One Size Won’t Fit All: Multinational Corporations’ Compliance with Privacy Regulations (Part 3 of 3)

Part 3: Proposed Solutions

This is the third and final post in a three-part blog post examining privacy issues confronting multinational corporations in a global economy. The first post explored privacy generally by analyzing privacy as the concept is understood and applied in the European Union, in China, and in the United States. The second post assessed the experiences of Google and McDonald’s in adhering to privacy regulations while operating on a global level in attempting to comply with the three privacy regimes described in the first post.  This post will provide recommendations on privacy strategies companies can implement to mitigate some of the issues identified in the second post. These posts do not attempt to provide an exhaustive list of privacy issues multinational corporations encounter, but they are intended to show the importance of privacy concerns and to highlight the need to confront compliance issues in a proactive manner.


Introduction

“The establishment of good privacy and data security practices, backed by a commitment of resources, and assignment of responsibility for implementing such practices, may be some of the best insurance the company can buy.” Steven Bennet.[1]

[Image] The recent breach at Target shows how vulnerable large companies are to hackers (USA Today)

The recent high-profile privacy breaches at Target and at Neiman Marcus demonstrate the consequences of failing to take privacy issues seriously. Companies with a greater presence on the world stage expose themselves as even greater targets for privacy attacks. Similarly, companies operating in multiple jurisdictions have to comply with varied privacy regimes. The Google and McDonald’s examples from the second post in this series indicate how difficult it can be to adhere to multiple privacy demands. As these examples illustrate, privacy is a difficult, but essential, component of any company’s operations. This final post seeks to provide some proposals companies operating on a global level should consider when implementing or reviewing their privacy policies.

Proposals

Understanding

The most important thing for any multinational corporation to do is to have an understanding of privacy in every jurisdiction in which it operates. The thorough understanding of privacy laws I propose is multifaceted. It is, or should be, obvious that companies must adhere to privacy regulations that currently exist; to have a good compliance program, “one must first know the rules.” Whether it is the Sarbanes-Oxley (“SOX”) requirements McDonald’s was attempting to comply with or Google executives being found guilty for not adequately protecting an individual’s privacy rights, companies must have an understanding of the privacy laws that are presently in place in the jurisdictions in which they operate. Google’s timely action of removing the video helped to ensure its executives were ultimately relieved of liability. Similarly, McDonald’s France’s request for approval of its professional integrity plan came prior to implementation, which was prudent given the fact that the plan was found to be in violation of France’s privacy policies. The two cases illustrate the necessity of complying with laws and regulations that are currently in place.

In tandem with compliance with existing laws, companies also have to stay current on any new regulations or laws that come into force. This is likely axiomatic to most companies, but it is well worth consideration. A globalized economy requires that companies keep up to date with any new regulations in every country in which they operate. For instance, the SOX requirements of providing whistleblower hotlines and ensuring anonymity of whistleblowers definitively apply to American companies operating exclusively in the U.S. It is unclear, however, whether those same requirements apply to every country in which U.S. companies operate.[2] Because the SOX requirements might apply in every country in which they operate, companies have to be alert to any new amendments to the SOX requirements in the U.S. as well as any new developments in foreign jurisdictions, such as France, in which SOX compliance might violate privacy laws. What this means for multinational companies is that being up to date on the latest privacy regulations requires keeping abreast of privacy developments both domestically and abroad.

The greatest difficulties in keeping up to date with both domestic and foreign developments in privacy laws are undoubtedly the expertise required and the costs associated with maintaining that expertise. One way to offset these costs involves the third facet of a thorough understanding of privacy concerns: understanding the cultures in which privacy laws develop.

