Multinational companies based in the United States may be subject both to the data privacy laws of the United States as well as those of other countries in which they operate. Complying with these laws may pose difficult challenges for companies, because of fundamental differences in international approaches to data privacy. As the U.S. Department of Commerce has explained: "While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the European Union. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. The European Union, however, relies on comprehensive legislation that, for example, requires creation of government data protection agencies, registration of data bases with those agencies, and in some instances prior approval before personal data processing may begin." The ease with which companies, operating in the modern information economy, can collect, store, and move personal data via electronic communication makes it increasingly likely that such companies may subject themselves to, and possibly violate, the data privacy laws of one country or another.
The European Union Approach
Companies operating in the EU must abide by both the laws of individual EU member countries, as well as the EU Data Protection Directive (the "Directive").1 The Directive, which took effect in 1998, required each member of the EU to pass data protection laws that comply with the Directive's minimum standards. These standards require, among other things, that companies give consumers access to correct their data, that they use personal data only for the purpose for which it was obtained, and that they not transfer personal data to countries that lack adequate data protection laws. If a company violates these data privacy laws, the Directive allows EU member governments to seek civil fines, injunctions, and even criminal sanctions. In addition, the Directive allows an individual whose data was mishandled to seek compensation.
The United States Approach
Although the United States does not have an EU-style comprehensive data protection law, there are numerous U.S. laws that protect personal data, such as the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and HIPAA. At the same time, however, U.S. regulatory agencies, pursuant to measures such as the Sarbanes-Oxley law, have pushed companies to disclose information and maintain transparent business practices, both of which may involve personal data information. The various requirements of these measures could make it difficult for companies to ensure compliance with both U.S. and European law.
Examples Of Conflict
Potential conflicts in U.S. and European privacy policies readily appear. Parts of the Sarbanes-Oxley law and regulations it inspires, for example, may conflict with both the requirements of the EU Directive and the law of individual nations. Sarbanes-Oxley, for example, requires public companies to establish a method for employees to report anonymously on possible financial improprieties and to develop a company code of ethical conduct. International application of the resulting policies has created conflicts with the law of various EU nations. Recent decisions in France invalidated anonymous reporting hotlines as overbroad and violative of French principles of individual privacy, human rights and human dignity. In Germany, a Labor Court invalidated Wal-Mart's ethics code, which required employees to report possible violations of the code to the company, and allowed employees to do so anonymously. The court found that many of the ethics code's requirements, such as the implementation of a telephone hotline, required the approval of the Works Council, and suggested that some provisions might violate German law regardless of the Works Council's agreement.
These decisions did not directly address the substantial conflicts that may exist between whistleblower policies and the EU Privacy Directive. Under the Directive, individuals have rights to know what personal data is collected about them. Such notification is not prohibited by the Sarbanes-Oxley law, but it is possible that such notification to individuals (potentially wrong-doers) could impede an investigation by increasing the opportunity for cover-up.
Anonymous ethics hotlines raise another problem, because many of them automatically relay information to headquarters in the United States. Sending personal data information (such as someone's name and details on their alleged activities) to the U.S. may violate the Directive. The Directive prohibits sending personal data information to any country that does not have adequate data protection laws. The U.S., which lacks comprehensive privacy protection, may be considered such a country. Unless U.S. companies adhere to the U.S. Department of Commerce's Safe Harbor Privacy Principles,2 their ethics hotlines may violate the EU Directive.
Another area where compliance with U.S. law may create conflicts with EU law is in outsourcing. The Federal Trade Commission, under the Gramm-Leach-Bliley Act's Safeguards Rule,3 requires financial institutions, broadly defined, to implement programs that will minimize risks associated with storage and use of non-public personal data. The requirements of the FTC Safeguards Rule include an obligation to oversee the security practices of service providers, including offshore providers. While these requirements raise the level of data protection obligations for U.S. companies, the requirements do not necessarily ensure compliance with the EU Directive. Thus, although a U.S. company that institutes procedures to comply with the Safeguards Rule could send personal information from the U.S. to a service provider in India, for example, without violating U.S. laws, it is not clear that the company could send personal information from the EU to the same Indian service provider without violating EU laws.
