I. INTRODUCTION

As multinational companies continue to grow and dominate the world’s economy, their human resource departments have undergone substantial changes in their attempt to perform their role as the employment controller within their respective companies. They have not only used modern technology to collect and process employee data, but have also centralized this data in internal databases. However, various international jurisdictions have enacted complex data privacy and transborder data protection laws for their citizens that limit, and in some circumstances prohibit, the employee data collection and processing practices that human resource departments currently follow. As a result, many human resource departments of multinational companies are unaware of, or do not comprehend, the complex procedures they must adhere to in order to transfer employee personnel files within their company.

This Comment argues that the strict formalities of global data protection laws must be adhered to in order to transfer personal data within a multinational company. Part II of this Comment explains the evolution of data protection laws that specifically address data transfer. In this regard, Part II also explains the role of human resource departments within a multinational company and the various issues they must address when collecting and disseminating personal data. Part III of this Comment analyzes various data protection laws and their applicability to three scenarios that may arise within the human resource department of a multinational company. Parts IV-VII of the Comment analyze the data protection laws of the Commonwealth of Australia, the Federal Republic of Brazil, the European Union Member State countries and Hong Kong as they apply to these three hypothetical scenarios. Part VIII of this Comment concludes that a multinational company may face both civil and criminal penalties if it fails to implement a data transfer policy that complies with the data privacy and transborder data protection laws of the various jurisdictions in which it operates.

II. BACKGROUND

A. History of Data Privacy

Over the past thirty years, developments in information technology have jeopardized individuals’ fundamental right to privacy. Particularly with the advent of computers and networks, data controllers[1] were able “to collect, store, use and disseminate personal data outside of an individual’s control.”[2] As a result of this modern technology, the transfer of personal data by data controllers accelerated, while individuals’ right to privacy was drastically jeopardized.[3] Consequently, countries began to implement their own national laws on the transfer of personal data.[4]

The first comprehensive data protection law was enacted by the German State of Hesse in 1970.[5] In that same decade, other European countries, i.e., Austria, Denmark, France, Luxembourg, Norway and Sweden, as well as the United States, followed Hesse’s lead and enacted their own national laws addressing data privacy.[6]

Thereafter, many countries adopted omnibus data privacy laws based upon individuals’ fundamental right to privacy.[7] Many of these national laws prohibit data controllers from transferring personal data to countries without equivalent data protection laws.[8] As each country adopted its own data protection measures, disparities arose between these national laws that created potential obstacles to the free flow of information, because data controllers were prohibited from transferring personal data to countries that did not provide sufficient protection.[9]

As a result of the disparity in the emerging levels of data protection in various international jurisdictions, initiatives began to take place at a global level. For example, European countries became concerned about the level of protection of their citizens’ personal data when this data was transferred to other countries with less stringent controls. Consequently, in 1980, the Organization for Economic Cooperation and Development (“OECD”), whose membership includes the United States, issued a set of non-binding guidelines stating the privacy norms recognized by the participating states.[10] These guidelines called for individual countries to implement legislation protecting data privacy so that personal data could be shared more easily across borders by eliminating the disparity in the levels of data protection in various jurisdictions. In meeting this goal, the OECD guidelines endorsed a free transborder flow of data between countries that protect data privacy, while calling for restrictions on such exchanges if the receiving country did not have “equivalent protection.” Although the guidelines have no legal force, they served as a valuable model for the Council of Europe, which drafted its own convention a year later.[11] Currently, the 1981 Council of Europe Convention on Data Protection has been ratified by 20 European Union Member State countries.[12] Like the OECD guidelines, it requires participating states to implement domestic legislation and to block transmission of personal data to other countries that do not offer “equivalent protection.” Both the OECD Guidelines and the Convention, however, allow for great variance in the level of protection that is actually offered. Thus, there was little consistency throughout Europe with regard to personal data legislation, both in substance and in application.

