This white paper explores privacy concerns and what is going on in the world with regard to protecting personal information. It then goes over the challenges that face organizations, what they need to do to protect the privacy of information wherever it is in the world, and the actions organizations must take to meet legal and contractual requirements.
What Is Going on in the World?
Differing legal requirements for moving data across borders create a huge challenge for multinational companies. Many countries impose different data protection requirements on data moved across borders than on data moved within domestic borders. A few countries, such as the United States and China, generally allow PII to be transferred across borders without restrictions. The laws of different countries are by and large not in harmony, so compliance becomes very tricky for organizations doing business on a multinational level. For example, within the European Union (EU), organizations must contend with differing local interpretations and implementations of the EU Data Protection Directive on such issues as data subject consent and access to their applicable PII. Countries are aggressively pursuing compliance actions under their data protection laws. In various nations, privacy enforcement authorities have stated that they are just getting started and expect enforcement to increase markedly.
In the EU
The EU nations have assessed millions of dollars in fines for noncompliance with the EU Data Protection Directive and applicable country privacy laws, with a couple of the highest to date running at 840,000 Euros (approximately US$900,000) and 1.08 million Euros (approximately US$1.17 million). Many of these actions have been related to moving data over country borders to a receiving country that is not considered as having adequate data protection requirements, such as the United States.
Spain has been particularly vigorous, alone assessing more than 150 penalties in 1999. That year marked the start of Spain's aggressive pursuit of privacy compliance enforcement. In 2001, Spain imposed fines against approximately 500 companies totaling $13 million. France passed the Data Protection Act in 2004. In 2005, the country performed 100 compliance audits, and for 2007 it plans joint audits with the other 24 EU countries covering data protection at health insurance companies.
In Canada
In 2002, Canada launched 1700 investigations and found many violations across the spectrum of commerce. A huge concern in Canada is the transfer of PII to the United States, where it is feared the USA PATRIOT Act will allow unfettered access to the personal information of Canadian citizens.
In 2003, Canada completed 278 PIPEDA compliance investigations; in 2004, it completed 379.
In Asia
Statistics from the Korea Information Security Agency show that personal information privacy complaints filed with the agency increased more than tenfold, to 21,585 in 2003 from 2,035 in 2000. From 2001 through 2002, 483 privacy complaint cases were completed in Hong Kong by the Privacy Commissioner Office (PCO). The cases often involved failing to obtain individual consent for the PII, or wrongful transmission or use of PII.
In Hong Kong during 2004, 15,436 enquiries about potential privacy violations and 900 privacy complaints were submitted.
OECD Transborder Data Flow Guidelines
The Organization for Economic Cooperation and Development (OECD) was the first international organization to issue guidelines for data privacy. Its 1980 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data are still recognized as representing an international consensus on privacy standards and as providing guidance for the protection of personal information. The guidelines are used as the basis for most international data protection laws. The guidelines cover the following principles:
- Collection Limitation
- Data Quality
- Purpose Specification
- Use Limitation
- Security Safeguards
- Openness
- Individual Participation
- Accountability
What Are the Challenges?
The biggest challenges facing organizations with regard to international data flow and maintaining data privacy include:
- Defining PII within each organization
- Knowing where PII comes from
- Knowing whether all applicable requirements for consent and access are met
- Knowing where PII is stored
- Knowing where PII is accessed
- Tracking PII data flows
- Keeping up with all the laws and regulations