DATA TRANSFER BETWEEN COMPANIES FROM THE UNITED …



I. INTRODUCTION

As multinational companies continue to grow and dominate the world’s economy, their human resource departments have undergone substantial changes in their attempt to perform their role as the employment controller within their respective companies. They have not only utilized modern technology to collect and process employee data, but they have also centralized this data in internal databases. However, various international jurisdictions have enacted complex data privacy and transborder protection laws for their citizens that limit, and in some circumstances prohibit, human resource departments’ current employee data collection and processing practices. As a result, many human resource departments of multinational companies are not aware of, or do not comprehend, the complex procedures that they must adhere to in order to transfer employee personnel files within their company.

This Comment argues that strict formalities in global data protection laws must be adhered to in order to transfer personal data within a multinational company. Part II of this Comment explains the evolution of data protection laws that specifically address data transfer. In this regard, Part II also explains the role of human resource departments within a multinational company and the various issues that they must address when collecting and disseminating personal data. Part III of this Comment analyzes various data protection laws and their applicability to three possible scenarios that may arise within a human resource department of a multinational company. Parts IV-VII of the Comment analyze the data protection laws of the Commonwealth of Australia, the Federal Republic of Brazil, European Union Member State countries and Hong Kong as they apply to these three hypothetical scenarios. Part VIII of this Comment concludes that a multinational company may face both civil and criminal penalties if it fails to implement a data transfer policy that complies with the data privacy and transborder protection laws of the various jurisdictions.

II. BACKGROUND

A. History of Data Privacy

Over the past thirty years, developments in information technology have jeopardized individuals’ fundamental right to privacy. Particularly with the advent of computers and networks, data controllers[1] were able “to collect, store, use and disseminate personal data outside of an individual’s control.”[2] As a result of this modern technology, the transfer of personal data by data controllers accelerated, while individuals’ right to privacy was drastically jeopardized.[3] Consequently, countries began to implement their own national laws on the transfer of personal data.[4]

The first country to enact a comprehensive data protection law was the German State of Hesse in 1970.[5] In that same decade, the remaining German states, i.e., Austria, Denmark, France, Luxembourg, Norway and Sweden, as well as the United States, soon followed the German State of Hesse’s lead and enacted their own national laws addressing data privacy.[6]

Consequently, many countries thereafter adopted omnibus data privacy laws based upon individuals’ fundamental right to privacy.[7] Many of these national laws prohibit data controllers from transferring personal data to countries without equivalent data protection laws.[8] As each country adopted its own data protection measures, disparities arose between these national laws that created potential obstacles to the free flow of information, because data controllers were prohibited from transferring personal data to countries that did not provide sufficient protection.[9]

As a result of the disparity in the emerging levels of data protection in various international jurisdictions, initiatives began to take place at a global level. For example, European countries became concerned about the level of protection of their citizens’ personal data when this data was transferred to other countries with less stringent controls. Consequently, in 1980, the Organization for Economic Cooperation and Development (“OECD”), which includes the United States, issued a set of non-binding guidelines stating the privacy norms recognized by the participating states.[10] These guidelines called for individual countries to implement legislation protecting data privacy so that personal data could be shared more easily across borders by eliminating disparity in the levels of data protection in various jurisdictions. In meeting this goal, the OECD guidelines endorsed a free transborder flow of data between countries that protect data privacy, while calling for restrictions on such exchanges if the receiving country did not have “equivalent protection.” Although the guidelines have no legal force, they served as a valuable model for the Council of Europe, which drafted its own convention a year later.[11] Currently, the 1981 Council of Europe Convention on Data Protection has been ratified by 20 European Union Member State countries.[12] Like the OECD guidelines, it requires participating states to implement domestic legislation, and to block transmission of personal data to other countries that do not offer “equivalent protection.” Both the OECD Guidelines and the Convention, however, allow for great variance in the level of protection that is actually offered. Thus, there was little consistency throughout Europe with regard to personal data legislation, both in substance and in application. This disharmony led the European Commission (i.e., the administrative body of the European Union) to overcome these obstacles by drafting a uniform set of principles on which European Union Member State countries could base their respective national laws.[13]

Specifically, the European Commission’s Council of the European Union (“E.C.”) and the European Parliament adopted the Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (“E.U. Directive”) in order to harmonize the national data protection laws of European Union Member State countries.[14] The drafters recognized that if the Directive harmonized the Member States’ laws, then Member State countries could transfer data to other European Union Member State countries while still safeguarding the fundamental rights and freedoms of their citizens.[15] If data controllers in a European Union Member State country transferred data to a third country that failed to protect personal data, however, then the European Union Member State country’s protection of personal data would be effectively lost once the European Union Member State country transferred the data to the third country.[16] Consequently, the E.U. Directive includes provisions on preventing data from being sent to countries without sufficient data protection.[17]

Thereafter, other countries outside of the European community, including the Commonwealth of Australia, the Federal Republic of Brazil, Hong Kong and the United States, also enacted legislation to allow the free flow of information while still protecting personal data. The level of data protection in each jurisdiction varies to some degree, but most jurisdictions that have data privacy laws require personal data to be:

1) obtained fairly and lawfully;

2) used only for the original specified purpose;

3) adequate, relevant and not excessive to accomplish a specified purpose;

4) accurate and up to date;

5) kept secure; and

6) destroyed after its purpose is completed.[18]

These fundamental principles not only must be adhered to by governments, but they must also be adhered to by the private sector, e.g., human resource departments within a multinational company.

B. History of Human Resource Departments

The human resource departments of multinational companies handle voluminous amounts of data about their employees each day.[19] The increase in technology has allowed these companies to transfer this data across national borders with minimum time and effort. However, due to the recent emergence of data protection laws in various countries around the world, these multinational companies are now forced to address the various data protection principles contained within these national laws.[20]

Data protection laws hamper a multinational company’s ability to process employee data, because many multinational companies centralize their human resource data.[21] These laws affect the routine data flows of a multinational company, such as the distribution of a phone list, as well as the transfer of sensitive data to its centralized human resource database.[22] Therefore, a company must provide its employees with various data protection safeguards before transferring data to its centralized human resource database in another country without similar data protection laws.

A multinational company must first provide its employees with a private right to sue for any violations of privacy or errors in their personal data.[23] Additionally, the company must delete all employee data that is no longer needed for the purpose for which it was collected,[24] and only collect data that is necessary for employment purposes.[25] Human resource departments must also inform employees what data they are collecting,[26] obtain consent from employees before collecting this data,[27] and allow the employees access to their data in order to maintain its accuracy.[28] Finally, if the multinational company centralizes this data, it must enter into legally binding contracts with the individuals responsible for maintaining this centralized database within its company in order to ensure compliance with the data protection principles in the respective countries.[29] If a multinational company fails to provide any of the above-mentioned protections to its employees and their data, it must rectify this problem before transferring data from jurisdictions that have enacted data protection laws.

III. ANALYSIS

My understanding of the rule that has emerged from prior decisions is that there is a twofold requirement, first that a person has exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as “reasonable.”

John M. Harlan (1899-1971),

Katz v. United States, 389 U.S. 347, 361 (1967) (concurring)

A. Data Privacy Protection In The United States

The United States (“U.S.”) has traditionally favored a self-regulatory approach with limited government intervention for data privacy protection.[30] Moreover, with the emergence of the Internet as a powerful business tool, the Clinton administration continued to endorse self-regulation, stating that the privacy rights of individuals must be balanced with the free flow of data.[31] Although some domestic legislation exists, it is industry-specific and limited in scope, so that it does not cover the vast majority of existing personal data. Although numerous pieces of legislation involving data privacy are currently under consideration in Congress, they continue to be limited to particular industries.[32]

To understand the strong endorsement by the U.S. of self-regulation for data privacy protection, an overview of the development of privacy law in the U.S. follows, which helps explain the current domestic approach of self-regulation.

1. Public Sector

The United States Supreme Court has recognized a Constitutional right to privacy.[33] This right, however, applies only to the protection of privacy from governmental interference, and does not extend to the private sphere. Likewise, nine states specifically protect the right to privacy in their constitutions.[34] Of these, only California, through its courts, has expanded this constitutional protection to the private sector. A number of congressional enactments likewise limit the government’s intrusion into the personal affairs of U.S. citizens. For example, the Privacy Act of 1974 regulates how the federal government collects and uses personal data in its databanks.[35] Under the Privacy Act of 1974, individuals about whom data is compiled (“data subjects”) have the right to access their personal data maintained by the government, and request that any inaccurate data be corrected.[36] The Computer Matching Act of 1988, which established procedures for government agencies that compare automated personal data, subsequently amended this act.[37] Additionally, the Right to Financial Privacy Act of 1978 controls the circumstances under which the federal government may access an individual’s financial data.[38] These regulations, along with several others, control the government’s collection, use and disclosure of personal data.[39] However, these regulations do not cover the vast majority of transborder data flows.

