Data Privacy Laws: Dual Compliance Issues for Multi-National Companies
April 3, 2008
European Union And United States Data Privacy Laws
In a very well reasoned and comprehensive article published this month in the Metropolitan Corporate Counsel, the differing approaches taken by the United States and the European Union towards data privacy issues were discussed. The article cautions that multinational companies based in the United States may be subject to both.
The article points out the fundamental differences in the two regulatory approaches to data privacy. The United States takes a different approach to privacy from that taken by the European Union. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. The European Union, however, relies on comprehensive legislation that, for example, requires creation of government data protection agencies, registration of databases with those agencies, and in some instances prior approval before personal data processing may begin.
Potential For Conflict
The article explains that Sarbanes-Oxley law and regulations may conflict with both the requirements of the EU Directive and the law of individual nations. Sarbanes-Oxley, for example, requires public companies to establish a method for employees to report anonymously on possible financial improprieties and to develop a company code of ethical conduct. International application of the resulting policies has created conflicts with the law of various EU nations. Recent decisions in France and Germany have invalidated anonymous reporting hotlines.
The hotlines may also be problematic under the EU Directive to the extent a European employee’s personal data is transferred to the home office in the States. Other areas where compliance with U.S. law may create conflicts with EU law are outsourcing and efforts to investigate terrorist activities.
Options For Multinational Companies
The Metropolitan Corporate Counsel article discusses several options for companies that must comply with the requirements of several jurisdictions.
One option recommends that companies comply with the U.S. Department of Commerce’s Safe Harbor Privacy Principles. Doing so should provide companies with a presumption of “adequacy” of privacy protection. This presumption should allow them to transfer data from their EU offices to their U.S. offices without violating the EU Directive.
Another option suggested: (1) limiting the reporting requirement to only those employees required to report by Sarbanes-Oxley, including senior financial officers (§ 406) and attorneys (§ 307); (2) limiting the reporting requirement to subjects such as fraud and financial wrongdoing; and (3) promptly notifying any accused employee of the details of any ethics complaint.
One word of caution must be given about the final option suggested in the article, however. This option discusses the implementation of different legal entities, one for European operations and one for operations in the United States. Before considering this, the company should examine the recent New York federal opinion in O’Mahony v. Accenture Ltd, ___ F.Supp.2d ___, 2008 WL 344710 (S.D.N.Y. 2008), which finds that a foreign subsidiary of a U.S. company may be subject to SOX regulations in certain situations. The Accenture case will be discussed in greater detail in a subsequent post.