a new department or office. Smaller companies may find it sufficient to put someone in charge on a part-time basis. If a company has a legal department, attorneys are usually involved. Often, the legal counsel takes the lead regarding data privacy law compliance. But the ideal candidate for data privacy law compliance does not necessarily have to be a lawyer, particularly if a company views data privacy more as a business opportunity than merely a legal obligation.
TOOLS AND AUTOMATION
A number of “privacy tech” and “legal tech” businesses offer software tools and other technical solutions to help companies address privacy law requirements, such as image blurring software, web cookie managers and online forms to document data protection impact assessments. Companies with mature privacy law compliance programs can benefit from automating recurring tasks, but every company must first assess its specific compliance needs, options and preferences before resorting to technical solutions. For example, a company that receives only a handful of data access requests every year, from different jurisdictions and from different groups of data subjects (e.g., employees and customers), may be better off manually processing such requests, given that initial discretion may be necessary in each case and the configuration of a tool takes up resources, too. Also, companies that have prematurely deployed tools to conduct data protection impact assessments have become suffocated by too many records that are neither legally required nor practically helpful, and the superfluous records and activities sometimes conceal situations where a deeper assessment is required. While data security measures have a single goal (prevent unauthorized access to data) and are, therefore, relatively easy to automate, data privacy laws are more nuanced, requiring individual balancing decisions, and thus present much greater challenges to automate.
Even where a technical privacy protection measure offers an undoubtedly effective solution, companies need to determine first whether the technical measure is required and appropriate. For example, face blurring software is effective in protecting privacy, but a newspaper has to carefully balance press freedom and individual privacy interests to decide when blurring is appropriate. Additionally, a developer of self-driving cars must balance safety and privacy interests before opting for face-blurring measures that could render pedestrian identification less effective and hamper evasive maneuvers for safety purposes. Similarly, a company deploying a web cookie manager must first independently determine which cookies are essential to provide online services and which are truly optional and subject to user choices. Moreover, some users of tools for gap assessments, records of processing activities and impact assessments are disappointed when they realize that they still have to gather and enter all relevant information. Therefore, companies should carefully determine at the outset what specific problem a particular tool is intended to solve, whether the solution provided by the tool is legally required and whether it is the best option for the company, and compare the costs and benefits associated with the tool against manual or other approaches.
WORKING WITH INTERNAL STAKEHOLDERS AND OUTSIDE ADVISORS
SECURING INTERNAL SUPPORT
To obtain sufficient resources and support from stakeholders within a company, one must answer the “Why” question: Why is a data privacy and security program important? For some companies, compliance is a matter of risk management and avoiding sanctions and liability. Others also care about potential reputational risks and opportunities and view privacy law compliance as a differentiator. For some companies, data privacy and security law compliance is a key precondition to selling products and services, for example, data storage or Software-as-a-Service (SaaS). When you start out implementing a compliance program in a company, it can be very helpful to prepare a brief white paper in FAQ format to raise awareness and gain support among key stakeholders within the organization.
SELECTING OUTSIDE ADVISORS
Most companies turn to outside counsel for advice about legal requirements beyond their home jurisdiction. Typically, it is too difficult and time-consuming to determine the exact nature and details of formal and substantive compliance obligations in other countries, where laws may be presented in unfamiliar formats and languages.
Many companies experience one particular challenge when working with outside advisors on compliance matters: every subject matter expert (data security consultant, technology vendor or local lawyer in a particular jurisdiction) is familiar with the risks and possible sanctions in the expert’s area of specialty and takes these particularly seriously, but companies tend to have a limited budget and cannot always address all requirements at once with the same rigor and effort. Companies need to prioritize. If you hire coordinated global teams, they may be able to assist with prioritization among the disciplines they are engaged to cover, but even their abilities are limited and they cannot be expected to take all fundamental considerations into account that can make or break a company, e.g., how to secure operational continuity, revenue and funding. If you hire individual advisors rather than a coordinated team, such individuals are usually not of much help with respect to prioritization and there is a significant risk that the importance of a particular risk or local law requirement is over- or understated. Therefore, it can be helpful to ask outside advisors not only about substantive and formal requirements, but also about practical issues, such as whether particular requirements are observed in practice or only honored in the breach, whether challenges by regulatory or private plaintiffs are common and what risks and problems other companies have run into in connection with the particular requirement at issue. Answers to such questions help put things into perspective and help companies prioritize among tasks.
APPOINTING A PRIVACY OFFICER
People who take charge of designing and implementing data privacy law compliance programs sometimes hold the title “Data Protection Officer” or “Chief Privacy Officer.” The roles associated with these and similar titles can actually be quite different, and you should consider carefully whether your company needs one or the other or both.
GERMAN LAW ORIGINS
One key reason multinational businesses have a data protection officer is because they have a presence in Germany. Most multinational businesses consider Germany an important market. Under German data protection law, companies have been legally required to formally appoint a data protection officer with a watchdog role to supplement supervision by governmental data protection authorities since the 1970’s. Germany was the first country to introduce the concept of a data protection officer in an attempt to force self-regulation via a company-appointed guardian of privacy interests.
Some jurisdictions with early data protection laws, including France, opted instead for government notification and approval requirements. There, companies have to file descriptions of their data basis and processing purposes and seek prior approval before they engage in certain activities, e.g., operating a whistleblower hotline or surveilling employees outside the scope of limited exemptions. Other countries, such as Switzerland, adopted a middle ground approach and gave companies the option to appoint a data protection officer in lieu of submitting more substantive filings to data protection authorities. According to the GDPR, companies in all EEA member states must appoint a data protection officer if they engage in particularly sensitive forms of data processing, including systematic monitoring of data subjects or processing of special categories of personal data on a large scale and as a core activity. Affiliated groups of companies can appoint one person as data protection officer for several or all entities if the person is accessible from all locations.