2. Private Sector

As in the public realm, there is no single source of privacy law that governs the private sector. Since the 1970s, a patchwork of federal legislation has been enacted to deal with industry-specific privacy issues. The first formal privacy regulation in this area was the Fair Credit Reporting Act of 1970 (“FCRA”), which controls the use of personal data in consumer reports by credit reporting agencies. Although extensive, the FCRA only covers the disclosure of personal data by narrowly defined “credit reporting agencies” and does not regulate the use of data for purposes such as direct marketing. The FCRA does, however, protect employees’ personal data when an employer decides not to hire an individual based upon a requested credit report.[40] The FCRA requires that the employer notify the individual of the report that it received and the name of the credit reporting agency, and if the employee requests, the agency must reveal the content of the report.[41] Another protection related to the banking and finance industry requires notice to the data subject when account data will be regularly disclosed to third parties.[42] In the 1980s, both the Cable Act[43] and the Video Act[44] augmented the specific rights of data subjects. These acts require data controllers to inform data subjects when their data is being collected, and require consent before certain data can be released to third parties. Mailing lists, however, may be shared for purposes of direct marketing unless the subject “opts out.” Both acts leave ample room for entities that collect and use data to maneuver, even when consent is not required, if disclosure is for a “legitimate business activity.” The use of personal data is further monitored under the Telephone Consumer Protection Act of 1991, which gives the Federal Communications Commission authority to regulate telephone solicitations.[45]

Recent trends have likewise moved towards greater personal data privacy protection in the employment context. This arena presents a unique tension between the employer’s interest in efficient business practices and the employee’s right to individual privacy. Prior to Congressional intervention, employees generally sought protection of their privacy interests through common law tort claims such as intrusion upon seclusion and intentional infliction of emotional distress. While these are still viable claims, federal statutory enactments addressing electronic communications have had specific relevance and applicability to the private employment sector. The Electronic Communications Privacy Act of 1986 (“ECPA”) makes it illegal to intentionally intercept, use or disclose any oral, wire or electronic communications without the prior consent of the employee.[46] There are important exceptions allowing employer interception in the “ordinary course of business.” Similarly, the Stored Communications Act governs the intentional access of electronic communication service facilities.[47] Again, significant exceptions, such as authorization by the service provider or the service user, give considerable flexibility to the employer.

Throughout the years, these federal legislative initiatives have been complemented by industry self-regulation. Individual companies and associations have developed, adopted and publicly disclosed their privacy policies relating to personal data of both their employees and their customers. The industry-specific approach of federal law mixed with private self-regulation that has emerged in the U.S. is quite different from that taken by Europe, as well as the Commonwealth of Australia, the Federal Republic of Brazil and Hong Kong.[48]

B. Hypothetical Scenarios

In order to analyze transborder data laws in various jurisdictions as they apply to human resource departments within multinational companies, this Comment presents and answers three common hypothetical scenarios as they apply to transborder laws in the Commonwealth of Australia, the Federal Republic of Brazil, the European Union, Hong Kong and the U.S.

Privacy Haven, Inc. (“Privacy Haven”) intends to collect personal data from its employees in the above-mentioned jurisdictions and transmit this data to a centralized human resource database located in the U.S. The employee data would only be accessed and reviewed by senior management at Privacy Haven. Based on this hypothetical situation, how do the various data protection laws apply to the following situations:

1. Employee File Transfer

2. Transfer of Data on a Laptop Computer

3. The Merger of Privacy Haven with Another Company

IV. COMMONWEALTH OF AUSTRALIA

A. The Right To Privacy Under Australian Law

Neither the Australian Constitution nor the Constitutions of the six states contained within Australia provides residents with an explicit guarantee of privacy.[49] However, the Australian federal government has passed legislation regulating the data privacy and data processing of an individual’s personal data.[50] The Privacy Act 1988 was passed in response to protests in the mid-1980s against the Australian Card Scheme[51] and is the principal piece of legislation governing the privacy of personal data in the public sector of Australia.[52] The Act created eleven Information Privacy Principles (“IPPs”), which are based on the Guidelines adopted by the OECD[53] for the Protection of Privacy and Transborder Flows of Personal Data,[54] and established the Office of the Privacy Commissioner.[55] Although the Act and the IPPs contained within the Act do not govern the use of personal data by the private sector, with the exception of Tax File Numbers (“TFNs”) and credit reporting agencies,[56] the IPPs govern all processing of personal data by public entities.[57] These IPPs establish standards for the collection, use, disclosure, and security of personal data, and allow for the access to and correction of this data by the individuals to whom it pertains.[58] In addition to the Privacy Act, Australia has also enacted the Telecommunications Act 1997,[59] and the Privacy Commissioner has issued Tax File Number Guidelines (“Guidelines”) to regulate the privacy concerns in these specific areas.[60]

The possession and use of TFNs[61] is widespread throughout the private sector because the failure to provide employers with TFNs results in tax being deducted at the highest tax rate.[62] Therefore, the Privacy Commissioner has issued Tax File Number Guidelines pursuant to Section 17 of the Privacy Act.[63] These legally binding Guidelines are provided to restrict the use of TFNs and protect the personal privacy of individuals. They prohibit the use or disclosure of TFNs to establish or confirm the identity of an individual, to obtain data about the individual for any purpose, or to directly or indirectly match personal data about an individual.[64] Additionally, recipients of TFNs are required to prohibit the unauthorized access to these numbers, and provide adequate safeguards to prevent the loss, misuse, modification, and disclosure of this information.[65] Any person who feels that a person or entity has violated any of these Guidelines relating to his or her personal TFN may file a complaint with the Privacy Commissioner.[66]

The Telecommunications Act provides specific rules governing the use and disclosure of personal data stored by carriers, carriage service providers and other database operators in Australia.[67] Additionally, the Telecommunications Act allows industries to develop codes relating to various consumer protection and privacy issues, which are registerable with the Australian Communications Authority (“ACA”).[68] Although these codes lack legislative force, failure to observe the standards contained in these codes may result in the ACA issuing a legally binding standard.

As mentioned earlier, there is currently no legislation that governs the use of personal data in the private sector of Australia, with the exception of portions of the Privacy Act that relate to credit reporting agencies[69] and TFNs.[70] However, the Australian government has recently introduced the Privacy (Private Sector) Bill 1999 (“PPSB”), which will amend the Privacy Act.[71] This bill is based on the National Principles for the Fair Handling of Personal Information issued by the Privacy Commissioner in February of 1998, and later revised in January of 1999.[72] Many have referred to the bill as a “light touch legislative regime,” which is based on industry codes.[73] This legislation will apply across the private sector to organizations,[74] as well as individuals, such as sole traders or consultants.[75] However, the legislation does not apply to personal data collected and used in a domestic capacity, employee records, or personal data collected, used and disclosed by the media for the purpose of informing the public.[76] Therefore, this legislation may not apply to the transfer of employee records in the hypothetical scenarios introduced in this Comment.

1. Employee File Transfer

One of the most common human resource activities in a multinational company is the transferring of files to another country. This is usually the result of multinational companies centralizing their human resources activities in one specific location, and thus transferring employee files to this country. However, with new data protection laws emerging throughout the world, the transfer of these files is becoming increasingly difficult.

As mentioned above, Australia has data protection standards similar to those of the U.S. Like the sectoral approach of the U.S., the Australian Privacy Act governs data retained by governmental agencies, and the Privacy (Private Sector) Bill, if enacted, will govern the use of data by the private sector. When transferring an employee file, an issue that must be addressed by Privacy Haven’s human resource department is the transfer of the employee’s TFN.[77] The Privacy Commissioner has issued legally binding Guidelines regarding the use of TFNs pursuant to Section 17 of the Privacy Act.[78] These Guidelines prohibit the use of TFNs to establish or confirm the identity of an individual for any purpose not authorized by taxation, assistance agency or superannuation law.[79] Additionally, the human resource recipient in the U.S. Privacy Haven office must ensure that adequate safeguards are in place to prevent the loss, misuse, modification and disclosure of TFNs, and restrict access to this information to authorized persons within the office.[80]

Therefore, since it is likely that the files being transferred to Privacy Haven’s U.S. based location contain the TFNs of Privacy Haven’s Australian employees, Privacy Haven must comply with the conditions contained in the Guidelines. This would require the company to maintain a secure database in the U.S. and only allow authorized individuals, such as those who require access to carry out the taxation responsibilities, to access this data.[81] If Privacy Haven complies with the above Guidelines, then it will be in compliance with the private sector provisions contained in the Privacy Act. However, the Australian government is proposing amendments to the Privacy Act that may be enacted as soon as the end of this year. Thus, Privacy Haven must also examine the principles contained in this document to ensure compliance with the amended Privacy Act.

