Data Without Borders
With employees and customers in multiple countries, IT managers must answer to a web of privacy laws to keep
international data legal.
by Minda Zetlin, February 2012
A company that provides online wellness services landed a contract with a major company with offices
in Spain, Germany, and France. It was the kind of sale every executive dreams of. But it came with
some very big headaches, too. “Now they’ve got this problem where they have to abide by the privacy
regulations in each of these three countries and register with the regulators there,” says Stuart Buglass,
director of human capital consulting at Nair & Co., which advises companies on international expansion.
The wellness company had walked right into one of the most challenging aspects of international
business today: data and privacy laws across international borders.
The challenges are considerable. Throughout the
world, an evolving mosaic of privacy laws dictates
how data must be handled. At issue is personally
identifiable information (PII) that can be traced to
an individual person (such as name, address, ID
number, and job title). Most experts agree that the
most-stringent data protection laws are found in
the European Union (EU), where the Data Privacy
Directive governs all PII use. In general, a
company able to deal effectively with the
provisions of the EU directive will likely be able to
handle privacy laws in other jurisdictions as well.
Although the provisions of the Data Privacy
Directive hold across the EU, anyone collecting
data on European residents must follow the laws
of an individual’s country of residency as well—and those laws differ among EU member states. It might
seem logical to find the strictest EU privacy laws and comply with those, but the laws are different
enough to make that approach impractical.
“You can’t have a broad sweep of standards that will satisfy all the different types of legislation,”
Buglass says. “You have to actually identify where the data subjects are and which specific legislation
applies to them.”
Complex Relations
One of the EU’s eight “enforceable principles” for privacy protection is that data must not be transferred
to countries without adequate legal protection. But that raises the question of what constitutes a data
transfer. From a privacy and security standpoint, it makes little difference whether an employee’s name
is sent through a network and stored on a server in, say, Russia, or whether a hacker from Russia goes
through that same network to view the data while it resides on a server in France. And indeed, the EU
defines access to data as a form of transfer, for privacy purposes.
While many experts recommend leaving European data in Europe, that strategy is not sufficient to
ensure compliance with the law. And it can create unexpected challenges for Americans accustomed to
different privacy rules. “Something as innocuous as a personnel directory that can be accessed by
company staff outside of Europe can create a problem,” notes Lisa Sotto, head of the privacy and
information management practice at Hunton & Williams, a law firm with expertise in intellectual property
and international business.
To make matters worse, international laws may conflict with each other, especially when it comes to
keeping data. In general, European laws require companies to destroy PII as soon as its utility has
expired. But in the United States, laws may dictate a different retention period. “If you’ve got a U.S.-based
company dealing with data from another country, there may be a conflict,” says Jimma Elliott-Stevens,
director of risk assurance services at PwC, a global professional services firm.
Meanwhile, the list of nations with strict laws governing the use of PII is growing. In 2011, Costa Rica
became the seventh Latin American country to regulate this data. India’s data privacy laws, amended in
2008, are strong enough to draw criticism from U.S. multinationals.
But for nations outside the EU, stricter data privacy laws can be good for business. The European
Commission has recognized a handful of countries with adequate data privacy protections—among
http://www.oracle.com/us/corporate/profit/features/010312-data-1447091.html 2/3/2012
them Canada and Argentina. Data can be transferred to (or accessed from) countries with laws that
offer similar protections to the EU directive.
“It’s interesting to note that a lot of countries coming up with robust sets of legislation are those where
there’s a lot of offshoring,” Buglass notes. “India’s privacy law is probably even more robust than that in
the EU. It isn’t yet a trusted third country, but if India’s government can prove it can actually enforce
these rules, it may be soon.”
However, the chances of the U.S. gaining the status of a trusted third country are virtually nil. The
American approach is to have different regulations apply in different industries (for instance, the
healthcare industry is subject to the Health Insurance Portability and Accountability Act, more commonly
known as HIPAA) and different states.
“I think the U.S. would have to crumble and be rebuilt to change its entire sectoral approach to
regulations,” Elliott-Stevens says. “The U.S. cares about data privacy, and we do have strict laws and
regulatory bodies in place. But the way we deal with it is to find commonalities and start there. We
negotiate and leverage relationships.”
Crossing Borders
So what are the options for U.S. companies with employees in countries with stricter privacy laws? One
way is to keep all personal data within the country or jurisdiction where it is obtained and prevent any
access from outside. Another would be to find a way to certify that data transferred outside the
jurisdiction will adhere to local legal strictures. (See “Gaining Customer Consent.”)
The first of these options may be the right choice for many multinational companies. Privacy laws do not
prevent managers from accessing sales and performance data from outside a territory, as long as IT
ensures that PII, such as a customer phone number or employee attendance history, isn’t involved.
“Maintaining local management of data is the perfect solution,” Buglass says. “If you haven’t got the
luxury of doing that, try to limit the data transfers to certain countries. The risk, obviously, is when you
can’t keep track of the data—for instance, if you have a cloud server that jumps from country to country
to take advantage of available storage.” Some companies are coping with this by setting up EU-only
clouds, he adds.
For managers who do need to transfer PII among jurisdictions, there are legal frameworks that make
this possible. One is the Safe Harbor arrangement, in which U.S. companies certify that they will abide,
for example, by the EU directive when handling PII from an EU country. However, since the EU is
counting on the U.S. Federal Trade Commission (FTC) to enforce the Safe Harbor provisions, this
option is only available to companies regulated by the FTC. Safe Harbor has been in place for more
than a decade, and so far roughly 2,000 U.S. companies have signed on.
A second, more difficult option is Binding Corporate Rules, a legal framework in which companies certify
that they have put in place corporate rules protecting the privacy of PII. Though created as an
alternative to Safe Harbor and model contracts (see below), Binding Corporate Rules is a difficult
choice, Sotto says, because it requires getting specific approval for your rules from some individual
countries. While many EU countries’ data protection authorities will recognize the blessing of another
country’s authority, some EU countries will not. “It’s very hard to implement,” she says.
A third solution is to use the model contracts provision of the EU privacy directive. In this case, a
contract between European and non-European entities requires the non-European entity to protect the
privacy of personal data, Sotto says. Since the European subsidiary of a multinational company is
nearly always created as a separate legal entity, the two can sign a binding contract that fulfills the data
transfer requirements of the EU privacy directive.
“For these solutions, you need to understand the relevant data flows within your company,” Sotto says.
“What you’re collecting, the use to which you’re putting the data, and who will have access to it. And
ultimately, how and when you will dispose of it.”
The Role of IT
Inevitably, compliance with global data privacy laws falls to IT—but industry best practices can help.
Know your data. Having a precise understanding of the data you have is an essential first step,
according to Carolyn Holcomb, partner, risk assurance services, at PwC. “Think about every data
element that could be used to identify an individual,” she says. “If you put them all together, there are
somewhere in the neighborhood of 60 different elements that are common across the different privacy
laws. Make a list of all those data points, and then do a data inventory. Find out exactly where the data
resides and what countries it comes from.”
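The two practical points above, that access from outside a jurisdiction is itself a transfer (so managers abroad may see sales and performance figures only when PII is stripped out) and that compliance starts with an inventory of where PII resides and which countries its data subjects come from, can be turned into a small policy check. The following Python is an added example, not code from the article or from Oracle or PwC; the table layouts, the PII element list (only the elements the article names), the EU and adequacy country subsets and the recipient attributes are all constructed assumptions for illustration.

```python
# Added example (not from the article): a minimal PII inventory and a
# cross-border access check in the spirit of "know your data" and
# "keep PII local unless a transfer basis exists". All tables, names and
# country sets here are constructed for illustration.
from dataclasses import dataclass, field

# Data elements the article names as PII (name, address, ID number, job title,
# phone number, attendance history). A real catalogue would be far longer.
PII_ELEMENTS = {"name", "address", "id_number", "job_title",
                "phone_number", "attendance_history"}

# Assumptions for the example: a subset of EU member states, and the two
# countries the article names as recognised by the European Commission as
# offering adequate protection.
EU_MEMBERS = {"FR", "DE", "ES"}
ADEQUATE_COUNTRIES = {"CA", "AR"}


@dataclass
class Table:
    name: str
    columns: list
    subject_countries: set   # countries of residence of the data subjects
    hosted_in: str           # country where the server physically sits


@dataclass
class Recipient:
    """Whoever is reading the data; access from abroad counts as a transfer."""
    country: str
    safe_harbor: bool = False                              # FTC-regulated US firm, Safe Harbor certified
    model_contract_with: set = field(default_factory=set)  # EU subject countries covered by a model contract


def pii_columns(table):
    return sorted(c for c in table.columns if c in PII_ELEMENTS)


def inventory(tables):
    """The 'know your data' step: every table holding PII, where it resides
    and which countries its data subjects come from."""
    return [{"table": t.name, "pii": pii_columns(t), "hosted_in": t.hosted_in,
             "subject_countries": sorted(t.subject_countries)}
            for t in tables if pii_columns(t)]


def transfer_basis(subject_country, recipient):
    """Legal basis for the recipient to read PII of residents of
    subject_country, or None. Only the EU cases in the article are modelled."""
    if recipient.country == subject_country:
        return "domestic"
    if subject_country not in EU_MEMBERS:
        return None            # other jurisdictions: not modelled here
    if recipient.country in EU_MEMBERS:
        return "intra_eu"      # assumption: free movement inside the EU
    if recipient.country in ADEQUATE_COUNTRIES:
        return "adequacy"
    if recipient.country == "US" and recipient.safe_harbor:
        return "safe_harbor"
    if subject_country in recipient.model_contract_with:
        return "model_contract"
    return None


def authorize(table, requested_columns, recipient):
    """Decide a query against `table`. Non-PII columns (sales, performance
    figures) are always served; PII needs a basis for every subject country.
    Returns a dict with the decision, the reason and the columns served."""
    requested = set(requested_columns)
    unknown = requested - set(table.columns)
    if unknown:
        raise ValueError(f"unknown columns: {sorted(unknown)}")
    if not requested & PII_ELEMENTS:
        return {"allowed": True, "reason": "no_pii", "columns": sorted(requested)}
    bases = {c: transfer_basis(c, recipient) for c in table.subject_countries}
    missing = sorted(c for c, b in bases.items() if b is None)
    if missing:
        # Deny the PII, but report which of the requested columns could still be served.
        return {"allowed": False,
                "reason": "no transfer basis for subjects in " + ",".join(missing),
                "columns": sorted(requested - PII_ELEMENTS)}
    return {"allowed": True, "reason": "+".join(sorted(set(bases.values()))),
            "columns": sorted(requested)}


# Constructed sample data: an HR table with EU data subjects hosted in France,
# and a pure sales table with no PII at all.
EMPLOYEES = Table("employees",
                  ["name", "address", "job_title", "attendance_history",
                   "region", "sales_total"],
                  {"FR", "DE", "ES"}, hosted_in="FR")
SALES = Table("sales_by_region", ["region", "quarter", "sales_total"],
              {"FR", "DE", "ES"}, hosted_in="FR")

if __name__ == "__main__":
    for row in inventory([EMPLOYEES, SALES]):
        print(row)
    us_manager = Recipient("US")
    print(authorize(EMPLOYEES, ["region", "sales_total"], us_manager))
    print(authorize(EMPLOYEES, ["name", "sales_total"], us_manager))
    print(authorize(EMPLOYEES, ["name", "sales_total"], Recipient("US", safe_harbor=True)))
```

The check is keyed on the data subjects' countries of residence rather than on where the server sits, because that is what the article says the EU directive looks at; a U.S. manager with no Safe Harbor certification or model contract is refused the name column but is still told that the sales total can be served, which is the "strip the PII" path the article describes for cross-border reporting.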
Don’t take what you don’t need. “Another practical solution is not to collect the data,” Holcomb says.
Of course every company collects some PII from customers and employees. But many have the
mindset that the more data they can collect—especially from customers—the better. While that data can
be useful for market research, it will make following international data laws much harder.
Consider privacy when planning cloud implementations. Buglass notes that cloud providers often
move data around among different hosting companies. To address this problem, some are providing
EU-only cloud solutions. But that’s not the only option, he says. “If it’s a U.S.-based cloud company, it
should be a Safe Harbor adherent, and it should certify that the data won’t go beyond U.S. shores. Yet
another option is to bind the cloud vendor with a contract that requires it to treat PII in accordance with
the EU directive. But remember that the company that first accepted the data is still legally responsible
for what happens to it if the vendor fails to abide by the contract.”
Manage international data in a GRC plan. “The same risk tools that help you from being fined for
regulatory violations can also help you with the bottom line for reasons unrelated to compliance,” notes
Sid Sinha, senior director of governance, risk, and compliance (GRC) product management at Oracle.
The same solutions used for compliance with important regulations can also eliminate process errors
like finding incorrect or duplicate payments.
Oracle GRC applications aid compliance with international privacy laws, as well as U.S., local, and
industry regulations and audit requirements. A great time to think about GRC is at the start of a major
deployment or upgrade, Sinha adds. “If you’re implementing a new system and defining business
processes, that is an ideal opportunity not only to minimize the long-term cost of compliance but to
proactively manage the risk of a global IT project. What we hear from many Oracle GRC customers is
that they wish they had started sooner and incorporated GRC before they rolled their new system out.”
Indeed, tackling international privacy laws in the context of an enterprise resource planning (ERP)
system will make the process as painless as possible, says Michael Baccala, partner, risk assurance
services, at PwC. “When I think about using technology to deal with these challenges, an ERP solution
such as Oracle’s is much better than trying to do it with a legacy or homegrown system,” Baccala says.
“Clients with older or unique systems struggle more, as [those systems] are typically not as well
integrated with each other. With an ERP solution such as Oracle’s, you have more-consistent controls
and more-global enforcement. And once you understand the legally required process, the technology is
there to support it.”
Minda Zetlin is coauthor of The Geek Gap: Why Business and Technology Professionals Don’t
Understand Each Other and Why They Need Each Other to Survive (Prometheus Books, 2006).