At a roundtable discussion yesterday, June 21, 2010, an attorney and representative for the U.S. Federal Trade Commission decried the current patchwork of U.S. privacy laws. Unlike our neighbors across the pond in the European Union, the U.S. approach to privacy protection is arguably lacking in terms of uniformity and effectiveness.
As I described in a previous blog post, the U.S. Congress has yet to adopt a federal statutory scheme that would hopefully provide uniformity. The FTC representative echoed the often-heard concern in privacy law circles that U.S. law needs to adapt to new methods of business data transfer and record retention—in particular, cloud computing. A popular buzzword at present, cloud computing promises to streamline a business’s data processing and record retention, and to provide lightning-quick methods of collaboration in a business climate that is seeing a rapid increase in “telecommuting.” At the same time, cloud computing also threatens to expose the personal information of a business’s consumers, customers, and/or website users. Although security measures are available to help make cloud computing secure against intrusions into or inadvertent disclosures of personal information, the retention and transfer of such sensitive information in an online environment certainly raises the specter of increased risk of privacy breaches.
One of the major concerns of the FTC is to require notice and disclosure of privacy breaches. The FTC and most consumers understand that data breaches are inevitable, whether data is stored in a brick-and-mortar building or in the cloud. The FTC wants to ensure, however, that whenever such a breach occurs, the consumer will be notified of the breach. California already requires businesses to notify California residents of such breaches, but many other states do not. The House of Representatives approved a bill to require such notification for all U.S. consumers (see http://bit.ly/dnmBUr), but it has yet to be approved by the Senate.
In contrast to the U.S., the European Union nearly 15 years ago promulgated a Data Protection Directive (see http://bit.ly/9e4eDt), which provides considerably more protection to its residents. Although many consider this directive to be too onerous on businesses, it does address the notice or “transparency” issue described above. Beyond just reporting breaches of a consumer’s personal data, the Directive requires notice, and sometimes consent, every time “personal data” is “processed”—which means just about anything you can do with data: transfer, store, etc. Furthermore, such data can be processed only if it meets certain criteria regarding business necessity.
As a U.S. business owner, the important thing to be aware of is that you become subject to the data privacy laws of whatever jurisdiction your customers, clients, or website users reside in. For example, if you have customers who reside in Nevada or Massachusetts, and your business is based in California, you will have to comply with stricter privacy laws than you normally would in your home state.
More surprisingly, if you have operations in any country in the European Union or have personal data from an individual who resides in the European Union, the EU Directive could potentially apply to your business operations. Most often, problems occur when such data is transferred “offshore” from the EU country into the U.S., because the EU does not consider U.S. law to be sufficiently protective of its residents. That being said, the EU has certain, limited “safe harbor” exceptions so that U.S. businesses do not have to comply with all of the onerous provisions in the Directive. See http://www.export.gov/safeharbor.
For more information on what laws apply to your business and how to comply with them, you can contact our law firm at firstname.lastname@example.org.