The Privacy (Private Sector) Bill is described as a legislative regime that will be based on industry codes.[82] The bill is based on the National Privacy Principles and differentiates personal data according to its sensitivity.[83] It applies to the private companies within Australia and restricts the transfer of data from these companies to entities or individuals in another country.[84] However, the bill will not apply to personal data collected and used in a domestic capacity, personal data collected, used and disclosed by the media, or employee records.[85] The bill does not cover employee records because the government feels that employee records should be dealt with as part of the Workplace Regulations legislation. Therefore, Privacy Haven may be subject to more stringent standards in the near future, but it must currently focus on compliance with the Privacy Act and the potential passage of the Privacy (Private Sector) Bill. The combination of this bill and the Privacy Act requires that Privacy Haven have adequate safeguards in place in the U.S., and that the company restrict access to the TFNs of its employees. Besides the strict requirements regarding TFNs, the company may transfer an employee file to its centralized database in the U.S. with relative ease.

2. The Transfer of Data on a Laptop Computer

The transborder transfer of data on a laptop computer is a scenario that does not receive much attention from lawmakers around the world. However, as the use of technology increases within multinational companies, this form of data transfer is becoming more and more prevalent. The transfer of data out of Australia on a laptop computer is not directly addressed in any of the Australian privacy laws or Information Privacy Principles. Therefore, Privacy Haven must analogize this situation to the transfer of an employee’s file discussed above.

Employee data stored on a laptop computer is subject to the same private sector regulations as a regular file transfer from Privacy Haven’s branch in Australia to the centralized database in the U.S.[86] Although the Privacy Act does not apply to the private sector, with the exception of TFNs and credit reporting agencies, the Privacy Commissioner has the power to encourage companies to develop programs for the handling of personal data that are consistent with the IPPs contained within the Privacy Act.[87] Pursuant to this duty, Privacy Haven should establish a program for the handling of its employees’ personal data.

Under this program, Privacy Haven should prohibit the storage of employee data on a laptop computer. In addition to the strict standards required for the storage and transfer of TFNs, any transfer of personal data must be protected by adequate safeguards and should only be accessed by authorized parties.[88] The use of a laptop containing an employee’s personal data, and even an employee’s TFN, will not meet the security safeguards that must be adhered to by Privacy Haven under the Privacy Act and accompanying amendments.[89] Thus, by placing restrictions on the storing of personal data on a laptop computer, Privacy Haven will be able to comply with the requirements of the Act, and an employee’s data will not be compromised by the insufficient security of a laptop computer.

3. The Merger of Privacy Haven with Another Company

The merging of two companies raises significant privacy issues relating to an employee’s personal data. If Privacy Haven merges with another company, it must determine which human resource department is going to handle the personal data of the employees within both companies, as well as where this data is going to be stored. If Privacy Haven chooses to store the records of the other company with its own, it must then be in compliance with the Privacy Act and should adhere to the IPPs issued by the Privacy Commissioner when handling this data.[90]

In complying with the standards delineated in this legislation as well as the IPPs, Privacy Haven must ensure that the company it is merging with has adequate safeguards in place to protect the personal data of its employees. Although the Privacy Act and the Privacy (Private Sector) Bill do not cover employee records, a company is still required to protect the TFNs of its employees.[91] This requires a company to adequately safeguard this data, as well as prevent unauthorized access to this data.[92] Therefore, if Privacy Haven merges with another company, it must store its employees’ records in its centralized database in the U.S., which has adequate safeguards and restricted access. This will prevent the misuse of this data by Privacy Haven, and will allow Privacy Haven to be in compliance with the self-regulatory approach to the privacy of personal data in the private sector that has been taken by the Australian government.

V. FEDERAL REPUBLIC OF BRAZIL

A. The Right To Privacy Under Brazilian Law

Brazilian citizens have a constitutional right to privacy that is set forth in Article 5, X of the Brazilian Federal Constitution, which provides as follows: "the privacy, private life, honor and image of persons are inviolable, and right to compensation for material or moral damages resulting from violation thereof is ensured."[93] If a data controller discloses a data subject’s personal or private data to a third party, then the data controller may face civil actions for moral damages (e.g., damages for pain and suffering or loss of reputation) as well as criminal actions. Moreover, in the employment context, if an employer discloses personal or private data of its employees to third parties, then the employee has the legal right to terminate the employment relationship. Furthermore, the principals of the employer may not only face civil actions but may also be criminally liable for violating the employee’s right to privacy.

Additionally, the Brazil Senate has introduced a bill that seeks to promote “the privacy of personal data in conformance with the OECD guidelines.” This bill, if enacted, will affect both the public and private sector databases in that:

[n]o personal data nor [data] shall be disclosed, communicated, or transmitted for purposes different than those that led to structuring such data registry or database, without express authorization of the owner, except in case of a court order, and for purposes of a criminal investigation or legal proceedings . . . It is forbidden to gather, register, archive, process, and transmit personal data referring to: ethnic origin, political or religious beliefs, physical or mental health, sexual life, police or penal records, family issues, except family relationship, civil status, and marriage system . . . Every citizen is entitled to, without any charge; access his/her personal data, stored in data registries or databases, and correct, supplement, or eliminate such data, and be informed by data registry or database managers of the existence of data regarding his/her person.[94]

Although this bill was introduced in 1996, the Senate has yet to vote on it.[95] However, many expect this bill to be enacted once comparable legislation is approved in neighboring countries such as Argentina and Chile.[96]

The Brazilian 1990 Code of Consumer Protection and Defense[97] provides consumers with the right to:

access any [data] derived from personal and consumer data stored in files, archives, registries, and databases, as well as to access their respective sources. Consumer files and data shall be objective, clear, true, and written in a manner easily understood, and shall not contain derogatory [data] for a period over five years. Whenever consumers find incorrect data and files concerning their person, they are entitled to require immediate correction, and the archivist shall communicate the due alterations to the incorrect [data] within five days. Consumer databases and registries, credit protection services, and similar institutions are considered entities of public nature. Once the consumer has settled his/her debts, Credit Protection Services shall not provide any [data] that may prevent or hinder further access to credit for this consumer.[98]

The Brazilian Informatics Law of 1984[99] “protects the confidentiality of stored, processed and disclosed data, and the privacy and security of physical, legal, public, and private entities.”[100] This law grants Brazilian citizens the right “to access and correct their personal [data] in private or public databases.”[101] Finally, Brazilian law provides citizens with the “constitutional right of Habeas Data to access [data] about themselves held by public agencies.”[102]

B. Transborder Data Laws and Their Effect on Multinational Companies

In analyzing the Brazilian privacy laws’ effect on transborder data flows as they apply to human resource departments within multinational companies, this Comment now addresses the three hypothetical scenarios previously presented.

1. Employee File Transfer via Computers and Networks

There is no specific restriction that would apply to the transborder data flows in the form intended by Privacy Haven, provided that Privacy Haven protects its employees’ personal data from unauthorized disclosure to third parties. However, if Privacy Haven violates its employees’ Brazilian constitutional guarantees of privacy, the affected employee would be entitled to terminate the employment relationship lawfully. Such a violation could also result in civil actions for economic loss and for moral damages (e.g., damages for pain and suffering or loss of reputation), as well as criminal actions against the company’s principals.

Moreover, it is Privacy Haven’s responsibility not to disclose the personal or private data of its employees to third parties. Privacy Haven, therefore, should take all necessary precautionary measures to avoid disclosure of its employees’ personal or private data when processing or transmitting data from Brazil to the U.S. Encrypting the data before transmitting it to the U.S. would be mandatory in order to evidence that Privacy Haven has taken the necessary steps to prevent disclosure.

2. The Merger of Privacy Haven with Another Company

Like employee personal file transfers, there is no specific restriction that would apply if Privacy Haven merged with another company, provided that Privacy Haven protects its employees’ personal data from unauthorized disclosure to third parties. However, if Privacy Haven violates its Brazilian employees’ constitutional guarantees of privacy by disclosing their personal data to unauthorized third parties, the employee, again, would have the legal right to terminate the employment relationship. If this occurs, Privacy Haven, again, may face civil damages for economic loss, and its principals may face criminal liability for the unauthorized disclosure of personal data to a third party.