Some companies model their compliance approach for all jurisdictions where they appoint a local data protection officer after the German rules. This should ensure compliance with the GDPR and other countries’ rules (as the German requirements tend to be the strictest and most comprehensive), but it is not legally required.
Many companies also voluntarily appoint data protection officers or privacy law compliance liaisons for countries where it is not required, incentivized, or even contemplated. In addition, many larger U.S. companies have a Chief Privacy Officer, as well as compliance officers, internal auditors, specialized legal counsel for data privacy law compliance matters, information security officers and trained privacy professionals. The purposes, roles and responsibilities of such positions can, and often should, be quite different. If you decide to create a privacy officer position on a voluntary basis, you could define its rights and duties in reference to the data protection officer role set forth in the GDPR, and carefully decide which aspects of the statute to adopt, modify or omit.
REQUIREMENTS TO APPOINT A DATA PROTECTION OFFICER UNDER THE GDPR
According to the GDPR, companies must designate a data protection officer if they conduct regular and systematic monitoring of data subjects on a large scale or if one of their core activities is processing of particularly sensitive information, such as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation, or health. German law is stricter and requires companies typically to appoint a data protection officer in writing within one month of commencing business. Some exceptions apply, for example, for companies that do not process sensitive data and have fewer than twenty employees.
QUALIFICATION REQUIREMENTS
Candidates must be experienced, knowledgeable or trained regarding data protection legislation, IT and the company’s operations. They must also be reliable and not have conflicts of interest, which typically rules out the appointment of business owners, senior managers, and employees with a strong interest in data collection and usage, such as marketing and HR managers in the EEA (whereas officers and directors of companies can be named as responsible for data protection law compliance under Korean and Singapore law). Finally, the company must enable the data protection officer to perform the statutory obligations; this requires companies to provide information and training and to release internal data protection officers from other work duties (to free up time). Many companies appoint non-managerial employees in their legal, IT or HR departments – or contract with external service providers.
EXTERNAL VS. INTERNAL CANDIDATES
A company can appoint either an employee or an external service provider. Each option has certain advantages and disadvantages. If a German company appoints an employee as data protection officer, the employee becomes entitled to even stronger protections against termination than German labor laws generally afford all employees. Terminating an external data protection officer tends to be relatively easy by comparison, based on the terms of the applicable services contract. Appointing an employee allows the company to keep all relevant information internal and confidential. Appointing an external candidate means opening the company’s systems, processes, security measures and data to someone on the outside. An internal data protection officer tends to be more familiar with actual practices, processes and problems and has better access to information about employee concerns and security weaknesses. External data protection officers may have a better feel for industry standards and more experience and expertise than internal employees who take on the position on a part-time basis. Specialization allows an external data protection officer to focus on the latest developments in data protection law and IT. Companies also consider the costs and response times: external service providers can be paid on an hourly basis (which can incentivize the data protection officer to be particularly active and responsive to inquiries and make it difficult for the company to control costs) or with a monthly or annual fixed fee (which can result in lengthy response times and thus delays in project implementation). Internal data protection officers require the company to consider the impact on the candidate’s other contributions in light of the time the role as data protection officer will take.
A multinational business could appoint an employee of one of its entities outside of Germany or from another of its German subsidiaries as data protection officer if it has one. Such person could qualify as an “external” data protection officer under German law, thus avoiding the implications of German labor laws. Some German data protection authorities are skeptical about the appointment of persons who reside outside of Germany and may argue that such persons are not able to adequately perform their statutory obligations. However, German statutory law does not strictly require the appointment of an employee in Germany, and companies with headquarters and data centers outside of Germany have good reason to appoint someone outside of Germany if the person is closer to the company’s regional or global systems. Multinational companies may prefer to have only one person in the role of data protection officer for any jurisdictions where the appointment is required, so that consultations on multinational projects can be conducted efficiently, quickly and without the risk of conflicting opinions and requests. In jurisdictions where the appointment must be notified to data protection authorities, companies have to be prepared to answer questions and handle resistance to the appointment of a data protection officer who does not reside in the respective country or who does not speak the local language. In most cases it is possible to overcome the authorities’ hesitations if the company has good operational reasons. The GDPR expressly allows groups of affiliated companies to appoint one single data protection officer provided that the data protection officer is easily accessible in every company and office.
APPOINTMENT FORMALITIES
Under German law, companies have to appoint data protection officers in writing. Under the GDPR, companies must publish contact details of the data protection officer and notify the data protection authority. Generally, companies prefer to assign and publish aliases (e.g., dataprotectionofficer@company.com) to avoid a need to update privacy notices whenever a data protection officer is replaced. Companies may impose a time limit on the appointment, so long as the term is not so short that it interferes with the independence of the position. Two to five years seems reasonable. For German companies with a works council (collective labor representation), the works council has a co-determination right regarding changes to the employment contract when an employee is appointed as internal data protection officer. When local law does not require or reward an appointment, companies tend not to formally appoint data protection officers. Companies that do appoint a data protection officer under the GDPR (voluntarily or not) must notify the competent data protection authorities, which could be more than 30 authorities for a U.S. company and thus very onerous.
