What You Need to Know About Data Privacy
In an exclusive interview, Brian Hengesbaugh, partner in the Chicago office of the law firm Baker & McKenzie, discusses:
Hengesbaugh provides advice to a wide range of global manufacturers, financial institutions, pharmaceutical companies, healthcare providers, sourcing providers, retail companies, online businesses and other organizations regarding the legal aspects of global privacy and data protection, data security, information technology and related restrictions on data collection and movement. He focuses on these issues in the context of: litigation, internal investigations and government inquiries; sourcing and corporate transactions; and global company operations and applications.
Formerly Special Counsel to the General Counsel of the U.S. Department of Commerce, Hengesbaugh played a key role in the development and implementation of the U.S. Government's domestic and international policy in the area of privacy and electronic commerce. In particular, he served as the lead attorney on the U.S. side negotiating the U.S.-EU Safe Harbor Privacy Arrangement. He also served as a U.S. delegate to the Electronic Commerce Working Group of the United Nations, where he helped negotiate the UN Model Law on Electronic Signatures.
TOM FIELD: What are some of today's top global data privacy issues? Hi, this is Tom Field, Editorial Director with Information Security Media Group. I'm talking today with Brian Hengesbaugh, a partner with Baker & McKenzie in Chicago.
BRIAN HENGESBAUGH: Great to be with you, Tom.
FIELD: Just to get us started, why don't you tell us a little bit about yourself and your work, please?
HENGESBAUGH: Thank you. Yes, I am a partner here with Baker & McKenzie. I'm in the Chicago office of Baker -- we're a large global law firm. I'm on the firm's global privacy steering committee, so among all the countries around the world, we have a handful of us who sit on a steering committee for the firm. Prior to joining Baker & McKenzie, I was with the U.S. Department of Commerce, where I was Special Counsel to the General Council. And among the things that I did there, I was the lead attorney negotiating the Safe Harbor Privacy Agreement with the European Union, on behalf of the U.S. government, negotiating with the European Commission, in particular, around the Safe Harbor privacy rules. It's one way for a U.S. company to address transfers of European data back to the United States.
FIELD: So, Brian, we talked about security and privacy issues up front; there are a few of them these days. What are the ones that you're currently tracking?
HENGESBAUGH: Well, looking first at the States, you have to say that the biggest thing moving, still, in the United States, is data security breach notification. So, if a company loses Social Security numbers, or credit card numbers, other types of sensitive data, there is an obligation to notify affected individuals, as well as state agencies, and others. It's a very big dollar value issue. The Ponemon Institute estimates that the cost of the data security breach is around $204 per record, which translates to about $6.65 million per incident, itself. So, real money, and not just liability issues, but reputational issues for companies. So, that's, by far, the biggest issue in the States, and as these things go, other countries are starting to adopt data security breach laws, as well. So, that is something to watch. Outside the United States, I think the biggest thing moving is this proliferation of privacy laws. So, for years now we have been dealing with the fact that the European Union has some pretty strict privacy laws. But, now we are starting to see them increasingly in Latin America. So, Argentina has had quite a rigorous privacy law for a couple of years now, Chile, and just a couple of weeks ago, Mexico adopted a privacy law. In Asia, interesting developments: China just adopted a privacy law, which is kind of interesting. China, for years, we have known, the government is all concerned about encryption and making sure that data doesn't come into the company that they can't see, and now it looks like they are also getting into adopting privacy rules for citizens, in Malaysia, and elsewhere.
FIELD: Well, Brian, you're headed into an area that I want to talk to you about, which is global data privacy. What do you find to be the greatest challenges now for U.S.-based organizations?
HENGESBAUGH: Well, a lot of challenges, a lot of challenges. A lot of laws out there. A lot of different requirements. A lot of requirements that are a lot stricter than they are, even, in the United States, on the books. I think the first challenge is just awareness. A lot of U.S. companies haven't yet realized how strict these privacy laws are, and what it is that they really require. Another challenge is what I increasingly see are conflicts. In many respects, you have a global company, and you might want to do something like put a global HR database in the United States, or move customer data back to the United States. Or, maybe it's something more serious than that. Maybe you're implementing a whistle-blowing hotline for Sarbanes-Oxley purposes. You know, one of those anonymous and confidential mechanisms people can report violations of internal accounting rules. Or, maybe you're actually running an internal investigation on a matter, or responding to a government inquiry, where you need data and documents from foreign sources, to pull that back here. Another good example is litigation, as well. And, privacy laws really get in the way of that like no other laws do. Privacy laws are laws that regulate the flow of information, and in the information economy they are first and foremost the things you've got to address. And it's important for U.S. companies to address them because there are serious consequences for noncompliance. Maybe the best recent example is out of Italy. Three Google executives were recently found guilty of a criminal law violation by virtue of some of the content that was posted on a Google subsidiary's website in Italy. So, fortunately, the sentences were commuted by virtue of the fact that none of them had prior convictions in Italy, so they didn't actually have to serve six months of jail time, but it just shows that these rules are pretty serious.
