For multinational organizations in an increasingly global economy, privacy law compliance can be bewildering these days. There is a tangle of international privacy laws of all shapes and sizes, with strict new laws popping up at a staggering speed. Federal US law continues to fade in its influence, with laws and regulators from abroad taking the lead role in guiding the practices of multinational organizations. These days, it is the new General Data Protection Regulation (GDPR) from the EU that has been the focus of privacy professionals’ days and nights . . . and even dreams.
As formidable as the GDPR is, only aiming to comply with the GDPR will be insufficient for a worldwide privacy compliance strategy. True, the GDPR is one of the strictest privacy laws in the world, but countries around the world have other very strict laws. The bottom line is that international privacy compliance is incredibly hard.
This is what Lothar Determann focuses on. For nearly 20 years, Determann has combined scholarship and legal practice. In addition to being a partner at Baker & McKenzie, Lothar has taught data privacy law at many schools including Freie Universität Berlin, UC Berkeley School of Law, Hastings College of the Law, Stanford Law School, and University of San Francisco School of Law. He has written more than 100 articles and 5 books, including a treatise about California Privacy Law.
Hot off the press is the new third edition of Lothar Determann’s terrific guide, Determann’s Field Guide to Data Privacy Law: International Corporate Compliance. Determann has produced an incredibly useful synthesis of privacy law from around the globe. Covering so many divergent international privacy laws could take thousands of pages, but Determann’s guide is remarkably concise and practical. With great command of the laws and decades of seasoned experience, Determann finds the common ground and the wisest approaches to compliance. This is definitely an essential reference for anyone who must navigate privacy challenges in the global economy.
DANIEL SOLOVE: What are the toughest challenges to international privacy compliance?
LOTHAR DETERMANN: Think 3D. The top 3 toughest challenges start with the letter “D”: data security, deletion and documentation.
Data Security: Data security requirements follow not only from data privacy laws, but also cybersecurity regulations, trade secret law, customer contracts and consumer protection statutes. Compliance is tough as threats increase from military, terrorists, criminals, pranksters as well as security researchers with white, black and grey hats.
Deletion: Companies could protect information better if they had less of it, and if they had more knowledge and control over what information they collect, retain and delete. But, record retention and information deletion programs are difficult to design and even harder to implement and enforce. Businesses, employees and consumers alike are amassing huge amounts of data with modern software and storage systems. Analytics and big data applications are increasing the value of data. At the same time, minimum record and data retention periods vary across statutes and jurisdictions. Deletion is tougher and more expensive than retention. Consequently, most businesses are not complying with the EU data protection law mandate to delete personal data when they no longer need it for legitimate purposes. And, they are increasing their exposure to data security and misuse risks.
Documentation: Keeping up with documentation requirements is also becoming more and more challenging, particularly for global businesses. Companies are required to issue and update privacy notices, consent forms, policies, protocols, records of processing activities, self-assessments, data processing agreements, government filings and numerous other types of documents – in response to statutes prescribing different details, formats and languages. Vendor agreements are a particular challenge – as they require not only preparation and updating from the company itself, but negotiations with independent third parties and various prescribed terms and clauses, including EU SCC 2010, HIPAA BAA, PCI Standards, etc. Within the United States, companies face different requirements in each state and on a federal level. In other countries, documentation requirements vary to an even greater extent. My Field Guide offers checklists and practical recommendations on how to tackle the documentation challenge – which tends to be more jurisdiction-specific than the data security challenge.
SOLOVE: If an organization is compliant with GDPR, will that largely make the organization compliant in all other jurisdictions? Are there some areas where the laws of the US, Canada, or countries in Latin America and Asia are stricter than the GDPR? Can you provide some notable examples?
DETERMANN: First of all – that’s a big “if.” Few organizations, if any, can ever be comfortable that they are fully compliant with GDPR due to the unrealistically expansive definitions of “personal data” and “processing.” Any Excel spreadsheet ever created in an organization technically requires capture in “records of processing activities” under Article 30 and separate justifications under Art. 6 of the GDPR. Any inadvertent deletion of any data relating to an identifiable individual arguably requires a breach notification to a data protection authority. Few organizations have enough resources to even fully understand – let alone comply with – all requirements in the extremely wordy and detailed statute (88 pages of highly complex and legalese small print in the Official Journal of the European Union).