This disharmony led the European Commission (i.e., the administrative body of the European Union) to draft a uniform set of principles on which European Union Member State countries could base their respective national laws and thereby overcome these obstacles.[13]

Specifically, the Council of the European Union and the European Parliament adopted the Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (“E.U. Directive”) in order to harmonize the national data protection laws of European Union Member State countries.[14] The drafters recognized that if the Directive harmonized the Member States’ laws, then Member State countries could transfer data to other European Union Member State countries while still safeguarding the fundamental rights and freedoms of their citizens.[15] If data controllers in a European Union Member State country transferred data to a third country that failed to protect personal data, however, then the Member State country’s protection of personal data would be effectively lost once the data reached the third country.[16] Consequently, the E.U. Directive includes provisions on preventing data from being sent to countries without sufficient data protection.[17]

Thereafter, other countries outside of the European community, including the Commonwealth of Australia, the Federal Republic of Brazil, Hong Kong and the United States, also enacted legislation to allow the free flow of information while still protecting personal data. The level of data protection in each jurisdiction varies to some degree, but most jurisdictions that have data privacy laws require personal data to be:

(1) obtained fairly and lawfully;

(2) used only for the original specified purpose;

(3) adequate, relevant and not excessive to accomplish a specified purpose;

(4) accurate and up to date;

(5) kept secure; and

(6) destroyed after its purpose is completed.[18]

These fundamental principles must be adhered to not only by governments, but also by the private sector, e.g., human resource departments within a multinational company.

B. History of Human Resource Departments

The human resource departments of multinational companies handle voluminous amounts of data about their employees each day.[19] Advances in technology have allowed these companies to transfer this data across national borders with minimal time and effort. However, due to the recent emergence of data protection laws in various countries around the world, these multinational companies are now forced to address the various data protection principles contained within these national laws.[20]

Data protection laws hamper a multinational company’s ability to process employee data because many multinational companies centralize their human resource data.[21] These laws affect the routine data flows of a multinational company, such as the distribution of a phone list, as well as the transfer of sensitive data to its centralized human resource database.[22] Therefore, a company must provide its employees with various data protection safeguards before transferring data to a centralized human resource database located in another country that lacks similar data protection laws.

A multinational company must first provide its employees with a private right to sue for any violations of privacy or errors in their personal data.[23] Additionally, the company must delete all employee data that is no longer needed for the purpose for which it was collected,[24] and collect only data that is necessary for employment purposes.[25] Human resource departments must also inform employees what data they are collecting,[26] obtain consent from employees before collecting this data,[27] and allow employees access to their data in order to maintain its accuracy.[28] Finally, if the multinational company centralizes this data, it must enter into legally binding contracts with the individuals responsible for maintaining the centralized database within the company in order to ensure compliance with the data protection principles of the respective countries.[29] If a multinational company fails to provide any of the above-mentioned protections to its employees and their data, it must rectify this problem before transferring data out of jurisdictions that have enacted data protection laws.

III. ANALYSIS

My understanding of the rule that has emerged from prior decisions is that there is a twofold requirement, first that a person have exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as “reasonable.”

John M. Harlan (1899-1971),

Katz v. United States, 389 U.S. 347, 361 (1967) (concurring)

A. Data Privacy Protection In The United States

The United States (“U.S.”) has traditionally favored a self-regulatory approach with limited government intervention for data privacy protection.[30] Moreover, with the emergence of the Internet as a powerful business tool, the Clinton administration continued to endorse self-regulation, stating that the privacy rights of individuals must be balanced with the free flow of data.[31] Some domestic legislation does exist, but it is industry specific and limited in scope, so that it does not cover the vast majority of existing personal data. Although numerous pieces of legislation involving data privacy are currently under consideration in Congress, they continue to be limited to particular industries.[32]

An overview of the development of privacy law in the U.S. helps explain the country’s strong endorsement of self-regulation as its current domestic approach to data privacy protection.

1. Public Sector

The United States Supreme Court has recognized a Constitutional right to privacy.[33] This right, however, applies only to the protection of privacy from governmental interference, and does not extend to the private sphere. Likewise, nine states specifically protect the right to privacy in their constitutions.[34] Of these, only California, through its courts, has extended this constitutional protection to the private sector. A number of congressional enactments likewise limit the government’s intrusion into the personal affairs of U.S. citizens. For example, the Privacy Act of 1974 regulates how the federal government collects and uses personal data in its databanks.[35] Under the Privacy Act of 1974, individuals about whom data is compiled (“data subjects”) have the right to access their personal data maintained by the government and to request that any inaccurate data be corrected.[36] The Privacy Act was subsequently amended by the Computer Matching Act of 1988, which established procedures for government agencies that compare automated personal data.[37] Additionally, the Right to Financial Privacy Act of 1978 controls the circumstances under which the federal government may access an individual’s financial data.[38] These statutes, along with several others, control the government’s collection, use and disclosure of personal data.[39] However, they do not cover the vast majority of transborder data flows.