DUTIES
The data protection officer is responsible for monitoring the company’s compliance with applicable data protection law and ensuring that the company documents its data processing activities. Companies must consult with the data protection officer regarding their data processing activities and any contemplated change. The data protection officer makes recommendations and raises awareness and concerns where appropriate but does not have to formally approve measures. If the company does not act despite being formally notified of concerns, the data protection officer has the right, and in some cases the obligation, to blow the whistle and notify data protection authorities. The data protection officer operates independently and is not subject to orders or instructions from management. Day-to-day duties can include assistance with documenting data processing procedures in a register; evaluating and further developing data protection and security policies; suggesting, selecting and implementing technical security measures; drafting forms and contracts appropriate for data protection; selecting employees, service providers and others to be involved in the processing of personal data; monitoring data privacy and security measures and the proper use of data processing programs; handling complaints relating to data protection and violations of law or policies; and conducting employee training.
PERSONAL LIABILITY
In picking an employee as a candidate for data protection officer, one can expect an inquiry regarding personal liability. In short, all employees can be held liable for misconduct and violation of laws and third-party rights. Most candidates, however, are probably at least as much at risk regarding their other job duties as with respect to the role of data protection officer. German data protection legislation does not specifically address the personal liability of a data protection officer. Under generally applicable laws in most jurisdictions, any individual representative of a company can be held accountable for an act or omission of the company if the representative committed the act at issue or had a responsibility to avoid the omission. On this basis, a data protection officer can be held accountable for direct involvement in illegal data processing activities (e.g., recording of phone calls without consent or court order). Theoretically, a data protection officer could also be liable for failure to stop illegal activities that were conducted without the data protection officer’s direct involvement. However, it is relatively rare that employees are charged because of a failure to act.
ONE DATA PROTECTION OFFICER FOR MULTIPLE JURISDICTIONS
Some companies appoint the same person for several or all jurisdictions where a formal appointment is required. This is expressly permitted under the GDPR and particularly efficient for companies that use global systems and procedures, which can be monitored best by one person.
INFORMAL, VOLUNTARY APPOINTMENTS
Separate and apart from satisfying formal statutory requirements to appoint a data protection officer, larger organizations often see operational advantages in establishing a network of local liaisons for data privacy law and other compliance efforts in order to have specialized local contacts who can help implement and monitor these legal programs. Also, many companies voluntarily appoint a “global privacy officer” or “Chief Privacy Officer” to demonstrate internally and externally that the company takes data privacy law compliance seriously. It may also be beneficial to have one point person who takes ownership and responsibility for privacy law compliance, which affects many other functions, including IT, HR, physical security, legal, finance and sales.
For informal and voluntary appointments and for jurisdictions where the role of data protection officer is not defined by statute, it is important that the company define the authority and duties of the privacy officer in a detailed written memo or agreement. In particular, a company must define expectations as to whether the privacy officer will advocate primarily for privacy or company interests; provide advice or make decisions; react or be proactive. Similarly, should the privacy officer coordinate, support, supervise or monitor colleagues in roles with overlapping responsibilities (such as compliance officers, internal auditors, privacy counsel in the legal department and IT and security staff in the IT, marketing and HR departments)? Companies must decide and document the objectives and expectations: should the Chief Privacy Officer be a coordinator, advocate, advisor or guardian of privacy, or of the company’s interests in data and compliance? Each company must make its own decisions in this respect, and each company should define responsibilities and tasks clearly in writing, to ensure the appointed individual understands the rights, obligations and expectations of the role. When roles are not clearly defined, misalignment of expectations can easily result in uncomfortable conflicts. For example, if a global privacy officer at a U.S. company understands the role as independent and public policy-driven, she might be quick to notify U.S. authorities of concerns. Or, if a member of the legal department is appointed as “Chief Privacy Officer” and shifts from acting as legal counsel towards a more executive role, this might undermine attorney-client privilege in certain situations. Companies should consider these and other pros and cons before making voluntary appointments and document the role in detail to improve the likelihood of achieving the desired benefits and to reduce the risk of unwanted consequences and conflicts.
DESIGNATED REPRESENTATIVE
Additionally, and separately from data protection and privacy officers, the GDPR requires companies outside the EEA to designate a representative in the EEA if they process personal data of EU residents and do not maintain an establishment in the EU (such as a branch, representative office or other unincorporated presence, which most companies try to avoid for tax reasons). With this requirement, the EU wants to increase the chances for data protection authorities to reach and sanction foreign companies. The designated representative can be an individual or legal entity and has a largely passive role. The representative must be identified in privacy notices to be contacted by supervisory authorities and data subjects on all issues related to data processing and represents the non-EU-based company with respect to obligations under the GDPR. In terms of active duties, the representative shall maintain records of processing activities for the non-EU-based company, and the representative shall “cooperate” with data protection authorities on request. Multinationals should consider designating a wholly-owned subsidiary in a business-friendly EU member state where they maintain regional headquarters, servers, data processing staff and a data protection officer appointed for all their EU-based subsidiaries. By creating one center of gravity for data processing and protection activities, multinationals may be able to position one subsidiary in the EU as a group-wide “main establishment” for GDPR purposes. This could help to qualify the larger group for “one-stop-shop” treatment and sole jurisdiction of one single EU data protection authority.
Russia, Turkey and other countries have started to follow suit with similar requirements to appoint local representatives or establish presence in their territory in order to increase their chances of enforcing their laws against foreign companies. Companies with social media or other publishing businesses must carefully consider possible repercussions in their home countries if they fully submit to Russian or Turkish media laws and comply with data access and censorship orders. Also, companies should consider the impact of trade embargoes and tax implications associated with establishing presence in jurisdictions that are geo-politically at odds with their home countries.
