
EU and U.S. Data Regulations

By Chris Getner
July 28, 2005

You have likely already read a great deal more about the implications and requirements of Sarbanes-Oxley (SOX) legislation than you would have otherwise liked. The new reporting, data retention and accountability regulations are of obvious import, both legally and financially. Of equal interest, however, for firms that are either multinational or do business overseas, are the conceptual differences between this recent U.S. legislation and the privacy legislation and regulations adopted in the EU. Essential to understanding where U.S. and EU data regulations conflict with or complement each other is understanding the root motivations behind each set of rules.

U.S.

Created in reaction to the embarrassing corporate defaults and excesses of Enron and WorldCom, the U.S. regulations focus on issues of corporate accountability and reporting. Aside from the details of implementation strategies for SOX compliance, it is important to maintain perspective as to what the intent of these regulations was. Specifically, SOX was about augmenting corporate transparency. The perception had been that a veil of 'deniability' had grown between senior corporate officers and shareholders. SOX strives to remove this veil and ensure that traceable document trails are preserved for all material corporate decisions and forecasts. One may debate the efficacy of the legislation, but the core intent was to increase accountability, preserve a data/document trail, and more rigidly link individuals in a corporate structure to outward communications and actions.

EU

On a completely different stage, EU regulations evolved with the intent of preserving personal privacy in a distinctly multi-jurisdictional environment. As businesses became more interdependent and fluid in a more economically integrated “Euroland,” the concern grew that differing mores on privacy might enable personal information to be exploited. The perceived risk was that, without additional restrictions, information collected in a jurisdiction with strict privacy regulations could be transmitted to a jurisdiction with fewer limitations on the use of personal data. Again, the core intent of these regulations is of most import, and that intent centers on holding data about the individual in the strictest confidence unless otherwise released by the individual. It is further worth emphasizing that the privacy restrictions are meant to protect the information of all individuals, whether employees, contractors or customers.

Conflict

On the surface, these two movements do not seem in conflict. Corporate reporting seems to bear little in common with personal information — that is, until one begins to examine how intertwined personal information is with corporate accountability. Take as one example a financial report for a services company. One of the significant cost-of-goods-sold items in the P&L, whether forecast or historical, is the commission structure for sales representatives. Most service firms have a fairly mechanistic commission structure, so it would be simple to take an employee directory and infer approximate salary levels for sales staff. This level of detail, and more, is required under U.S. regulations to ensure accurate reporting. However, this same level of detail would likely run afoul of EU regulations intended to protect the personal information of employees. Take another example, in which an audit trail is needed to preserve the sequence of those who reviewed and approved a particular financial forecast. Implicit in this kind of trail are the names, e-mail addresses and other personal contact information associated with each individual. This is exactly the type of personal information that EU regulations protect from disclosure without the express acquiescence of the individual parties. In fact, in most corporate situations, where the key actors are limited in number, the chance of U.S. disclosure regulations coming into conflict with EU privacy regulations is very high.

Resolution: Short Term

There are any number of workarounds that can be applied ad hoc to skirt these conflicts; however, each introduces delay and cost in properly addressing the concerns of all parties. To minimize the impact of such potential conflicts on your litigation or investigation:

Work with your client to identify up front the specific documents that are likely to contain the most personal information, and have their review segregated from the general collection. Employee directories, compensation plans and policies, and Customer Relationship Management (CRM) systems are all “hot button” document types that should be treated with special care.

Conduct privacy tests during the discovery process to determine what personal information may be transmitted as part of the investigation. If questions arise, highlight them earlier rather than later in the process to reduce the cost of modifying procedures.

Develop and document a rigorous information disclosure and destruction policy for use internally and with all associated suppliers. It may sound obvious, but take the time to get signed documentation from any partner or contractor handling the data regarding its disclosure, use and eventual destruction. Ensure that you receive written confirmation after investigative activities that all data has been properly removed from all external systems.

Resolution: Long Term

In the long term, these issues are not going to fade away but rather will become more prevalent. Trends internationally are toward broader acceptance and adoption of EU-type privacy protections. With the rise in identity theft and online fraud, pressures are increasing globally to protect and limit the flow of private information without the individual's consent. Market forces, however, will similarly force the adoption of U.S. SOX-type requirements on offshore and multinational firms. Thus, the stage is set for a growing data processing issue.

The resolution will eventually lie in decoupling traceable personal data from corporate records and transactions. Interestingly, the technology to allow for full accountability and privacy was proven in the largely failed digital cash ventures of the late 1990s. These technologies, based on proven techniques of public key cryptography, allow validation of a user without disclosure of the individual. In the context of corporate reporting, an electronic token can verify that an individual had the correct authority to approve a document while divulging nothing about the particular individual, thus maintaining correct financial controls.

For situations where individual accountability and traceability must be maintained, these technologies can be combined with encrypted digital signatures to “unlock” an individual's identity where legally required. This would make personal disclosure an optional part of the discovery process, as opposed to the current situation, where it is an unintended byproduct.
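The two preceding paragraphs sketch an architecture: an authority-bearing token that lets an auditor confirm an approval was made by someone holding the right role, plus an escrowed, legally gated path back to the person. The following Go program is an added example written for this page; it is not the author's design and not the blind-signature digital cash schemes he alludes to, but a simpler pseudonymous-credential-with-identity-escrow construction that shows the same separation of duties. It assumes Ed25519 for the authority's and the approver's signatures and RSA-OAEP for the escrow encryption; the role names, the identity string and the forecast document are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// AuthorityToken is a hypothetical credential an HR/identity authority issues to an
// approver. It binds a pseudonymous approval key to a role; the approver's real
// identity travels only as ciphertext that the legal escrow key holder can open.
type AuthorityToken struct {
	Role        string            // certified role, e.g. "forecast-approver"
	ApprovalKey ed25519.PublicKey // pseudonymous signing key, no link to a person
	EscrowBlob  []byte            // identity encrypted under the escrow RSA key
	IssuerSig   []byte            // authority's signature over the three fields above
}

// signedFields is the canonical encoding the issuer signs and verifiers check.
func signedFields(role string, key ed25519.PublicKey, blob []byte) []byte {
	b, _ := json.Marshal(struct {
		R string
		K []byte
		B []byte
	}{role, key, blob})
	return b
}

// IssueToken makes a fresh pseudonymous key pair for one approver, escrows the real
// identity under the legal escrow public key, and certifies the pair for a role.
func IssueToken(issuer ed25519.PrivateKey, escrow *rsa.PublicKey, identity, role string) (AuthorityToken, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return AuthorityToken{}, nil, err
	}
	// OAEP label = the pseudonymous key, so the blob cannot be moved to another token.
	blob, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, escrow, []byte(identity), pub)
	if err != nil {
		return AuthorityToken{}, nil, err
	}
	tok := AuthorityToken{Role: role, ApprovalKey: pub, EscrowBlob: blob}
	tok.IssuerSig = ed25519.Sign(issuer, signedFields(role, pub, blob))
	return tok, priv, nil
}

// SignApproval records an approver's decision on a document without naming them.
func SignApproval(approval ed25519.PrivateKey, document []byte) []byte {
	digest := sha256.Sum256(document)
	return ed25519.Sign(approval, digest[:])
}

// VerifyApproval is the auditor's check: the issuer certified this key for the
// required role, and this key signed exactly this document. No name or contact
// detail is needed or revealed.
func VerifyApproval(issuerPub ed25519.PublicKey, tok AuthorityToken, requiredRole string, document, sig []byte) error {
	if len(tok.ApprovalKey) != ed25519.PublicKeySize {
		return errors.New("malformed approval key")
	}
	if !ed25519.Verify(issuerPub, signedFields(tok.Role, tok.ApprovalKey, tok.EscrowBlob), tok.IssuerSig) {
		return errors.New("token not issued by the trusted authority")
	}
	if tok.Role != requiredRole {
		return fmt.Errorf("token certifies role %q, need %q", tok.Role, requiredRole)
	}
	digest := sha256.Sum256(document)
	if !ed25519.Verify(tok.ApprovalKey, digest[:], sig) {
		return errors.New("approval signature does not match document")
	}
	return nil
}

// UnlockIdentity is the legal-process step: only the escrow private key maps a
// pseudonymous approval key back to a person.
func UnlockIdentity(escrowPriv *rsa.PrivateKey, tok AuthorityToken) (string, error) {
	id, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, escrowPriv, tok.EscrowBlob, tok.ApprovalKey)
	if err != nil {
		return "", err
	}
	return string(id), nil
}

// Demo runs the whole flow on constructed sample data and reports what each party
// learns: the auditor's three verdicts and the identity the escrow holder recovers.
func Demo() (auditOK, wrongRoleRejected, tamperRejected bool, unlocked string, err error) {
	issuerPub, issuerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	escrowPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	// Constructed sample: one employee certified as a forecast approver.
	tok, approvalPriv, err := IssueToken(issuerPriv, &escrowPriv.PublicKey, "employee-42@example.com", "forecast-approver")
	if err != nil {
		return
	}
	forecast := []byte("Q3 revenue forecast v7 (constructed sample document)")
	tampered := []byte("Q3 revenue forecast v8 (constructed sample document)")
	sig := SignApproval(approvalPriv, forecast)

	auditOK = VerifyApproval(issuerPub, tok, "forecast-approver", forecast, sig) == nil
	wrongRoleRejected = VerifyApproval(issuerPub, tok, "payroll-approver", forecast, sig) != nil
	tamperRejected = VerifyApproval(issuerPub, tok, "forecast-approver", tampered, sig) != nil
	unlocked, err = UnlockIdentity(escrowPriv, tok)
	return
}

func main() {
	auditOK, wrongRole, tamper, who, err := Demo()
	fmt.Println("audit passed:", auditOK, "| wrong role rejected:", wrongRole,
		"| tampered document rejected:", tamper, "| escrow unlock:", who, err)
}
```

Two design points matter in practice. The auditor verifies against a stable pseudonymous key, so approvals by the same person remain linkable to each other even though they are not linkable to a name; if that linkage is itself sensitive, the issuer must rotate approval keys per document or per period. And the escrow private key is the single point at which the privacy guarantee collapses, so it belongs under the same access control, logging and dual-control discipline the article recommends for the "hot button" document classes, with every unlock recorded as a discovery event rather than an administrative one.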

Summary

Conflicting forces are simultaneously putting pressure on the disclosure and confidentiality of information in this digital age. In the short term, significant cost and schedule problems can be avoided by recognizing the inherent conflict and working to mitigate it. In the longer term, look for continued evolution of authentication and data control technologies to address these concerns.