2. Private Sector

As in the public realm, there is no single source of privacy law that governs the private sector. Since the 1970s, a patchwork of federal legislation has been enacted to deal with industry-specific privacy issues. The first formal privacy regulation in this area was the Fair Credit Reporting Act of 1970 (“FCRA”), which controls the use of personal data in consumer reports by credit reporting agencies. Although extensive, the FCRA covers only the disclosure of personal data by narrowly defined “credit reporting agencies” and does not regulate the use of data for purposes such as direct marketing. The FCRA does, however, protect an individual’s personal data when an employer decides not to hire that individual based upon a requested credit report.[40] The FCRA requires the employer to notify the individual of the report it received and the name of the credit reporting agency, and if the individual so requests, the agency must reveal the content of the report.[41] Another protection related to the banking and finance industry requires notice to the data subject when account data will be regularly disclosed to third parties.[42] In the 1980s, both the Cable Act[43] and the Video Act[44] augmented the specific rights of data subjects. These acts require data controllers to inform data subjects when their data is being collected, and require consent before certain data can be released to third parties. Mailing lists, however, may be shared for purposes of direct marketing unless the subject “opts out.” Both acts leave ample room for entities that collect and use data to maneuver, even when consent is not required, if disclosure is for a “legitimate business activity.” The use of personal data is further regulated under the Telephone Consumer Protection Act of 1991, which gives the Federal Communications Commission authority to regulate telephone solicitations.[45]

Recent trends have likewise moved towards greater personal data privacy protection in the employment context. This arena presents a unique tension between the employer’s interest in efficient business practices and the employee’s right to individual privacy. Prior to Congressional intervention, employees generally sought protection of their privacy interests through common law tort claims such as intrusion upon seclusion and intentional infliction of emotional distress. While these are still viable claims, federal statutory enactments addressing electronic communications have had specific relevance and applicability to the private employment sector. The Electronic Communications Privacy Act of 1986 (“ECPA”) makes it illegal to intentionally intercept, use or disclose any oral, wire or electronic communication without the prior consent of the employee.[46] There are important exceptions allowing employer interception in the “ordinary course of business.” Similarly, the Stored Communications Act governs intentional access to electronic communication service facilities.[47] Again, significant exceptions, such as authorization by the service provider or the service user, give considerable flexibility to the employer.

Throughout the years, these federal legislative initiatives have been complemented by industry self-regulation. Individual companies and associations have developed, adopted and publicly disclosed their privacy policies relating to the personal data of both their employees and their customers. The industry-specific approach of federal law mixed with private self-regulation that has emerged in the U.S. is quite different from that taken by Europe, as well as by the Commonwealth of Australia, the Federal Republic of Brazil and Hong Kong.[48]

B. Hypothetical Scenarios

In order to analyze transborder data laws in various jurisdictions as they apply to human resource departments within multinational companies, this Comment presents and answers three common hypothetical scenarios under the transborder data laws of the Commonwealth of Australia, the Federal Republic of Brazil, the European Union, Hong Kong and the U.S.

Privacy Haven, Inc. (“Privacy Haven”) intends to collect personal data from its employees in the above-mentioned jurisdictions and transmit this data to a centralized human resource database located in the U.S. The employee data would be accessed and reviewed only by senior management at Privacy Haven. Based on this hypothetical situation, how do the various data protection laws apply to the following situations:

1. Employee File Transfer

2. Transfer of Data on a Laptop Computer

3. The Merger of Privacy Haven with Another Company

IV. COMMONWEALTH OF AUSTRALIA

A. The Right To Privacy Under Australian Law

Neither the Australian Constitution nor the constitutions of the six Australian states provides residents with an explicit guarantee of privacy.[49] However, the Australian federal government has passed legislation regulating the privacy and processing of an individual’s personal data.[50] The Privacy Act 1988 was passed in response to protests in the mid-1980s against the Australia Card scheme[51] and is the principal piece of legislation governing the privacy of personal data in the public sector of Australia.[52] The Act created eleven Information Privacy Principles (“IPPs”), which are based on the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,[53][54] and established the Office of the Privacy Commissioner.[55] Although the Act and the IPPs contained within it do not govern the use of personal data by the private sector, with the exception of Tax File Numbers (“TFNs”) and credit reporting agencies,[56] the IPPs govern all processing of personal data by public entities.[57] These IPPs establish standards for the collection, use, disclosure and security of personal data, and allow the individuals to whom the data pertains to access and correct it.[58] In addition to the Privacy Act, Australia has also enacted the Telecommunications Act 1997,[59] and the Privacy Commissioner has issued Tax File Number Guidelines (“Guidelines”) to regulate the privacy concerns in these specific areas.[60]