Structure of Foreign Data Privacy Laws and Regulations
So we’ve talked about the US, but what about privacy obligations in the rest of the world? Remember, data isn’t static. You will need to think about the country in which the PII is collected, how it moves from country to country (foreign office, outsourcing), and what your obligations may be in each country in which you hold PII.

Unfortunately, as in the US, there is no uniform mechanism to regulate the collection, dissemination and use of private information outside of the US. Each country has its own set of privacy laws and regulations. In addition, the European Union is set up much like the US Federal/State system. Members of the EU have a uniform set of laws, but these laws are implemented separately by each EU member. And just to make things more complicated, if you decide to move data from the EU to another country, that movement out of the EU is governed by EU privacy regulations.

What if you collect PII in the US and use a foreign company to process that data? Well, be prepared to understand how the US Federal and State laws and regulations apply to the data collected in the US, how the foreign laws and regulations apply to the data resident in the foreign country, and whether there are restrictions on moving the data out of that foreign country and back to the US. Be ready to call for “Help” http://www.youtube.com/watch?v=0ApstMKNEMI.

OK, I just couldn’t resist, but the truth is that the use of PII has become a minefield, and it’s hard to find a business which doesn’t have privacy obligations. There are headlines every day around the world, and enforcement actions are becoming more prevalent, so sticking your head in the sand is not the answer.

Next installment: Wrapping it all Up. And remember, ALWAYS CONSULT AN ATTORNEY FIRST.