Finally, efforts to investigate terrorist activities also may affect a company's treatment of personal data. The European Court of Justice invalidated an agreement through which the European Commission would allow commercial airlines to provide passenger information to the U.S. Customs Service. The decision rested on a finding that the EC lacked a proper legal basis for the agreement.
Significantly, the decision of the European Court of Justice does not mean that airlines must withhold all passenger information. The court found that passenger information, although collected as part of a commercial enterprise, is exempt from the Directive because of its use in national defense.
Options For Multinational Companies
These conflicts and competing obligations in data privacy and disclosure laws raise challenges for companies that must comply with the requirements of several jurisdictions. Courts and counsel also struggle to reconcile such conflicts.
For example, how should U.S. courts treat a suit (or SEC action) alleging that a U.S. company has failed to live up to its Sarbanes-Oxley requirements, where the company has not applied the law to its foreign operations for fear of violating European laws? The answer may depend greatly on the amount of weight that courts give to the concept of "comity." The Supreme Court has defined comity as "the recognition which one nation allows . . . to the legislative, executive or judicial acts of another nation, having due regard both to international duty and convenience, and to the rights of its own citizens or of other persons who are under the protection of its laws."4 While this concept of mutual respect for law may be somewhat elusive and difficult to apply, some U.S. courts have suggested that comity has become an increasingly important concern as nations become more economically interdependent.
How should companies respond to this uncertainty? There is no panacea. Companies must adopt a case-by-case approach, to fashion policies affecting the personal data of employees and customers in a way most likely to produce acceptance in multiple jurisdictions.
One option is that companies could comply with the U.S. Department of Commerce's Safe Harbor Privacy Principles. Doing so should provide companies with a presumption of "adequacy" of privacy protection. This presumption should allow them to transfer data from their EU offices to their U.S. offices without violating the EU Directive. This solution, however, may not ensure compliance with the data privacy laws of all individual European nations, which may be stricter than those set as a baseline by the EU Directive.
Another option is for companies to balance their differing obligations, steering a middle path, so to speak. For example, numerous commentators have suggested that companies can comply with their Sarbanes-Oxley obligations while minimizing the risk of violating European laws by, among other things: (1) limiting the reporting requirement to only those employees required to report by Sarbanes-Oxley, including senior financial officers (§ 406) and attorneys (§ 307); (2) limiting the reporting requirement to subjects such as fraud and financial wrongdoing; and (3) promptly notifying any accused employee of the details of any ethics complaint.
Finally, some companies may choose to create separate legal entities, which may follow separate disclosure and privacy policies. By doing so, a U.S. company might be able to isolate its foreign offices from some U.S. requirements and decrease the likelihood of violating European data privacy laws.
In Carnero v. Boston Scientific Corp.,5 the First Circuit dismissed an action brought by an employee of a foreign subsidiary of a publicly-traded U.S. company. The plaintiff claimed that the company had violated the Sarbanes-Oxley whistleblower protection provision (§ 806) when it discharged him for disclosing his employer's allegedly fraudulent accounting practices. The court held that the protections of § 806 did not apply to the plaintiff because (among other things) he was employed by a foreign subsidiary.
Along these lines, some commentators have suggested that U.S. courts should not apply Sarbanes-Oxley § 301 (anonymous reporting hotlines) extraterritorially. Such rulings suggest that companies might limit conflicting obligations by creating separate foreign subsidiaries and affiliates, with separate functions and separate privacy obligations.
1 Council Directive 95/46, 1995 O.J. (L 281) 31 (EC).
2 See www.export.gov/safeharbor ("Safe Harbor List").
3 See 16 C.F.R. § 314 (2002), available at www.ftc.gov/privacy/privacyinitiatives/safeguards.
4 Hilton v. Guyot, 159 U.S. 113, 164 (1895).
5 433 F.3d 1 (1st Cir. 2006).
Steven C. Bennett is a Partner at Jones Day in New York City, and teaches Privacy Law at Hunter College. The views expressed, however, are solely those of the author, and should not be attributed to the author's firm or its clients. He has participated in the Sedona Conference Working Group on International Disclosure and Privacy Obligations, which is engaged in study of some of the issues set out in this article.