FIELD: We hinted at this some, in talking about investigations. Brian, what are some of the obstacles for U.S. organizations, when they need to gather data from international sources?
HENGESBAUGH: Well, the thing to do when you're looking at the obstacles is you need to understand what all the regulations are that are going to apply to what it is that you're trying to do. So, first and foremost, are those data privacy rules? These are rules that are going to apply any time the data or the documents, the records you're trying to pull back to the U.S. contain personally identifiable information. And that's really broadly defined as any information about an individual outside the U.S. So, quite literally, if you have name and e-mail address and some other light touch information, that's going to be regulated by these laws. So, understanding that the data privacy rules apply first. Second is understand the context, because you may also have employment law issues. So, if you're talking about pulling data back about your employees, you may have some issues to talk to a work counselor or an employee representative body. Or otherwise make sure that what you're doing is consistent with labor law considerations. Another issue that is a pretty significant issue is if what is going on in the background is something like a Securities and Exchange Commission investigation, or U.S. government investigation, you can trigger an additional set of local rules, what are called blocking statutes, or anti investigatory statutes. And there are statutes in places like Switzerland and France, which prohibit anybody on the ground from doing anything to assist a foreign government investigation. And those, as well, are criminal statutes, so something definitely to be mindful of. You need to look at all of the applicable regulations, and design solutions for them, in order to do what you want to do.
FIELD: So, make this real for us, if you can, Brian. Give us a sense of how you have helped your clients overcome some of these obstacles.
HENGESBAUGH: Well, first and foremost, we do what I just mentioned, which is we identify what the applicable regulations are going to be. And I'd say there're two scenarios you have. You have the good scenario that we would like, which is you don't have a Securities and Exchange Commission subpoena in your hand that you need to respond to, but rather you are trying to do the planning to basically put the framework in place, to allow you to do what you want to do with data movement. So, when you are in that first set of examples, we can break down the issues for you and put in place the solutions. So, companies will, on the privacy side, we always talk about there're two big picture issues related to data privacy. One is what we call local compliance issues, obligations that would attach to you in Germany, when you are collecting and using information, and then the second is called cross-border transfer issues, when the data comes back to the United States, how do you make sure that there is adequate protection for that data when it is received here? On that second issue, the second issue is really the strategic issue, the planning issue. What is going to be the mechanism that the company used to provide that adequate protection within the meaning of European or non-U.S. privacy laws? And there are some specific vehicles that have been developed by the European Commission for this purpose, one of which is the Safe Harbor, which is what I negotiated when I was with the U.S. government. Safe Harbor is the set of privacy rules that the U.S. company promises to the U.S. Department of Commerce that it will handle European data in accordance with the Safe Harbor privacy rules. Those are rules about information security, as well as notification and access rights and other things. Then, the U.S. company, once it makes that filing with the U.S. Department of Commerce, will be deemed to provide adequate protection for the data. And if it violates those promises, for example, if it doesn't have appropriate security controls, it can be subject to an action by the Federal Trade Commission. So, that's one option. Another is inter-company agreements. There are certain model privacy forms that have been issued by the European Commission, and if the U.S. company agrees to those terms with its European subsidiaries and covers the data that it wants to be covered, that's another way of addressing adequate protection. Two others. One is an emerging solution called "Binding Corporate Rules." That would be a groupwide policy. You can think of it as a global company policy on information privacy. And the final one is consent. There is still on the books in Europe, and actually in many places around the world, that if you get an express consent from affected individuals, you can then move their data. There's some obvious limitations to that, if you're talking about a setting where, maybe the individuals or employees may not want their data to be moved, and some other limitations, but it's nevertheless on the books.
FIELD: Brian. If you could boil it down -- and I realize I'm asking you to boil the ocean here -- what can organizations be doing now to better navigate through these tricky waters of global data privacy regulations?
HENGESBAUGH: I think, first and foremost, you need to get an understanding of why you need data back from non-U.S. sources. What data is it that we, as a company, need back here in the United States about our employees, about our customers, about our business partners? Really, have an understanding of what you, as a company, need, first and foremost. From there, you build your solutions. So, for example, one of the strategic issues is how are we going to permission the transfer of data? Are we going to join Safe Harbor? Are we going to think about these model contracts? Are we going to think about Binding Corporate Rules? But pick a solution and implement that solution. That's the most important thing you can do. And then, from there, tackle those local compliance issues. You know, do what you need to do locally, in country, to do things like register with the protection authorities, make sure the right privacy notices are out to affected individuals. So, you put the framework in place now, in a flexible way, so that you've got some room to maneuver when you want to actually move data.
FIELD: Brian, great insight. I appreciate your time and your thoughts today.
HENGESBAUGH: Oh, absolutely, Tom, great to be with you.
FIELD: We've been talking about global data privacy. We've been talking with Brian Hengesbaugh, a partner with Baker & McKenzie. For Information Security Media Group, I'm Tom Field. Thank you very much.