Sunday, November 2, 2014

Data Privacy Acts - Where the World needs to Converge

Data Privacy in today's world has crossed over from being a requirement dependent on one agency or organization to being a global phenomenon. Today data traverses countries as well as continents at a speed unimaginable in the past. In a split second, data originating in the EU may be transferred to China and, perhaps, who knows, to yet another country where a hacker might be sitting and listening to the data traffic.

Let's take the example of two other countries, say India and Brazil, both being third countries (from the EU perspective) and both engaged in off-shoring of services. In this context we will consider the scenario where an Indian IT company providing services to a multinational client located in the US, Australia and the EU has its service locations in India, the US, Brazil and Germany.

In the scenario highlighted above, every geography / country involved has one or another kind of Data Privacy Law; let's examine them -

  1. European Union - EU Data Privacy Directive - EC/95/46
  2. United States - State Data Privacy Laws (enacted in 48 States), Country level Data Privacy Law pending with Senate
  3. Australia - Privacy Act 1988 (National Security Legislation Amendment Act (No. 1) 2014)
  4. Brazil - No definitive law covering Data Privacy, though Privacy requirements have been dealt with under various different legislation
  5. India - Telegraph Act 1885 amended in 2004, Indian IT Act 2000 (Amendment Act 2008) and few others cover a part of Privacy, but no comprehensive law exists
  6. Germany - Bundesdatenschutzgesetz (BDSG), the German Federal Data Protection Act, in line with the EU Data Privacy Directive (Germany, for that matter, is part of the EU and hence the European Data Privacy Directive is the base)
Now if we look at the above list, we will find that there is no commonality among the Privacy Laws across the countries / geographies except between the German Privacy Laws and the EU Data Privacy Directive.

Coming back to our scenario, there would be no issue with data transfer between any EU nation and Germany, but with the data traversing multiple borders, the Data Security Officer would have a nightmare meeting the compliance requirements, which would include -
  1. Safe Harbor - to ensure compliance between US State Data Privacy Laws as well as EU Data Privacy Directive
  2. Standard Contractual Clauses (SCCs) - to ensure compliance requirements are addressed when transferring data from EU nations to India, Brazil and Australia. It must be noted that SCCs would need to be executed for each EU nation, which means multiple SCCs to be executed.
Such scenarios are very much prevalent today, and they only add to the complexity. Organizations do have the option to file for Binding Corporate Rules, or BCRs, which provide them overall cover to transfer data, but from a business perspective that is an expensive step, and it's easier to sign multiple SCCs. All of this ends up as complexity to be handled by the Data Security Officers or the Privacy Officers. So, what is the way to handle such a complex situation and spare them that complexity?

If we take a closer look at the current prevailing situation, we will find that the root of the problem is the disparity in the Privacy and Data Security Laws across the countries / geographies. Though options like Safe Harbor are available, they too rest on self-certification / attestation.

I personally would prefer a better option, like the one between EU nations and Switzerland, Guernsey, the Isle of Man, Israel etc. In such cases, we see that the EU Commission has identified the adequacy of Data Privacy Laws and adequate Protection of Personal Information / Data. In this scenario, the sole reason for the mutual trust is the similarity of the Privacy and Data Protection Directives.

Now, if a small group of nations can have the required similarity in their Data Privacy and Protection requirements, why can't the rest of the world follow suit? With the world converging for global trade, there is a greater need for bilateral trust in the Privacy and Protection of Data, and for that a common agenda needs to be driven. Organizations like the WTO, the OECD and other similar bodies may lead this effort to bring governments together and develop Common Criteria for Data Privacy and Protection. Given the needs of the time, the World needs to converge on these Common Criteria, and the respective Governments must issue directives to regulate the Protection of Personal Data / Information as per these Common Criteria.