VI. EUROPEAN UNION

A. The EU Data Privacy Directive

The European Union (“E.U.”) issued its Directive to the European community on October 24, 1995, and provided three years to each of the twenty E.U. Member State countries to enact conforming domestic legislation. When the E.U. Directive became effective in October 1998, all of the E.U. Member State countries had either adopted, amended, proposed, or begun drafting data privacy legislation that is compliant with the E.U. Directive’s specifications.[103] The fundamental purpose of the E.U. Directive is to provide specific rights to data subjects, and to mandate certain responsibilities for data controllers. In doing so, the E.U. Directive broadly defines the elements of data protection in order to provide data subjects with comprehensive privacy protection. “Personal Data” is any data relating to an identified or identifiable natural person. Thus, data relating to legal persons or entities, such as corporations, is not included. Identification is realized through a number of factors specific to the subject’s physical, physiological, mental, economic, cultural or social identity.[104] “Processing” is any operation performed upon personal data, whether or not automatic, including but not limited to, collection, recording, use, organization, storage, alteration, retrieval, disclosure, or dissemination.[105] Consequently, the E.U. Directive’s scope encompasses almost all conduct relating to personal data.[106]

In providing specific rights to data subjects, the E.U. Directive places rigorous requirements on data controllers. Personal data may only be processed by data controllers in a limited number of situations: (1) with unambiguous consent from the data subject; (2) for performance of a contract to which the data subject is a party; (3) for compliance with a legal obligation to which the data controller is subject; (4) in protection of the vital interests of the data subject; (5) for performance of a task carried out in the public interest or in the exercise of official authority; and (6) for the “legitimate interests” of the data controller, or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.[107]

Furthermore, data controllers may only collect personal data for specified, explicit and legitimate purposes, and may not further process personal data in a way incompatible with those purposes.[108] These data collection purposes must be disclosed to the data subject.[109] Only relevant data, and not data excessive in relation to the purpose for which it was collected, may be obtained.[110] The data collected by data controllers must also be accurate and kept up-to-date.[111] Additionally, the data controller must disclose to the data subject its identity, and the identity of any third party to which the data will be disclosed.[112] The E.U. Directive also provides a higher level of protection for “special categories” of personal data. These special categories include processing of personal data that reveals: (1) racial or ethnic origin; (2) political opinions; (3) religious or philosophical beliefs; (4) trade-union membership; and (5) health or sex life. The collection and processing of any data in these special categories is prohibited unless the data subject explicitly consents or it is necessary in order to carry out certain obligations or “legitimate activities.”[113] Again, although the prohibition is comprehensive, there are vague exceptions, such as “legitimate” employment activities, that create a great deal of leeway in favor of data controllers.

As seen previously from the OECD guidelines and the Council of Europe Convention, these data privacy principles are not novel. In fact, the rights that the E.U. Directive grants to data subjects are akin to intellectual property, i.e., in order to collect and process data, the data controller must obtain consent from the data subject through an express or, in some situations, an implied license. In this regard, the data subject has the right to access its data, to request that corrections be made for inaccuracies in the data, and to block data processing that does not comply with the E.U. Directive.[114] Like intellectual property, an individual’s rights of recourse in the case of improper collection, use or processing of personal data will remain subject to the data subject’s domestic laws. Moreover, the E.U. Directive mandates a private right to judicial remedy in cases where the data controller processes the data inconsistently with its provisions.[115] Additionally, it requires that E.U. Member State countries provide both compensation to the data subject for damages suffered, and sanctions against the infringing party.[116]

B. Transborder Data Flow Under the E.U. Directive

By harmonizing legislation among European Union countries, the E.U. Directive has facilitated the transborder flow of data within these countries. The E.U. Directive, in order to maintain a high standard of protection for data subjects, has also restricted transborder data flows to countries that do not offer the requisite level of protection. Thus, E.U. Member State countries will not transfer personal data to countries outside of the E.U. that do not guarantee an “adequate” level of protection.[117] Although the E.U. Directive does not define “adequate,” the adequate level of protection is evaluated in light of all of the circumstances surrounding the data transfer, including the nature of the data and the purpose behind its transfer, the laws of the receiving country, regulations specific to the industry, and any security policies of the particular data recipient.[118] Where an E.U. Member State country believes that data privacy protection of a third country is not adequate, it will inform the European Commission, who will then make an official determination. If the Commission agrees, the E.U. Member State country is then required to prevent the transfer of that or similar data to the third country.[119]

The E.U. Directive’s “adequacy” requirement, however, has provoked controversial responses because its standard appears to be ambiguous and may possibly lead to discriminatory application.[120] In foreseeing this type of controversy, Article 29 of the E.U. Directive established a Working Party in order to examine issues created by the E.U. Directive that need obvious clarification or further development. Although the Working Party does not have direct decision-making authority, it does provide guidance to both the E.U. Member State countries and the European Commission through written opinions that are highly influential because the Working Party is comprised of delegates representing each of the E.U. Member State countries.

In addressing the E.U. Directive’s “adequacy” standard for transborder data flows, the Working Party reiterated that the E.U. Directive envisions the assessment of the adequacy of a third country’s data protection as a case-by-case analysis.[121] It also examined a white list/black list approach. Under such a scheme, a country could be white-listed after several representative cases of transfers have been considered and deemed adequate. One difficulty with this scenario involves those countries, such as the U.S., that do not have uniform protection in all economic sectors. Thus, acceptable transfers must be representative of an entire sector or state. In this way, the Working Party’s discussion paper proposes that those third countries could be partially white-listed.

In proposing criteria for the assessment of adequacy, the Working Party outlined a list of minimum conditions, often referred to as the basic content principles:

1. Purpose - Data should be processed for a specific purpose and subsequently used in ways compatible with that purpose.

2. Quality - Data should be accurate, and kept up to date.

3. Transparency/Notice - Data subjects should be notified of the purpose for the data processing, and the identity of the data controller and any third party recipient of the data.

4. Security - Data controllers should take security measures that are appropriate in relation to the risks presented by the processing.

5. Access - Data subjects should have access to data collected, and the right to rectification of inaccurate data.

6. Restrictions on Subsequent Transfers - Subsequent transfers of data to third countries should be allowed only in the case that such third country offers adequate protection.

7. Sensitive Data - The processing of sensitive data[122] should require the explicit consent of the data subject.

8. Direct Marketing - The data subject should be allowed to opt-out of having data processed for the purpose of direct marketing.

9. Automated Decisions - Individuals shall not be subject to a decision that produces legal effects, which is based solely on automated processing of personal data.

Third country data protection, however, does not need to be identical in order to be considered adequate, but it must, at the very least, adhere to these principles.

Despite the E.U. Directive’s apparent high standard and strict restrictions on transborder data flows, there are, as always, exceptions. Data transfers to third countries with inadequate levels of protection may occur if one of the following conditions is satisfied: (1) the data subject has given unambiguous consent; (2) it is necessary for performance of a contract between the data subject and the controller, or for performance of a contract that is in the interest of the data subject, but between the controller and a third party; (3) it is legally required on important public interest grounds or in the defense of legal claims; (4) it is necessary to protect the vital interests of the data subject; or (5) the data is already open to the public.[123]

Additionally, an E.U. Member State country may authorize transfers to a third country with inadequate protection when the data controller “adduces adequate safeguards” from the specific recipient, with respect to the privacy of the data.[124] It is of particular relevance to private businesses that the E.U. Directive expressly allows these safeguards to come in the form of “appropriate contractual clauses.”[125] Some observers have noted that this will give non-E.U. businesses great latitude in structuring contractual arrangements that give sufficient privacy guarantees, thereby avoiding restrictions on transborder flows of data.[126] The Working Party has stated that if a contractual solution is sought to transfer data to a third country, it must then encompass all of the basic content principles that it has set forth for assessing the adequacy of protection.[127] Additionally, any contractual arrangement must contain an enforcement mechanism. The Working Party suggests that contracts should be used as a means by which the entity transferring the data can retain decision-making control of the processing of the data in the third country. It has also identified two areas in which the use of contracts is most highly suited. The first is large international networks (such as credit cards and airline reservations), which are characterized by large quantities of repetitive data transfers of a similar nature, and by a small number of large operators in industries already subject to public scrutiny. The second area is intra-company transfers between different branches of the same company.

The Working Party, however, stated in an official opinion in January 1999 that the patchwork of legislation and self-regulation currently in effect in the U.S. does not offer an adequate level of protection.[128] Realizing that the standards of data privacy protection vary across industries, the U.S. Department of Commerce (“DOC”) has issued a set of Safe Harbor principles aimed at diminishing uncertainty and providing a more predictable framework for data transfers.[129]

1. Notice - The data subject[130] must be given notice, in clear language, when first asked for personal data, of the purpose of data collection, the identity of the data controller, the kinds of third parties with whom the data will be shared, how to contact the organization collecting or processing the data, and the choices available for limiting use or disclosure of the data.

