Doing business abroad or with individuals who reside in a foreign country requires a US based business to meet some, or all, of the legal requirements that apply to the foreign countries where it is doing business. In some cases, this obligation may fall on the subsidiary that it has established in the foreign country. In other cases, the mere fact of receiving personal data that are otherwise protected by a foreign data protection laws may require the US based company to adopt specific policies and procedures that meet the unique requirements of the foreign data protection laws that protect the personal data of these foreign-based individuals.
Not surprisingly, each country has adopted its own data protection regime. In general this regime is drastically different from the one with which US based companies are familiar, and there is no “one size fits all” approach to global relationship.
Our two volume treatise Global Privacy and Security Law, © 2010 Aspen Publishing, provides an in depth analysis of the data protection regimes in effect in more than 60 countries located on five continents.
With the assistance of our foreign affiliates, we counsel our clients on compliance with foreign data protection laws. This may include, for example:
- Development of global personal data handling policies;
- Development of information security programs that address foreign law requirements;
- Development of policies and procedures to allow access to, and correction of personal data of foreign residents;
- Assistance with restrictions to the use of commercial messages;
- Explaining restrictions, and defining rules and policies on the use of monitoring devices;
- Addressing the limits to the collection of biometric information;
- Advising clients on the collection and processing of employee data or information related to race or religion;
- Registration or periodic reporting with foreign data protection supervisory authorities;
- Conducting a survey of laws that apply to a fact pattern in order to assist the client in deciding where to establish a business or a processing center.
In addition, significant issues arise in the context of the cross border transfers of personal information, whether in the regular course of commerce, in connection with an acquisition or other corporate combination or divestiture, or as part of the management of the company’s workforce. These transfers often require additional precautions, and unique contracts or structures. In this connection, we may develop personal information transfer procedures and agreements to address the restrictions to data transfer that are imposed by certain countries’ data protection laws.
In this respect, we have assisted businesses with respect to numerous restrictions to the crossborder transfer of personal data, as necessary, to ease the transfer or disclosures of data that originate in a foreign country. This is achieved through:
- The development of personal data handling policies and procedures that are consistent with the requirements of the foreign data protection laws of the country where the contracting counterpart is located in order to address “adequacy” concerns;
- The drafting and negotiation of Data Transfer Agreements;
- The drafting of Standard Contractual Clauses;
- The filing of Safe Harbor self-certification materials;
- The structuring of Binding Corporate Rules;
- The development of training materials and training programs to educate the personnel on the unique requirements and restrictions in effect in the foreign countries where the business operates or with which it interacts.