ACTION ITEMS
- Determine where you have to appoint a data protection officer under local law.
- Consider internal vs. external, in-country vs. regional or global appointments.
- Determine how your company can best achieve and maintain compliance in jurisdictions where you are not legally required to appoint a data protection officer, and whether your company would benefit from the voluntary appointment of a Chief Privacy Officer and local liaisons; if yes, carefully document the job description, authority and duties, and consider relations to similar or overlapping functions, such as corporate legal counsel, information security, HR and marketing managers.
- Identify and consider compliance options regarding duties to appoint local representatives.
PREPARING A DATA PRIVACY COMPLIANCE TASK LIST
Once you have put someone in charge, it is time to prepare a list of tasks and keep track of implementation status and priorities. Creating and monitoring such lists helps with prioritization, planning (budgets, achievements), management of complex situations (e.g., involving several jurisdictions and different types of databases) and transitioning projects from one employee to another. On a task list, you can keep tabs on formal compliance requirements (e.g., notices, filings, appointment of a privacy officer, data transfer agreements) and substantive tasks (e.g., implementing access controls, deploying encryption technologies, replacing vendors).
SAMPLE TASK LIST
For example, a U.S. company with a few foreign subsidiaries may have the following items on its initial task list – maybe supplemented by columns for status, action items and responsible persons:
- Designate role and prepare appointment documentation for global data privacy officer; appoint local data protection officers where required, e.g., for German subsidiaries.
- Assess where government filings (notifications, application for approvals) are required, prepare and submit.
- Take inventory of databases and data flows.
- Prepare and implement intra-group data transfer agreements based on EU Standard Contractual Clauses and other measures to legitimize international data transfers.
- Review, revise and translate privacy policies and notices directed at consumers, individual representatives of corporate customers and business partners; determine how best to obtain and document consent.
- Review or prepare notices to employees regarding processing of employee data, including:
  - Global human resources information system (HRIS)
  - Monitoring tools and investigations
  - Whistleblower hotline
  - Payroll, benefits, and stock options
- Review or prepare standard templates for data sharing or processing terms in agreements with business partners such as vendors, customers, intermediaries (resellers, sales reps for advertising services) and affiliates, including:
  - Template data transfer contracts (intra-group and third party) and intra-group policies
  - Data processing agreements and onboarding protocols
- Review or develop internal protocols and processes for data access, data retention, information security, incident response and response to disclosure requests from law enforcement, regulators, or private litigants.
- Implement global or jurisdiction-specific protocols for opt-in/opt-out processes and data security breach notifications.
- Conduct training and audits.
PREPARATORY ANALYSIS
To define tasks for your company, you must determine what data you have, what laws apply, what the laws require and how your company can best satisfy the requirements (where the law gives you options or where resource limitations force prioritization).
Finding and analyzing all applicable laws and requirements can feel like a Sisyphean task if you work for a large organization or any business with an international scope: by the time you have taken an inventory of existing databases, usage patterns, transfer flows and applicable laws, the company has probably swapped out a few systems, acquired and spun off businesses, entered new jurisdictions and found new opportunities to commercialize data, while several new data privacy laws have been enacted. Given the rapid pace at which data privacy laws and information technology move, it is usually most effective to design and implement the data privacy law compliance program in phases. Focus first on high-risk requirements and low-hanging fruit in both the design and implementation phase. Start with implementing high priority tasks while you are still refining the design of the program. Compile a list of known compliance requirements that your organization and your peers and competitors already try to satisfy, or that are actively enforced. When you identify compliance gaps in high-risk areas, take action immediately. After that, add tasks to the list and turn to prioritization. Companies that start by trying to develop a complete inventory of applicable legal requirements often find the challenge overwhelming and become paralyzed. In such circumstances, “perfect” can become the enemy of “good.”
CHECKLIST
As you prepare your task list, you should:
- Take inventory of your data. At the outset, consider what personal data your business uses. At a minimum, you should prepare a brief summary with basic information about your key databases, including data categories (i.e., data fields populated), primary purposes (e.g., HRIS, customer relations management (CRM), email exchange server), geographical location of servers and who has access (e.g., employees, departments and third party vendors). If you have international operations, you will also need to know names, addresses and headcount of all your legal entities and branches.
- If you are working for a small or medium-sized company, it should not take you more than a few hours to prepare such an initial summary: you can go to the IT department, open the various software interfaces for the databases and copy basic information from screen shots; the legal department should have a list of subsidiaries and the HR department should know headcount. This is enough to get started.
- If your company is subject to the GDPR, you have to maintain more formal and detailed records of data processing activities, including: a. Names and contact details of your company or companies, their representatives in the EEA and their data protection officer, if any; b. Purposes for the data processing; c. Categories of data and data subjects; d. Categories of recipients to whom you disclose data, including processors (and customers, if your company acts as a processor); e. International transfers and specific safeguards in place; f. Time limits for erasure; and g. Technical and organizational security measures.
- If your company is subject to the CCPA, you must publish detailed lists of information that your company disclosed or sold in the preceding 12 months, applying the categories and terminology prescribed by the statute.
DATA MAPPING
Larger companies sometimes conduct more elaborate assessments and audits of databases and data flows, often with the help, and sometimes at the initiative, of outside advisors. This can be beneficial and even necessary to get a solid grip on the status of data privacy law compliance in complex multinational organizations. However, such exercises can also take a long time, use a lot of resources and produce reports with overwhelming details that do not directly translate into improvements of the organization’s compliance status. Consider starting with a high-level inventory unless you are fairly sure that your company is past the initial compliance phase and can handle a full-blown data flow mapping exercise.
