Data Transfer & Privacy

I. INTRODUCTION
As multinational companies continue to grow and dominate the world's economy, their human resource departments have undergone substantial changes in their attempt to perform their role as the employment controller within their respective company. They have not only utilized modern technology to collect and process employee data, but they have also centralized this data in internal databases. However, various international jurisdictions have enacted complex data privacy and transborder protection laws for their citizens that limit, and in some circumstances prohibit, human resource departments' current employee data collection and processing practices. As a result, many human resource departments of multinational companies are unaware of, or do not comprehend, the complex procedures that they must adhere to in order to transfer employee personnel files within their company.

This Comment argues that strict formalities in global data protection laws must be adhered to in order to transfer personal data within a multinational company. Part II of this Comment explains the evolution of data protection laws that specifically address data transfer. In this regard, Part II also explains the role of human resource departments within a multinational company and the various issues that they must address when collecting and disseminating personal data. Part III of this Comment analyzes various data protection laws and their applicability to three possible scenarios that may arise within a human resource department of a multinational company. Parts IV-VII of the Comment analyze the data protection laws of the Commonwealth of Australia, the Federal Republic of Brazil, European Union Member State countries and Hong Kong as they apply to these three hypothetical scenarios. Part VIII of this Comment concludes that a multinational company may face both civil and criminal penalties if it fails to implement a data transfer policy that complies with the data privacy and transborder protection laws of the various jurisdictions.
II. BACKGROUND

A. HISTORY OF DATA PRIVACY
Over the past thirty years, developments in information technology have jeopardized individuals' fundamental right to privacy. Particularly with the advent of computers and networks, data controllers[1] were able "to collect, store, use and disseminate personal data outside of an individual's control."[2] As a result of this modern technology, the transfer of personal data by data controllers accelerated, while individuals' right to privacy was drastically jeopardized.[3] Consequently, countries began to implement their own national laws on the transfer of personal data.[4]

[1] Under the E.U. Data Privacy Directive, "data controllers" are legal entities, e.g., employers, that "alone or jointly with others determin[e] the purposes and means of the processing of personal data." Council Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) (1995) [hereinafter "E.U. Data Privacy Directive"], art. 2.
[2] Electronic Privacy Information Center & Privacy International, Privacy & Human Rights 1999 – An International Survey of Privacy Laws and Developments, PRIVACY INTERNATIONAL <http://www.privacyinternational.org/survey/Overview.html#Heading6> (visited Mar. 19, 2000) [hereinafter "EPIC Survey"].
[3] Id.
[4] Id.
The first country to enact a comprehensive data protection law was the German State of Hesse in 1970.[5] In that same decade, the remaining German states, i.e., Austria, Denmark, France, Luxembourg, Norway and Sweden, as well as the United States, soon followed the German State of Hesse's lead and enacted their own national laws addressing data privacy.[6]

Consequently, many countries thereafter adopted omnibus data privacy laws based upon individuals' fundamental right to privacy.[7] Many of these national laws prohibit data controllers from transferring personal data to countries without equivalent data protection laws.[8] As each country adopted its own data protection measures, disparities arose between these national laws that created potential obstacles to the free flow of information, because data controllers were prohibited from transferring personal data to countries that did not provide sufficient protection.[9]

As a result of the disparity in the emerging levels of data protection in various international jurisdictions, initiatives began to take place at a global level. For example, European countries became concerned about the level of protection of their citizens' personal data when this data was transferred to other countries with less stringent controls. Consequently, in 1980, the Organization for Economic Cooperation and Development ("OECD"), which includes the United States, issued a set of non-binding guidelines stating the privacy norms recognized by the participating states.[10] These guidelines called for individual countries to implement legislation protecting data privacy so that personal data could be shared more easily across borders by eliminating disparity in the levels of data protection in various jurisdictions. In meeting this goal, the OECD guidelines endorsed a free transborder flow of data between countries that protect data privacy, while calling for restrictions on such exchanges if the receiving country did not have "equivalent protection." Although the guidelines have no legal force, they served as a valuable model for the Council of Europe, which drafted its own convention a year later.[11] Currently, the 1981 Council of Europe Convention on Data Protection has been ratified by 20 European Union Member State countries.[12] Like the OECD guidelines, it requires participating states to implement domestic legislation, and to block transmission of personal data to other countries that do not offer "equivalent protection." Both the OECD Guidelines and the Convention, however, allow for great variance in the level of protection that is actually offered. Thus, there was little consistency throughout Europe with regard to personal data legislation, both in substance and in application. This disharmony led the European Commission (i.e., the administrative body of the European Union) to overcome these obstacles by drafting a uniform set of principles on which European Union Member State countries could base their respective national laws.[13]

Specifically, the European Commission's Council of the European Union ("E.C.") and the European Parliament adopted the Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data ("E.U. Directive") in order to harmonize the national data protection laws of European Union Member State countries.[14] The drafters recognized that if the Directive harmonized the Member States' laws, then Member State countries could transfer data to other European Union Member State countries while still safeguarding the fundamental rights and freedoms of their citizens.[15] If data controllers in a European Union Member State country transferred data to a third country that failed to protect personal data, however, then the European Union Member State country's protection of personal data would be effectively lost once the European Union Member State country transferred the data to the third country.[16] Consequently, the E.U. Directive includes provisions on preventing data from being sent to countries without sufficient data protection.[17]

[5] Id.
[6] Id.
[7] See Patrick J. Murray, The Adequacy Standard Under Directive 95/46/EC: Does U.S. Data Protection Meet This Standard?, 21 FORDHAM INT'L L.J. 932, 933-35 (Mar. 1998).
[8] Id.
[9] Id.
[10] Organization for Economic Cooperation and Development, Recommendation of the Council Governing the Protection of Privacy and Transborder Flows of Personal Data, O.E.C.D. DOC. C (80) 58 (1980).
[11] Council of Europe, Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, ETS No. 108 (1981).
[12] States that have ratified the Convention are: Austria, Belgium, Denmark, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Luxembourg, Netherlands, Norway, Portugal, Slovenia, Spain, Sweden, Switzerland, United Kingdom. Additionally, Cyprus, Moldova, Poland, Romania, and Turkey have signed but not yet ratified the Convention.
[13] Murray, supra note 7, at 935-38.
[14] Id.
[15] Id.
[16] Id.
[17] Id.
Thereafter, other countries outside of the European community, including the Commonwealth of Australia, the Federal Republic of Brazil, Hong Kong and the United States, also enacted legislation to allow the free flow of information while still protecting personal data. The level of data protection in each jurisdiction varies to some degree, but most jurisdictions that have data privacy laws require personal data to be:
(1) obtained fairly and lawfully;
(2) used only for the original specified purpose;
(3) adequate, relevant and not excessive to accomplish a specified purpose;
(4) accurate and up to date;
(5) kept secure; and
(6) destroyed after its purpose is completed.[18]
These fundamental principles must be adhered to not only by governments, but also by the private sector, e.g., human resource departments within a multinational company.

B. HISTORY OF HUMAN RESOURCE DEPARTMENTS

The human resource departments of multinational companies handle voluminous amounts of data about their employees each day.[19] The increase in technology has allowed these companies to transfer this data across national borders with minimum time and effort. However, due to the recent emergence of data protection laws in various countries around the world, these multinational companies are now forced to address the various data protection principles contained within these national laws.[20]

Data protection laws hamper a multinational company's ability to process employee data, because many multinational companies centralize their human resource data.[21] These laws affect the routine data flows of a multinational company, such as the distribution of a phone list, as well as the transfer of sensitive data to its centralized human resource database.[22] Therefore, a company must provide its employees with various data protection safeguards before transferring data to its centralized human resource database in another country without similar data protection laws.

A multinational company must first provide its employees with a private right to sue for any violations of privacy or errors in their personal data.[23] Additionally, the company must delete all employee data that is no longer needed for the purpose for which it was collected,[24] and only collect data that is necessary for employment purposes.[25] Human resource departments must also inform employees what data they are collecting,[26] obtain consent from employees before collecting this data,[27] and allow the employees access to their data in order to maintain its accuracy.[28] Finally, if the multinational company centralizes this data, it must enter into legally binding contracts with the individuals responsible for maintaining this centralized database within its company in order to ensure compliance with the data protection principles in the respective countries.[29] If a multinational company fails to provide any of the above-mentioned protections to its employees and their data, it must rectify this problem before transferring data from jurisdictions that have enacted data protection laws.

III. ANALYSIS

My understanding of the rule that has emerged from prior decisions is that there is a twofold requirement, first that a person has exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as "reasonable."
John M. Harlan (1899-1971), Katz v. United States, 389 U.S. 347, 361 (1967) (concurring)

A. DATA PRIVACY PROTECTION IN THE UNITED STATES

The United States ("U.S.") has traditionally favored a self-regulatory approach with limited government intervention for data privacy protection.[30] Moreover, with the emergence of the Internet as a powerful business tool, the Clinton administration continued to endorse self-regulation, stating that the privacy rights of individuals must be balanced with the free flow of data.[31] Some domestic legislation exists, but it is industry specific and limited in scope, so that it does not cover the vast majority of existing personal data. Although numerous pieces of legislation involving data privacy are currently under consideration in Congress, they continue to be limited to particular industries.[32]

To understand the U.S.'s strong endorsement of self-regulation for data privacy protection, an overview of the development of privacy law in the U.S. will help explain the current domestic approach of self-regulation.

1. Public Sector

The United States Supreme Court has recognized a Constitutional right to privacy.[33] This right, however, applies only to the protection of privacy from governmental interference, and does not extend to the private sphere. Likewise, nine states specifically protect the right to privacy in their constitutions.[34] Of these, only California, through its courts, has expanded this constitutional protection to the private sector. A number of congressional enactments likewise limit the government's intrusion into the personal affairs of U.S. citizens. For example, the Privacy Act of 1974 regulates how the federal government collects and uses personal data in its databanks.[35] Under the Privacy Act of 1974, individuals about whom data is compiled ("data subjects") have the right to access their personal data maintained by the government, and to request that any inaccurate data be corrected.[36] The Computer Matching Act of 1988, which established procedures for government agencies that compare automated personal data, subsequently amended this act.[37] Additionally, the Right to Financial Privacy Act of 1978 controls the circumstances under which the federal government may access an individual's financial data.[38] These regulations, along with several others, control the government's collection, use and disclosure of personal data.[39] However, these regulations do not cover the vast majority of transborder data flows.

2. Private Sector

As in the public realm, there is no single source of privacy law that governs the private sector. Since the 1970s, a patchwork of federal legislation has been enacted to deal with industry-specific privacy issues. The first formal privacy regulation in this area was the Fair Credit Reporting Act of 1970 ("FCRA"), which controls the use of personal data in consumer reports by credit reporting agencies. Although extensive, the FCRA only covers the disclosure of personal data by narrowly defined "credit reporting agencies" and does not regulate the use of data for purposes such as direct marketing. The FCRA does, however, protect employees' personal data when an employer decides not to hire an individual based upon a requested credit report.[40] The FCRA requires that the employer notify the individual of the report that it received and the name of the credit reporting agency, and, if the employee requests, the agency must reveal the content of the report.[41] Another protection related to the banking and finance industry requires notice to the data subject when account data will be regularly disclosed to third parties.[42] In the 1980s, both the Cable Act[43] and the Video Act[44] augmented the specific rights of data subjects. These acts require data controllers to inform data subjects when their data is being collected, and require consent before certain data can be released to third parties. Mailing lists, however, may be shared for purposes of direct marketing unless the subject "opts out." Both acts leave ample room for entities that collect and use data to maneuver, even when consent is not required, if disclosure is for a "legitimate business activity." The use of personal data is further monitored under the Telephone Consumer Protection Act of 1991, which gives the Federal Communications Commission authority to regulate telephone solicitations.[45]

Recent trends have likewise moved towards greater personal data privacy protection in the employment context. This arena presents a unique tension between the employer's interest in efficient business practices and the employee's right to individual privacy. Prior to Congressional intervention, employees generally sought protection of their privacy interests through common law tort claims such as intrusion upon seclusion and intentional infliction of emotional distress. While these are still viable claims, federal statutory enactments addressing electronic communications have had specific relevance and applicability to the private employment sector. The Electronic Communication Privacy Act of 1986 ("ECPA") makes it illegal to intentionally intercept, use or disclose any oral, wire or electronic communications without the prior consent of the employee.[46] There are important exceptions allowing employer interception in the "ordinary course of business." Similarly, the Stored Communications Act governs the intentional access of electronic communication service facilities.[47] Again, significant exceptions, such as authorization by the service provider or the service user, give considerable flexibility to the employer.

Throughout the years, these federal legislative initiatives have been complemented by industry self-regulation. Individual companies and associations have developed, adopted and publicly disclosed their privacy policies relating to personal data of both their employees and their customers. The industry-specific approach of federal law mixed with private self-regulation that has emerged in the U.S. is quite different from that taken by Europe, as well as the Commonwealth of Australia, the Federal Republic of Brazil and Hong Kong.[48]

B. HYPOTHETICAL SCENARIOS

In order to analyze transborder data laws in various jurisdictions as they apply to human resource departments within multinational companies, this Comment presents and answers three common hypothetical scenarios as they apply to transborder laws in the Commonwealth of Australia, the Federal Republic of Brazil, the European Union, Hong Kong and the U.S.

Privacy Haven, Inc. ("Privacy Haven") intends to collect personal data from its employees in the above-mentioned jurisdictions and transmit this data to a centralized human resource database located in the U.S. The employee data would only be accessed and reviewed by senior management at Privacy Haven. Based on this hypothetical situation, how do the various data protection laws apply to the following situations:
1. Employee File Transfer
2. Transfer of Data on a Laptop Computer
3. The Merger of Privacy Haven with Another Company

IV. COMMONWEALTH OF AUSTRALIA

A. THE RIGHT TO PRIVACY UNDER AUSTRALIAN LAW

Neither the Australian Constitution nor the Constitutions of the six states contained within Australia provides its residents with an explicit guarantee of privacy.[49] However, the Australian federal government has passed legislation regulating the data privacy and data processing of an individual's personal data.[50] The Privacy Act 1988 was passed in response to protests in the mid-1980s against the Australian Card Scheme[51] and is the principal piece of legislation governing the privacy of personal data in the public sector of Australia.[52] The Act created eleven Information Privacy Principles ("IPPs"), which are based on the Guidelines adopted by the OECD[53] for the Protection of Privacy and Transborder Flows of Personal Data,[54] and established the Office of the Privacy Commissioner.[55] Although the Act and the IPPs contained within the Act do not govern the use of personal data by the private sector, with the exception of Tax File Numbers ("TFNs") and credit reporting agencies,[56] the IPPs govern all processing of personal data by public entities.[57] These IPPs establish standards for the collection, use, disclosure, and security of personal data, and allow for the access to and correction of this data by the individuals to whom it pertains.[58] In addition to the Privacy Act, Australia has enacted the Telecommunications Act 1997,[59] and the Privacy Commissioner has issued Tax File Number Guidelines ("Guidelines") to regulate the privacy concerns in these specific areas.[60]

The possession and use of TFNs[61] are widespread throughout the private sector because the failure to provide employers with TFNs results in tax being deducted at the highest tax rate.[62] Therefore, the Privacy Commissioner has issued Tax File Number Guidelines pursuant to Section 17 of the Privacy Act.[63] These legally binding Guidelines are provided to restrict the use of TFNs and protect the personal privacy of individuals. They prohibit the use or disclosure of TFNs to establish or confirm the identity of an individual, to obtain data about the individual for any purpose, or to directly or indirectly match personal data about an individual.[64] Additionally, recipients of TFNs are required to prohibit the unauthorized access to these numbers, and provide adequate safeguards to prevent the loss, misuse, modification, and disclosure of this information.[65] Any person who feels that a person or entity has violated any of these Guidelines relating to his or her personal TFN may file a complaint with the Privacy Commissioner.[66]

The Telecommunications Act provides specific rules governing the use and disclosure of personal data stored by carriers, carriage service providers and other database operators in Australia.[67] Additionally, the Telecommunications Act allows industries to develop codes relating to various consumer protection and privacy issues, which are registerable with the Australian Communications Authority ("ACA").[68] Although these codes lack legislative force, failure to observe the standards contained in these codes may result in the ACA issuing a legally binding standard.

As mentioned earlier, there is currently no legislation that governs the use of personal data in the private sector of Australia, with the exception of portions of the Privacy Act that relate to credit reporting agencies[69] and TFNs.[70] However, the Australian government has recently introduced the Privacy (Private Sector) Bill 1999 ("PPSB"), which will amend the Privacy Act.[71] This bill is based on the National Principles for the Fair Handling of Personal Information issued by the Privacy Commissioner in February of 1998, and later revised in January of 1999.[72] Many have referred to the bill as a "light touch legislative regime," which is based on industry codes.[73] This legislation will apply across the private sector to organizations,[74] as well as individuals, such as sole traders or consultants.[75] However, the legislation does not apply to personal data collected and used in a domestic capacity, employee records, or personal data collected, used and disclosed by the media for the purpose of informing the public.[76] Therefore, this legislation may not apply to the transfer of employee records in the hypothetical scenarios introduced in this Comment.

[18] EPIC Survey, supra note 2, at <http://www.privacyinternational.org/survey/Overview.html#Heading6>.
[19] This information may include: performance evaluations; personnel files; attendance records; employee benefit data including health and life insurance; pension data; stock option records and other benefit accounts; and records that disclose employees' salary, ethnicity, sexual data, and trade union membership. Angela R. Broughton et al., International Employment, 33 INT'L LAW. 291, 293 (1999).
[20] See generally E.U. Data Privacy Directive, supra note 1; Hong Kong Personal Data (Privacy) Ordinance, available in <http://www.pco.org.hk> [hereinafter "Hong Kong Ordinance"].
[21] Broughton, supra note 19, at 293.
[22] Id.
[23] Id. at 295-296.
[24] Id. at 296.
[25] Id.
[26] Id.
[27] Id.
[28] Id.
[29] Id.
[30] The FTC recently issued a report to Congress endorsing self-regulation and concluding that legislation is "not appropriate at this time." FEDERAL TRADE COMMISSION, SELF-REGULATION AND PRIVACY ONLINE: A REPORT TO CONGRESS (July 1999).
[31] A Framework for Global Electronic Commerce (July 1, 1997) <http://www.ecommerce.gov/framewrk.htm>.
[32] Traditionally, comprehensive, nationwide data privacy legislation initiatives have always failed. Currently, the following bills that touch on data privacy issues have been introduced: The Consumer Internet Privacy Protection Act of 1999, H.R. 313, 106th Cong. (1999); The Internet Growth and Development Act of 1999, H.R. 1685, 106th Cong. (1999); The Wireless Privacy Enhancement Act of 1999, H.R. 514, 106th Cong. (1999); and The Financial Information Privacy Act of 1999, S. 187, 106th Cong. (1999).
[33] See Griswold v. Connecticut, 381 U.S. 479, 484 (1965) (Justice Douglas wrote that although the right to privacy is not specifically mandated by the Constitution, the Third, Fourth, Fifth and Ninth Amendments create a "constitutional zone of privacy"); Whalen v. Roe, 429 U.S. 589, 599 (1977) (stating that there is a constitutional interest in "avoiding disclosure of personal matters").
[34] See ALASKA CONST. art. I, § 22; CAL. CONST. art. I, § 1; FLA. CONST. art. I, § 23; HAW. CONST. art. I, § 6; ILL. CONST. art I, § 6; LA. CONST. art. I, § 5; MONT. CONST. art II, § 10; WASH. CONST. art. I, § 7.
[35] The Privacy Act of 1974, 5 U.S.C. § 552a (1996).
[36] The Privacy Act also mandated a Privacy Protection Study Commission, which proposed the formulation of comprehensive federal privacy legislation in its 1977 report. Congress, however, never pursued the recommendation.
[37] The Computer Matching Act and Privacy Protection Act of 1988, 5 U.S.C. § 552a(a)(8)(13), (e)(12), (o), (r), (u) (1996).
[38] The Right to Financial Privacy Act of 1978, 12 U.S.C. §§ 3401-3422 (1998).
[39] See e.g., The Driver's Privacy Protection Act of 1994, 18 U.S.C.A. § 2721 (1997); I.R.C. §§ 7609-7610 (1998).
[40] 15 U.S.C. § 1681a(k)(1)(B) & § 1681m(a).
[41] 15 U.S.C. § 1681g(a)(1) & (3).
[42] Electronic Fund Transfer Act of 1978, 15 U.S.C. § 1693 (1997).
[43] Cable Communication Policy Act, 47 U.S.C.A § 551 (1998).
[44] Video Privacy Protection Act, 18 U.S.C. § 2710 (1988).
[45] Telephone Consumer Protection Act, 47 U.S.C.A. § 227 (1998).
[46] Electronic Communications Privacy Act of 1986, 18 U.S.C. §§ 2510-2522 (1998).
[47] Stored Wire and Electronic Communications and Transactional Records Access Act, 18 U.S.C. §§ 2701-2711 (1998).
[48] Certainly, different countries around the world have divergent views regarding privacy. Many, however, have made efforts at the national level to bring their laws into conformity with the E.U. Directive.
[49] EPIC Survey, supra note 2, at <http://www.privacyinternational.org/survey/contries-a-g.htm>.
[50] Additionally, Australian States and Territories have introduced or enacted various data privacy laws. In New South Wales, the Privacy and Personal Information Act of 1998 governs the collection and use of personal data in the public sector, but not the private sector. Victoria introduced the Data Protection Bill on May 26, 1999. It is based on the "National Privacy Principles for the Fair Handling of Information," which are not legally binding, but were issued by the Privacy Commissioner in February of 1998 to guide the private sector in handling personal data. The Data Protection Bill governs both the private and public sector, but is premised on the fact that the Victorian Government supports the regulation of private sector privacy at the national level.
[51] The Australia Card Scheme was a proposal for a universal national identification number and card. Even though the proposal was eventually dropped, the use of the tax file number was altered to allow for the tracking of income from different sources, and this data would later be protected by the Privacy Act. EPIC Survey, supra note 2, at <http://www.privacyinternational.org/survey/contries-a-g.htm>.
[52] Privacy Act 1988, available in <http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108>.
[53] There are 24 member nations of OECD: Australia, Austria, Belgium, Canada, Denmark, Finland, France, West Germany, Greece, Iceland, Ireland, Italy, Japan, Luxembourg, the Netherlands, New Zealand, Norway, Portugal, Spain, Sweden, Switzerland, Turkey, United Kingdom, and the United States.
[54] The Act was a result of Australia's agreement to adopt these Guidelines, which were adopted in 1980, as well as its obligations under Article 17 of the International Covenant on Civil and Political Rights. The Government's Proposed Legislation for the Protection of Privacy in the Private Sector (visited February 21, 2000) <http://law.gov.au/infopaper/infopaper.html> [hereinafter "Private Sector Information Paper"].
[55] The Office of the Privacy Commissioner's duties include handling complaints, auditing, encouraging community awareness, and advising federal and state governments on privacy matters. In 1998-1999, the Office "received 128 complaints, closed 90 complaints, and conducted 20 audits." EPIC Survey, supra note 2, at <http://www.privacyinternational.org/survey/countries-a-g.htm>.
[56] However, the private sector is subject to the Act in two ways: (1) Credit reporting agencies must be in compliance with the credit reporting rules contained in the Act, as well as the accompanying code of conduct, when handling credit data of individuals; and (2) Entities that handle tax file number data must comply with the guidelines pertaining to tax file numbers issued by the Privacy Commissioner pursuant to Section 17 of the Act. Additionally, the Privacy Commissioner may, pursuant to Section 27 of the Act, encourage companies to develop privacy standards for the processing of personal data that are in accordance with the OECD Guidelines. Privacy Act 1988, § 27 (1988).
[57] The Act has two objectives: (1) Protection of personal data by departments and agencies of the federal government; and (2) Providing safeguards for the collection and use of tax file number data. Private Sector Information Paper, supra note 54, at <http://law.gov.au/infopaper/infopaper.html>.
[58] See Privacy Act 1988, § 14 (1988). See also Private Sector Information Paper, supra note 54, at <http://law.gov.au/infopaper/infopaper.html>.
[59] Telecommunications Act 1997, available in <http://www.austlii.edu.au/au/legis/cth/consol_act/ta1997214/index.html>.
[60] Privacy Act 1988, § 17 (1988).
[61] Issued by the Australian Tax Office, Tax File Numbers are unique numbers issued to individuals, companies and anyone else filing income tax returns with the office. Private Sector Information Paper, supra note 54, at <http://law.gov.au/infopaper/infopaper.html>.
[62] See Privacy Act 1988, § 17 (1988).
[63] See id.
[64] See id.
[65] See id.
[66] In addition, the unauthorized use or disclosure of this data is an offense under the Telecommunications Administration Act of 1953, which may result in a monetary penalty, incarceration, or both.
[67] Under the Telecommunications Act, the Privacy Commissioner is given the authority to monitor the record-keeping and disclosures of personal data by carriers, carriage service providers and number database operators. See generally Telecommunications Act 1997.
[68] Telecommunications Act 1997, § 107 (1997).
[69] See generally Privacy Act 1988, Part IIIA (1988).
[70] See Privacy Act 1988, § 17 (1988).
[71] Privacy (Private Sector) Bill 1999, available in <http://law.gov.au>.
[72] National Principles for the Fair Handling of Personal Information, available in <http://law.gov.au>. The National Principles for the Fair Handling of Personal Information delineate standards regarding the collection, use, and disclosure of personal data by businesses and other private sector organizations. The Principles also address the necessary measures that an organization must implement to ensure the accuracy and security of this data, as well as providing the individual with access to the data to maintain its accuracy and completeness. The Principles also discuss the use of pension and Medicare numbers by governmental agencies, transfers of personal data outside Australia, and the collection of sensitive data. Private Sector Information Paper, supra note 54, at <http://law.gov.au/infopaper/infopaper.html>.
[73] EPIC Survey, supra note 2, at <http://www.privacyinternational.org/survey/contries-a-g.htm>.
[74] An "organization" is defined to mean a body corporate, an unincorporated association, a partnership, a trust and an individual. Overview of Key Provisions of Privacy (Private Sector) Bill (visited February 10, 2000) <http://law.gov.au/privacy/overview.html>.
[75] Private Sector Information Paper, supra note 54, at <http://law.gov.au/infopaper/infopaper.html>. Additionally, the Act will apply to Commonwealth bodies and governmental businesses that are not, due to their commercial nature, covered by the existing Privacy Act. Id. at <http://law.gov.au/infopaper/infopaper.html>.
[76] Id. at <http://law.gov.au/infopaper/infopaper.html>.
1. Employee File Transfer
One of the most common human resource activities in a multinational
company is the transferring of files to another country. This is usually the result
of multinational companies centralizing their human resources activities in one
specific location, and thus transferring employee files to this country. However,
with new data protection laws emerging throughout the world, the transfer of
these files is becoming increasingly difficult.
As mentioned above, Australia has data protection standards similar to those of
the U.S. Like the sectoral approach of the U.S., the Australian Privacy Act governs
data retained by governmental agencies and the Privacy (Private Sector) Bill, if
enacted, will govern the use of data by the private sector. When transferring an
employee file, an issue that must be addressed by Privacy Haven’s human
resource department is the transfer of the employee’s TFN.77 The Privacy
Commissioner has issued legally binding Guidelines regarding the use of TFNs
pursuant to Section 17 of the Privacy Act.78 These Guidelines prohibit the use of
a TFN to establish or confirm the identity of an individual for any purpose not
authorized by taxation, assistance agency or superannuation law.79 Additionally,
the human resource recipient in the U.S. Privacy Haven office must ensure that
adequate safeguards are in place to prevent the loss, misuse, modification and
disclosure of TFNs, and restrict access to this information to authorized persons
within the office.80
Therefore, since it is likely that the files being transferred to Privacy
Haven’s U.S.-based location contain the TFNs of Privacy Haven’s Australian
employees, Privacy Haven must comply with the conditions contained in the
Guidelines. This would require the company to maintain a secure database in
the U.S. and only allow authorized individuals, such as those who require access
to carry out the taxation responsibilities, to access this data.81 If Privacy Haven
complies with the above Guidelines, then it will be in compliance with the private
sector provisions contained in the Privacy Act. However, the Australian
government is proposing amendments to the Privacy Act that may be enacted as
soon as the end of this year. Thus, Privacy Haven must also examine the
principles contained in the Privacy (Private Sector) Bill to ensure compliance with
the amended Privacy Act.
The Privacy (Private Sector) Bill is described as a legislative regime that
will be based on industry codes.82 The bill is based on the National Privacy
Principles and differentiates personal data according to its sensitivity.83 It applies
to private companies within Australia and restricts the transfer of data from
these companies to entities or individuals in another country.84 However, the bill
will not apply to personal data collected and used in a domestic capacity,
personal data collected, used and disclosed by the media, or employee
records.85 The bill does not cover employee records because the government
takes the view that employee records should be dealt with as part of the
Workplace Regulations legislation. Therefore, Privacy Haven may be subject to more
stringent standards in the near future, but it must currently focus on compliance
with the Privacy Act and the potential passage of the Privacy (Private Sector) Bill.
The combination of this bill and the Privacy Act requires that Privacy Haven have
adequate safeguards in place in the U.S., and that the company restrict access
to the TFNs of its employees. Apart from the strict requirements regarding TFNs,
the company may transfer an employee file to its centralized database in the U.S.
with relative ease.

77 Privacy Act 1988, § 17 (1988).
78 See id.
79 See id.
80 See id.
81 See id.
82 Private Sector Information Paper, supra note 54, at <http://law.gov.au/infopaper/
infopaper.html>.
83 The Bill contains a broad definition of “sensitive information.”
Sensitive information means:
(a) information or an opinion about an individual’s:
(i) racial or ethnic origin; or
(ii) political opinions; or
(iii) membership of a political association; or
(iv) religious beliefs or affiliations; or
(v) philosophical beliefs; or
(vi) membership of a professional or trade association; or
(vii) membership of a trade union; or
(viii) sexual preferences or practices; or
(ix) criminal record;
that is also personal information; or
(b) health information about an individual.
Privacy (Private Sector) Bill 1999, § 1 (1999).
84 See id. at Principle # 9.
85 Employee record, in relation to an employee, means a record of personal data about the
employment of the employee. An example of personal data about the employment of the
employee is personal data about all or any of the following: (a) the engagement, training,
disciplining, resignation of the employee; (b) the termination of the employment of the employee;
(c) the terms and conditions of employment of the employee; (d) the employee’s personal and
emergency contact details; (e) the employee’s performance or conduct; (f) the employee’s hours
of employment; (g) the employee’s salary or wages; (h) the employee’s membership of a
professional or trade association; (i) the employee’s trade union membership; (j) the employee’s
recreation, long service, sick, personal, maternity, paternity or other leave; (k) the employee’s
health data; (l) and the employee’s taxation, banking and superannuation affairs. Private Sector
Information Paper, supra note 54, at <http://law.gov.au/infopaper/infopaper.html>.
Additionally, Section 41 of the Bill provides: “Exemption in respect of employee records. An act
done, or practice engaged in, by an organisation that is or was an employer of an individual, is
exempt for the purposes of paragraph 7(1)(ee) if the act or practice is directly related to: (a) a
current or former employment relationship between the employer and the individual; and (b) an
employee record held by the organisation and relating to that individual.” Privacy (Private Sector)
Bill 1999, § 41 (1999).
2. The Transfer of Data on a Laptop Computer
The transborder transfer of data on a laptop computer is a scenario that
does not receive much attention from lawmakers around the world. However, as
the use of technology increases within multinational companies, this form of data
transfer is becoming more and more prevalent. The transfer of data out of
Australia on a laptop computer is not directly addressed in any of the Australian
privacy laws or Information Privacy Principles. Therefore, Privacy Haven must
analogize this situation to the transfer of an employee’s file discussed above.
Employee data stored on a laptop computer is subject to the same private
sector regulations as a regular file transfer from Privacy Haven’s branch in
Australia to the centralized database in the U.S.86 Although the Privacy Act does
not apply to the private sector, with the exception of TFNs and credit reporting
agencies, the Privacy Commissioner has the power to encourage companies to
develop programs for the handling of personal data that are consistent with the
IPPs contained within the Privacy Act.87 In light of this power, Privacy Haven
should establish a program for the handling of its employees’ personal data.
Under this program, Privacy Haven should prohibit the storage of
employee data on a laptop computer. In addition to the strict standards required
for the storage and transfer of TFNs, any transfer of personal data must be
protected by adequate safeguards and should only be accessed by authorized
parties.88 The use of a laptop containing an employee’s personal data, and even
an employee’s TFN, will not meet the security safeguards that must be adhered
to by Privacy Haven under the Privacy Act and accompanying amendments.89
Thus, by placing restrictions on the storing of personal data on a laptop
computer, Privacy Haven will be able to comply with the requirements of the Act, and
an employee’s data will not be compromised by the insufficient security of a laptop
computer.

86 See generally Privacy Act 1988; Privacy (Private Sector) Bill 1999.
87 Privacy Act 1988, § 27 (1988).
3. The Merger of Privacy Haven with Another Company
The merging of two companies raises significant privacy issues relating to
an employee’s personal data. If Privacy Haven merges with another company, it
must determine which human resource department is going to handle the
personal data of the employees within both companies, as well as where this
data is going to be stored. If Privacy Haven chooses to store the records of the
other company with its own, it must then be in compliance with the Privacy Act
and should adhere to the IPPs issued by the Privacy Commissioner when
handling this data.90
In complying with the standards delineated in this legislation as well as the
IPPs, Privacy Haven must ensure that the company it is merging with has
adequate safeguards in place to protect the personal data of its employees.
Although the Privacy Act and the Privacy (Private Sector) Bill do not cover
employee records, a company is still required to protect the TFNs of its
employees.91 This requires a company to adequately safeguard this data, as
well as prevent unauthorized access to this data.92 Therefore, if Privacy Haven
merges with another company, it must store its employees’ records in its
centralized database in the U.S., which has adequate safeguards and restricted
access. This will prevent the misuse of this data by Privacy Haven, and will allow
Privacy Haven to be in compliance with the self-regulatory approach to the
privacy of personal data in the private sector that has been taken by the
Australian government.

88 See id. at § 14.
89 See id. at §§ 14-15.
90 See id.
91 See id. at § 17.
92 See id.

V. FEDERAL REPUBLIC OF BRAZIL
A. THE RIGHT TO PRIVACY UNDER BRAZILIAN LAW
Brazilian citizens have the constitutional right to privacy that is set forth in
Article 5, X of the Brazilian Federal Constitution, which provides as follows: "the
privacy, private life, honor and image of persons are inviolable, and right to
compensation for material or moral damages resulting from violation thereof is
ensured."93 If a data controller discloses a data subject’s personal or private data
to a third party, then the data controller may face civil actions for moral damages
(e.g., damages for pain and suffering or loss of reputation) as well as criminal
actions. Moreover, in the employment context, if an employer discloses personal
or private data of its employees to third parties, then the employee has the legal
right to terminate the employment relationship. Furthermore, the principals of the
employer may not only face civil actions but may also be criminally liable for
violating the employee’s right to privacy.

93 See EPIC Survey, supra note 2, at <http://www.privacyinternational.org/survey/countriesa-g.html#Heading6> (citing The Constitution of Brazil (1988)).
Additionally, the Brazilian Senate has introduced a bill that seeks to promote
“the privacy of personal data in conformance with the OECD guidelines.” This
bill, if enacted, will affect both public and private sector databases in that:
[n]o personal data nor [data] shall be disclosed,
communicated, or transmitted for purposes different than
those that led to structuring such data registry or database,
without express authorization of the owner, except in case of
a court order, and for purposes of a criminal investigation or
legal proceedings . . . It is forbidden to gather, register,
archive, process, and transmit personal data referring to:
ethnic origin, political or religious beliefs, physical or mental
health, sexual life, police or penal records, family issues,
except family relationship, civil status, and marriage system .
. . Every citizen is entitled to, without any charge; access
his/her personal data, stored in data registries or databases,
and correct, supplement, or eliminate such data, and be
informed by data registry or database managers of the
existence of data regarding his/her person.94
Although this bill was introduced in 1996, the Senate has yet to vote on it.95
However, many expect this bill to be enacted once comparable legislation is
approved in neighboring countries such as Argentina and Chile.96

94 See id. at <http://www.privacyinternational.org/survey/countries-a-g.html#Heading6>
(citing Federal Senate Bill No. 61 (1996)).
95 Id. at <http://www.privacyinternational.org/survey/countries-a-g.html#Heading6>.
The Brazilian 1990 Code of Consumer Protection and Defense97 provides
consumers with the right to:
access any [data] derived from personal and consumer data
stored in files, archives, registries, and databases, as well as
to access their respective sources. Consumer files and data
shall be objective, clear, true, and written in a manner easily
understood, and shall not contain derogatory [data] for a
period over five years. Whenever consumers find incorrect
data and files concerning their person, they are entitled to
require immediate correction, and the archivist shall
communicate the due alterations to the incorrect [data] within
five days. Consumer databases and registries, credit
protection services, and similar institutions are considered
entities of public nature. Once the consumer has settled
his/her debts, Credit Protection Services shall not provide
any [data] that may prevent or hinder further access to credit
for this consumer.98
The Brazilian Informatics Law of 198499 “protects the confidentiality of
stored, processed and disclosed data, and the privacy and security of physical,
legal, public, and private entities.”100 This law entitles Brazilian citizens to the
right “to access and correct their personal [data] in private or public
databases.”101 Finally, Brazilian law provides citizens with the “constitutional
right of Habeas Data to access [data] about themselves held by public
agencies.”102

96 See id.
97 See id. (citing Law No. 8078 (Sept. 11, 1990)).
98 Id.
99 See id. at <http://www.privacyinternational.org/survey/countries-a-g.html#Heading6>
(citing Law No. 7.232 (Oct. 29, 1984)).
100 Id. at <http://www.privacyinternational.org/survey/countries-a-g.html#Heading6>.
101 Id. at <http://www.privacyinternational.org/survey/countries-a-g.html#Heading6>.
B. TRANSBORDER DATA LAWS AND THEIR EFFECT ON MULTINATIONAL COMPANIES
In analyzing the effect of Brazilian privacy law on transborder data flows as
it applies to human resource departments within multinational companies, this
Comment now turns to the hypothetical scenarios previously presented.
1. Employee File Transfer via Computers and Networks
There is no specific restriction that would apply to the transborder data
flows in the form intended by Privacy Haven (provided that Privacy Haven
protects its employees' personal data from unauthorized disclosure to third
parties). However, if Privacy Haven violates its employees' constitutional
guarantees of privacy, the employee would be legally entitled to terminate the
employment relationship, and the violation could also result in civil actions for
damages, including moral damages (e.g., damages for pain and suffering or loss
of reputation), as well as criminal actions against the company's principals.
Moreover, it is Privacy Haven’s responsibility not to disclose the personal
or private data of its employees to third parties. Privacy Haven, therefore, should
take all necessary precautionary measures to avoid disclosures of its employees’
personal or private data when processing or transmitting data from Brazil to the
U.S. Encrypting the data prior to transmitting it to the U.S. would be mandatory
in order to evidence that Privacy Haven has taken the necessary steps to prevent
disclosure.

102 See id. at <http://www.privacyinternational.org/survey/countries-a-g.html#Heading6>
(citing LEI Nº 9.507, DE 12 DE NOVEMBRO DE 1997).
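The TFN safeguards discussed in the Australian scenarios above (access restricted to authorised persons; protection against loss, misuse, modification and disclosure) and the encrypt-before-transfer step recommended here can be combined in one transfer routine. The Go program below is an example added for this page; it is not code from the Comment or from any company it describes. It assumes a JSON employee record, two separately held AES-256-GCM keys (one for the general HR record, one for the TFN on its own), the role names "payroll" and "taxation" as the authorised set, and a constructed sample record with a made-up TFN; the names PrepareTransfer, OpenRecord and OpenTFN are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// EmployeeRecord is a constructed sample HR record; the field names are assumptions.
type EmployeeRecord struct {
	Name   string `json:"name"`
	Salary int    `json:"salary"`
	TFN    string `json:"tfn,omitempty"`
}

// Envelope is what crosses the border: the general HR data and the TFN are sealed
// under different keys, so the receiving office can load the record without the TFN.
type Envelope struct {
	EmployeeID string
	Record     []byte // AES-GCM: nonce || ciphertext of the record minus the TFN
	SealedTFN  []byte // AES-GCM: nonce || ciphertext of the TFN alone
}

// rolesAllowedTFN stands in for the Guidelines' "authorised persons" (assumed role names).
var rolesAllowedTFN = map[string]bool{"payroll": true, "taxation": true}

// NewKey generates a fresh 256-bit AES key and returns an AES-GCM instance for it.
func NewKey() (cipher.AEAD, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext, binding aad into the tag; the nonce is prepended.
func seal(key cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, key.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return key.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails on any modification of the ciphertext or the aad.
func open(key cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	if len(sealed) < key.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return key.Open(nil, sealed[:key.NonceSize()], sealed[key.NonceSize():], aad)
}

// PrepareTransfer strips the TFN out of the record, seals the remainder under recordKey
// and the TFN under tfnKey. Employee ID and a purpose label are bound in as associated
// data, so a sealed TFN cannot be moved to another employee's envelope or re-purposed.
func PrepareTransfer(recordKey, tfnKey cipher.AEAD, id string, r EmployeeRecord) (Envelope, error) {
	tfn := r.TFN
	r.TFN = "" // the TFN never travels inside the general record
	body, err := json.Marshal(r)
	if err != nil {
		return Envelope{}, err
	}
	rec, err := seal(recordKey, body, []byte(id+"|hr-record"))
	if err != nil {
		return Envelope{}, err
	}
	st, err := seal(tfnKey, []byte(tfn), []byte(id+"|taxation"))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{EmployeeID: id, Record: rec, SealedTFN: st}, nil
}

// OpenRecord is what the central HR database does on receipt: the file comes back, TFN empty.
func OpenRecord(recordKey cipher.AEAD, e Envelope) (EmployeeRecord, error) {
	var r EmployeeRecord
	body, err := open(recordKey, e.Record, []byte(e.EmployeeID+"|hr-record"))
	if err != nil {
		return r, err
	}
	return r, json.Unmarshal(body, &r)
}

// OpenTFN unseals the TFN only for an authorised role; the role check runs before any crypto.
func OpenTFN(tfnKey cipher.AEAD, e Envelope, role string) (string, error) {
	if !rolesAllowedTFN[role] {
		return "", fmt.Errorf("role %q is not authorised to access TFNs", role)
	}
	pt, err := open(tfnKey, e.SealedTFN, []byte(e.EmployeeID+"|taxation"))
	return string(pt), err
}
```

Keeping the TFN key out of the general HR database is what turns the Guidelines' "authorised persons" wording into an enforceable control rather than a policy statement: the receiving office loads the file with PrepareTransfer's output and OpenRecord, and only a payroll or taxation role holding the second key can call OpenTFN. Binding the employee ID and purpose label into the associated data means a sealed TFN re-attached to a different employee, or presented under another purpose, fails authentication instead of decrypting.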
2. The Merger of Privacy Haven with Another Company
Like employee personal file transfers, there is no specific restriction that
would apply if Privacy Haven merged with another company (provided that
Privacy Haven protects its employees' personal data from unauthorized
disclosure to third parties). However, if Privacy Haven violates its Brazilian
employees’ constitutional guarantees of privacy by disclosing their personal data
to unauthorized third parties, the employee, again, would have the legal right to
terminate the employment relationship. If this occurs, Privacy Haven, again, may
face civil damages for economic loss, and its principals may face criminal liability
for the unauthorized disclosure of personal data to a third party.
VI. EUROPEAN UNION
A. THE EU DATA PRIVACY DIRECTIVE
The European Union (“E.U.”) issued its Directive to the European
community on October 24, 1995, and provided three years to each of the fifteen
E.U. Member State countries to enact conforming domestic legislation. When
the E.U. Directive became effective in October 1998, all of the E.U. Member
State countries had either adopted, amended, proposed, or begun drafting data
privacy legislation that is compliant with the E.U. Directive’s specifications.103
The fundamental purpose of the E.U. Directive is to provide specific rights to data
subjects, and mandate certain responsibilities for data controllers. In doing so,
the E.U. Directive broadly defines the elements of data protection in order to
provide data subjects with comprehensive privacy protection. “Personal Data” is
any data relating to an identified or identifiable natural person. Thus, data
relating to legal persons or entities, such as corporations, are not included.
Identification is realized through a number of factors specific to the subject’s
physical, physiological, mental, economic, cultural or social identity.104
“Processing” is any operation performed upon personal data, whether or not
automatic, including but not limited to, collection, recording, use, organization,
storage, alteration, retrieval, disclosure, or dissemination.105 Consequently, the
E.U. Directive’s scope encompasses almost all conduct relating to personal
data.106
In providing specific rights to data subjects, the E.U. Directive places
rigorous requirements on data controllers. Personal data may only be processed
by data controllers in a limited number of situations: (1) with unambiguous
consent from the data subject; (2) for contractual performance in which the data
subject is a party; (3) for compliance with a legal obligation to which the data
controller is subject; (4) in protection of the vital interests of the data subject; (5)
for performance of a task carried out in the public interest or in the exercise of
official authority; and (6) for the “legitimate interests” of the data controller, or
third party, except where such interests are overridden by the interests for
fundamental rights and freedoms of the data subject.107

103 A complete list of the status of data privacy legislation in E.U. member countries is
available at <http://www.europa.eu.int/comm/dg15/en/media/dataprot/law/impl.htm>. For country
reports of both E.U. and non-E.U. members, see <http://www.gilc.org/privacy/survey>.
104 E.U. Data Privacy Directive, art. 2(a).
105 See id. at art. 2(b).
106 On a technical note, the E.U. Directive explicitly excludes from its scope the processing
of personal data “by a natural person in the course of a purely personal or household activity”. Id.
at art. 3(2).
Furthermore, data controllers may only collect personal data for specified,
explicit and legitimate purposes, and may not further process personal data in a
way incompatible with those purposes.108 These data collection purposes must
be disclosed to the data subject.109 Only relevant data, and not data excessive in
relation to the purpose for which it was collected, may be obtained.110 The data
collected by data controllers must also be accurate and kept up-to-date.111
Additionally, the data controller must disclose to the data subject its identity, and
the identity of any third party to which the data will be disclosed.112 The E.U.
Directive also provides a higher level of protection for “special categories” of
personal data. These special categories include personal data that
reveals: (1) racial or ethnic origin; (2) political opinions; (3) religious or
philosophical beliefs; (4) trade-union membership; and (5) health or sex life. The
collection and processing of any data in these special categories are prohibited
unless the data subject explicitly consents or it is necessary in order to carry out
certain obligations or “legitimate activities.”113 Again, although the prohibition is
comprehensive, there are vague exceptions, such as “legitimate” employment
activities, that create a great deal of leeway in favor of data controllers.
As seen previously from the OECD guidelines and the Council of Europe
Convention, these data privacy principles are not novel. In fact, the rights that
the E.U. Directive grants to data subjects are akin to intellectual property, i.e., in
order to collect and process data, the data controller must obtain consent from
the data subject through an express or, in some situations, an implied
license. In this regard, the data subject has the right to access its data, to
request that corrections be made for inaccuracies in the data, and to block data
processing that does not comply with the E.U. Directive.114 Like intellectual
property, an individual’s rights of recourse in the case of improper collection, use
or processing of personal data will remain subject to the data subject’s domestic
laws. Moreover, the E.U. Directive mandates a private right to judicial remedy in
such cases where the data controller processes the data inconsistently with its
provisions.115 Additionally, it requires that E.U. Member State countries provide
both compensation to the data subject for damages suffered, and sanctions
against the infringing party.116

107 See id. at art. 7.
108 See id. at art. 6(b).
109 See id. at art. 10(b).
110 See id. at art. 6(c).
111 See id. at art. 6(d).
112 See id. at art. 10(a) and (c).
113 See id. at art. 8.
114 See id. at art. 12(a) and (b).
115 See id. at art. 22.
116 See id. at art. 23.
B. TRANSBORDER DATA FLOW UNDER THE E.U. DIRECTIVE
By harmonizing legislation among European Union countries, the E.U.
Directive has facilitated the transborder flow of data within these countries. The
E.U. Directive, in order to maintain a high standard of protection for data
subjects, has also restricted transborder data flows to countries that do not offer
the requisite level of protection. Thus, E.U. Member State countries will not
transfer personal data to countries outside of the E.U. that do not guarantee an
“adequate” level of protection.117 Although the E.U. Directive does not define
“adequate,” the adequate level of protection is evaluated in light of all of the
circumstances surrounding the data transfer, including the nature of the data and
the purpose behind its transfer, the laws of the receiving country, regulations
specific to the industry, and any security policies of the particular data
recipient.118 Where an E.U. Member State country believes that the data privacy
protection of a third country is not adequate, it will inform the European
Commission, which will then make an official determination. If the Commission
agrees, the E.U. Member State country is then required to prevent the transfer of
that or similar data to the third country.119
The E.U. Directive’s “adequacy” requirement, however, has provoked
controversial responses because its standard appears to be ambiguous and may
possibly lead to discriminatory application.120 Foreseeing this type of
controversy, Article 29 of the E.U. Directive established a Working Party in order
to examine issues created by the E.U. Directive that clearly need clarification or
further development. Although the Working Party does not have direct
decision-making authority, it does provide guidance to both the E.U. Member State
countries and the European Commission through written opinions that are highly
influential because the Working Party is comprised of delegates representing
each of the E.U. Member State countries.
In addressing the E.U. Directive’s “adequacy” standard for transborder
data flows, the Working Party reiterated that the E.U. Directive envisions the
assessment of the adequacy of a third country’s data protection as a case by
case analysis.121 It also examined a white list/black list approach. Under such a
scheme, a country could be white listed after several representative cases of
transfers have been considered and deemed adequate. One difficulty with
this scenario involves those countries such as the U.S. that do not have uniform
protection in all economic sectors. Thus, acceptable transfers must be
representative of an entire sector or state. In this way, the Working Party’s
discussion paper proposes that those third countries could be partially white
listed.

117 See id. at art. 25.
118 See id.
119 See id.
120 See e.g., P. Amy Monahan, Deconstructing Information Walls: The Impact of the
European Data Directive on U.S. Businesses, 29 LAW & POL’Y INT’L BUS. 275 (Winter 1998).
121 Working Party on the Protection of Individuals with Regard to the Processing of Personal
Data, First Orientations on Transfers of Personal Data to Third Countries – Possible Ways
Forward in Assessing Adequacy, adopted on June 26, 1997, available in
<http://www.europa.eu.int/comm/dg15/en/media/dataprot/wpDOCs/wp4en.htm>.
In proposing criteria for the assessment of adequacy, the Working Party
outlined a list of minimum conditions, often referred to as the basic content
principles:
1. Purpose - Data should be processed for a specific purpose
and subsequently used in ways compatible with that
purpose.
2. Quality - Data should be accurate, and kept up to date.
3. Transparency/Notice - Data subjects should be notified of
the purpose for the data processing, and the identity of the
data controller and any third party recipient of the data.
4. Security – Data controllers should take security measures
that are appropriate in relation to the risks presented by the
processing.
5. Access - Data subjects should have access to data
collected, and the right to rectification of inaccurate data.
6. Restrictions on Subsequent Transfers - Subsequent
transfers of data to third countries should be allowed only in
the case that such third country offers adequate protection.
7. Sensitive Data - The processing of sensitive data122 should
require the explicit consent of the data subject.
8. Direct Marketing - The data subject should be allowed to
opt out of having data processed for the purpose of direct
marketing.
9. Automated Decisions - Individuals shall not be subject to a
decision that produces legal effects, which is based solely on
automated processing of personal data.
Third country data protection, however, does not need to be identical in order to
be considered adequate, but it must, at the very least, adhere to these principles.

122 Recall that “sensitive data” means personal data concerning racial or ethnic origin,
political opinions, religious or philosophical beliefs, trade union membership, health, or sex-life.
Despite the E.U. Directive’s apparently high standard and strict restrictions
on transborder data flows, there are, as always, exceptions. Data transfers to
third countries with inadequate levels of protection may occur if one of the
following conditions is satisfied: (1) the data subject has given unambiguous
consent; (2) it is necessary for performance of a contract between the data
subject and controller, or for performance of a contract that is in the interest of
the data subject, but between the controller and a third party; (3) it is legally
required on important public interest grounds or in the defense of legal claims; (4)
to protect the vital interests of the data subject; or (5) if it is data that is already
open to the public.123
Additionally, an E.U. Member State country may authorize transfers to a
third country with inadequate protection when the data controller “adduces
adequate safeguards” from the specific recipient, with respect to the privacy of
the data.124 It is of particular relevance to private businesses that the E.U.
Directive expressly allows these safeguards to come in the form of “appropriate
contractual clauses.”125 Some observers have noted that this will give non-E.U.
businesses great latitude in structuring contractual arrangements that give
sufficient privacy guarantees, thereby avoiding restrictions on transborder flows
of data.126 The Working Party has stated that if a contractual solution is sought
to transfer data to a third country, it must then encompass all of the basic content
principles that it has set forth for assessing the adequacy of protection.127
Additionally, any contractual arrangement must contain an enforcement
mechanism. The Working Party suggests that contracts should be used as a
means by which the entity transferring the data can retain decision-making
control of the processing of the data in the third country. It has also identified two
areas in which the use of contracts is most highly suited. The first is large
international networks (such as credit cards and airline reservations), which are
characterized by large quantities of repetitive data transfers of a similar nature,
and by a small number of large operators in industries already subject to public
scrutiny. The second area is intra-company transfers between different branches
of the same company.
The Working Party, however, stated in an official opinion in January 1999,
that the patchwork of legislation and self-regulation currently in effect in the U.S.
does not offer an adequate level of protection.128 Recognizing that the standards of
data privacy protection vary across industries, the U.S. Department of
Commerce (“DOC”) has issued a set of Safe Harbor principles aimed at
diminishing uncertainty, and providing a more predictable framework for data
transfers.129

123 See E.U. Data Privacy Directive, art. 26.
124 Id.
125 Id.
126 See James Harvey, An Overview of the European Union’s Personal Data Directive, 15
NO. 10 COMPUTER LAW 19, 22 (Oct. 1998).
127 Working Party, Preliminary views on the use of contractual provisions in the context of
transfers of personal data to third countries, adopted on April 22, 1998, available in
<http://www.europa.eu.int/comm/dg/em/media/dataprot/wpDOCs/wp9en.htm>.
128 Working Party, Opinion 1/99 concerning the level of data protection in the U.S. and the
ongoing discussions between the European Commission and the U.S. Government, adopted on
January 26, 1999, available in <http://www.europa.eu.int/comm/dg15/en/media/dataprot/
wpDOCs/wp15en.htm>.
1.
Notice - The data subject130 must be given notice, in
clear language, when first asked for personal data, of the
purpose of data collection, the identity of the data
controller, the kinds of third parties with whom the data
will be shared, how to contact the organization collecting
or processing the data, and the choices available for
limiting use of disclosure of the data.
2.
Choice - The data subject must be given clear,
affordable mechanisms by which he or she can “opt out”
of having personal data used in any way that is
inconsistent with the stated purposes of collection.
3.
Onward Transfer - Where the data controller has
adhered to the principles of Notice and Choice, it may
transfer personal data if it ascertains that the receiving
party also complies with the Safe Harbor principles, or if it
enters into a contractual agreement that the receiving
party will guarantee at least the same level of data
protection as the transmitting party.
4.
Security – Data controllers must take reasonable
measures to assure the data’s reliability for its intended
use, and to protect it from loss, misuse or other
unauthorized uses.
5.
Data Integrity - Data controllers should take
reasonable steps to ensure that data is accurate,
complete and current.
6.
Access - Data subjects must have reasonable access
to their personal data and an opportunity to correct
inaccurate data.
7.
Enforcement - At a minimum, enforcement
mechanisms must include readily available and
affordable recourse for the investigation of complaints
129
Department of Commerce, International Safe Harbor Privacy Principles Draft, April 19,
1999, available in <http://www.ita.DOC.gov/ecom/shprin.html>.
The terms “data subject” and “data controller” are not always used in the U.S.
publications, but are used here for the sake of consistency with the E.U. Directive.
130
- 37 -
and disputes, damages awarded where applicable,
procedures for verifying the truthfulness of statements
made by data controllers regarding their privacy
practices, obligations on the data controller to remedy
problems arising out of non-compliance, and sanctions
sufficiently rigorous to ensure compliance.
Ultimately, the European Commission will make the official determination whether the Safe Harbor principles are adequate under the E.U. Directive. If the European Commission approves the U.S. Safe Harbor principles, then E.U. Member State countries would be prohibited from preventing data transfers to those controllers that qualify for the Safe Harbor. Currently, the Principles are in draft form, and although the Working Party has consistently endorsed the safe harbor approach as a means of bringing uniformity to data privacy protection in the U.S., it has expressed concerns regarding specific language and enforcement mechanisms.131 The U.S. government and the European Commission have been involved in on-going discussions with the hope of reaching some kind of agreement on an adequate standard of privacy for the Safe Harbor principles. During the latest round of negotiations, both sides announced that they had reached a tentative agreement on the U.S. Safe Harbor principles. In separate press releases, both sides indicated that substantial progress had been made, and that the U.S. Safe Harbor arrangement should be finalized by the autumn of 2000.132

131 Working Party, Opinion 2/99 on the Adequacy of the “International Safe Harbor Principles” issued by the U.S. Department of Commerce on 19th April 1999, adopted on May 3, 1999, available in <http://www.europa.eu.int/comm/dg15/en/media/dataprot/wpDOCs/wp19en.htm>.
132 Joint Report on Data Protection Dialogue to the E.U./U.S. Summit, 21 June 1999, available in <http://www.europa.eu.int/comm/dg15/en/media/dataprot/news/summit.htm>.
Throughout the negotiation period, the DOC has developed a set of Frequently Asked Questions (“FAQs”) that are intended to clarify certain aspects of the Safe Harbor principles. As of March 16, 2000, a list of fifteen topics has been developed, covering: (1) Sensitive Data; (2) Journalistic Exceptions; (3) Secondary Liability; (4) Investment Banking, Audits and Headhunters; (5) The Role of Data Protection Authorities; (6) Self-Certification; (7) Verification; (8) Access; (9) Human Resources Data; (10) Article 17 Contracts; (11) Dispute Resolution and Enforcement; (12) Choice – Timing of Opt-Out; (13) Airline Passenger Reservations; (14) Pharmaceuticals; and (15) Public Record and Publicly Available Information.133 Similar to its response to the Safe Harbor principles, the Working Party has endorsed the FAQs as an explanatory tool, but has also expressed reservations regarding specific wording. In general, the FAQ clarifications are as follows:134

1. Data controllers need not provide explicit opt-in choice with respect to sensitive data in certain circumstances, including where processing of the data is necessary to carry out the organization’s obligations in the field of employment law.
2. Data that is gathered for publication or other legitimate journalistic purposes, or that is already in the public domain, is not subject to the Safe Harbor requirements.
3. Secondary liability does not extend to organizations (such as ISPs and telecoms) acting merely as a conduit for data.
4. The activities of investment bankers and auditors are legitimate interests permitted by the Safe Harbor principles.
5. U.S. organizations receiving personal data from the E.U. must provide recourse for data subjects, verification that assertions about their privacy practices are true, and obligations to remedy problems arising out of non-compliance.
6. Self-certification for the Safe Harbor requires a letter to the DOC, signed by a corporate officer, containing the specifics of the organization’s compliance with the principles.

133 See International Trade Administration Electronic Commerce Task Force, U.S. Department of Commerce Electronic Commerce Task Force (visited March 19, 2000) <http://www.ita.doc.gov/td/ecom/menu1.html>.
134 For the specific wording and responses of the FAQs see: Working Party, Opinion 4/99 on the Frequently Asked Questions to be issued by the U.S. Department of Commerce in relation to the proposed “Safe Harbor Principles”, adopted on June 7, 1999, available in <http://www.europa.eu.int/comm/dg15/en/media/dataprot/wpDOCs/wp21en.htm>.
Moreover, the FAQ clarifications in regard to human resource departments are as follows:

1. Human resource departments do not need to provide explicit opt-in choice with respect to sensitive data in certain circumstances, including where processing of the data is necessary to carry out the multinational company’s obligations in the field of employment law.
2. U.S. human resource departments receiving personal data from the E.U. must provide recourse for data subjects, verification that assertions about their privacy practices are true, and obligations to remedy problems arising out of non-compliance.
3. Human resource departments must make reasonable efforts to accommodate employees’ privacy preferences, including restricting access to the data, anonymizing certain data, or assigning codes or pseudonyms when the actual names are not required for the management purpose at hand.
4. Human resource departments do not need to offer notice and choice to the extent and for the period necessary to avoid prejudicing the legitimate interests of the organization in making promotions, appointments or other similar employment decisions.
5. Where E.U. employees make complaints about violations of their data protection rights and are not satisfied with the results of internal review, complaint and appeal procedures, such employees are directed to the state or national data protection or labor authority in the jurisdiction where the employee works.
C. THE E.U. DIRECTIVE’S EFFECT ON MULTINATIONAL COMPANIES

In analyzing the E.U. Directive’s effect on transborder data flows as it applies to human resource departments within multinational companies, this Comment now answers the three hypothetical scenarios previously introduced in this Comment.

As a general rule for collecting data from its employees domiciled in an E.U. Member State country, Privacy Haven must first obtain the data that it collects and processes directly from the applicant or actual employee.135 Second, the data collected by Privacy Haven should only be used for employment purposes; thus the processing of this data must be for the particular type of employment.136 Third, Privacy Haven’s employees must be regularly informed of the character of the data stored, the purposes of the processing, the addresses of those to whom it is regularly communicated and the legal basis of the transactions.137 Fourth, Privacy Haven’s employees must be granted the right to access all data collected and processed by the company.138 Fifth, Privacy Haven should only keep its employees’ data for the period relevant to the purpose for which it has been processed, and it must delete all data of applicants as soon as it becomes clear that they will not be offered the job for which they applied.139

Furthermore, Privacy Haven must also stay informed of changes in U.S. laws and the progress of the E.U. Directive’s implementation in order to minimize the potential impact. It is vital that Privacy Haven assess the risk for each segment within its human resource department and determine which operations rely on personal data. The restrictions on transfers of employee data from foreign branches or subsidiaries could severely hinder Privacy Haven’s overall business performance. Therefore, for those areas at risk, Privacy Haven must dedicate itself to taking appropriate action, and assign accountability to individuals within the company for establishing a privacy policy and for complying with international standards.

135 Spiros Simitis, From The General Rules On Data Protection To A Specific Regulation Of The Use Of Employee Data: Policies And Constraints Of The European Union, 19 COMP. LAB. L. & POL’Y J. 351, 361-62 (1998).
136 See id.
137 See id.
138 See id.
1. Employee File Transfer via Computers and Networks

a. U.S. Safe Harbor Principles

First, if the U.S. and the European Commission come to an agreement on the Safe Harbor principles, then the Commission can certify that such principles meet the E.U. Directive’s adequacy standard. If Privacy Haven’s data privacy protection is in conformity with the agreed-upon principles, it will then qualify for the Safe Harbor and thus be free from restrictions on employee personnel file transfers imposed by E.U. Member State countries.

Even if Privacy Haven qualifies for the Safe Harbor, it may also elect to cooperate with E.U. data protection authorities (“DPAs”).140 In doing so, Privacy Haven must declare its commitment to the relevant DPA in its Safe Harbor Notification to the DOC. Once committed, Privacy Haven must assist the DPA in the investigation and resolution of complaints filed against it by employees. Additionally, the DPA may require Privacy Haven to take additional action to conform to the Safe Harbor principles, including compensating employees affected by its non-compliance. This option works particularly well for human resource departments that may find it difficult to locate a self-regulatory organization that addresses their particular needs. Additionally, Privacy Haven can avoid the relatively lengthy and costly private dispute resolution process in the U.S. because disputed complaints filed by its employees will be submitted to the relevant DPA for a final determination. Such an approach works particularly well for U.S. companies hoping to resolve personal data issues arising out of employment relationships in their European branches.

139 See id.
b. Contractual Safeguards

In the event that a Safe Harbor agreement is not imminently forthcoming, there are several strategies that Privacy Haven can generally follow in order to comply with the E.U. Directive and protect itself from transborder data blockages.

Privacy Haven may rely on contracts as a means to address employee personal data transfers. The Working Party has specifically endorsed this mechanism as a viable solution for transfers to entities located within third countries that do not have adequate levels of protection.141 In order for Privacy Haven’s contractual provisions to be deemed sufficient by the E.U., they must contain the basic content principles as well as those additional factors suggested in the Working Party’s approach to self-regulation, mandatory compliance, institutional support for the data subject and appropriate means of redress. Essentially, the basis for assessing the adequacy of contractual safeguards will be the same as that for assessing the general level of adequacy in a third country.

As part of Privacy Haven’s contractual safeguards for an employee personal file transfer, it must also obtain unambiguous expressed consent from its employee in order to transfer the employee’s personal file across international borders.142 In this regard, Privacy Haven must inform its employee of the country to which it intends to transfer the individual’s data and whether this country provides adequate protection of privacy.143 If the employee gives unambiguous expressed consent, the company then can make the transborder transfer of the employee’s personal file.144 However, if the employee does not give unambiguous expressed consent, Privacy Haven must then develop internal procedures to ensure that the employee’s data are retained in Europe.145 Moreover, since the E.U. Directive’s scope is comprehensive, the unambiguous expressed consent requirement equally applies to transborder transfers of the employee’s personal file from the U.S. to Europe.

140 See Working Party, Opinion 4/99, adopted on June 7, 1999, available in <http://www.europa.eu.int/comm/dg15/en/media/dataprot/wpDOCs/wp21en.htm>.
141 See Working Party, Opinion 4/99 on Contractual Provisions, adopted on June 7, 1999, available in <http://www.europa.eu.int/comm/dg15/en/media/dataprot/wpDOCs/wp21en.htm>.
142 See E.U. Data Privacy Directive, art. 26(1)(a).
143 See PETER P. SWIRE & ROBERT E. LITAN, NONE OF YOUR BUSINESS 92 (Brookings Inst. 1998).
144 See id.
145 See id.
Privacy Haven, therefore, must obtain the employee’s unambiguous expressed consent at the time immediately preceding the transborder transfer of the employee’s personal file.146 Previous unambiguous expressed consent by an employee, e.g., a global waiver for unspecified use at the employee’s time of hiring,147 most likely will not be sufficient unambiguous expressed consent under Article 6(1)(b) of the E.U. Directive because the personal data is now being used for a purpose different from the one for which it was collected.148 This consent argument equally applies to all categories of employees’ transborder data transfers, such as Privacy Haven’s global list of employees.

If Privacy Haven transfers its employees’ personal data across international borders via a personal laptop computer, it again must contractually assure its employees that the transfer will meet the E.U. Directive’s adequate level of protection standard and obtain specific unambiguous expressed consent from the employee for this type of transfer.

Information technologies, such as intranets, have accelerated the free flow of data within a multinational organization. However, intranets, which are internal networks that may be used by human resource departments within multinational companies for employee directories or job skills databases, may not be suitable in Europe for human resource purposes because the E.U. Directive’s consent requirement may be too burdensome.149 Moreover, if Privacy Haven uses human resource software, runs a server from the U.S. or routinely creates databases containing employee data, these practices may well be illegal under the E.U. Directive because each transfer requires specific unambiguous expressed consent.150

146 See id.
147 See id. An example of a global waiver is: “[a]t the time of hiring a person, [the multinational company obtains unambiguous expressed] consent to use [person’s] personal information for ‘all internal management purposes.’” Id. at 91.
148 Article 6(1)(b) provides that data must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.” E.U. Data Privacy Directive, art. 6(1)(b).
2. The Merger of Privacy Haven with Another Company

A foreseeable problematic scenario may occur if Privacy Haven merges with another company. Privacy Haven must first determine which human resource department will handle the personal data of the employees within both companies, as well as where this data will be stored. If the personal data of the employees are going to be transferred, then the transfer, collection and processing of such data must be in compliance with the E.U. Directive. A second factor that Privacy Haven must identify is whether the merger is a friendly or hostile takeover. If the merger is friendly, Privacy Haven will likely be allowed to transfer its employees’ data under Article 26(1)(c), which allows data transfers to third countries if the transfer is ultimately “in the interest of the data subject.”151 The treatment, of course, of such data in the third country must be “adequate.” If the merger is a hostile takeover, Privacy Haven will likely be prohibited from conducting such transfers because the hostile environment will not be “in the interest of the data subject.”152 Moreover, if the data transfer is blocked by E.U. authorities, then Privacy Haven may be forced to develop internal procedures to ensure that the employees’ data are retained in Europe and to restrict access to such data to only senior human resource management within the new company.

149 See SWIRE & LITAN, supra note 143, at 93.
150 See id.
151 E.U. Data Directive, art. 26(1)(c).
VII. HONG KONG

A. THE RIGHT TO PRIVACY UNDER HONG KONG LAW

The constitutional protections of privacy that Hong Kong residents currently enjoy are contained in the Basic Law of the Hong Kong Special Administrative Region of the People’s Republic of China.153 Article 29 provides "[t]he homes and other premises of Hong Kong residents shall be inviolable. Arbitrary or unlawful search of, or intrusion into, a resident’s home or other premises shall be prohibited."154 Article 30 provides "[t]he freedom and privacy of communications of Hong Kong residents shall be protected by law. No department or individual may, on any grounds, infringe upon the freedom and privacy of communications of residents except that the relevant authorities may inspect communications in accordance with legal procedures to meet the needs of public security or of investigation into criminal offenses."155

152 See SWIRE & LITAN, supra note 143, at 110.
153 EPIC Survey, supra note 2, at <http://www.privacyinternational.org/survey/contries-hn.htm>. This is a result of the People’s Republic of China’s resumption of sovereignty over Hong Kong on July 1, 1997. Id.
154 BASIC LAW OF THE HONG KONG SPECIAL ADMINISTRATIVE REGION OF THE PEOPLE’S REPUBLIC OF CHINA, art. 29.
In September of 1995, Hong Kong enacted its Personal Data (Privacy) Ordinance (“Ordinance”), which went into effect in December of 1996.156 The Ordinance does not differentiate between public and private sectors, and contains a broad definition of “personal data” to cover all forms of data in all media that may be personally identifiable to an individual.157 However, the Ordinance does not differentiate data based on its “sensitivity.” The six data protection principles contained in the Ordinance, which are based on the OECD principles, govern the collection,158 use,159 and security of personal data,160 and require data users to provide data subjects with access and the ability to correct their personal data.161 Additionally, Section 33 of the Ordinance places restrictions on the transfer of data out of Hong Kong that are modeled after those in the E.U. Directive.162

155 See id. at art. 30.
156 See generally Personal Data (Privacy) Ordinance (1995). This Ordinance is based on the recommendations made by the Hong Kong Law Reform Commission as a result of its six-year study, as well as a draft version of the E.U. Directive. EPIC Survey, supra note 2, at <http://www.privacyinternational.org/survey/contries-h-n.htm>.
157 “Personal Data” means any data: “(a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and in a form in which access to or processing of the data is practicable.” Personal Data (Privacy) Ordinance, § 2 (1995). However, the Ordinance does not attempt to differentiate personal data according to its sensitivity.
158 See id. at Schedule 1, § 1.
159 See id. at Schedule 1, § 3.
160 See id. at Schedule 1, § 4.
161 The Personal Data (Privacy) Ordinance, Schedule 1, Data Protection Principle 6 provides:
A data subject shall be entitled to:
(a) ascertain whether a data user holds personal data of which he is the data subject;
(b) request access to personal data –
(i) within a reasonable time;
(ii) at a fee, if any, that is not excessive;
(iii) in a reasonable manner; and
(iv) in a form that is intelligible;
(c) be given reasons if a request referred to in paragraph (b) is refused;
(d) object to a refusal referred to in paragraph (c);
(e) request the correction of personal data;
(f) be given reasons if a request referred to in paragraph (e) is refused; and
(g) object to a refusal referred to in paragraph (f).
See id. at Schedule 1, § 6.
162 Section 33 of the Hong Kong Personal Data (Privacy) Ordinance provides in part:
(2) A data user shall not transfer personal data to a place outside Hong Kong unless –
(a) the place is specified for the purposes of this section in a notice under subsection (3);
(b) the user has reasonable grounds for believing that there is in force in that place any law which is substantially similar to, or serves the same purposes as, this Ordinance;
(c) the data subject has consented in writing to the transfer;
(d) the user has reasonable grounds for believing that, in all the circumstances of the case –
(i) the transfer is for the avoidance or mitigation of adverse action against the data subject;
(ii) it is not practicable to obtain the consent in writing of the data subject to that transfer; and
(iii) if it was practicable to obtain such consent, the data subject would give it;
(e) the data are exempt from data protection principle 3 by virtue of an exemption under Part VIII; or
(f) the user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in that place, be collected, held, processed or used in any manner which, if that place were Hong Kong, would be a contravention of a requirement under this Ordinance.
See id. at § 33.

In addition to the data protection principles discussed above, the Ordinance established the Office of the Privacy Commissioner163 to govern and enforce the provisions contained in the Ordinance.164 The powers of the Commissioner,165 which are based on those contained in the United Kingdom Data Protection Act, include investigating complaints,166 initiating investigations and conducting audits.167 In addition to these duties, the Privacy Commissioner may also issue codes of conduct to guide specific sectors on compliance with the Ordinance.168 Although a breach of these codes is not considered a violation of the Ordinance, it creates a presumption against a party involved in a proceeding that alleges a breach of the Ordinance.169 Due to the voluminous amount of personal data that human resource departments process every day, the Privacy Commissioner issued a Draft Code of Practice on Human Resources Management (“Draft Code”) for public comment in September of 1999.170

163 See id. at § 5.
164 A violation of any provision of the Ordinance, excluding the data protection principles, is a criminal offense. Additionally, if the violation results in damage to the data subject, the offender may be forced to compensate the data subject. EPIC Survey, supra note 2, at <http://www.privacyinternational.org/survey/contries-h-n.htm>.
165 Section 8 of the Hong Kong Personal Data (Privacy) Ordinance provides: “The Commissioner shall – (a) monitor and supervise compliance with the provisions of this Ordinance. . . . (e) carry out inspections, including inspections of any personal data systems used by data users which are departments of the Government or statutory corporations. . .” Personal Data (Privacy) Ordinance, § 8 (1995).
166 Section 37 of the Ordinance delineates the process to file a complaint under the Ordinance:
(1) An individual, or a relevant person on behalf of an individual, may make a complaint to the Commissioner about an act or practice –
(a) specified in the complaint; and
(b) that –
(i) has been done or engaged in, or is being done or engaged in, as the case may be, by a data user specified in the complaint;
(ii) relates to personal data of which the individual is or, in any case in which the data user is relying upon an exemption under Part VIII, may be, the data subject; and
(iii) may be a contravention of a requirement under this Ordinance (including section 28(4)).
See id. at § 37.
167 “As of March 31, 1999, the Office has received 35,968 inquiries (19,994 in 1998-1999), heard 723 complaints (418 in 1998-1999) and conducted 119 formal investigations, ruling in 62 cases that there was a violation of the Act. The Office has also issued 147 advisory/warning notices, 14 enforcement notices and has referred 18 cases to the police for prosecution.” EPIC Survey, supra note 2, at <http://www.privacyinternational.org/survey/contries-a-g.htm>.
168 Section 12 of the Ordinance empowers the Commissioner to issue codes of practice “for the purpose of providing practical guidance in respect of any requirements under this Ordinance imposed on data users.” Personal Data (Privacy) Ordinance, § 12 (1995). To date, the Privacy Commissioner has issued two codes of practice: (1) the Code of Practice on the Identity Card Number and Other Personal Identifiers, and (2) the Code of Practice on Consumer Credit Data.
169 Draft Code of Practice on Human Resources Management, available in <http://www.pco.org.hk/info/code.htm> [hereinafter “draft code”].
170 Id. at <http://www.pco.org.hk/info/code.htm>. A total of 86 comments were received from individuals, organizations, and professional bodies in response to the Draft Code. Most of the comments were concerned with the retention periods for different types of employment-related data and the prohibition on the use of “blind” advertisements – advertisements in which advertisers are anonymous, but yet directly solicit personal data from recipients. Id.

Currently, the Privacy Commissioner is in the final drafting stages of the Code of Practice on Human Resources Management, which is expected to be released in the third quarter of 2000.171 It will be the third code of practice issued by the Commissioner and will provide guidance to human resource departments to ensure compliance with the requirements of the Ordinance.172 It governs the collection,173 use, retention,174 and security175 of personal data obtained and processed by human resource departments.176 In this regard, the Draft Code specifically addresses the use of a “Personal Information Collection Statement,” which is required by Data Protection Principle 1 of the Ordinance, to inform the data subject of the purpose, retention and use of the personal data.177

171 Privacy Commissioner Issues Draft Code of Practice on Human Resources Management for Public Consultation (visited February 25, 2000) <http://www.pco.org.hk/news/news300999.html>.
172 Stephen Lau, Privacy Commissioner for Personal Data, has stated:
The Ordinance is of particular importance to HRM activities because most such activities involve the handling of personal data, and in fact quite a large number of the complaints and enquiries handled by the PCO involve employment-related personal data. We deem it appropriate to provide more detailed guidance in this area in the form of a Code of Practice. In addition, HRM practitioners often assume the role of the data protection or privacy officers in their organizations. Providing detailed guidance on the Ordinance to this profession will assist in the strengthening of privacy awareness and culture within an organisation.
Id. at <http://www.pco.org.hk/news/news300999.html>.
173 Draft Code, §§ 1.2 – 1.5.
174 See id. at §§ 1.10 – 1.31.
175 See id. at §§ 1.7 – 1.9.
1. Employee File Transfer

The Ordinance is a comprehensive piece of legislation that has a significant impact on companies attempting to transfer an employee’s file out of Hong Kong.178 Of the six data protection principles contained within the Ordinance, principles one through three require companies to inform employees of the purpose for which their personal data is being collected and to whom this data will be transferred.179 Privacy Haven can accomplish this by providing the employee with a Personal Information Collection Statement (“PICS”). Although there is no specific checklist for a PICS, it must inform the employee of the purpose and manner of data collection, the accuracy and duration of retention of such data, the use of the data collected, and any other requirements contained within Data Protection Principle 1 of the Ordinance.180

176 See id. at § 1.1.
177 See id. at §§ 1.2 – 1.5.
178 Personal Data (Privacy) Ordinance, § 33 (1995).
179 These principles have been incorporated in the Ordinance from data practices that are found in various data protection laws from around the world. Principle 1 relates to the purpose and manner of collection of personal data; Principle 2 addresses the accuracy and duration of retention of personal data; and Principle 3 discusses the use of personal data. See id. at Schedule 1.
180 Data Protection Principle 1(3) addresses the various requirements that an employer must meet when obtaining consent from an employee:
Where the person from whom personal data are or are to be collected is the data subject all practicable steps shall be taken to ensure that:
(a) he is explicitly or implicitly informed, on or before collecting the data, of –
(i) whether it is obligatory or voluntary for him to supply the data; and
(ii) where it is obligatory for him to supply the data, the consequences for him if he fails to supply the data; and
(b) he is explicitly informed –
(i) on or before collecting the data, of
(A) the purpose (in general or specific terms) for which the data are to be used; and
(B) the classes of persons to whom the data may be transferred; and
(ii) on or before first use of the data for the purpose for which they were collected, of –
(A) his rights to request access to and to request the correction of the data, and
(B) the name and address of the individual to whom any such request may be made, unless to comply with the provisions of this subsection would be likely to prejudice the purpose for which the data were collected and the purpose is specified in Part VIII of this Ordinance as a purpose in relation to which personal data are exempt from the provisions of data protection principle 6.
See id. at Schedule 1, § 1(3).

After providing employees with a PICS, Privacy Haven must also comply with Section 33 of the Ordinance, which restricts the transfer of personal data outside of Hong Kong.181 Section 33 also provides a specific exemption from the prohibition on transferring data outside of Hong Kong – when an employee gives written consent.182 Additionally, the Ordinance allows the transfer of data in limited circumstances without prior written consent. First, Privacy Haven may, without written consent, transfer data to a place specified in a notice issued in the Gazette by the Privacy Commissioner.183 Second, Privacy Haven may transfer data if it has reasonable grounds to believe that there are laws in place that are substantially similar to, or serve the same purpose as, the Ordinance.184 Finally, Privacy Haven may transfer data if it has taken reasonable precautions and exercised due diligence to ensure that the data will not be collected, processed or used in a manner that, if the place were Hong Kong, would be a contravention of the Ordinance.185

Therefore, if Privacy Haven wishes to transfer employee data to the centralized database in the U.S., it must comply with one of the three requirements above. Since the U.S. does not have laws that are substantially similar to the Ordinance, Privacy Haven will have to obtain the data subject’s written consent, or take reasonable precautions and exercise due diligence when transferring the data to the U.S.

181 See id. at § 33(2).
182 See id. at § 33(2)(c).
183 See id. at § 33(2)(a). If the Privacy Commissioner has reasonable grounds to believe that there is, in the place outside of Hong Kong, any law that is substantially similar to, or serves the same purpose as the PDPO, then he may issue a notice in the Gazette. However, the Privacy Commissioner has not yet specified any such places.

In addition to the Ordinance, Privacy Haven will soon have to address the issues discussed in the Code of Practice on Human Resources Management. Although the Code requires that Privacy Haven must inform the employee of the purpose of the data collection,186 any possible third-party transferees,187 and the
184
See id. at § 33(2)(b).
185
See Id. at § 33(2)(f). In a fact sheet posted by the Privacy Commissioner, one method
that may be used to accomplish the due diligence standard contained in the Ordinance is for the
transferor and transferee to enter into a contract that would require the transferee to apply the
data protection principles of the Ordinance to the data upon transfer. Fact Sheet # 1, Model
Contract (visited February 11, 2000) <http://www.pco.org/hk/info/model.html>.
186
Draft Code, § 1.2.1. The purposes for which employment-related personal data are to be
used may be stated in general or specific terms. Id. at § 1.9 (1.1.2). Examples of this include
data required: to pay employees and to make compensation benefits and awards, to contact
employees when absent from the office, to make tax returns, to assess employees’ performance
and training needs, to plan promotion and movement from post to post, and to administer a
retirement scheme or provident fund scheme to which employees contribute or from which they
may benefit. Id. at § 1.9 (1.1.1).
187
Id. at § 1.14. An employer is required to explicitly inform the data subject of the classes
of third parties to which any personal data from job applications, employees or former employees
- 54 -
right to access and correct data,188 the Code explicitly states that there is no
requirement to inform employees of the possible transfer to internal
departments.189 However, for the purposes of obtaining the employee’s consent,
Privacy Haven should inform its employees that it will be transferring the
employee’s data to the U.S. for the purpose of obtaining the employee’s consent.
Although the Code of Practice may not require this, it will allow Privacy Haven to
obtain the written consent of its employees and transfer the data to the U.S.
knowing that it is in compliance with the Ordinance, as well as the Code of
Practice on Human Resources Management.
2.
The Transfer of Data on a Lap Top Computer
A lap top containing an employee’s data is subject to similar requirements
as discussed above. If the employee has given prior consent to the transfer of
data outside of Hong Kong, then Privacy Haven is not in violation of the
Ordinance.190 However, with a lap top computer carrying the data, the question
arises as to where and to whom did the employee consent to have his or her
data transferred. Presumably, the employee would not consent to data being
transferred to various jurisdictions on a lap top computer, and thus, Privacy
Haven should ultimately eliminate this practice.
may be transferred. An employer must do this on or before collecting the data. Id. at § 1.14
(1.1.2).
188
Id. at § 1.12.
Id. at § 1.14 (1.1.3) provides: “Because the transfer notification requirements only apply
to transfers to third parties outside the employing organisation, there is no requirement for
employers to name other internal departments or employees of the employer to whom personal
data may be transferred for the purposes of employment.” Id.
189
190
Personal Data (Privacy) Ordinance, § 33(2)(c) (1995).
- 55 -
However, if Privacy Haven feels it is necessary to carry some employee
data on lap top computers, such as contact information, etc., then it must comply
with the requirements contained in Section 33 of the Ordinance, as well as the
Code of Practice on Human Resources Management. Since the U.S. does not
have substantially similar data protection laws as the Ordinance, Privacy Haven
will have to obtain the employees consent, or take all reasonable precautions
and exercise due diligence to ensure that the data will not be collected,
processed or used in a fashion, that if the place were Hong Kong, would be a
violation of the Ordinance.191 As mentioned earlier, it is unlikely that Privacy
Haven would be able to obtain consent from the employee to allow this data to
travel throughout the world on a lap top computer. Therefore, Privacy Haven
must take reasonable precautions and exercise due diligence that this data will
not be collected, used, or processed in a manner that would be a violation of the
Ordinance if it occurred in Hong Kong. This may be accomplished by the use of
a contract, made available by the Privacy Commissioner, between the transferor
and transferee of the data.192
In the contract, Privacy Haven must first address the applicable law to the
contract, which preferably would be the Ordinance.
Next, the contract must
delineate the obligations of the transferor. These obligations include that: (1) the
data has been collected in accordance with Data Protection Principle 1 of the
Ordinance; (2) steps have been taken to ensure the accuracy of the data; (3) the
191
See id. at § 33(2)(f).
192
Fact Sheet #1, supra note 185, at <http://www.pco.org/hk/info/model.html>.
- 56 -
data is being held only as long as needed to fulfill the purpose of collecting the
data; and (4) the transfer is permitted by the Ordinance.193 Additionally, the
contract must address the rights and obligations of the transferee.
These
obligations include the duty to: (1) use the data for permitted purposes only; (2)
to hold the data securely; (3) to destroy the data when it is not needed any longer
for the permitted purpose; (4) not transfer the data to any other natural person;
and (5) immediately rectify or delete the data upon receiving such instructions
from the transferor.194 Finally, the contract should address how disputes will be
settled, as well as how to terminate the contract.195
By creating a contract containing the terms and conditions discussed
above with any employee storing employee data on his or her lap top computer,
Privacy Haven will be able to protect itself from violating the Ordinance. Since
Privacy Haven is liable for any actions of its employees under the Ordinance and
the Code of Practice on Human Resources Management, this contract will allow
its employees to store data on a lap top computer, while providing adequate
safeguards for this information.
3.
The Merger of Privacy Haven with Another Company
The merger of Privacy Haven with another company subjects the other
company, as well as Privacy Haven, to the provisions contained in the Ordinance
and the Code of Practice on Human Resources Management. Privacy Haven
can easily comply with these provisions by obtaining the consent of the employee
193
Id. at § 1.
194
Id. at § 2.
- 57 -
before transferring any data to the merging company. Absent such consent,
companies contemplating a merger may transfer employment related data to key
officers in the respective organizations, as long as the transfer complies with the
general requirements contained in the Code of Practice on Human Resources
Management.196 The Code requires Privacy Haven to ensure that the data are
transferred for a permitted purpose, accurate and protected by practicable
measures to secure them while being transmitted.197 Additionally, Privacy Haven
must only transfer data for the permitted purpose of the merger and not transfer
any data that is excessive to accomplish this purpose.198
Once these
requirements are met, Privacy Haven and the merging company should establish
a single set of privacy policies and practices for the combined employment
related data of the organizations.199 By fulfilling the above requirements and
establishing such a policy after the merger, Privacy Haven will ensure that it is in
compliance with the Ordinance and ensure its employees against the misuse of
their personal data.
VIII.
CONCLUSION
As a result of current and emerging data privacy and transborder
protection laws throughout the world, the human resource departments within
multinational companies must address various issues relating to the personal
195
Id. at § 3.
196
Draft Code, § 1.7.1.
197
Id. at § 6.1.1.
198
Id. at § 6.1.6.
199
Id. at § 6.7.9.
- 58 -
data of their employees. If multinational companies do not adhere to these data
privacy laws, then their business activities within these jurisdictions may be
prevented and they may also face both civil and criminal liability as a result of
breaching their employee’s fundamental right to privacy. Therefore, multinational
companies must enact internal compliance strategies corresponding to the
jurisdiction(s) in which their employees conduct their business activities.
First, if multinational companies have employees domiciled in E.U.
Member State countries, then they must adhere to the E.U. Directive. If E.U. and
U.S. governmental officials reach a compromise with the U.S. Safe Harbor
principles that are certified by the European Commission, then multinational
companies whose data privacy protections are in conformity with the agreed
upon principles will qualify for the Safe Harbor and will be free from restrictions
on data transfers imposed by E.U. Member State countries.
Multinational
companies may also seek self-certification for the Safe Harbor that requires a
letter to the DOC, signed by a corporate officer, containing the specifics of the
company’s compliance with the principles.200
Alternatively, multinational companies, even those with good computer
security, should conduct an internal audit on their data privacy protection, and
ask themselves the following seven questions:
(1)
Do we give employees a private right of action to sue
us for breaches of privacy and errors in personal data?;
200
The essential elements of self-certification are: (1) awareness; (2) choice; (3) data
security; (4) consumer access; (5) consumer recourse; (6) verification; and (7) consequences.
- 59 -
(2)
Do we religiously delete all employee data as soon as
it becomes obsolete or is no longer needed?;
(3)
Do we ensure we collect no employee data that are
not strictly necessary?;
(4)
Do we give our employees a right of access to data
about themselves and a viable way to challenge it if it is
wrong?;
(5)
Do we refrain from all automated decision making
(such as processing job applications and credit applications
by computer)?;
(6)
Do we tell employees what data about them we
collect, and do we get their consent to process it?; and
(7)
Do we have written contracts (or equivalent
protections) in place with our [Australia, Brazil, E.U., or Hong
Kong] subsidiaries, which legally bind us to adhere to [the
data protection laws in these countries]?201
If a multinational company cannot answer yes to all of the above questions, then
it must make appropriate changes to its human resource practices.
Multinational companies should also join an industry specific association
that has established self-regulatory procedures that are compliant with the
jurisdiction(s) in which its employees are conducting their business activities.
Moreover, multinational companies should cooperate with the data protection
authorities in the jurisdiction(s).
By complying with the recommendations
contained in this Comment, a multinational company will be able to comply with
the most stringent data protection laws in the world, and protect themselves from
liability for the misuse of their employee’s data in these various jurisdiction(s).
201
Broughton, supra note 19, at 295-296.
- 60 -
Download