Global Data Protection: Strategy Instead of Compliance?

Article by Dr. Sebastian Kraska (attorney at law, external Data Protection Officer).

For many corporate managers, data protection law has so far been little more than a marginal issue, an area in which lawmakers have imposed burdensome regulations on companies. In taking this view, companies overlook the strategic relevance of data protection regulation.

Background: “Three-pronged development”

It is possible to observe a kind of three-pronged development in the handling of personal data: (1) the requirements of data protection regulations are constantly increasing especially for European companies, (2) at the government level, there is an increasing trend to compile personal data of citizens and (3) at the same time, consumers are increasingly providing personal information on the Internet.

Regulatory status: “Who is permitted to use what data and for what purpose?”

In the field of data protection law, the central question is who may use which data, and for what purpose. Data protection law is not just one more statute that companies comply with only to avoid fines; it ultimately governs the possible economic uses of personal data.

Culturally different approaches when handling personal data

Around the world there are cultural differences in the handling of personal data. In Asia, for example, personal data does not enjoy any general protection per se unless the affected party has separately and deliberately asserted a legitimate interest in it.

Europe: Data protection as a constitutionally protected legal position

In Europe, the prevailing notion is that the protection of personal data is necessarily a constitutionally protected legal position of everyone and companies therefore can only benefit economically from personal data in a limited fashion or while observing the constitutionally protected legal position of the individual.

The situation in the U.S.: Granting extensive usage rights

The approach primarily followed in the U.S. is that companies have nearly comprehensive usage rights with regard to the disclosed personal data of affected parties.

This might have to do with the general character of the U.S. to grant companies as well as individuals broad freedoms with respect to their (economic) activity and to intervene with regulatory measures only to the extent that this is absolutely necessary.

Data protection as a subject of European economic policy

Because European lawmakers take the regulatory approach that personal data may only be processed by companies that ensure an appropriate level of data protection, data protection law also lends itself to the protection of European economic interests as business processes become increasingly digitalized.

Economic policy (1/8): Appropriate data protection level

While an appropriate data protection level is deemed assured for companies in the member states of the European Union and the European Economic Area, because the relevant EU data protection directives and the national regulations implementing them apply there, data protection laws allow the transfer of data to companies outside the EU/EEA only if an appropriate data protection level is ensured.

Economic policy (2/8): Export of European data protection policies

Ensuring this “appropriate level of data protection” for the data recipient is possible in many ways. Stated in simple terms, the following options exist: (1) the company receiving the data signs so-called “EU standard contracts” and agrees to comply with European data protection standards, (2) an entire country adopts data protection regulations based on the European model and also enforces them (the EU Commission will specifically decide on the similarity of the regulations and the extent of their enforcement), (3) an association of companies in consultation with the data protection regulatory agencies adopts global company guidelines (so called “Binding Corporate Rules”) that take into consideration European data protection standards with respect to the handling of personal data, or (4) in the case of U.S. companies, they can agree to comply with data protection laws on the European model as part of a self-certifying process (so-called “safe harbor concept”).

Economic policy (3/8): EU standard contracts

The EU standard contracts ultimately export European ideas concerning the handling of the transmitted personal data to all companies receiving the data. Even though in practice the contracts have so far rarely been exercised to their full extent, particularly with respect to the rights they grant to European data protection regulatory agencies, the foreign companies are de facto subject to European data protection law with respect to the data they receive.

Economic policy (4/8): Appropriate data protection level as a decision from the EU Commission?

The decisions of the EU Commission about the appropriateness of the data protection level are ultimately also relevant in terms of economic policy. This is because the EU Commission’s assessment of whether a third country has established data protection regulations similar to the European data protection laws and, more importantly, also largely enforces them ultimately decides whether European companies, in simple terms, can more easily exchange data with companies in these countries. Of interest in this context is the insufficient implementation of the European Directive 95/46/EC in Germany, which permits data export only in a limited fashion despite an adequacy decision by the EU Commission; see in detail the article “Germany's Reluctance To Accept European Commission Decisions Concerning The Adequacy Of The Level Of Data Protection In Non-EU/EEA Countries” by Professor Dr. Michael Schmidl.

Economic policy (5/8): Data protection laws are applicable but not (yet) enforceable globally

It is worth mentioning that national data protection regulations frequently apply on the Internet but de facto cannot (yet) be enforced there. However, there are various efforts, primarily at the European level (but most recently also at the G-8 summit), to enforce data protection laws on the Internet as well.

Economic policy (6/8): “Subsidiary taken hostage”

One interesting development is that subsidiaries are increasingly being held responsible for, or questioned about, data processing that is carried out solely by the parent company (which is foreign and located in another legal territory).

Economic policy (7/8): Turning away from any personal reference

As already stated elsewhere, there has been a development to regulate all data processing independent of any reference of data to a natural person in processing areas defined as particularly sensitive.

Economic policy (8/8): Data transfer within the corporate group

The lack of a so-called group privilege (often criticized by companies) ultimately has a bearing on economic policy, since it favours a certain kind of company structure for data protection law reasons. The (simplified) background: data exchange between affiliates (e.g., two companies in the same corporate group) is regulated under data protection law as a transfer “between third parties.”

U.S. companies and data protection: Considering strategic aspects

U.S. Internet companies should therefore review their position on the topic of data protection and follow European regulatory tendencies from a strategic perspective rather than merely a compliance perspective.

As stated, U.S. companies consider personal customer data generally to be an asset and something that creates company value, which can be used economically at the discretion of the company without the affected parties being able to exert any substantial rights of influence on the handling of their personal data.

In the U.S., responsibility for one’s actions has great significance with respect to handling one’s own data and is primarily the responsibility of the affected party. In Europe, by contrast, lawmakers are trying to protect the affected party from its own actions.

Conclusion

Given its importance and power of innovation, the American IT industry should review its own position on the issue of data protection and should not only follow European regulatory trends from a compliance perspective but also develop its own strategic positions.
