Organizing and managing data protection: legal framework and practical challenges for global players
By Dr. Klaus-Peter Weber and Nina Füssel
Electronic transfers of data constitute an integral part of corporate mass communication, a phenomenon reaching truly global dimensions in the digital age. In fact, collecting, storing and transferring data packages at high speed, on a large scale, and at all hours of the day has become an indispensable business tool for any company that conducts business across national borders or is based on multijurisdictional legal entity structures. Consequently, data protection is gaining more and more attention. While the protection of personal data has been on the agenda of national and EU legislators for decades, its regulation has reached new legal and political dimensions. Rapid technological developments, the overall effects of globalization and the ongoing public debate on data protection are keeping the topic prominently on the corporate agenda. Adequately addressing the issue requires growing attention from legal departments as well as management. Significant corporate effort must be made to organize the collection, storage, use and transfer of personal data effectively and legally. Juggling data while protecting personally identifiable information and complying with all applicable rules is becoming an increasing challenge for organizations, especially in a multijurisdictional business arena. On top of regulatory and public attention, historical and cultural differences over the concept of data protection tend to complicate matters further, especially when it comes to aligning EU- and U.S.-style implementation within a group.
Regulatory landscape in Germany and the EU
The birthplace of formalized legal data protection is Germany—who knew? It all began with the first data-protection act of the German state of Hesse in 1970. The German Federal Data Protection Act (Bundesdatenschutzgesetz, or BDSG) followed in 1977 as the first federal data-protection act in Germany. Today, the BDSG is still valid and supplemented by state-level data-protection acts in each German state. To harmonize data-protection laws in the EU, the European Parliament and Council adopted a general data-protection directive in 1995, specifically Directive 95/46/EC dated 24 October 1995. This directive has been regarded as a milestone in the history of personal data protection; its basic principles are as valid today as they were 19 years ago. However, a revision in the form of a new regulation is currently being negotiated by EU authorities. One of the highlights will be a significant increase in the penalties for noncompliance with data-protection rules. There are two main reasons for the revision. First, variances in the way that each member state implemented or applied the directive have led to an uneven level of protection of personal data. Second, the current rules need to be modernized due to technological advancements and the effects of globalization in order to future-proof data-protection rules and make them fit for the digital age. Enforcement of these coexisting laws is dealt with by a number of different authorities at the federal level, the state level and the EU level. In the end, the various regulatory levels and jurisdictions make for a highly diverse and complex regulatory landscape.
Data protection/compliance – BLM – No. 1 – June 26, 2014 – p. 34
Figure: The increasing cross-border transfer of electronic data has brought data protection into the limelight. © Thinkstock/Getty Images
Processing personal data internationally
The EU directive contains certain key terms like “personal data,” “processing,” “controller” and “processor,” and the way that these terms are defined is crucial. In order to manage data protection effectively, corporate associates would be well-advised to familiarize themselves with these definitions and their specific scope. Each processing of personal data must be legitimate and follow the general data-protection principles established by the EU. The highly technical language of these core concepts means they are not easily put into practice, which further contributes to the complexities of the legal landscape.
Is your level of data protection adequate?
If a company intends to (a) transfer personal data to a country outside the EU or European Economic Area (EEA), (b) store such data on a database hosted on a server located outside the EU or EEA or (c) grant individuals located in a country outside the EU or EEA access to such data, data protection gets even more burdensome. Companies operating in the EU are generally not allowed to transfer personal data to a country outside the EU or EEA unless that country ensures an adequate level of protection. This protection could either already be established at the national level if the country’s laws are deemed adequate or at an organizational level, for example if a corporation establishes and documents its internal means of data protection. Unfortunately, there is no automatic intragroup exemption for data transfers or global access rights for companies in the same corporate group. This renders the sharing of personal data within a group or the storage of personal data in global databases all the more onerous. With a bit of luck, a country that is to be the recipient of transferred personal data can be found on the EU Commission’s list of countries deemed to have an adequate level of data protection. For all non-listed third countries, additional legal requirements have to be met.
Crossing into the U.S.
With regard to transfers of personal data into the United States, an adequate level of data protection can be achieved if the U.S. recipient body is Safe Harbor-certified. The Safe Harbor certification process was developed by the U.S. Department of Commerce in consultation with the EU. U.S. companies can self-register their certification if they comply with the general data-protection principles established by the EU. The Safe Harbor concept itself, however, has been intensely debated and criticized in the past. In particular, questions have arisen as to whether the certification concept is sufficient for data-protection purposes and if it is generally being executed in a satisfactory fashion. Registering and receiving a certificate may not be enough to actually ensure the protection of personal data and compliance with the data-protection principles.