Setting this aside, yes, many laws in other countries are more specific and stricter than the GDPR in particular areas. Colombia, for example, requires data subject consent for pretty much anything – alternative means of justifying data processing, such as legitimate interests or necessity under contract, are unavailable. California has enacted numerous laws requiring specific disclosures differently from the GDPR, for example, the California Online Privacy Protection Act requires that companies disclose how they respond to “do not track” signals. The California Confidentiality of Medical Information Act requires handwritten signatures on authorizations printed in 14 point font size (or larger). Under the California “Shine the Light Law,” companies have to add text links to their home pages labeled “Your California Privacy Rights.” Another example is the California Song-Beverly Credit Card Act of 1971 according to which merchants must not collect information from credit card holders except as necessary for the transaction, not even with consent. Also, on a U.S. federal level, the Fair Credit Reporting Act of 1970 imposes very specific notice and consent requirements on companies that create, contribute to and use consumer reports, including a duty to provide credit scores and adverse decision notices to consumers. The U.S. Video Privacy Protection Act requires companies to obtain consent to disclosures of video rental history either for every disclosure separately, or every two years for more general disclosures. My other book – California Privacy Law: Practical Guide and Commentary (2nd Ed. 2017) has numerous examples of specific requirements that companies have to address separately from GDPR requirements.
From a practical perspective, it is worth noting that these stricter requirements do not conflict with the GDPR. Companies can – and must – comply with the stricter requirement. When counseling clients on GDPR compliance, I point out these additional requirements and help companies take care of all requirements at the same time.
SOLOVE: What parts of GDPR are the most difficult to comply with?
DETERMANN: Paperwork. All companies struggle with the extreme documentation requirements following from Art. 5.2, 24, 30 and other articles. Companies will have to “demonstrate compliance” on requests from authorities.
Other requirements will hit some companies more than others. For example, companies that are headquartered or doing business outside the EU will find compliance with Art. 48 of the GDPR difficult: Companies are prohibited from complying with data access requests by “[a]ny judgment of a court or tribunal and any decision of an administrative authority of a third country” unless such requests comply with EU law. Companies that limit themselves to doing business within fortress Europe, on the other hand, will find this easy to comply with (and offer protection from international competition).
SOLOVE: After GDPR, to what extent will there be compliance challenges posed by individual EU countries?
DETERMANN: Within the GDPR framework, EU member states have reserved 50+ opportunities to further specify or exceed GDPR requirements in national legislation. For example, national requirements to appoint data protection officers will remain in force and the threshold age for parental consent will be different from country to country.
SOLOVE: What are some of the aspects of international privacy law that many people would find surprising?
DETERMANN: More and more countries are including requirements in data privacy laws that have nothing to do with privacy – or actually affect privacy adversely. Examples include the Russian, Chinese and Indonesian data residency laws which require companies to store data on local territory so local police and intelligence agencies have better access to personal data. The ‘data portability principle’ in Art. 20 of the GDPR seems intended to increase competition and redistribute benefits from investments in platforms.
SOLOVE: In the US, one can point to specific laws as being the most significant to look out for. These are laws such as HIPAA, FCRA, and others, as well as the laws of a few key states such as California and others. At the global level, can you list some of the most notable laws to look out for and explain what makes them so significant?
DETERMANN: Russia, Kazakhstan, China and Indonesia have enacted data residency laws that require multinationals to set up local databases and servers in these jurisdictions. Germany requires electronic communications metadata to be stored on German territory. Brazil has not yet enacted an EU-style data protection law, but stringent consumer protection laws and an Internet law that holds every company in a multinational group responsible for what any company in the group does – corporate shields are completely disregarded. Australia does not differentiate between data processors and data controllers. My California Privacy Law Guide and Commentary is full of other examples.
SOLOVE: With so many jurisdictions, so many laws, and so much change, how is it possible to comply with all these different privacy laws? Are there tips and techniques that you recommend for tackling compliance?
DETERMANN: Companies have to prioritize based on their resources, locations, business focus, customer expectations and risk profile. For many tech companies, privacy law compliance is as much a sales factor as a compliance topic. The first chapter of my Field Guide provides practical suggestions, checklists and considerations.
SOLOVE: Thanks, Lothar, for your terrific insights. The book is Determann’s Field Guide to Data Privacy Law. It is wonderfully concise and informative. Go get a copy!
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the International Privacy + Security Forum (Feb. 26-27, 2018 in Washington, DC), an annual event designed for seasoned professionals.