[Image] From the first post, Louis Brandeis was one of the first jurists to write about the concept of privacy in the law

Laws reflect society’s values.[3] Privacy laws have developed out of cultural norms that differ according to a wide variety of factors, including philosophy, religion, history, and culture. Thus, it comes as no surprise that no two privacy regimes are identical. In the U.S., the sectoral model of privacy laws traces its development to a strong mistrust of a strong central government. In the E.U., on the other hand, privacy is equated with personal dignity, and personal dignity is manifest when all Europeans are treated equally before the law. The concept of personal equality lends itself toward the omnibus regulations that exist in the E.U. and China. However, the omnibus regulations in China stem from its socialist development. Because of the different contexts from which modern privacy regimes arose, it is important to understand privacy regimes in their greater cultural context. Understanding the bigger picture of how particular privacy regimes evolved will allow for a degree of predictability in how the regimes will develop.

It is largely agreed that companies are best served by adopting a privacy policy in a prospective rather than a reactive manner. Yet, pursuing such a course is fraught with difficulty because of the changing nature of today’s marketplace. However, a thorough understanding of how a privacy regime has developed in the past will provide insight into how it will evolve in the future.

The Google case provides a perfect example of how understanding where privacy law developed from will help predict how it will evolve. Google may or may not have been aware that an Italian court would find that its activities in China exposed its executives to liability, but Google certainly knew that such a decision was not in keeping with E.U. privacy laws. Knowing that the E.U. privacy directive precluded content providers from liability unless the content provider controlled the information, Google was able to successfully argue that, despite its activities in China arguably to the contrary, it did not host the content. As a result of Google’s thorough understanding of where the E.U.’s privacy laws stem from, it was able to convincingly show that it was not liable.

A thorough understanding of privacy regimes takes three forms: knowledge of what the laws currently are, an up-to-date knowledge of laws as they develop, and comprehensive knowledge of how the laws advanced in the past to help predict how they will progress in the future. This understanding should form the bedrock of a company’s approach to privacy; without it, a company is missing vital pieces of the picture that could have severe implications.

Nuanced Policies

After a thorough understanding of the privacy regimes in which a company operates, the next logical step is to develop nuanced privacy policies. As both the Google and McDonald’s experiences highlight, a company cannot simply develop a one-size-fits-all mentality when it comes to privacy. Google’s censorship activities in China created complications for its operations in Italy. SOX compliance in the U.S. was potentially implicated by McDonald’s activities in France. These are but two examples of how privacy policies must be narrowly tailored to comply with each jurisdiction’s privacy laws. The privacy regimes in the world’s largest economies are simply too divergent to allow for a single prophylactic privacy compliance program.[4]

The simple solution to divergent privacy schemes is to create privacy policies specific to each jurisdiction, or a common approach to jurisdictions with similar privacy policies like the E.U., in which the company operates. This allows for adopting privacy policies that adhere to each jurisdiction’s unique privacy regulatory system, including the powers of each jurisdiction’s regulatory bodies.[5] Adopting a whistleblower hotline in France that meets that nation’s whistleblower directive permitted McDonald’s France to comply with French law while still following the SOX requirements in the U.S. Similarly, Google was able to filter the content accessible in China while still providing unfiltered material elsewhere.

Companies operating in multiple jurisdictions have to think domestically before they think globally. Each jurisdiction requires adherence to its privacy laws, and such adherence requires nuanced privacy policies that apply a thorough understanding of each jurisdiction’s privacy scheme. Companies likely view complying with every jurisdiction’s particular laws as natural as breathing, but compliance with each jurisdiction’s regulations is impossible if obedience to the laws of one nation creates violations in a second country. Both the McDonald’s and Google examples illustrate this point; it can be seemingly impossible to obey one nation’s laws if doing so violates another’s. The solution requires a global awareness in terms of thinking about privacy policies.

Global Awareness

Crafting nuanced privacy policies in each jurisdiction creates the potential for conflict with the regulations of a second state. To overcome this conflict, companies need to have an awareness of how privacy policies developed for compliance with U.S. or E.U. laws will be interpreted in China, or vice versa. Developing nuanced privacy policies while considering their global ramifications is a fine line to walk, to be sure, but it is essential in today’s globalized market.

