When Information Governance and Data Privacy Collide

The so-called “Big Data” problem has caused many organizations to breathe new life into their record-retention programs. A whole new discipline ' information governance ' has emerged as a framework to govern the creation, use, retention and disposition of information, as well as the technical platforms on which the information resides. While storage may still be cheap, with the ever-increasing data volumes, even traditional infrastructure organization is being challenged. As a result, more multinational corporations are moving to the cloud as a cost-savings mechanism for everything from e-mail to database storage and document creation, such as Google Docs. In addition, while corporate IT may have been driven by a goal to decentralize over the past several years, the current trend toward centralization of company information to achieve cost savings carries the day today. This all sounds like a great first step in an organization's attempt to get its hand around its own Big Data issues. But what happens when what makes the most business sense might actually be putting the company at risk?

Global Consolidation

The ever-growing framework of privacy protection laws around the world directly impacts how a multinational corporation can store, move and handle the personal data of its employees and business partners. So while it may make perfect business sense to consolidate your global e-mail system in one region or country, say the United States, the movement and transfer of the personal data outside the home countries of your employees, even for valid business purposes, is not without risk. A multinational corporation can easily run afoul of the privacy laws in a myriad of countries in the name of cost savings.

For example, data stored in overseas data centers may no longer be outside the reach of U.S. law. Earlier this year, U.S. Magistrate Judge James C. Francis of the Southern District of New York ruled in In re Warrant to Search a Certain Email Account Controlled and Maintained by Microsoft, __ F. Supp. 2d. __ (S.D.N.Y. Apr. 25, 2014), that Microsoft must hand over a user's e-mails stored on a server in Dublin to federal prosecutors. Francis ruled that as long as a company remains in control of the data, access to data does not mean having the physical ability to walk into a data center to see the servers holding the data. Instead, access to data transcends borders, so if a company has the “practical ability” to collect the data, even if the server resides outside the United States, the data is not outside the reach of the United States. This decision is in direct conflict with the 1995 European Union Data Protection Directive.

The Directive regulates the processing of personal data, defines baseline requirements for companies possessing the personal data, and specifies what can or cannot be done with that data, including cross-border transfer. Assuming a valid business purpose or specific exception, data can be transferred only to countries that afford an adequate level of privacy protection, as in the home country. While the United States does have various legislation with some elements of privacy protection targeted toward specific industry sectors (i.e., the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), and the Children's Online Privacy Protection Act (COPPA)), the private sector, for the most part, implements its own privacy policies, and individuals self-regulate. Although offering some level of privacy protection, these measures have been deemed “not adequate protection” by the European Union and other countries. Fortunately, to navigate around this impediment, the U.S. Department of Commerce and the European Commission developed the safe-harbor framework, through which companies could demonstrate voluntary adherence to an adequate privacy-protection standard.

But wait, there's more. If navigating a region like the EU wasn't hard enough, regional protections like the Directive are merely a floor setting the minimum standard of protection. Member countries are free to enact and enforce more stringent protections or sanctions in each member country. Around the world, more than 70 countries currently have privacy laws in place that have differing requirements and penalties imposed for violations.

Why does it matter? Violations of the Directive and other privacy laws can carry severe penalties, both civil and criminal. Depending on the country, these sanctions may take the form of fines or imprisonment. For companies, officers and directors of a noncompliant company can also face personal criminal liability for failure to comply with the privacy laws, even if the violation was unintentional. For example, if the current draft European General Data Protection Regulation becomes effective in early 2016 as anticipated, it will provide for potential business fines of up to 2% of annual income. See, http://bit.ly/1s9hpRf.

Is Consolidation Off the Table?

So does this all mean multinational corporations are out of luck and cannot consolidate data for business efficiency? No. It does mean, however, that corporations must appropriately plan any consolidation strategy to take into account the privacy laws in affected jurisdictions. As a general rule, a company should consider the following when approaching a consolidation plan:

• Can the company credibly articulate the valid business purpose for the consolidation necessitating the transfer of personal data?
• Be mindful of certain overarching privacy principles.
• Notice: Will your plan inform individuals that their data is being collected and detail how the data will be used?
• Option: Will your plan provide individuals with the option to opt out of the collection or transfer of the data?
• Controlled transfer: Does your plan allow for transfer of data to third parties? If yes, do those third parties also follow adequate data-protection principles?
• Security: Does your IT infrastructure at the consolidated location have adequate safeguards against loss or breach of collected information?
• Access: Will your plan allow individuals to have access to the information held about them and allow them to correct or delete it if it is inaccurate?
• Enforcement: Are the data-protection requirements incorporated into the overall company compliance program such that the company has an effective means of enforcing these rules?

Conclusion

Some final points:

• If you are considering the United States for the consolidated infrastructure, consider seeking safe-harbor certification, use of model contract clauses or binding corporate rules, coupled with a comprehensive corporate training program.
• Don't forget to investigate the back-door access IT professionals often build in as an administrative safeguard when creating IT frameworks ' this can directly impact the kind of practical ability analysis that Francis looked to in the Microsoft case.
• Consider not just one consolidated infrastructure and examine if a regional approach could achieve the same level of efficiency and savings without bringing everything to one country.

Laura Kibbe is Of Counsel in Morgan, Lewis & Bockius' e-data practice, resident in the firm's New York office. Tara Lawler is a senior attorney in the firm's e-data practice, resident in its Philadelphia office. This article originally appeared in The Legal Intelligencer, the Philadelphia-based newspaper ALM sibling of e-Commerce Law & Strategy.