EU Model Contract and other alternatives
Additional options for establishing an adequate level of data protection also exist. For one, the intended transfer can be authorized by the competent data-protection authority. Implementing binding corporate rules is another alternative. Third, an entity could agree to the EU Model Contract. While the administrative obstacles and effects imposed by the aforementioned alternatives differ, the practical challenge in all cases typically is implementing the required organizational safeguards that adequately protect personal data. Achieving such a protective corporate environment should not be underestimated given the multitude of legal entities and jurisdictions as well as the oft-diverging management cultures of international corporations.
Awareness is key
Besides the legal aspects outlined above, any international company typically faces awareness issues. Naturally, in order to ensure a company’s compliance with applicable data-protection rules, its employees have to be aware of such rules. Implementing and securing awareness can pose a particular challenge as soon as different employees from different departments and different companies in different countries with different historical and cultural backgrounds and different economic objectives come into play. In practical terms, varying levels of sensitivity to the issue may easily lead to uneven standards of data protection within international groups. Who, then, should be responsible for data protection within a group? As internal responsibilities for securing data protection are often shared between different departments, significant communication, training and internal alignment needs add further complexity to the subject.
Personal data vs. HR personal data
A major part of personal data processed by a company is human resources’ data on employees. For that reason, the HR department is often considered the appropriate department for data protection. An increasing number of companies have an internal data-protection officer—mostly an associate from the HR department. However, in day-to-day business it is very likely that a company processes more than only employees’ personal data. HR may often be regarded as the appropriate department for ensuring data protection, but additional input from other departments will typically be needed as well.
IT data protection vs. data security
As processing of personal data usually happens electronically, the IT department should be consulted to understand the data flows and access structures. In this context, data protection is often confused with data security. The latter usually does not concern compliance with legal data-protection rules and the conclusion of specific data-protection contracts, but instead primarily addresses the technical protection of data from destructive forces and unwanted actions of unauthorized users. The fact that modern data protection is a digital endeavor complicates the matter even further. It may not be so easy for the typical in-house lawyer to master the technical architecture and the virtual world to be able to ask the right questions and, on the other hand, for IT specialists to realize the significance of legal ground rules and requirements to provide the relevant answers. Sometimes even the IT department of a company may not have the complete picture of all relevant data flows and data-access options within a corporate group, especially if data are being stored as part of a globalized system or by external service providers. The IT department has the necessary technical knowledge, but typically cannot single-handedly manage the data-protection issues that need to be taken care of from a legal standpoint.
Compliance, compliance, compliance
As data protection can be regarded as part of compliance, it could be included in the compliance program of a company. In this constellation, the compliance officer could be directly responsible for data protection. However, all applicable rules or regulations generally require a defined level of compliance, meaning just about any regulatory topic could be regarded as a compliance topic, leading to an impractical ballooning of responsibilities. Data protection does not yet seem to have appeared on the typical compliance agenda.
Everything is legal
After all, since data protection is all about legal rules, the legal department is likely to be involved in organizing and coordinating corporate data protection. However, it generally does not collect personal data at a corporate level, and it also typically does not possess the factual or technical knowledge about all relevant processing activities. Additionally, just about anything can be considered “legal” domain, and many legal departments do not have data-protection specialists within their ranks nor the sheer manpower to act as the sole manager of data-protection matters. Therefore, the legal department, like HR or IT, will also often need the assistance and support of other departments. In some cases, external data-protection specialists might even need to be involved.
Any company regulated by data-protection rules is responsible for its corresponding compliance. In order to ensure such compliance, the various corporate functions and specialists need to be aware, work together, share their knowledge and align in the many processes involved in the protection of personal data. Typically, joint responsibility should be taken for compliance with data-protection rules. And as complexity grows, a company may have to rely on external data-protection specialists.
In the end, will data protection just be absorbed into the ever-growing body of compliance rules? While this may be hard to predict, preparations should be made for the future development of data-protection matters in the international in-house context. Companies and their management teams are well advised to give data protection the attention it currently receives in the public. In light of this, as well as technological progress, individuals’ growing privacy needs and compliance developments, data protection is likely to become an even more prominent topic than it already is. It should be expected that both the sanctions for noncompliance and their enforcement practice will be stiffened, at least in the EU. After all, a similar development has already been witnessed in the past in other areas of the law, such as antitrust, and data protection could well go the same route. Data protection should therefore be solidly embedded in the organizational architecture of any corporate player. The digital age is here to stay, and so is data protection. It is hard to imagine that it will step out of the limelight any time soon.