[Image] European Justice Commissioner Viviane Reding – The E.U.’s stricter data protection laws require companies to pay greater attention to compliance

Each jurisdiction in which a multinational company operates will have different requirements for privacy. When Google altered its search algorithm in order to comply with China’s “Great Firewall,” it moved itself from the position of a passive purveyor of information to that of a content provider. This approach allowed Google access to China’s massive population of internet users, but it also exposed Google to liability in Italy. It is debatable whether Google could have prevented this occurrence; Google likely could not have perceived that an Italian court would deviate from the commonly understood interpretation of the E.U. Privacy Directive based on Google’s activities in China. The debate over the efficacy of potential preventative measures should not take away from the need for a global awareness of privacy regimes, however; only an awareness that its actions in China could have ramifications in other jurisdictions would allow Google to more ably predict the best policies to implement. Such an awareness of the risks involved in filtering the content available in China allowed Google to weigh the potential compliance issues against the potential benefits of access to the Chinese market.

McDonald’s France’s experience in attempting to comply with SOX regulations reinforces the need to have a global awareness of privacy regimes. Attempting to comply with U.S. whistleblower hotlines and protections by requiring every McDonald’s subsidiary to implement a one-size-fits-all global whistleblower hotline scheme would have resulted in privacy violations in France if it had been executed. Although McDonald’s would have been relieved of any SOX liability in the U.S., the potential damages in France could have been severe. Breaking consumer trust from privacy breaches or violations from mishandling personal information can cost millions and the loss of goodwill associated with such mishandling is “immeasurable.” This is especially true in places where data collection is carefully scrutinized and where regulators are willing to impose hefty fines for improper data collection practices.

Understanding the current privacy context in every jurisdiction is obviously necessary for every multinational company, but the benefits of such understanding are diminished unless companies think globally. As the Google and McDonald’s examples illustrate, actions in one country will have ramifications in others. As a result, multinational companies should implement nuanced privacy policies for each jurisdiction while simultaneously ensuring that the policies will not run afoul of competing privacy regulations. Balancing nuanced privacy strategies with global awareness of privacy regulations requires creativity and meticulousness. Such a juggling act nearly mandates that multinational companies retain one or more privacy experts.

Increased Reliance on Privacy Experts

Privacy has increasingly become a “C-Suite issue” for many companies, highlighting privacy’s role in the broader context of a company’s business strategy. The proposals outlined above—a thorough understanding of privacy regimes, nuanced privacy policies, and a global awareness of privacy policy implications—are meaningless if there is not some person or group of individuals responsible for overseeing a company’s privacy program. This is where the importance of privacy experts comes in.

For privacy and data protection professionals to obtain a certificate in privacy matters, the International Association of Privacy Professionals (“IAPP”) requires an understanding of the following topics: (1) the U.S. legal system: definitions, sources of law and the sectoral model for privacy enforcement; (2) U.S. federal laws for protection of personal data: FCRA and FACTA, HIPAA, GLBA, COPPA and DPPA; and (3) U.S. federal regulation of marketing practices: TSR, DNC, CAN-SPAM, TCPA and JFPA. And that list is only to become certified as an Information Privacy Professional for the U.S.; it does not entail certification as an expert on other privacy regimes. The IAPP certification process simply shows how much information there is to cover in each jurisdiction. If a company wishes to operate on the global stage and to implement a privacy policy that is thorough, nuanced, and globalized, it cannot afford not to hire privacy experts.

[Image] Privacy professionals meet for a summit in 2012 (U.S. Dept. of Commerce)

Privacy experts are critical to any global company. The Google and McDonald’s cases focus specifically on how important it is for companies to know not only what the laws are, but how those laws affect companies’ operations. A privacy expert blends knowledge of the legal aspects of privacy with the demands of the particular business. Further, privacy experts, working in conjunction with security experts, can help make or break a company’s reputation; the loss of goodwill resulting from security breaches or non-compliance with privacy regulations has the potential of creating “major backlash from customers.”