DEFINING OBJECTIVES AND PRIORITIES
Companies have varying objectives regarding data and privacy law compliance. Some companies view data privacy law compliance like any other legal requirement: they want to do only what is legally required (or what is commonly done in their industry and market segment). Other companies (particularly companies with IT products or services) view data privacy as a potential competitive differentiator; consequently, they want to meet their customers’ expectations, and perhaps exceed the competition.
With respect to specific aspects of data processing and compliance, objectives vary. For example, some companies depend heavily on direct marketing and may want to collect and use personal data to the maximum extent in each jurisdiction, whatever the costs may be. Other companies, by contrast, are content to find and comply with the strictest worldwide requirement and implement a uniform compliance protocol in the interest of uniformity and cost savings. It is important to define these objectives and communicate them efficiently to employees to ensure appropriate priorities are established.
FINDING THE BEST APPROACH FOR YOUR COMPANY
Based on an initial assessment of applicable requirements and company objectives, you can select an approach that suits your organization and situation:
Should you be proactive or reactive? It is usually less risky, easier and cheaper to take proactive steps to avoid a problem than to cope with a lawsuit, investigation or negative press campaign. However, only a small fraction of potential problems materialize. If cost containment is a key driver and your organization views privacy law compliance as just another legal obligation, you may consider a risk-benefit analysis and the 80-20 rule (Pareto Principle). A relatively small percentage of potential problems (perhaps 20% in some cases) is responsible for the vast majority of adverse impacts (perhaps 80% in some cases, but this is just an estimate). Conversely, companies can cover perhaps 80% of their problems with 20% of the budget it would take to address all problems. To address the remaining 20% of problems, which may not even be the most serious problems, the company would have to expend 80% of the total potential budget. Based on these insights, companies first try to find and rectify those problems that are most likely to result in major issues or the problems that require the least amount of effort and resources to fix.
Some problems (e.g., outdated website privacy statements) are easier and cheaper to fix than other problems (e.g., a lack of budget for encryption technology or the need to replace a legacy system that does not allow differentiated data access controls). Companies on a budget may find it easier to start with “low-hanging fruit.” Most companies can quickly assess what their main competitors are doing by reviewing their website privacy statements and processing notices, determine whether particular steps are legally required and then follow suit based on precedents. This approach by no means guarantees full compliance, but it can help a company catch up to an industry standard relatively quickly and with modest resources.
If your company is or wants to become an industry leader, you must consider a more comprehensive assessment of legal requirements and business needs. You might poll stakeholders in various departments (including legal, HR, IT, sales, product management and procurement) to prepare a list of company-specific priorities, subscribe to legal and trade publications and conferences to obtain a broader picture of the compliance landscape, follow guidance from government authorities, possibly even proactively seek guidance from authorities and monitor enforcement and litigation cases.
In terms of following guidance from government authorities, it is important to determine to what extent your business is exposed to action from governments. A regulated entity (e.g., a bank or telecommunications service provider) usually has to take its regulator’s views seriously whether based on law or not because it depends on the goodwill of its regulator in many respects. Entities that are neither regulated nor sell primarily to regulated entities, however, have more freedom to take independent positions and views; such entities will typically ask not only what the views of a particular government entity are, but also if and how such views are enforced. This is particularly important in gauging the relevance of official guidance from government authorities abroad. European data protection authorities, for example, have taken relatively extreme positions on various topics over many years without any enforcement activities that could have resulted in “reality checks” in court. A company that readily follows the official guidance at the expense of missing out on business opportunities may regret doing so if the guidance is not followed in practice or at some point challenged and invalidated in courts.
A company may find different approaches appropriate for a particular jurisdiction or part of its business. For example, a company with a large employee population and a hostile works council in Germany would seem well advised to be particularly proactive with respect to data privacy of German employees, whereas other jurisdictions may present less of a priority. A company with a particularly sensitive IT product (e.g., a repository of online medical records) may go out of its way to achieve or surpass compliance requirements with respect to its products, but it may decide that following industry standards suffices with respect to employee privacy. Employee privacy law compliance may be even less of a concern for a company that is still managed and operated largely by a group of founders who have a significant financial stake in the company and hence a relatively strong interest in minimizing compliance costs and efforts.
IDENTIFYING LEGAL AND OTHER REQUIREMENTS
As one identifies legal requirements for designing and updating a data privacy law compliance program, one will find thousands of laws around the world that address data privacy in one way or another. Even very large and compliance-oriented companies struggle to keep current. Smaller organizations have to establish priorities and systems to ensure they are capable of complying with key requirements, even if they may not be able to identify each and every law in detail.
What are data privacy laws? Despite different histories and public policy motivations, there are common themes that help categorize and identify laws that are relevant to data privacy law compliance programs. Data privacy laws in the narrow sense are typically concerned with personal data (i.e., data relating to individuals as opposed to legal entities) and place conditions or restrictions on the collection, use, transfer and retention of personal data. These laws are of primary concern for those designing and maintaining data privacy law compliance programs. There are many of them, but the realm of relevant laws can be narrowed down by applying subject matter and jurisdictional filters.
Some data protection laws apply directly only to certain types of entities. For example, European data protection laws do not typically apply to data processing by national security agencies or private individuals in the course of a purely personal or household activity (e.g., what someone posts about friends on Facebook). Healthcare-related data privacy laws in the United States (e.g., HIPAA) apply only to certain “covered entities” and their “business associates,” such as medical doctors, health insurers and certain service providers. Some laws relating to financial or telecommunications data apply only to banks or telecommunications providers, respectively. Anti-spam laws tend to focus on for-profit, commercial enterprises and contain exceptions for political and non-profit organizations.
