Interview with Theo Ling
July 2007
Interviewee: Theo Ling, Partner, Baker & McKenzie
Subject: Cross-Border Data Flows
Nymity: What types of organizations should be concerned
about cross-border data flows? Globally, what about 'hot-spots'
from a privacy standpoint?
Ling: Any organization that conducts
business in multiple countries or engages service providers
outside of their jurisdiction to process personal information
on its behalf will need to contend with cross-border data
flow issues.
On a global level, the current privacy hot spots are centered
around security breach notification, the creation of whistleblower
hotlines, and the development of information management programs.
While many organizations are finally coming to grips with
their basic privacy obligations and have or are taking steps
to put processes and policies in place to fulfil those obligations,
most have not yet turned their minds to what happens when
something goes wrong and are responding to security breach
scenarios in an ad-hoc manner. Some jurisdictions (e.g. EU,
California) have very clearly outlined steps and procedures
that an organization must follow in the event of a breach.
Other jurisdictions, including Canada, rely principally on
broadly worded privacy principles set forth in privacy statutes
supplemented by some guidance from data authorities. Nevertheless,
regardless of the existing legal regime in any given jurisdiction,
in the next few years greater focus will be placed on how
organizations will need to plan for and act in the event of
a data security breach.
Many global companies that have had to put in place whistleblower
hotlines in compliance with their Sarbanes-Oxley obligations
have been contending with how best to implement such programs
without violating the EU Data Protection Directive. The central
issue is how does a company subject to SOX enhance corporate
governance while respecting the privacy rights of those individuals
who may be the subject of a hotline report.
The issue of data retention has recently returned as an area
of focus for many global organizations. It is being reinvented
under the broader term "information management".
In large part due to the enhancement of data protection laws
around the world, organizations are now devoting considerable
energy to update existing "retention" focused programs
to include limits on retention as mandated under local privacy
laws. Some related issues that are also being addressed as
part of an information management program include e-discovery,
electronic signatures, media and format of data, data storage,
data transfers, etc.
Nymity: Outsourcing has been an issue in Canada for some time.
What are the issues globally?
Ling: For multinational companies, the primary
objective in pursuing an outsourcing arrangement is usually
the consolidation of a particular set of business functions
across the organization so that costs can be rationalized
and efficiencies can be enhanced. Given the nature of the
global economy, the business functions to be outsourced are
typically handled by a sole provider or business partner from
one location or a few regional hubs. Therefore, when the outsourced
business function (e.g. HR, IT, etc.) involves the transfer
of large amounts of personal information/data to the provider
or business partner, cross-border privacy issues become relevant.
The unfortunate business reality however is that many global
outsourcing arrangements are put into place without sufficient
consideration of the impact that local privacy laws will have
on the new arrangement. Even when privacy clauses are included
in the contract, the parties often do not take the time to
assess the privacy obligations that will be triggered. In
this regard, global organizations are well advised to better
understand the scope and nature of the data transfers and
disclosures and weak links before concluding the contract.
We often go through an exercise with clients to look upstream
and downstream with regard to how the impacted data flows.
Sometimes I am asked what happens when the outsourcing arrangement
has been concluded without such analysis and planning. My
advice is usually to be creative, be practical, and be pro-active
in initiating a broader privacy review. Since outsourcing
arrangements often involve longer-term relationships,
it is in the interest of both parties to focus on the issues.
It is never too late to put one's privacy house in order.
I would also add that many of the solutions to the cross-border
privacy issues can be achieved without making material changes
to the outsourcing arrangement.
Nymity: What privacy tip would you give an organization that
is moving to a global IT infrastructure?
Ling: Over a number of years now I have observed
that the source of many privacy-related problems that arise
from time to time involving a global IT infrastructure is
the lack of communication between the IT department and the
operational lines that IT services. While IT managers are
usually well able to diagram the network and are responsive
to requests to analyze security risks related to a particular
initiative or new arrangement, there is often a lack of appreciation
of personal data flows and the rationale behind some of the
proposed initiatives. Quite often data containing personal
information is transferred or stored in a particular manner
for no apparent need or reason. At other times, IT's analysis
of security risks fails to focus on the right issues from a
privacy perspective. For example, procedures to be followed
when a privacy breach occurs are often underdeveloped or poorly
articulated. The tip that I would pass on is take the time
to better understand data flows within an organization and
enhance the level of communication between the IT department
and other lines of operation that handle or otherwise need to
process personal information.
Nymity: What is E-Monitoring? What are some of the challenges
that an organization faces in engaging in e-monitoring across
its global operations?
Ling: Electronic monitoring is a commonly
used term that can simply refer to an organization's active
and/or passive monitoring of internet and e-mail usage of
its employees within a corporate network. A broader definition
would include video surveillance and any other form of review
or analysis of digitized data collected or processed by the
organization. Given that a large percentage of electronic
communications contain some data which would fall within the
definition of personal information, privacy laws become relevant
to an organization's monitoring activities. In fact, most
privacy laws around the globe place some form of restriction
on such activities.
On a global level the issue is that the restrictions are not
uniform from jurisdiction to jurisdiction and in some cases
conflict with one another. Therefore, unless a company is
prepared to define a unique approach for each jurisdiction
in which it operates, which may not be tenable given the nature
of cross-border data flows, it must contend with the challenge
of developing and implementing a strategy that successfully
balances local compliance with the business culture and reality
of the organization. A related challenge that many global
businesses face is how to determine which local law requirements
actually apply. For example, does an organization need to
establish a standard based on the location of the sending
party or the recipient?
Nymity: In closing, Baker & McKenzie created a Privacy
Tip Sheet to help organizations address these concerns. How
else can Baker & McKenzie help?
Ling: As an international law firm with very
deep and broad privacy expertise in each of its offices around
the world, Baker & McKenzie's privacy team specializes
in helping global organizations extend their privacy initiatives
and programs across their operations. For those of your readers
who are seeking to better understand the privacy law regimes
in other jurisdictions I recommend taking a look at our Global
Privacy Law Handbook which we published for the International
Association of Privacy Practitioners. We have also recently
launched for our clients BakerPrivacy,
a web-based portal that consolidates many of the privacy resources
of the firm.
To receive a copy of the Global Privacy Law Handbook
or sign up for Baker Privacy online please contact Bridget
Adrian (bridget.adrian@bakernet.com).