Wise business decisions hinge on dependable data and information, but wars, political agendas, local customs, and individual privacy expectations can make gathering that data a big challenge. The rules vary significantly from location to location, making a homogeneous data collection effort impossible.
An inability to collect necessary information is just the first problem. Do it wrong and you could incur hefty fines, jail time, or both. Smart organizations make an ongoing effort to understand and honor the local nuances, because nothing is static. To help in that effort, we've put together this overview of some of the rules, customs, and issues.
Consider the US-EU Safe Harbor Framework. Since 2000, it has enabled US companies with "adequate" privacy practices to collect personal information from EU citizens under certain conditions. The vagueness of the word "adequate" has been a major point of contention over the last few years, and as a result the US and the EU have been negotiating stronger protections. However, there is speculation that the Safe Harbor may be in jeopardy because of the "Snowden Effect" (evidence of US National Security Agency surveillance) and concern over EU citizens' lack of recourse when their personal data has been misused. The European Court of Justice is expected to decide on October 6, 2015, whether or not it will invalidate the US-EU Safe Harbor. If it is invalidated, the current flow of data will be disrupted, which will have a negative impact on thousands of American businesses.
With or without the Safe Harbor, members of the EU nevertheless approach data protection differently from one another. Soft opt-ins are an example. (A soft opt-in occurs when a person has neither expressly opted in nor opted out of receiving marketing messages from a company.) Across Europe, there is a presumption that in the case of a soft opt-in a company may communicate offers similar to the original purchase, and that the data can be used for marketing analysis, David Ray, director at Huron Legal, said in an interview.
"Two years ago, France issued a change that said you must delete the information after three years. You can reach out to the customer and ask them to opt in, but if they don't opt in, you have to delete all their personal information. All of a sudden you have a hole in your data," he said.
Other EU countries are less specific about the acceptable data retention period. Also, the "transaction" that initiates the beginning of the retention period is defined differently in different jurisdictions. A "transaction" could mean an actual purchase or simply logging into a website, Ray said. Fundamentally, the EU and the US differ in that personal information is considered the property of the individual in the EU, unlike in the US.
In addition, the EU now requires companies with more than 250 employees to have a chief privacy officer on staff. There is also a proposal to increase EU fines from up to €300,000 to up to €1 million or 2% of a company's annual revenue. An FTC action may result in fines of $16,000 per violation.
"The €300,000 fine is the one most of my clients worry about these days," said Ray. "Meanwhile, a lot of individuals in the EU are veering away from companies they perceive don't protect their data."
The Landscape Is Complex
As of September 1, 2015, companies collecting, storing, and processing personal data pertaining to Russian citizens must maintain that information on a database that resides in Russia.
"You can move data out of Russia subject to the rights and protections-type clauses, but the company has to keep a copy of that data inside the borders of Russia, so they can be inspected by the Russian authorities," said Andrew Jennings, chief analytics officer and head of FICO Labs.
China is considering something similar. In the near future, all service providers may be required to store personal information about Chinese citizens within China's borders, a requirement that, as in Russia's case, is widely assumed to be at least as much about government surveillance as about individual privacy. In the meantime, China has stepped up penalties, including criminal liability.
India, Greece, and Bermuda require telecom operators to keep their telecom switches in the country because they contain information about network traffic and subscribers, according to Ann LaFrance, who co-leads the Data Privacy & Cybersecurity practice at law firm Squire Patton Boggs.
"A lot of governments are saying we will not do business with you, or we will not use a cloud provider that is not local, because we don't want our information to be sitting in another country," said LaFrance. "They want to make sure the data is somewhere they know is safe and within their borders, so at least they have some control over it. There's concern about industrial espionage or government industrial espionage by a foreign cloud provider."
There are certain types of data that may never see the light of day because the information is censored to begin with.
"[Qatar's] government is working with the service providers and telcos to check the keywords. If there's anything that would be worrisome from a security perspective or anti-Islamic from a cultural perspective, it will be blocked," LaFrance said.
Interestingly, even when a company has lawfully collected data, not everyone in the organization may be able to access it due to local laws.
"If you're a global company with a server in San Francisco, you'll have situations where countries will say that American people can access the data, but people in India or China can't because accessing and viewing information are considered the same as transferring information, so you have to be careful about who has access to data," said FICO's Jennings.
Business Information Availability Also Varies
In the US, credit card companies, utilities, and other organizations collect payment information and report it to the credit bureaus, but only public companies file public financial statements. In Europe, the reverse is true. Companies must file financial accounts with their country's trade registry but payment information is generally not available.
"[European] credit managers and finance professionals are less dependent on payment information to make decisions," said Matthew Debbage, president of CreditSafe.
In Japan, about 20,000 businesses file their financial accounts, and payment information is not available from two of the main players, Debbage said. In contrast, about 2 million companies in China file accounts, and many of them file several sets.
"Lots of Chinese businesses tend to file three sets of accounts, depending on who they're talking to, so one set of accounts goes to the tax office, another set of accounts goes to the trade office, and another set of accounts goes to their bank, and they all may be a bit different," Debbage said.
Whether companies are in the habit of paying their bills is one important piece of data. When they pay is also important, and that varies country to country.
"Palestine is the worst at paying its bills on time. The Middle East is slow, 65-75 days late. In Sweden, everyone pays their bills on time. In the UK, there's a cultural understanding it will take 20 days, but you'll always get your money, so it's important to understand local payment behaviors," Debbage said.
The data is available. How it can be used changes all the time. Meanwhile, privacy protections are becoming stricter in certain jurisdictions. Missteps can result in substantial fines, lawsuits, and even jail time, which is why it's important to be vigilant and have the appropriate legal expertise to navigate the ever-changing landscape.