If your business is, or could be, typically acting as a processor on behalf of other entities, then your compliance obligations may be much more limited and not extend far beyond following instructions from the controller and keeping data secure from unauthorized access.
Even if a certain law does not apply to your business, it may nevertheless be relevant if it applies to your business partners or clients. Most businesses, though, can remove a significant number of laws from consideration based on subject matter limitations.
INTERNATIONAL APPLICABILITY
There are more than 190 countries in the world and within each country, there may be several different jurisdictions (e.g., 50 states in the U.S.). Companies usually take a hard look at which jurisdictions they primarily must consider. Under customary international law, every sovereign country is free to legislate as it sees fit. There is no “world constitution” or treaty that limits what countries can regulate in their national laws.
Typically, countries apply their data privacy laws to organizations that are incorporated or registered in their territory or that have employees or equipment in the country. Some countries go further and apply their data privacy laws to companies abroad, for example where a company collects data remotely via targeted websites (as indicated by country-specific URLs, languages, localized content or local phone numbers), or even merely on the basis that the foreign company collects data of residents of the legislating country. Internet service providers, multinational enterprises and many other organizations with more or less direct business connections to other countries find that many countries’ privacy laws apply to some of their data processing activities. However, there are also many organizations with a domestic focus which can rule out most countries’ laws because they are not permitted or able to do business in other jurisdictions due to regulatory restrictions (e.g., local banks or hospitals) or resource limitations (e.g., local construction companies).
Under European Union law, member states generally may not apply their national data privacy laws extraterritorially to companies in other member states. This is intended to make it easier for companies based in the EEA to do business everywhere in the Common Market. An EEA-based controller must comply only with the national laws of the EEA member state where it maintains a branch or other significant physical presence, even if it collects data from other EEA member states (over the Internet or otherwise). This privilege is not available to companies outside the EEA. Therefore, a U.S.-based e-commerce company with customers throughout the EEA may have to comply with the laws of numerous different EEA member states. However, if it incorporates a subsidiary to become the sole contracting party and controller for all European customers, then the new subsidiary would only have to comply with the data protection laws of the jurisdiction where it is incorporated. Since the GDPR took effect in 2018, companies have become less concerned with national laws, but some differences remain, and location planning is still necessary. Companies in the United States may be able to invoke similar protections under the U.S. Constitution’s “Commerce Clause” against state laws that discriminate against, or unduly burden, interstate commerce. Such jurisdictional privileges provide some companies with a planning opportunity to actively influence which laws apply to them.
If you apply the above considerations and end up with a shortlist of jurisdictions that are still too long, you can prioritize further by identifying the countries where you should be particularly concerned about enforcement. Concerns tend to be greater in countries where you have a subsidiary, employees, key assets or key customers, or where regulators are particularly active. Aside from business concerns, one should also consider where compliance is particularly easy (e.g., no language hurdles, similar legal system to your home jurisdiction). Based on such practical considerations, most companies can come up with a manageable shortlist of priority jurisdictions.
DATA PRIVACY BY REGION: AN OVERVIEW FOR ORIENTATION PURPOSES
Before you turn to an analysis of national data privacy laws, it may be helpful to take a brief look at different regional legislative approaches for orientation.
EUROPE
In Europe, data protection laws are worded very broadly and apply to most kinds of private and public sector data processing activities. Some jurisdictions (including Italy and Switzerland) even included information relating to legal entities as “personal data,” but adopted the narrower definition of the GDPR after 2018. The basic premise in most European countries is that the processing of personal data is prohibited, except with valid consent from the data subject or based on another, statutory exception, for example if a company needs to process personal data to perform a contract with the data subject, to comply with a statutory duty, to protect vital interests of the data subject, to perform a task carried out in the public interest or to pursue its legitimate interests, except where such interests are overridden by the privacy interests of the data subject. This last exception, also known as the “legitimate interest exception,” requires a company to balance its own interests with those of data subjects. Before 2011, European data protection authorities had taken restrictive views on this exception, but more recently acknowledged the “legitimate interest exception” as a justification of equal standing and not a matter of only “last resort,” a development that may foster convergence and interoperability with U.S.-style data privacy law focused on protecting reasonable expectations of privacy. Still, consent and notice requirements are relatively stringent, international transfers of personal data outside the European Economic Area are restricted and many jurisdictions require government notification, appointment of data protection officers and other formal steps. Due to broad and undifferentiated prohibitions, companies and regulators have taken interpretative liberties in the past. Additionally, private lawsuits are relatively uncommon. This has resulted in lax enforcement and uncertainties in many countries.
Europe has changed since the GDPR took effect in May 2018. This regulation constitutes the first significant update of EU data privacy laws since 1995 and it applies directly to companies and individuals (without the need to look to national law). Data protection authorities are now able to levy much higher administrative fines of up to the greater of €20 million or 4% of annual worldwide revenue. Companies have stricter requirements regarding data protection impact assessments, data minimization, deletion and security breach reporting (within 72 hours). The basic default principle under the regulation remains “verboten”: companies must not process personal data unless they can claim an exception from the general prohibition.