Privacy experts also provide a focal point of privacy responsibility. Complying with the numerous existing and evolving laws, not to mention any future compliance issues resulting from advances in technology or changes in the economy, is difficult. Ensuring compliance in a piecemeal fashion, with each department myopically focusing on its own compliance issues, is nearly impossible. A privacy expert allows for a single, comprehensive source for all of the privacy issues a company confronts. Further, a single repository for privacy issues allows that expert to assist the company in making the most economically desirable decisions. The decision to ask the French privacy agency’s permission before enacting whistleblower hotlines likely saved McDonald’s France from a disaster, and a privacy expert can help facilitate that discussion.

Conclusion

The proposals outlined in this blog post represent some common-sense steps multinational companies can take to maximize privacy compliance. The first step is to thoroughly understand what the laws are, to keep up to date with any new laws that might impact a company’s business, and to know the context from which privacy laws and regulations result. A thorough understanding of the laws then allows for the next step, which should be to create nuanced privacy policies tailored to each jurisdiction in which a company operates. The nuanced privacy policies companies implement cannot be viewed in isolation, but must instead be viewed holistically with a mind toward how they impact the privacy regimes in other jurisdictions. Such a global awareness will save the company time and, most importantly, will shield the company from liability. It is incumbent on privacy experts to guide companies through this process and to be the focal point of a company’s privacy strategy.

Rather than shying away from privacy in the hope that their privacy compliance procedures are adequate, companies should take a proactive role in embracing privacy. It is undoubtedly better to think in advance about how a company will ensure compliance with privacy regulations than to suffer the consequences of learning that its privacy policy is inadequate after the fact. And privacy cannot be ignored; the high-profile cases of McDonald’s and Google, not to mention other instances of privacy breaches, indicate how serious an issue privacy currently is as well as how critical it will be in the future. As one vice president of information protection and privacy stated, “[g]ood privacy is good business.” Bad privacy is, by implication, bad business.


Greg Henning is a 3L at the University of Denver Sturm College of Law and a General Editor for the View From Above.


[1] Partner of Jones Day’s New York office and professor of Privacy Law at Hunter College. 53 No. 1 Prac. Law. 17, 19.

[2] There has been an administrative law decision that found SOX to have no extraterritorial reach. See Villanueva v. Core Labs. NV, ARB No. 09-108, ARB’s Final Decision and Order (Dept. of Labor, Dec. 22, 2011), available at http://www.oalj.dol.gov/PUBLIC/ARB/DECISIONS/ARB_Decisions/SOX/09_108.SOXP.HTM. For an analysis of the implications of this decision, see Anthony J. Oncidi & Jeremy M. Mittman, New US Decision Limiting Extraterritorial Scope of ‘Whistleblowing’ Provides Welcome Clarification to US Multinationals, 22 No. 1 Emp. & Indus. Rel. L. 15 (2012).

[3] Francisco M. Ugarte, Reconstruction Redux: Rehnquist, Morrison, and the Civil Rights Cases, 41 Harv. C.R.-C.L. L. Rev. 481, 507 (2006).

[4] See Dennis D. Hirsch, In Search of the Holy Grail: Achieving Global Privacy Rules Through Sector-Based Codes of Conduct, 74 Ohio St. L.J. 1029, 1035 (2013) (“The important differences among national systems occur, not with respect to these broad principles, but in how countries interpret and apply them. Examples abound. Some nations define ‘personally identifiable information’ (PII) more broadly than others. Some exclude certain types of personal information, even if it falls within the definition of PII. Countries disagree on what constitutes adequate notice.”) (citations omitted).

[5] See Joel R. Reidenberg, Resolving Conflicting International Data Privacy Rules in Cyberspace, 52 Stan. L. Rev. 1315, 1334 (2000) (“Oversight of information privacy is also handled in many different ways. Data protection supervisory agencies are a common feature in democracies, but agency powers are often specific to each country. Some countries, for example, established regulatory enforcement agencies and licensing boards, while others adopted an ombudsman position.”) (citations omitted).