2. Choice - The data subject must be given clear, affordable mechanisms by which he or she can “opt out” of having personal data used in any way that is inconsistent with the stated purposes of collection.

3. Onward Transfer - Where the data controller has adhered to the principles of Notice and Choice, it may transfer personal data if it ascertains that the receiving party also complies with the Safe Harbor principles, or if it enters into a contractual agreement that the receiving party will guarantee at least the same level of data protection as the transmitting party.

4. Security - Data controllers must take reasonable measures to assure the data’s reliability for its intended use, and to protect it from loss, misuse or other unauthorized uses.

5. Data Integrity - Data controllers should take reasonable steps to ensure that data is accurate, complete and current.

6. Access - Data subjects must have reasonable access to their personal data and an opportunity to correct inaccurate data.

7. Enforcement - At a minimum, enforcement mechanisms must include readily available and affordable recourse for the investigation of complaints and disputes, damages awarded where applicable, procedures for verifying the truthfulness of statements made by data controllers regarding their privacy practices, obligations on the data controller to remedy problems arising out of non-compliance, and sanctions sufficiently rigorous to ensure compliance.

Ultimately, the European Commission will make the official determination whether the Safe Harbor principles are adequate under the E.U. Directive. If the European Commission approves the U.S. Safe Harbor principles, then E.U. Member State countries would be prohibited from preventing data transfers to those controllers that qualify for the Safe Harbor. Currently, the Principles are in draft form, and although the Working Party has consistently endorsed the safe harbor approach as a means of bringing uniformity to data privacy protection in the U.S., it has expressed concerns regarding specific language and enforcement mechanisms.[131] The U.S. government and the European Commission have been involved in on-going discussions with the hope of reaching some kind of agreement on an adequate standard of privacy for the Safe Harbor principles. During the latest round of negotiations, both sides announced that they had reached a tentative agreement on the U.S. Safe Harbor principles. In separate press releases, both sides indicated that substantial progress had been made, and that the U.S. Safe Harbor arrangement should be finalized by the autumn of 2000.[132]

Throughout the negotiation period, the DOC has developed a set of Frequently Asked Questions (“FAQs”) that are intended to clarify certain aspects of the Safe Harbor principles. As of March 16, 2000, a list of fifteen topics has been developed, covering: (1) Sensitive Data; (2) Journalistic Exceptions; (3) Secondary Liability; (4) Investment Banking, Audits and Headhunters; (5) The Role of Data Protection Authorities; (6) Self-Certification; (7) Verification; (8) Access; (9) Human Resources Data; (10) Article 17 Contracts; (11) Dispute Resolution and Enforcement; (12) Choice – Timing of Opt-Out; (13) Airline Passenger Reservations; (14) Pharmaceuticals; and (15) Public Record and Publicly Available Information.[133] Similar to its response to the Safe Harbor principles, the Working Party has endorsed the FAQs as an explanatory tool, but has also expressed reservations regarding specific wording. In general, the FAQ clarifications are as follows:[134]

1. Data controllers need not provide explicit opt-in choice with respect to sensitive data in certain circumstances, including where processing of the data is necessary to carry out the organization’s obligations in the field of employment law.

2. Data that is gathered for publication or other legitimate journalistic purposes, or that is already in the public domain, is not subject to the Safe Harbor requirements.

3. Secondary liability does not extend to organizations (such as ISPs and telecoms) acting merely as a conduit for data.

4. The activities of investment bankers and auditors are legitimate interests permitted by the Safe Harbor principles.

5. U.S. organizations receiving personal data from the E.U. must provide recourse for data subjects, verification that assertions about their privacy practices are true, and obligations to remedy problems arising out of non-compliance.

6. Self-certification for the Safe Harbor requires a letter to the DOC, signed by a corporate officer, containing the specifics of the organization’s compliance with the principles.

Moreover, the FAQs’ clarifications regarding human resource departments are as follows:

1. Human resource departments do not need to provide explicit opt-in choice with respect to sensitive data in certain circumstances, including where processing of the data is necessary to carry out the multinational company’s obligations in the field of employment law.

2. U.S. human resource departments receiving personal data from the E.U. must provide recourse for data subjects, verification that assertions about their privacy practices are true, and obligations to remedy problems arising out of non-compliance.

3. Human resource departments must make reasonable efforts to accommodate employees’ privacy preferences, including restricting access to the data, anonymizing certain data, or assigning codes or pseudonyms when the actual names are not required for the management purpose at hand.

4. Human resource departments do not need to offer notice and choice to the extent and for the period necessary to avoid prejudicing the legitimate interests of the organization in making promotions, appointments or other similar employment decisions.

5. Where E.U. employees make complaints about violations of their data protection rights and are not satisfied with the results of internal review, complaint and appeal procedures, such employees are directed to the state or national data protection or labor authority in the jurisdiction where the employee works.

C. The E.U. Directive’s Effect on Multinational Companies

In analyzing the E.U. Directive’s effect on transborder data flows as it applies to human resource departments within multinational companies, this Comment now addresses the three hypothetical scenarios previously introduced in this Comment.

As a general rule for collecting data from its employees domiciled in an E.U. Member State country, Privacy Haven must first obtain the data that it collects and processes directly from the applicant or actual employee.[135] Second, the data collected by Privacy Haven should only be used for employment purposes; thus the processing of this data must be for the particular type of employment.[136] Third, Privacy Haven’s employees must be regularly informed of the character of the data stored, the purposes of the processing, the addresses of those to whom it is regularly communicated and the legal basis of the transactions.[137] Fourth, Privacy Haven’s employees must be granted the right to access all data collected and processed by the company.[138] Fifth, Privacy Haven should keep its employees’ data only for the period relevant to the purpose for which it has been processed, and it must delete all data of applicants as soon as it becomes clear that they will not be offered the job for which they applied.[139]

Furthermore, Privacy Haven must also stay informed of the changes in U.S. laws and the progress of the E.U. Directive implementation in order to minimize the potential impact. It is vital that Privacy Haven assess the risk for each segment within its human resource department and determine which operations rely on personal data. The restrictions on transfers of employee data from foreign branches or subsidiaries could severely hinder Privacy Haven’s overall business performance. Therefore, for those areas at risk, Privacy Haven must dedicate itself to taking appropriate action, and assign accountability to individuals within the company for establishing a privacy policy and for complying with international standards.

1. Employee File Transfer via Computers and Networks

a. U.S. Safe Harbor Principles

First, if the U.S. and the European Commission come to an agreement on the Safe Harbor principles, then the Commission can certify that such principles meet the E.U. Directive’s adequacy standard. If Privacy Haven’s data privacy protection is in conformity with the agreed-upon principles, it will then qualify for the Safe Harbor and thus be free from restrictions on employee personnel file transfers imposed by E.U. Member State countries.

Even if Privacy Haven qualifies for the Safe Harbor, it may also elect to cooperate with E.U. data protection authorities (“DPAs”).[140] In doing so, Privacy Haven must declare its commitment to the relevant DPA in its Safe Harbor Notification to the DOC. Once committed, Privacy Haven must assist the DPA in the investigation and resolution of complaints filed against it by employees. Additionally, the DPA may require Privacy Haven to take additional action to conform to the Safe Harbor principles, including compensating employees affected by its non-compliance. This option works particularly well for human resource departments that may find it difficult to locate a self-regulatory organization that addresses their particular needs. Additionally, Privacy Haven can avoid the relatively lengthy and costly private dispute resolution process in the U.S. because disputed complaints filed by its employees will be submitted before the relevant DPA for a final determination. Such an approach works particularly well for U.S. companies hoping to resolve personal data issues arising out of employment relationships in their European branches.

b. Contractual Safeguards

In the event that a Safe Harbor agreement is not imminently forthcoming, there are several strategies that Privacy Haven can generally follow in order to comply with the E.U. Directive, and protect itself from transborder data blockages. Privacy Haven may rely on contracts as a means to address employee personal data transfers. The Working Party has specifically endorsed this mechanism as a viable solution for transfers to entities located within third countries that do not have adequate levels of protection.[141] In order for Privacy Haven’s contractual provisions to be deemed sufficient by the E.U., they must contain the basic content principles as well as those additional factors suggested in the Working Party’s approach to self-regulation, mandatory compliance, institutional support for the data subject and appropriate means of redress. Essentially, the basis for assessing the adequacy of contractual safeguards will be the same as that for assessing the general level of adequacy in a third country.