UNITED STATES
In the United States, on the other hand, the basic premise is that processing personal data is permissible. Generally applicable privacy laws impose restrictions only when data subjects have a reasonable expectation of privacy (meaning an actual expectation that society considers reasonable). For the most part, organizations can destroy such expectations relatively easily by issuing notices informing data subjects of data processing practices. When broad, omnibus data protection laws in Europe were passed in the 1970s, legislatures in the United States decided to take a different approach and legislate only around serious problems. Consequently, legislatures passed laws to address specific types of risks and abuses. The United States now has myriad specifically scoped data privacy laws at the federal level and in the 50 states. When such laws apply, the restrictions and liabilities for violations can be surprisingly harsh, particularly for European companies entering the U.S. market expecting no significant privacy laws. For example, the California Song-Beverly Credit Card Act of 1971 prohibits retailers from collecting contact and other information from credit card holders, except as necessary to process the credit card transaction. This prohibition applies absolutely, even if cardholders consent in writing to the data collection, and it subjects merchants to significant liability and exposure to class action lawsuits. Yet the California law places no restrictions on information collected from cash-paying customers. As another example of a very strict but narrowly crafted law, the U.S. Congress enacted the Federal Video Privacy Protection Act in 1988 in reaction to publicity around the videotape rental history of a candidate for judicial office, but the statute’s prohibition against disclosing customers’ video rental information does not apply to books or video games. U.S. federal law for health information privacy (HIPAA) restricts health data collection and use by “covered entities” and their “business associates,” as well as providers of certain “protected health records,” but not by anyone else; as a result, various online service providers are exempt from the law even though they may collect extremely sensitive health information from consumers over the Internet. Similarly, the Gramm-Leach-Bliley Act (GLB) applies only to financial service providers and not to most FinTech companies. In addition to U.S. federal privacy laws, organizations must assess state laws and will find that California, for example, has enacted many stringent and detailed privacy laws that close perceived gaps in federal privacy laws. Since January 1, 2020, organizations are subject to extremely broad and extensive disclosure requirements, data subject rights and sanctions under the CCPA, which was expanded by popular ballot measure in the 2020 election and now also requires the establishment of a California Privacy Protection Agency, the first of its kind in the United States. Nevada, Virginia and other states are following California’s lead and adding elements of EU-style data processing regulation to their state laws.
Consequently, organizations must carefully assess whether their contemplated activities are covered by a sector-specific federal or state law in the United States. If so, organizations may find much more rigid restrictions and exposure to liability than under European laws. However, it is possible that the contemplated activity falls outside the scope of any specific laws (based on the organization’s original plan or conscious policy changes in light of the legal situation), and as a result, the organization only has to post an appropriate notice and comply with it. As in Europe, violations of U.S. law can be sanctioned by government authorities (including the Federal Trade Commission and state attorneys general). Additionally, in the United States, private lawsuits play a much greater practical role, given the possibility of class action lawsuits, punitive damages, civil jury trials and contingency fees for lawyers (who can pocket attorney’s fees and a significant portion of damages awards while plaintiffs do not incur much financial risk if they engage lawyers on a contingency fee basis).
OTHER COUNTRIES
Other countries (e.g., Argentina, Brazil, Colombia, India, Israel, Japan, New Zealand, Russia and Uruguay) have modeled their laws more or less on the European templates or have pursued a hybrid approach, with some elements of the European legislation but more differentiated or lenient consent and notice requirements and less stringent administrative duties (e.g., Australia, Canada, Hong Kong, Mexico and Singapore). The People’s Republic of China has traditionally focused on national security, local data storage and retention requirements, social scoring and monitoring, as well as support for technological innovation; yet, China is also working on adding EU-style data processing regulations to its national laws.
OTHER LAWS AND COMPLIANCE REQUIREMENTS
Besides data privacy laws in the narrow sense, organizations must consider a variety of other requirements when designing data privacy law compliance programs, including the following:
- Statutory obligations under employment, consumer protection and unfair competition laws, as well as constitutional safeguards, which apply directly to companies in some jurisdictions;
- Contractual obligations (for example, regarding data security standards, breach notifications and incorporation of privacy statements by reference in contract terms);
- Commitments to data subjects in previous privacy policies and notices; and
- Customer expectations and other business needs (what data do you need, for how long, for what purposes?).
Substantive compliance requirements vary significantly in jurisdictions with European-style data protection laws versus the rest of the world. However, there are also requirements that apply globally, e.g., that companies must comply with their published privacy policies.
One universal requirement is: do what you say. Comply with the limitations you state in notices, policies, website privacy statements and contracts. If a company remains silent about its data processing practices, then this requirement does not have much significance. However, in more and more jurisdictions and industries, companies are forced to issue statements and notices, either as a matter of law, industry practice or technical requirements (e.g., many mobile app stores require developers to post privacy statements). In the United States, for example, the Federal Trade Commission urged Internet companies to publish website privacy statements early on based on unfair competition law theories, and much of the early enforcement focused on failures to comply with promises made in semi-voluntarily issued privacy statements. If companies fail to comply with their own notices, policies and statements, they can be sanctioned in most cases under various legal theories, including unfair competition laws and tort law (misrepresentation). Therefore, companies must focus on keeping their notices, privacy statements, contracts and other privacy-related communications accurate and up to date, either by adapting their communications or their practices.
DATA SECURITY
Organizations must maintain reasonable security measures to keep confidential data protected against unauthorized access and dissemination. Security requirements also follow from trade secret laws and confidentiality agreements and extend beyond personal data. The reach of trade secret laws ends once the secret is disseminated. Data protection laws also require reasonable security measures and can apply even to personal data that has become public. Therefore, the typical definitional carve-outs in confidentiality clauses (independently developed information, information in the public domain, or compelled disclosures) may not be used in the data protection law context. Organizations must comply with data protection law requirements separately and in addition to compliance with trade secret laws and contractual confidentiality obligations.
