Recent developments in privacy laws in both the U.S. and abroad have created some unwelcome new potholes for outsourcing transactions. Privacy and its close cousin, data security, are emerging as key new topics that present both legal and business risks. Failure to consider and plan for privacy issues can make for a bumpy ride. Consequences for privacy missteps range from official enforcement actions to fines and penalties to private lawsuits. Even more damaging is the loss of public trust that can result from privacy problems.
The following article provides a brief overview of significant privacy law developments in the U.S. and internationally and offers some tips for paving the way to privacy compliance in business process outsourcing transactions.
U.S. Privacy Landscape
The U.S. historically has favored self-regulation for privacy protections. This meant that, until recently, there was little privacy law to consider in outsourcing transactions. Currently, consumer protection groups and governments are worried that privacy rights are disintegrating as technologies advance, producing bigger and better databases, data mining, CRM tools, cookies and cross-matching of data, Internet use, data sharing, and outsourcing.
To address some of these concerns, Congress recently enacted the following privacy legislation in the areas of personal financial information and information collected online from children under 13.
- The Gramm-Leach-Bliley Act governs personal financial information.
- Health Insurance Portability and Accountability Act (HIPAA) covers health and medical information.
- Children's Online Privacy Protection Act (COPPA) governs information collected online from children under the age of 13.
Apart from the recent laws and a few prior existing ones, many U.S. businesses rely on self-regulation. Protection of information is achieved by voluntary industry guidelines, membership in privacy certification programs such as TRUSTe, or compliance with a self-established privacy statement and program. The Federal Trade Commission (FTC) has taken an increasingly active role in the enforcement of privacy initiatives, as is evidenced by recent enforcement actions against Eli Lilly and ToysRUs, among others. States, too, are beginning to add to the growing body of privacy law and regulation.
Outside of the U.S., privacy regulation is developing at a rapid pace. Multinational companies, or companies that simply receive data from other countries, may be subject to local privacy regulations. The European Union (EU) has been a leader in enacting and enforcing privacy regulation.
- EU Data Privacy Law. The EU privacy law applies to any business that collects and processes personal data on EU residents. You do not have to be located in an EU country to be subject to the EU privacy laws. Many business functions are subject to the EU privacy laws, such as employee data, accounting systems, customer data, and patient data, as well as all other functions involving the collection and processing of personal information. This affects many areas of business process outsourcing, such as the outsourcing of human resource functions and many financial functions. The EU privacy laws also tightly regulate transfer of personal data outside of the EU. Because of these trans-border data flow issues, the EU Data Privacy Law is having a major impact on privacy policies and practices of organizations worldwide.
- Other International Developments. Many other countries are following the EU's lead in regulating data privacy. Some countries that would like to gain admission to the EU are considering adopting laws similar to those of the EU. Other countries such as Canada, Australia, Argentina, and Japan have enacted or are considering their own new data privacy laws.
Who Is Affected by Privacy Laws and Issues?
In a word, everyone. If your business has employees, then you have privacy issues. Employee records, health, medical and insurance information, employee performance data, employee portals, intranets, eLearning facilities, monitoring employee use of technologies, and more are some of the ways businesses collect data on employees - data that is or may be subject to privacy laws and regulations. If you plan to outsource any of your employee or human resources functions or some of your technology functions, you will encounter and be forced to deal with these privacy issues.
If your business is in one of the U.S. regulated industries, such as financial or health care, then you have additional privacy issues to address, and you have additional issues to address with your supplier. If your business collects information from customers, whether in a consumer or business context, then you have privacy issues regarding the collection, use and disclosure of that data. If your business shares data with third parties, whether as service providers, alliance partners, outsourcers or otherwise, then you need to be concerned about the privacy practices of these third parties and how they could impact your business.
What Should You Do?
Understanding the impact of privacy laws on your business is the first step. Businesses should appoint a privacy team that will lead it through the assessment, planning, communication, and eventual compliance steps. For example, an appropriate team might include representatives from the following areas: HR, legal, marketing, communications, technology, finance, corporate strategy, etc. In some cases, corporations like IBM, Microsoft, and AT&T are appointing "Chief Privacy Officers" and privacy teams to lead the effort in helping businesses meet privacy compliance requirements.
What About Your Supplier?
Businesses that outsource activities involving employee, customer, or other personal information must team with legal counsel to ensure that suppliers comply. That's because the privacy laws generally put the burden of compliance on the customer, not the supplier. Consider the following suggestions for managing your supplier:
- Know the Privacy Laws, But Make Sure Your Supplier Knows Them Too. Usually the customer will shoulder most of the direct obligations under the privacy laws. Outsourcing suppliers will seek to shift responsibility and cost for tracking new developments in the law to the customer. This shift may not be appropriate in all cases, especially when the supplier has multiple customers who are subject to privacy laws. You will need to negotiate the proper allocation of responsibility for staying up to date.
- Don't Pay the Supplier's Whole Tab for Compliance. Compliance with privacy laws costs money. You and the supplier may have to consider changes in technology infrastructure, data handling procedures, security measures, data storage, locations of data centers, information sharing policies, and many others. A good outsourcer will already be familiar with the laws applicable to it and its customers and will have taken action to comply. Resist supplier attempts to present you with the whole bill for compliance.
- Get Strong Contractual Assurances. Your outsourcing supplier should agree to a variety of provisions aimed at helping you to comply with privacy laws. These include your control over and access to the data, the use of appropriate data security measures, restrictions on data use, transfer, processing, and sharing, an agreement to make changes as required by changes in privacy laws, facility audit rights, and many other similar topics. In some cases, the privacy laws may require use of specific contractual provisions, as is the case with the EU privacy laws.
Businesses that attempt to go over privacy potholes do so at their own risk. They can make the wheels come off if you don't avoid them. Avoidance takes planning and implementation, which may cost money and take effort. Failure to comply, however, may in the long run cost more.
Lessons from the Outsourcing Journal:
- Work with legal counsel and other business heads to determine privacy requirements for your business.
- Plan for privacy requirements in outsourcing relationships.
- Monitor privacy developments and modify outsourcing arrangements as necessary.
Based in Chicago, attorney Rebecca S. Eisner is a partner in the Information Technology and Outsourcing Practice of Mayer, Brown, Rowe & Maw, an international law firm headquartered in Chicago, Illinois with 13 offices in the United States and Europe. You can reach Rebecca Eisner at [email protected].