As part of Privacy Haven’s contractual safeguards for an employee personal file transfer, it must also obtain unambiguous express consent from its employee in order to transfer the employee’s personal file across international borders.[142] In this regard, Privacy Haven must inform its employee to which country it intends to transfer the individual’s data and whether this country provides adequate protection of privacy.[143] If the employee gives unambiguous express consent, the company then can make the transborder transfer of the employee’s personal file.[144] However, if the employee does not give unambiguous express consent, Privacy Haven then must develop internal procedures to ensure that the employee’s data are retained in Europe.[145] Moreover, since the E.U. Directive’s scope is comprehensive, the unambiguous express consent requirement equally applies to transborder transfers of the employee’s personal file from the U.S. to Europe.

Privacy Haven, therefore, must obtain the employee’s unambiguous express consent at the time immediately preceding the transborder transfer of the employee’s personal file.[146] Previous unambiguous express consent by an employee, e.g., a global waiver for unspecified use at the employee’s time of hiring,[147] most likely will not be sufficient unambiguous express consent under Article 6(1)(b) of the E.U. Directive because the personal data is now being used for a purpose different from that for which it was collected.[148] This consent argument equally applies to all categories of employee transborder data transfers, such as Privacy Haven’s global list of employees.

If Privacy Haven transfers its employee’s personal data across international borders via a personal laptop computer, it again must contractually assure its employees that the transfer will meet the E.U. Directive’s adequate level of protection standard and obtain specific unambiguous express consent from the employee for this type of transfer.

Information technologies, such as intranets, have accelerated and eased the free flow of data within a multinational organization. However, intranets, which are internal networks that may be used by human resource departments within multinational companies for employee directories or job skills databases, may not be suitable in Europe for human resource purposes because the E.U. Directive’s consent requirement may be too burdensome.[149] Moreover, if Privacy Haven uses human resource software, runs a server from the U.S. or routinely creates databases containing employee data, these practices may well be illegal under the E.U. Directive because each transfer requires specific unambiguous express consent.[150]

2. The Merger of Privacy Haven with Another Company

A foreseeable problematic scenario may occur if Privacy Haven merges with another company. Privacy Haven must first determine which human resource department will handle the personal data of the employees of both companies, as well as where this data will be stored. If the personal data of the employees are going to be transferred, then the transfer, collection and processing of such data must be in compliance with the E.U. Directive. A second factor that Privacy Haven must identify is whether the merger is a friendly or hostile takeover. If the merger is friendly, Privacy Haven will likely be allowed to transfer its employees’ data under Article 26(1)(c), which allows data transfers to third countries if the transfer is ultimately “in the interest of the data subject.”[151] The treatment, of course, of such data in the third country must be “adequate.” If the merger is a hostile takeover, Privacy Haven will likely be prohibited from conducting such transfers because the hostile environment will not be “in the interest of the data subject.”[152] Moreover, if the data transfer is blocked by E.U. authorities, then Privacy Haven may be forced to develop internal procedures to ensure that the employees’ data are retained in Europe and to restrict access to such data to only senior human resource management within the new company.

VII. HONG KONG

A. The Right to Privacy Under Hong Kong Law

The constitutional protections of privacy that Hong Kong residents currently enjoy are contained in the Basic Law of the Hong Kong Special Administrative Region of the People’s Republic of China.[153] Article 29 provides "[t]he homes and other premises of Hong Kong residents shall be inviolable. Arbitrary or unlawful search of, or intrusion into, a resident’s home or other premises shall be prohibited."[154] Article 30 provides "[t]he freedom and privacy of communications of Hong Kong residents shall be protected by law. No department or individual may, on any grounds, infringe upon the freedom and privacy of communications of residents except that the relevant authorities may inspect communications in accordance with legal procedures to meet the needs of public security or of investigation into criminal offenses."[155]

In September of 1995, Hong Kong enacted its Personal Data (Privacy) Ordinance (“Ordinance”), which went into effect in December of 1996.[156] The Ordinance does not differentiate between public and private sectors, and contains a broad definition of “personal data” to cover all forms of data in all mediums that may be personally identifiable to an individual.[157] However, the Ordinance does not differentiate data based on its “sensitivity.” The six data protection principles contained in the Ordinance, which are based on the OECD principles, govern the collection,[158] use,[159] and security of personal data,[160] and require data users to provide data subjects with access and the ability to correct their personal data.[161] Additionally, Section 33 of the Ordinance places restrictions on the transfer of data out of Hong Kong that are modeled after those in the E.U. Directive.[162]

In addition to the data protection principles discussed above, the Ordinance established the Office of the Privacy Commissioner[163] to govern and enforce the provisions contained in the Ordinance.[164] The powers of the Commissioner,[165] which are based on those contained in the United Kingdom Data Protection Act, include investigating complaints,[166] initiating investigations, and conducting audits.[167] In addition to these duties, the Privacy Commissioner may also issue codes of conduct to guide specific sectors on compliance with the Ordinance.[168] Although a breach of these codes is not itself considered a violation of the Ordinance, such a breach raises a presumption against a party in a proceeding that alleges a breach of the Ordinance.[169] Due to the voluminous amount of personal data that human resource departments process every day, the Privacy Commissioner issued a Draft Code of Practice on Human Resources Management (“Draft Code”) for public comment in September of 1999.[170]

Currently, the Privacy Commissioner is in the final drafting stages of the Code of Practice on Human Resources Management, which is expected to be released in the third quarter of 2000.[171] It will be the third code of practice issued by the Commissioner and will provide guidance to human resource departments to ensure compliance with the requirements of the Ordinance.[172] The Draft Code governs the collection,[173] use, retention,[174] and security[175] of personal data obtained and processed by human resource departments.[176] In this regard, the Draft Code specifically addresses the use of a “Personal Information Collection Statement,” which is required by Data Protection Principle 1 of the Ordinance, to inform the data subject of the purpose, retention and use of the personal data.[177]

1. Employee File Transfer

The Ordinance is a comprehensive piece of legislation that has a significant impact on companies attempting to transfer an employee’s file out of Hong Kong.[178] Of the six data protection principles contained within the Ordinance, principles one through three require companies to inform employees of the purpose for which their personal data is being collected and to whom this data will be transferred.[179] Privacy Haven can accomplish this by providing the employee with a Personal Information Collection Statement (“PICS”). Although there is no specific checklist for a PICS, it must inform the employee of the purpose and manner of data collection, the accuracy and duration of retention of such data, the use of the data collected, and any other requirements contained within Data Protection Principle 1 of the Ordinance.[180]

After providing employees with a PICS, Privacy Haven must also comply with Section 33 of the Ordinance, which restricts the transfer of personal data outside of Hong Kong.[181] Section 33 also provides a specific exemption from the prohibition on transferring data outside of Hong Kong – when an employee gives written consent.[182] Additionally, the Ordinance allows the transfer of data in limited circumstances without prior written consent. First, Privacy Haven may, without written consent, transfer data to a place specified in a notice issued in the Gazette by the Privacy Commissioner.[183] Second, Privacy Haven may transfer data if it has reasonable grounds to believe that there are laws in place in the destination that are substantially similar to, or serve the same purpose as, the Ordinance.[184] Finally, Privacy Haven may transfer data if it has taken reasonable precautions and exercised due diligence to ensure that the data will not be collected, processed or used in a manner that, if the place were Hong Kong, would be a contravention of the Ordinance.[185]

Therefore, if Privacy Haven wishes to transfer employee data to the centralized database in the U.S., it must comply with one of the three requirements above. Since the U.S. does not have laws that are substantially similar to the Ordinance, Privacy Haven will have to obtain the data subjects’ written consent, or take reasonable precautions and exercise due diligence when transferring the data to the U.S.

In addition to the Ordinance, Privacy Haven will soon have to address the issues discussed in the Code of Practice on Human Resources Management. Although the Code requires that Privacy Haven inform the employee of the purpose of the data collection,[186] any possible third-party transferees,[187] and the right to access and correct data,[188] the Code explicitly states that there is no requirement to inform employees of the possible transfer to internal departments.[189] Nonetheless, for the purpose of obtaining the employees’ consent, Privacy Haven should inform its employees that it will be transferring their data to the U.S. Although the Code of Practice may not require this, it will allow Privacy Haven to obtain the written consent of its employees and transfer the data to the U.S. knowing that it is in compliance with the Ordinance, as well as the Code of Practice on Human Resources Management.

2. The Transfer of Data on a Laptop Computer

A laptop containing an employee’s data is subject to similar requirements as discussed above. If the employee has given prior consent to the transfer of data outside of Hong Kong, then Privacy Haven is not in violation of the Ordinance.[190] However, with a laptop computer carrying the data, the question arises as to where, and to whom, the employee consented to have his or her data transferred. Presumably, the employee would not consent to data being transferred to various jurisdictions on a laptop computer, and thus, Privacy Haven should ultimately eliminate this practice.

