Friday, October 11, 2013

The international POV on Data Privacy laws

I promised back in July that I would provide some notes about the legal impacts of data privacy in the cloud. I started writing such notes, but I realized very quickly that I could not do so without first gaining a better view of where specific data privacy provisions exist and how they can conflict with each other.
That took me some time. I guess it is a work in progress: every day new content is published and new questions seem to arise, but I feel it is a good start, and a necessary one before talking about the cloud.

I am sharing an overview of my findings here. Please always bear in mind that this is personal research and I have no claim to any legal title; if in doubt, please do yourself a favor and seek legal counsel.

International law coverage

Let's start by looking at this map. It is based on what I know, and I just updated it with my most recent readings... but even if (IF) it is complete now, readers beware: it will not be tomorrow, so let's consider it a starting point.

Let's start easy.

The blue countries are the group of European Union member states (pro memoria: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, UK). We tend to expect a common data privacy approach, and indeed there is one: the restrictions and the obligations are in fact the same, but the way they are applied can vary quite widely. Spain, Italy, Portugal and Germany are notoriously demanding in terms of data privacy laws, as much in terms of burden of proof or audits as in terms of penalties for non-compliance.
In addition to the EU countries, the light blue countries are also part of the EEA (European Economic Area), and as such are included among the countries the EU permits for personal data transfers: Iceland, Norway and Liechtenstein.

The green countries are considered safe haven third countries according to the EU regulation: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. So in fact, personal data can flow freely among all blue and green countries... Looking at the map, that's nice, but we are far from global coverage.

Now we get to the dicey part, in red. Bluntly, as a sequential list, here are the countries that have legislated in the area of data privacy protection. Caveat emptor: this is a work in progress and legislation changes continuously.
Note in particular the hatched areas, Russia and China, where the current legislation is not quite "protective": it covers only the highlights and does not appear to be enforceable.

Costa Rica: Protection in Handling Personal Data of Individuals
Peru: New data protection act, inspired by the Spanish Data Protection Act and the APEC (Asia-Pacific Economic Cooperation) Privacy Framework
Japan: Personal Information Protection Act (2003/2005), limited scope guidelines
Russia: Strasbourg Convention on the Protection of Individuals (2006)
Morocco: Personal Data Protection (2009) laws of generic nature
Mexico: Federal Law on Protection of Personal Data (2010)
India: New Data Protection Act covering IT topics in 2011, striving to become safe haven
South Korea: Act on the Protection of Personal Data 2011
Ukraine: Personal Data Protection (2010-2012)
Taiwan: Personal Data Protection Act (2012)
Philippines: Bill on Data Protection based on EU directive 95/46 (March 2012)
Hong Kong: Personal Data Amendment (2012), extending the Personal Data Privacy Ordinance; with a limited scope, it is aligned to the EU directive 95/46/EC
Colombia: Data protection legislation based on the 1995 EU data protection directives (2012)
Chile: Law for the Protection of Private Life (2012)
Brazil: Work in Progress (2012) Data Protection Act based on the EU directives. Privacy is protected by constitutional provisions. 
Singapore: Personal Data Protection (2012, in full force in 2014)
Malaysia: Personal Data Protection Act (2013)
China: Information Security Technology Guidelines for Personal Information Protection (Feb 2013) offers guidelines setting standards. However, the lack of penalties for non-compliance makes it difficult to consider it a strong protection. 
South Africa: Protection of Personal Information Bill (Aug. 2013, in force in 2014)
Australia: Privacy Act (2012, in force 2014)

Each of these countries has produced a law with a completely distinct flavor, which cannot quite be aligned to the others. Some are very limited in scope, others have since been completed by amendments, and others take a quite comprehensive approach that is expected to become more complete yet. So a case-by-case verification of requirements is needed. A recent and very complete assessment of the world's laws is available HERE

A breach notification requirement is in draft status for inclusion in European Union legislation, and is already imposed in some countries (in particular in Latin America).

In the US, there is the Consumer Privacy Bill of Rights, the FTC recommendations on privacy on the internet. They cover consumer data protection. However, to be able to interact better with EU countries and businesses, a Safe Harbor policy agreement has been passed between the US Department of Commerce and the EU; organizations can join and self-certify on a yearly basis. The stipulations of the Safe Harbor agreement make a US company able to receive and store EU data, but not to further exchange it outside of the Safe Haven countries considered above.

Such laws ARE in discrepancy, and generate tension internationally; in particular there are too many grey areas, one of them spanning the area of HCM cloud computing.

While a private company can overcome the multiple local rules by agreeing to stringent Binding Corporate Rules (BCRs, see my previous post) covering the collection and handling of Human Resources data, how can a service provider hosting HR applications ensure that data is going to remain private while access to multiple servers crosses international lines? Does it mean providing servers in each national location? Is that even enough, knowing that each database MUST have a backup, and that would mean multiple locations in each country?

Another relevant grey area is the contradiction in terms between the European Union's conservative approach and the Patriot Act. In particular, it is interesting to note that physical residency in the US is not required for the Patriot Act to be enforced; it is sufficient for the service provider to conduct systematic business in the United States.

The puzzle is becoming interesting, isn't it?

Comments are welcome, to correct my research, to provide insight or to propose additions. Or perhaps you have heard of a specific question or situation? Do share! THANK YOU!


International privacy laws list (outdated, but still useful)

Tensions between different sets of laws
Patriot act applications
Global HR Data Privacy