Organizations around the world have been obligated for decades to keep personal data secure under statutes and contracts. In the past, most laws and contract clauses simply set forth a general reasonableness standard and did not prescribe specific safeguards. More recently, after California enacted the world’s first data security breach notification law in 2002 and organizations started reporting security breaches en masse, more and more jurisdictions have passed data security breach notification laws, and lawmakers around the world have started prescribing very specific technical and organizational measures intended to ensure that companies take more comprehensive steps to prevent security breaches and protect the data and privacy of consumers, employees and other individuals.
The extent to which companies collect, store, manipulate, transfer and otherwise process personal data depends on their business needs and legal obligations in collecting and retaining information. All businesses process some personal data. At a minimum, they process the contact information of their own employees, customers and business partners. Most businesses also process more sensitive data, such as payroll information, consumer purchase histories, data from credit card transactions and other financial and medical data. So, as part of implementing a data privacy law compliance program, one must assess the specific requirements of one’s business regarding data security and develop an information security program that is appropriate for one’s organization, considering specific legal requirements of the jurisdiction, one’s risk profile and tolerance, as well as contractual and practical necessities.
Successful data security programs typically involve the following parameters:
- Methods for keeping track of where data is stored and secured and for what purposes and how long it is needed;
- Physical and technical protection for premises, networks and devices (including encryption, firewalls, strong authentication and passwords);
- Access controls within the organization (“need to know”-based restrictions);
- Employee training;
- Secure deletion of data that is no longer needed (e.g., on discarded devices, paper);
- Ongoing monitoring plus random audits and investigations into data security, performed by internal resources or external validation providers;
- Prudent vendor selection, management, monitoring and contracting;
- Proactive privacy impact and security-by-design assessments before any major changes to data processing activities, including the implementation of new products, processes and data uses; and
- Security incident preparedness, based on protocols for how to report and respond to incidents, training, remediation processes, and “dry run” exercises.
As a first step, one should determine whether an organization has written policies or unwritten processes addressing these points and identify the persons in charge of ensuring compliance. As a second step, one might prepare a written summary of existing measures and then assess whether these measures meet legal requirements (statutory and contractual) and adequately address risks threatening the organization. Next, one might consider having the security program validated by outside advisors to confirm alignment with industry practice. It is important to reach a clear understanding and agreement with the outside advisor on objectives and deliverables. Some organizations experience frustration because they hire data security consultants who deploy an infinite number of scans and tests but are not willing to advise when enough is enough or to issue an opinion regarding the adequacy of the organization’s security efforts.
REGIONAL, SUBSTANTIVE DATA PRIVACY LAW COMPLIANCE REQUIREMENTS
Under European data protection laws organizations must satisfy a number of additional substantive data protection law compliance requirements:
- minimizing data processing and limiting retention times;
- maintaining data integrity by updating, correcting or deleting data;
- granting access to data subjects on request; and
- seeking consent or other justifications.
These requirements apply in most European countries but may not apply outside of Europe.
Many countries have consciously opted against data minimization requirements because they constitute a particularly severe restraint on innovation, economic liberties and freedom of information.
FORMAL COMPLIANCE REQUIREMENTS
Several data privacy law compliance requirements are “formal” in the sense that they require generating certain notices, government filings or other paperwork. Such formal compliance obligations do not directly require changing one’s data processing activities. However, if you are not substantively in compliance you are usually unable to issue appropriate notices or government filings, because you would just be notifying everyone that you are not in compliance. Substantive compliance logically comes first. Practically, it is often most efficient to start work on formal compliance tasks because this work will help identify substantive compliance requirements and gaps. Additionally, most companies find it comparatively easy to achieve formal compliance and see a particularly high risk associated with failing to comply with formal requirements, as such failures are especially easy for government investigators, private plaintiffs and other potential adversaries to prove. The question “Did you make the required filing or not?” tends to be more black and white than, for example, “Is a three-year data retention period appropriate for employee records after termination?”
As a general matter, one can expect formal requirements to typically include the following:
- appointing a data protection officer;
- preparing records of data processing activities;
- documenting data security measures;
- concluding appropriate data transfer or processing agreements with affiliates, service providers and other business partners;
- issuing notices to data subjects, obtaining consent;
- submitting notifications to data protection authorities or seeking their approvals; and
- consulting with works councils, labor unions or other employee representative bodies, if any.
CONCLUSION AND EXECUTING TASKS
Once you have prepared a list of concrete tasks to achieve compliance with data protection laws, you should start executing those tasks, perhaps first on low-hanging fruit and tasks that help mitigate major risks. Many companies find it helpful to start by preparing the required notices to data subjects because in the process they naturally go over the status quo and can then best address gaps and other issues. An important practical point is: don’t get overwhelmed. It is better to close some compliance gaps than none; and even though many tasks are interconnected, it is often possible to complete tasks in some areas without prejudice to others (e.g., address employee data privacy and security before or after tackling consumer data privacy, and approach compliance for some priority jurisdictions before turning to others).
ENDNOTE
LOTHAR DETERMANN is a Partner at Baker McKenzie, Palo Alto, California. Lothar’s practice is focused on data privacy law compliance, information technology, copyrights, product regulations, and international commercial law. He is the author of California Privacy Law – Practical Guide and Commentary, 4th Edition (2020) and Determann’s Field Guide to Data Privacy Law, 5th Edition (2022), which is also available in Chinese, German, Hungarian, Italian, Japanese, Portuguese, Russian, Spanish and Turkish.