However, if Privacy Haven feels it is necessary to carry some employee data, such as contact information, on laptop computers, then it must comply with the requirements contained in Section 33 of the Ordinance, as well as the Code of Practice on Human Resources Management. Since the U.S. does not have data protection laws substantially similar to the Ordinance, Privacy Haven will have to obtain the employees’ consent, or take all reasonable precautions and exercise due diligence to ensure that the data will not be collected, processed or used in a fashion that, if the place were Hong Kong, would be a violation of the Ordinance.[191] As mentioned earlier, it is unlikely that Privacy Haven would be able to obtain consent from the employee to allow this data to travel throughout the world on a laptop computer. Therefore, Privacy Haven must take reasonable precautions and exercise due diligence to ensure that this data will not be collected, used, or processed in a manner that would be a violation of the Ordinance if it occurred in Hong Kong. This may be accomplished by the use of a contract, made available by the Privacy Commissioner, between the transferor and transferee of the data.[192]

In the contract, Privacy Haven must first address the law applicable to the contract, which preferably would be the Ordinance. Next, the contract must delineate the obligations of the transferor. These obligations include that: (1) the data has been collected in accordance with Data Protection Principle 1 of the Ordinance; (2) steps have been taken to ensure the accuracy of the data; (3) the data is being held only as long as needed to fulfill the purpose of collecting the data; and (4) the transfer is permitted by the Ordinance.[193] Additionally, the contract must address the rights and obligations of the transferee. These obligations include the duty to: (1) use the data for permitted purposes only; (2) hold the data securely; (3) destroy the data when it is no longer needed for the permitted purpose; (4) not transfer the data to any other natural person; and (5) immediately rectify or delete the data upon receiving such instructions from the transferor.[194] Finally, the contract should address how disputes will be settled, as well as how to terminate the contract.[195]

By creating a contract containing the terms and conditions discussed above with any employee storing employee data on his or her laptop computer, Privacy Haven will be able to protect itself from violating the Ordinance. Since Privacy Haven is liable for any actions of its employees under the Ordinance and the Code of Practice on Human Resources Management, this contract will allow its employees to store data on a laptop computer, while providing adequate safeguards for this information.

3. The Merger of Privacy Haven with Another Company

The merger of Privacy Haven with another company subjects the other company, as well as Privacy Haven, to the provisions contained in the Ordinance and the Code of Practice on Human Resources Management. Privacy Haven can easily comply with these provisions by obtaining the consent of the employee before transferring any data to the merging company. Absent such consent, companies contemplating a merger may transfer employment related data to key officers in the respective organizations, as long as the transfer complies with the general requirements contained in the Code of Practice on Human Resources Management.[196] The Code requires Privacy Haven to ensure that the data are transferred for a permitted purpose, are accurate, and are protected by practicable measures to secure them while being transmitted.[197] Additionally, Privacy Haven must only transfer data for the permitted purpose of the merger and must not transfer any data that is excessive for accomplishing this purpose.[198] Once these requirements are met, Privacy Haven and the merging company should establish a single set of privacy policies and practices for the combined employment related data of the organizations.[199] By fulfilling the above requirements and establishing such a policy after the merger, Privacy Haven will ensure that it is in compliance with the Ordinance and protect its employees against the misuse of their personal data.

CONCLUSION

As a result of current and emerging data privacy and transborder protection laws throughout the world, the human resource departments within multinational companies must address various issues relating to the personal data of their employees. If multinational companies do not adhere to these data privacy laws, then their business activities within these jurisdictions may be prevented and they may also face both civil and criminal liability as a result of breaching their employees’ fundamental right to privacy. Therefore, multinational companies must enact internal compliance strategies corresponding to the jurisdiction(s) in which their employees conduct their business activities.

First, if multinational companies have employees domiciled in E.U. Member State countries, then they must adhere to the E.U. Directive. If E.U. and U.S. governmental officials reach a compromise with the U.S. Safe Harbor principles that are certified by the European Commission, then multinational companies whose data privacy protections are in conformity with the agreed upon principles will qualify for the Safe Harbor and will be free from restrictions on data transfers imposed by E.U. Member State countries. Multinational companies may also seek self-certification for the Safe Harbor that requires a letter to the DOC, signed by a corporate officer, containing the specifics of the company’s compliance with the principles.[200]

Alternatively, multinational companies, even those with good computer security, should conduct an internal audit on their data privacy protection, and ask themselves the following seven questions:

(1) Do we give employees a private right of action to sue us for breaches of privacy and errors in personal data?;

(2) Do we religiously delete all employee data as soon as it becomes obsolete or is no longer needed?;

(3) Do we ensure we collect no employee data that are not strictly necessary?;

(4) Do we give our employees a right of access to data about themselves and a viable way to challenge it if it is wrong?;

(5) Do we refrain from all automated decision making (such as processing job applications and credit applications by computer)?;

(6) Do we tell employees what data about them we collect, and do we get their consent to process it?; and

(7) Do we have written contracts (or equivalent protections) in place with our [Australia, Brazil, E.U., or Hong Kong] subsidiaries, which legally bind us to adhere to [the data protection laws in these countries]?[201]

If a multinational company cannot answer yes to all of the above questions, then it must make appropriate changes to its human resource practices.

Multinational companies should also join an industry specific association that has established self-regulatory procedures that are compliant with the jurisdiction(s) in which its employees are conducting their business activities. Moreover, multinational companies should cooperate with the data protection authorities in the jurisdiction(s). By complying with the recommendations contained in this Comment, a multinational company will be able to comply with the most stringent data protection laws in the world, and protect itself from liability for the misuse of its employees’ data in these various jurisdiction(s).

-----------------------

[1] Under the E.U. Data Privacy Directive, “data controllers” are legal entities, e.g., employers, that “alone or jointly with others determin[e] the purposes and means of the processing of personal data.” Council Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) (1995) [hereinafter “E.U. Data Privacy Directive”], art. 2.

[2] Electronic Privacy Information Center & Privacy International, Privacy & Human Rights 1999 – An International Survey of Privacy Laws and Developments, Privacy International (visited Mar. 19, 2000) [hereinafter “EPIC Survey”].

[3] Id.

[4] Id.

[5] Id.

[6] Id.

[7] See Patrick J. Murray, The Adequacy Standard Under Directive 95/46/EC: Does U.S. Data Protection Meet This Standard?, 21 Fordham Int’l L.J. 932, 933-35 (Mar. 1998).

[8] Id.

[9] Id.

[10] Organization for Economic Cooperation and Development, Recommendation of the Council Governing the Protection of Privacy and Transborder Flows of Personal Data, O.E.C.D. DOC. C (80) 58 (1980).

[11] Council of Europe, Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, ETS No. 108 (1981).

[12] States that have ratified the Convention are: Austria, Belgium, Denmark, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Luxembourg, Netherlands, Norway, Portugal, Slovenia, Spain, Sweden, Switzerland, United Kingdom. Additionally, Cyprus, Moldova, Poland, Romania, and Turkey have signed but not yet ratified the Convention.

[13] Murray, supra note 7, at 935-38.

[14] Id.

[15] Id.

[16] Id.

[17] Id.

[18] EPIC Survey, supra note 2, at .

[19] This information may include: performance evaluations; personnel files; attendance records; employee benefit data including health and life insurance; pension data; stock option records and other benefit accounts; and records that disclose employees’ salary, ethnicity, sexual data, and trade union membership. Angela R. Broughton et al., International Employment, 33 Int’l Law. 291, 293 (1999).

[20] See generally E.U. Data Privacy Directive, supra note 1; Hong Kong Personal Data (Privacy) Ordinance, available in [hereinafter “Hong Kong Ordinance”].

[21] Broughton, supra note 19, at 293.

[22] Id.

[23] Id. at 295-296.

[24] Id. at 296.

[25] Id.

[26] Id.

[27] Id.

[28] Id.

[29] Id.

[30] The FTC recently issued a report to Congress endorsing self-regulation and concluding that legislation is “not appropriate at this time.” Federal Trade Commission, Self-Regulation and Privacy Online: A Report to Congress (July 1999).

[31] A Framework for Global Electronic Commerce (July 1, 1997) .

[32] Traditionally, comprehensive, nationwide data privacy legislation initiatives have always failed. Currently, the following bills that touch on data privacy issues have been introduced: The Consumer Internet Privacy Protection Act of 1999, H.R. 313, 106th Cong. (1999); The Internet Growth and Development Act of 1999, H.R. 1685, 106th Cong. (1999); The Wireless Privacy Enhancement Act of 1999, H.R. 514, 106th Cong. (1999); and The Financial Information Privacy Act of 1999, S. 187, 106th Cong. (1999).

