LPO and the EU Data Privacy Safe Harbor

A recent ComputerWorld article about European Union data privacy safe harbor abuses (hat tip to JFehrman) made me wonder about their potential effect on the LPO industry. To help explain the EU data privacy regime, I spoke with a publicity-shy LPO industry colleague who is a cross-border data management expert. (Though he prefers not to be identified, I still wish to publicly thank him here – you know who you are!)

First, some background on the safe harbor from a U.S. Department of Commerce website:

“The European Commission’s Directive on Data Protection went into effect in October of 1998, and would prohibit the transfer of personal data to non-European Union nations that do not meet the European ‘adequacy’ standard for privacy protection. While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the European Union.

In order to bridge these different privacy approaches and provide a streamlined means for U.S. organizations to comply with the Directive, the U.S. Department of Commerce in consultation with the European Commission developed a ‘Safe Harbor’ framework and this website to provide the information an organization should need to evaluate – and then join – the Safe Harbor.”

The problem, according to the ComputerWorld article, is that:

“The rules and policies of Safe Harbor are as soft as butter and there’s no oversight. The main problem lies with the U.S. Department of Commerce, which administers the Safe Harbor list of companies. Companies put themselves on this list through self-certification, without anybody checking anything.

The department itself is clear on this: ‘In maintaining the list, the Department of Commerce does not assess and makes no representations to the adequacy of any organization’s privacy policy or its adherence to that policy. Furthermore, the Department of Commerce does not guarantee the accuracy of the list and assumes no liability for the erroneous inclusion, misidentification, omission, or deletion of any organization, or any other action related to the maintenance of the list.’

The result of this self-regulation is disastrous. Hundreds of U.S. companies claim they are certified, without meeting the necessary conditions. These problems had already surfaced in 2002 and 2004, when the E.U. commissioned two studies.

In 2008 nothing had improved and the independent research and consultancy company Galexia reached shocking conclusions. Of the 1,597 organizations on the Safe Harbor list, only 348 met all seven principles in the most basic way, Galexia reported.”

Computerworld further reports that an updated version of the report found similar problems and that the most recent version may not be published because of its similarly controversial findings.

Given these questions, I asked my colleague about the Safe Harbor and how it is relevant to the LPO industry. He explained:

“The Safe Harbor framework is meant to bridge the differences on privacy protection between the EU and US in order to permit the unimpeded flow of data from the EU to the US.

In the EU, privacy and the protection of personal data are human rights as legislated by Articles 7 & 8 of the EU Charter of Fundamental Rights, while in the US, privacy is still a fragmented concept that depends on a variety of different agencies and self-regulation.

The framework requires member companies to adhere to seven broad principles, namely, notice, choice, transfer, access, security, data integrity and enforcement.

Without Safe Harbor it would be very difficult for US companies and multinationals to conduct business with their EU-based counterparts.”

When asked if he thought the Safe Harbor certification, by itself, is sufficient for legal clients to be confident that their data is safe, he stated:

“Clients need to always perform their own diligence to attain the desired level of confidence about the safety of their data. While certifications, in general are useful, and a good first step, they are not a substitute to a thorough and targeted audit.

Regarding the Safe Harbor certification, I believe that it is not sufficiently prescriptive. For example, when addressing security and data integrity, it uses the terms “reasonable precautions” and “reasonable steps.” What a vendor deems reasonable may not match the reasonable expectations of a client.”

In response to whether or not the requirements of the Safe Harbor overlap with requirements for ISO/IEC 27001:2005 and/or a SAS70, he said:

“SAS70 and ISO/IEC 27001:2005 have a relatively narrow scope and are primarily concerned with data security. The Safe Harbor framework is much broader and covers a wide array of privacy principles, such as giving a person a choice as to whether their data is captured and for what purpose it is used. Note that security is only one of the seven principles outlined by the framework (http://www.export.gov/safeharbor/eu/eg_main_018476.asp).

Curious about the many LPO companies that conduct most of their data review operations in India, and not in the United States, I asked how the Safe Harbor is relevant to their operations? He explained,

“The Indian operations of LPO companies, regardless of where they are headquartered, are not covered by the Safe Harbor framework. The US party that is sharing or transferring to Indian entities must abide by the ‘Onwards Transfer’ principle of Safe Harbor as it applies to an entity acting as an “agent”. The principle states:

‘[…] Where an organization wishes to transfer information to a third party that is acting as an agent, as described in the endnote, it may do so if it first either ascertains that the third party subscribes to the Principles or is subject to the Directive or another adequacy finding or enters into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant Principles. […]’ http://www.export.gov/safeharbor/eu/eg_main_018475.asp

There is a certain ambiguity however, as to whether the ‘agent’ must reside in the US.”

Focusing on India, I asked if a similar regime exists there. If not, how can clients with European data safely allow Indian-based vendors to work on their data?

The Indian privacy laws are deemed inadequate by the EU data protection authorities, and EU data should not be exported to India, at least a priori. Currently, the only way to export EU data to India is for the data exporter and importer to enter into what is known as the ‘Standard Contractual Clauses of 2001 (2001/497/EC)’ ( http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32001D0497:EN:HTML ) or the subsequent ‘Alternative Set of 2004.’

In simple English, this means that both importer and exporter must enter into a standard contract that is approved by the EU Data Protection authorities. This is only possible because the EU recognizes that the Indian Contract Act 1872 is adequate for the enforcement of the standard contracts. As a bit of trivia, the Contract Act 1872 is not applicable to the Indian state of Jammu and Kashmir.”

The Safe Harbor List contains the names of several prominent U.S.-centric LPO companies including Integreon Managed Solutions, Quislex and UnitedLex, but, as of Dec 2010, does not include Pangea3, or Mindcrest. These are all reputable companies and likely to be following reasonable standards. Nonetheless, given the ComputerWorld warnings, clients and potential clients may wish to evaluate them beyond whether or not they have been included on the U.S. Department of Commerce Safe Harbor list.

Comments are closed.

%d bloggers like this: