CMP -- United Business Media

Intelligent Enterprise

Better Insight for Business Decisions






October 4, 2001



Finding Privacy Abroad

Before deciding on a new international location, companies should perform a thorough analysis of a country's privacy landscape

By Sagi Leizerov

In this competitive global marketplace, where constant growth is not only a business goal but a survival necessity, companies place a great deal of emphasis on expanding their international presence and broadening their consumer base. Whether a company enters Asia, Europe, the Middle East, or any other region in the world, a decision has to be made regarding the country where the company will locate its new facilities.

Traditionally, for making such a decision, companies compare countries across financial issues such as tax rates and the availability of incentives and subsidies for attracting foreign investments. Other common considerations may include the cost of a qualified workforce and the domestic infrastructure for transportation and communications. An issue that has only been recognized in recent years as an important consideration for expanding internationally, however, is the local regulations for protecting personal information.

Changing Privacy Landscape

In the past two decades, many countries have adopted laws and regulations for protecting personal privacy. Today, the eclectic nature of privacy regulations worldwide presents companies with both limitations and opportunities. These regulations are of particular importance to companies that depend on collecting, processing, or transferring personal information to conduct their business; companies should, therefore, consider these regulations carefully before committing to a new location. After all, recognizing the privacy regulatory landscape in hindsight may constrain your company's achievement of its business objectives and strategy.

Before committing to an investment in a new location, you should conduct a thorough analysis of its domestic privacy regulations and compare them against your company's business practices. An analysis of domestic privacy regulations that can serve as a benchmark for comparing potential locations should touch on the following areas:

  • The privacy regulatory environment. Understanding the privacy regulatory environment requires examining the current and pending privacy regulations in candidate locations. These regulations may be general in scope in some countries (as in Ireland's case) or target specific issues, such as health and financial information, in others (Australia, for instance, has several issue-specific privacy laws). Privacy regulations that may be of interest to particular companies may include industry-specific and labor laws as well. Do not review only the general laws for data protection.
  • Not all personal information is created equal. Privacy regulations in some countries (Hungary and Israel) may distinguish among the types of personal information, applying more limitations on information defined as "sensitive." Although countries may define "sensitive" differently, this term often pertains to information about individuals' financial and health status, sexual orientation, religious affiliation, and even membership in labor organizations. Check the law's definition of sensitive information to see if it has an effect on your plans for data processing.
  • Local privacy authorities. Privacy authorities, also known as Data Protection Authorities, are government offices dedicated to enforcing relevant regulations and monitoring the collection and processing of personal information. The extent of the commission's authority and the procedures this office may require companies to follow for creating and maintaining databases within their jurisdiction (such as registering and licensing) are yet another preliminary consideration for the international company. Review the administrative procedures involved, not just the general principles of the regulations, as they can add to the cost of doing business.
  • Privacy across borders. The ease with which you can electronically transfer data regardless of physical borders was the catalyst in recent years for several international and regional agreements setting limitations on the international transfer of personal information, the most prominent of which is the European Union's data protection directive. The directive, which sets a high standard for the protection of personal privacy by restricting the transfer of personally identifiable information outside of the Union (including international companies' ability to transfer such data to their own offices around the world), has led to several international agreements that extend beyond Western Europe.
    One of these agreements, which is of particular interest to U.S.-based multinationals, is the Safe Harbor agreement that sets the provisions for transferring personally identifiable information from Europe to the United States. Review the conditions necessary for the transfer of personal information among your operating locations.
  • It's not all about consumers. Although much of the discussion about the protection of personal privacy revolves around the processing of consumers' information, privacy regulations also apply to the information companies maintain on their employees. In fact, many human resource records contain financial, health, and extensive demographic information that regulators in different countries may consider sensitive.




Some regions, such as Hong Kong, have even passed regulations protecting the privacy of employees, requiring employers to disclose their monitoring practices and limiting the provisions for sharing employees' personal information with third parties.

The need to compare privacy regulations across countries before branching into new locations doesn't mean that the country with the least restrictive privacy regulations should be the location of choice. Residents of countries with little or no privacy protections may be less inclined to provide companies with accurate personal information, not to mention that such countries may change their ways and adopt more restrictive privacy regulations down the road.

Instead, for identifying the best match between your company and a country, comparing the privacy regulations against your company's business practices is the appropriate approach to take. Privacy may not be the only consideration for the international company, but it is definitely an issue of increasing importance.



Sagi Leizerov, Ph.D. [sagi.leizerov@ey.com] provides privacy assurance and advisory services for Ernst & Young.


RESOURCES

U.S. Department of Commerce Safe Harbor Web site: export.gov/safeharbor

European Union Data Protection Directive 1995: europa.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html

Australia - Privacy Commissioner and regulations: www.privacy.gov.au

Hong Kong - Office of Privacy Commissioner and regulations: www.pco.org.hk

Hungary - Parliamentary Commissioner for Data Protection and Freedom of Information and regulations: www.obh.hu/adatved/indexek/index.htm

Ireland - Data Protection Commissioner and regulations: www.dataprivacy.ie

Israel - Discussion of Privacy Protection: www.technolawgy.com/fs_lawyers.asp?inner=pu

Links to Data Protection Authorities worldwide: www.privacylaws.co.uk/links.htm

Ernst & Young - Privacy Assurance and Advisory Services: www.ey.com/privacy

Related Articles at IntelligentEnterprise.com:

"To Protect and To Serve," June 29, 2001: www.intelligententerprise.com/010629/feat2_1.jhtml

"Can You Keep a Secret?" January 1, 2001: www.intelligententerprise.com/010101/trust.jhtml





