A Bird's Eye View Of International Consumer Data Protection Laws

Monday, May 1, 2006 - 00:00

Strengths And Weaknesses In Global Consumer Data Protection: Balancing Laws, Awareness And Enforcement

Approximately nine million American adults were identity-fraud victims last year. While the total number of victims has decreased over the last three years, losses per victim have increased to about $6,000. The average resolution time has also grown to about 40 hours.

High profile cases at companies like Ameritrade, Bank of America, Lexis Nexis and Ralph Lauren have justifiably spooked consumers and pressured law makers in the U.S. and around the world to enact privacy legislation which creates uniform rules for data processing.

Here's a bird's eye view of how three regions are attempting to address consumer protection and the relative strengths and weaknesses of their approaches.

Europe: The European Union was the first collective body to enact a uniform law focused on consumer data protection, enacting its Data Protection Directive in 1995 (which went into effect in October 1998). The Directive prohibited the transfer of personal data to non-EU nations that failed to meet the standards for privacy protection. Many have criticized the Directive as being a tough piece of legislation on paper that falls down in enforcement. Some have gone so far to say the Directive accomplished little more than frightening businesses, universities and other countries when it erected a steel door prohibiting data transfers to other countries that lack adequate levels of data protection. In essence, the EU made the statement "meet our standards or don't conduct business with our citizens."

As of the end of last year, only Argentina, Canada, Guernsey, Hungary, and Switzerland's data protection have been declared adequate by the EU. An adequacy declaration presumes that all transborder data flows between these countries and the EU are in compliance with the Directive. The United States was able to obtain a "safe harbor" exemption in 2000 that allows certifying businesses to come through the back door and participate in data transfers. The Safe Harbor provides a compliance framework and a means for U.S. companies to continue business dealings with the EU. Companies must certify to the U.S. Department of Commerce their compliance with the Safe Harbor provisions and adhere to requirements of notice, choice, onward transfer, access, security, data integrity, and enforcement, some of the same provisions found in the Directive. The decision by U.S. organizations to enter the Safe Harbor is entirely voluntary. Organizations that decide to participate in the Safe Harbor must comply with the Safe Harbor's requirements and publicly declare that they do so.

One problem with the Directive is that it is an extraordinarily broad piece of legislation which applies to all data and all organizations holding personal data. Among other provisions, strict requirements are established for notice to customers and the processing, collection, confidentiality, and possession of personal data. An individual's social security number, credit card information, or address and phone number can no longer be unnecessarily stored on a computer. Personal information may be kept only for specified purposes and must be disposed of after the specified purposes cease to exist. If a company breaches any provisions of the Directive it could find itself confronting the data subject face to face in court and paying compensatory damages.

While the Directive has been the framework for a number of countries, enforcement has been less than optimal. Compliance levels are low by data controllers due to the low risk of being caught, and the Directive fails to align with the real world methods of data processing. Also, consumers are not well informed regarding avenues for resolution. EU officials counsel patience and argue that the Directive is an ongoing process and the kinks will be worked out over time.

Latin America: There is both good and bad news coming out of Latin America. Argentina and Chile, for example, were among the first to enact extensive and uniform data privacy laws. However, in some countries that regulate personal data through constitutional provisions and numerous independent regulations, like Brazil and Mexico, legislative bodies proposed uniform data protection bills years ago that have yet to be enacted.

The seriousness with which many Latin American countries have addressed consumer privacy are additional signals of the maturity and emergence of these nations economically. Many of the provisions that are in place may actually exceed those of Europe and the U.S. For example, in Argentina, Brazil, Chile, Peru and Colombia, constitutional provisions declare the right to a judicial hearing on personal data and many of those same countries address the rights of individuals to access and correct information in the possession of any data controller. No such provisions are yet on the books in the U.S. or Europe.

Like the EU, however, Latin American nations have not performed well in effective compliance and enforcement. Sufficient resources for monitoring business compliance and breaches, prioritization of government and regulatory bodies to enforce laws and, again, to inform consumers of their rights are lacking.

U.S.A.: While the United States shares the goal of enhancing privacy protection for its citizens, it has lagged the EU in promulgating comprehensive legislation to address concerns over loss of privacy. Although the federal government has adopted some legislation, there is still an enormous reliance on self-regulation.

Motivation toward more aggressive self-regulation has recently received a boost thanks to the impact, if not the number, of high-profile enforcement cases in the United States by the Federal Communications Commission (FCC), Federal Trade Commission (FTC) and other regulatory bodies. These cases have given, at the very least, the appearance of a tough enforcement environment.

For example, when data company ChoicePoint disclosed last year that it accidentally sold sensitive personal information on 163,000 to scam artists, it ultimately and recently agreed to pay $15 million to settle FTC charges, the largest penalty ever assessed by the FTC. That was followed by FCC fines levied on AT&T and Alltel for failing to comply with consumer information protection rules. The attendant bad publicity about these companies also had an adverse impact with customers and this was not lost on other companies managing personal data.

However, the complexity of businesses that use data for marketing purposes, from phone companies to mortgage lenders to dating services, makes uniform law difficult and potentially ineffective. Lawmakers have had to take a more ad hoc approach to address specific problems.

For example, the United States Senate and House Judiciary Committees approved bills that would prohibit the unauthorized sale of call detail information and ban the pretexting of phone records (pretexting is the act of obtaining consumers' personal data under false pretenses).

The Law Enforcement and Phone Privacy Protection Act of 2006 and the Consumer Telephone Records Protection Act of 2006 received unanimous support in the committee and may be taken up soon by the full House and Senate. Several other bills protecting phone records are also under consideration.

In addition to efforts at the Federal government level, many states are enacting data privacy laws, and limiting access to social security numbers and other personal information in public records. Many states also require notification to consumers affected by inadvertent disclosures of personal information.

Most likely, resolution of data breaches, however, will come from an industry push as they react to consumer concerns and published surveys that indicate a significant majority of consumers would avoid doing business with companies that fail to properly safeguard their personal information. Businesses are also motivated to address these issues as they typically absorb 93 percent of the cost of all identity theft and fraud cases. For example, Bill Gates recently said that security will get most of Microsoft's development attention going forward. However, most of the products on the market are less promising regarding prevention and more focused on alerting consumers quickly if there is a potential problem and how to deal with theft after the fact.

It may be difficult to find a "one size fits all" solution. Telecommunications, retail, financial services, online marketing and other data-intensive businesses have such complexity and varying standards that enacting uniform data privacy laws in the U.S. does not appear practical.

The best tactic in protecting consumers and balancing laws, enforcement and awareness would appear to be informing citizens of their rights and creating uniform channels to respond to data and identity theft, ideally through state and other localized channels. Currently, residents of 12 states in the United States can freeze their credit lines making it impossible for anyone to apply for credit unless the consumer opts to unfreeze the file. Another good example of informing and mobilizing the public was the establishment of the "Do Not Call" list.

Law enforcement can't catch all the crooks. The courts can't provide a remedy for everyone whose information has been breached. And the legal code is not likely to keep up with changing technology on both the prevention side and the tactics scammers. The best and most efficient remedy is to effectively "deputize" the public and provide them with the understanding and tools to protect themselves.

Luis A. Aguilar is a Partner in the Atlanta office of McKenna Long & Aldridge LLP. His broad-based practice concerns general corporate and business law. He can be reached at (404) 527-8470. Leah D. Jackson is an Associate in the firm's Atlanta office. Her practice is focused on IP and technology. She can be reached at (404) 527-4957.

Please email the authors at laguilar@mckennalong.com or ljackson@mckennalong.com with questions about this article.