The so-called “Big Data” problem has caused many organizations to breathe new life into their record-retention programs. A whole new discipline ' information governance ' has emerged as a framework to govern the creation, use, retention and disposition of information, as well as the technical platforms on which the information resides. While storage may still be cheap, with the ever-increasing data volumes, even traditional infrastructure organization is being challenged. As a result, more multinational corporations are moving to the cloud as a cost-savings mechanism for everything from e-mail to database storage and document creation, such as Google Docs. In addition, while corporate IT may have been driven by a goal to decentralize over the past several years, the current trend toward centralization of company information to achieve cost savings carries the day today. This all sounds like a great first step in an organization's attempt to get its hand around its own Big Data issues. But what happens when what makes the most business sense might actually be putting the company at risk?

Global Consolidation

The ever-growing framework of privacy protection laws around the world directly impacts how a multinational corporation can store, move and handle the personal data of its employees and business partners. So while it may make perfect business sense to consolidate your global e-mail system in one region or country, say the United States, the movement and transfer of the personal data outside the home countries of your employees, even for valid business purposes, is not without risk. A multinational corporation can easily run afoul of the privacy laws in a myriad of countries in the name of cost savings.

For example, data stored in overseas data centers may no longer be outside the reach of U.S. law. Earlier this year, U.S. Magistrate Judge James C. Francis of the Southern District of New York ruled in In re Warrant to Search a Certain Email Account Controlled and Maintained by Microsoft, __ F. Supp. 2d. __ (S.D.N.Y. Apr. 25, 2014), that Microsoft must hand over a user's e-mails stored on a server in Dublin to federal prosecutors. Francis ruled that as long as a company remains in control of the data, access to data does not mean having the physical ability to walk into a data center to see the servers holding the data. Instead, access to data transcends borders, so if a company has the “practical ability” to collect the data, even if the server resides outside the United States, the data is not outside the reach of the United States. This decision is in direct conflict with the 1995 European Union Data Protection Directive.

The Directive regulates the processing of personal data, defines baseline requirements for companies possessing the personal data, and specifies what can or cannot be done with that data, including cross-border transfer. Assuming a valid business purpose or specific exception, data can be transferred only to countries that afford an adequate level of privacy protection, as in the home country. While the United States does have various legislation with some elements of privacy protection targeted toward specific industry sectors (i.e., the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), and the Children's Online Privacy Protection Act (COPPA)), the private sector, for the most part, implements its own privacy policies, and individuals self-regulate. Although offering some level of privacy protection, these measures have been deemed “not adequate protection” by the European Union and other countries. Fortunately, to navigate around this impediment, the U.S. Department of Commerce and the European Commission developed the safe-harbor framework, through which companies could demonstrate voluntary adherence to an adequate privacy-protection standard.

But wait, there's more. If navigating a region like the EU wasn't hard enough, regional protections like the Directive are merely a floor setting the minimum standard of protection. Member countries are free to enact and enforce more stringent protections or sanctions in each member country. Around the world, more than 70 countries currently have privacy laws in place that have differing requirements and penalties imposed for violations.

Why does it matter? Violations of the Directive and other privacy laws can carry severe penalties, both civil and criminal. Depending on the country, these sanctions may take the form of fines or imprisonment. For companies, officers and directors of a noncompliant company can also face personal criminal liability for failure to comply with the privacy laws, even if the violation was unintentional. For example, if the current draft European General Data Protection Regulation becomes effective in early 2016 as anticipated, it will provide for potential business fines of up to 2% of annual income. See, http://bit.ly/1s9hpRf.

Is Consolidation Off the Table?

So does this all mean multinational corporations are out of luck and cannot consolidate data for business efficiency? No. It does mean, however, that corporations must appropriately plan any consolidation strategy to take into account the privacy laws in affected jurisdictions. As a general rule, a company should consider the following when approaching a consolidation plan:

• Can the company credibly articulate the valid business purpose for the consolidation necessitating the transfer of personal data?
• Be mindful of certain overarching privacy principles.
• Notice: Will your plan inform individuals that their data is being collected and detail how the data will be used?
• Option: Will your plan provide individuals with the option to opt out of the collection or transfer of the data?
• Controlled transfer: Does your plan allow for transfer of data to third parties? If yes, do those third parties also follow adequate data-protection principles?
• Security: Does your IT infrastructure at the consolidated location have adequate safeguards against loss or breach of collected information?
• Access: Will your plan allow individuals to have access to the information held about them and allow them to correct or delete it if it is inaccurate?
• Enforcement: Are the data-protection requirements incorporated into the overall company compliance program such that the company has an effective means of enforcing these rules?

Conclusion

Some final points:

• If you are considering the United States for the consolidated infrastructure, consider seeking safe-harbor certification, use of model contract clauses or binding corporate rules, coupled with a comprehensive corporate training program.
• Don't forget to investigate the back-door access IT professionals often build in as an administrative safeguard when creating IT frameworks ' this can directly impact the kind of practical ability analysis that Francis looked to in the Microsoft case.
• Consider not just one consolidated infrastructure and examine if a regional approach could achieve the same level of efficiency and savings without bringing everything to one country.

Laura Kibbe is Of Counsel in Morgan, Lewis & Bockius' e-data practice, resident in the firm's New York office. Tara Lawler is a senior attorney in the firm's e-data practice, resident in its Philadelphia office. This article originally appeared in The Legal Intelligencer, the Philadelphia-based newspaper ALM sibling of e-Commerce Law & Strategy.