[33] See Griswold v. Connecticut, 381 U.S. 479, 484 (1965) (Justice Douglas wrote that although the right to privacy is not specifically mandated by the Constitution, the Third, Fourth, Fifth and Ninth Amendments create a “constitutional zone of privacy”); Whalen v. Roe, 429 U.S. 589, 599 (1977) (stating that there is a constitutional interest in “avoiding disclosure of personal matters”).

[34] See Alaska Const. art. I, § 22; Cal. Const. art. I, § 1; Fla. Const. art. I, § 23; Haw. Const. art. I, § 6; Ill. Const. art I, § 6; La. Const. art. I, § 5; Mont. Const. art II, § 10; Wash. Const. art. I, § 7.

[35] The Privacy Act of 1974, 5 U.S.C. § 552a (1996).

[36] The Privacy Act also mandated a Privacy Protection Study Commission, which proposed the formulation of comprehensive federal privacy legislation in its 1977 report. Congress, however, never pursued the recommendation.

[37] The Computer Matching Act and Privacy Protection Act of 1988, 5 U.S.C. § 552a(a)(8)-(13), (e)(12), (o), (r), (u) (1996).

[38] The Right to Financial Privacy Act of 1978, 12 U.S.C. §§ 3401-3422 (1998).

[39] See e.g., The Driver’s Privacy Protection Act of 1994, 18 U.S.C.A. § 2721 (1997); I.R.C. §§ 7609-7610 (1998).

[40] 15 U.S.C. § 1681a(k)(1)(B) & § 1681m(a).

[41] 15 U.S.C. § 1681g(a)(1) & (3).

[42] Electronic Fund Transfer Act of 1978, 15 U.S.C. § 1693 (1997).

[43] Cable Communication Policy Act, 47 U.S.C.A § 551 (1998).

[44] Video Privacy Protection Act, 18 U.S.C. § 2710 (1988).

[45] Telephone Consumer Protection Act, 47 U.S.C.A. § 227 (1998).

[46] Electronic Communications Privacy Act of 1986, 18 U.S.C. §§ 2510-2522 (1998).

[47] Stored Wire and Electronic Communications and Transactional Records Access Act, 18 U.S.C. §§ 2701-2711 (1998).

[48] Certainly, different countries around the world have divergent views regarding privacy. Many, however, have made efforts at the national level to bring their laws into conformity with the E.U. Directive.

[49] EPIC Survey, supra note 2, at .

[50] Additionally, Australian States and Territories have introduced or enacted various data privacy laws. In New South Wales, the Privacy and Personal Information Act of 1998 governs the collection and use of personal data in the public sector, but not the private sector. Victoria introduced the Data Protection Bill on May 26, 1999. It is based on the “National Privacy Principles for the Fair Handling of Information,” which are not legally binding, but were issued by the Privacy Commissioner in February of 1998 to guide the private sector in handling personal data. The Data Protection Bill governs both the private and public sector, but is prefaced on the fact that the Victorian Government supports the regulation of private sector privacy at the national level.

[51] The Australia Card Scheme was a proposal for a universal national identification number and card. Even though the proposal was eventually dropped, the use of the tax file number was altered to allow for the tracking of income from different sources, and this data would later be protected by the Privacy Act. EPIC Survey, supra note 2, at .

[52] Privacy Act 1988, available in .

[53] There are 24 member nations of OECD: Australia, Austria, Belgium, Canada, Denmark, Finland, France, West Germany, Greece, Iceland, Ireland, Italy, Japan, Luxembourg, the Netherlands, New Zealand, Norway, Portugal, Spain, Sweden, Switzerland, Turkey, United Kingdom, and the United States.

[54] The Act was a result of Australia’s agreement to adopt these Guidelines, which were adopted in 1980, as well as its obligations under Article 17 of the International Covenant on Civil and Political Rights. The Government’s Proposed Legislation for the Protection of Privacy in the Private Sector (visited February 21, 2000) [hereinafter “Private Sector Information Paper”].

[55] The Office of the Privacy Commissioner’s duties includes handling complaints, auditing, encouraging community awareness, and advising federal and state governments on privacy matters. In 1998-1999, the Office “received 128 complaints, closed 90 complaints, and conducted 20 audits." EPIC Survey, supra note 2, at .

[56] However, the private sector is subject to the Act in two ways: (1) Credit reporting agencies must be in compliance with the credit reporting rules contained in the Act, as well as the accompanying code of conduct, when handling credit data of individuals; and (2) Entities that handle tax file number data must comply with the guidelines pertaining to tax file numbers issued by the Privacy Commissioner pursuant to Section 17 of the Act. Additionally, the Privacy Commissioner may, pursuant to Section 27 of the Act, encourage companies to develop privacy standards for the processing of personal data that are in accordance with the OECD Guidelines. Privacy Act 1988, § 27 (1988).

[57] The Act has two objectives: (1) Protection of personal data by departments and agencies of the federal government; and (2) Providing safeguards for the collection and use of tax file number data. Private Sector Information Paper, supra note 54, at .

[58] See Privacy Act 1988, § 14 (1988). See also Private Sector Information Paper, supra note 54, at .

[59] Telecommunications Act 1997, available in .

[60] Privacy Act 1988, § 17 (1988).

[61] Issued by the Australian Tax Office, Tax File Numbers are unique numbers issued to individuals, companies and anyone else filing income tax returns with the office. Private Sector Information Paper, supra note 54, at .

[62] See Privacy Act 1988, § 17 (1988).

[63] See id.

[64] See id.

[65] See id.

[66] In addition, the unauthorized use or disclosure of this data is an offense under the Telecommunications Administration Act of 1953, which may result in a monetary penalty, incarceration, or both.

[67] Under the Telecommunications Act, the Privacy Commissioner is given the authority to monitor the record-keeping and disclosures of personal data by carriers, carriage service providers and number database operators. See generally Telecommunications Act 1997.

[68] Telecommunications Act 1997, § 107 (1997).

[69] See generally Privacy Act 1988, Part IIIA (1988).

[70] See Privacy Act 1988, § 17 (1988).

[71] Privacy (Private Sector) Bill 1999, available in .

[72] National Principles for the Fair Handling of Personal Information, available in . The National Principles for the Fair Handling of Personal Information delineate standards regarding the collection, use, and disclosure of personal data by businesses and other private sector organizations. The Principles also address the necessary measures that an organization must implement to ensure the accuracy and security of this data, as well as providing the individual with access to the data to maintain its accuracy and completeness. The Principles also discuss the use of pension and Medicare numbers by governmental agencies, transfers of personal data outside Australia, and the collection of sensitive data. Private Sector Information Paper, supra note 54, at .

[73] EPIC Survey, supra note 2, at .

[74] An “organization” is defined to mean a body corporate, an unincorporated association, a partnership, a trust and an individual. Overview of Key Provisions of Privacy (Private Sector) Bill (visited February 10, 2000) .

[75] Private Sector Information Paper, supra note 54, at . Additionally, the Act will apply to Commonwealth bodies and governmental businesses that are not, due to their commercial nature, covered by the existing Privacy Act. Id. at .

[76] Id. at .

[77] Privacy Act 1988, § 17 (1988).

[78] See id.

[79] See id.

[80] See id.

[81] See id.

[82] Private Sector Information Paper, supra note 54, at .

[83] The Bill contains a broad definition of “sensitive information.”

Sensitive information means:

(a) information or an opinion about an individual’s:

(i) racial or ethnic origin; or

(ii) political opinions; or

(iii) membership of a political association; or

(iv) religious beliefs or affiliations; or

(v) philosophical beliefs; or

(vi) membership of a professional or trade association; or

(vii) membership of a trade union; or

(viii) sexual preferences or practices; or

(ix) criminal record;

that is also personal information; or

(b) health information about an individual.

Privacy (Private Sector) Bill 1999, § 1 (1999).

[84] See id. at Principle # 9.

[85] Employee record, in relation to an employee, means a record of personal data about the employment of the employee. An example of personal data about the employment of the employee is personal data about all or any of the following: (a) the engagement, training, disciplining, resignation of the employee; (b) the termination of the employment of the employee; (c) the terms and conditions of employment of the employee; (d) the employee’s personal and emergency contact details; (e) the employee’s performance or conduct; (f) the employee’s hours of employment; (g) the employee’s salary or wages; (h) the employee’s membership of a professional or trade association; (i) the employee’s trade union membership; (j) the employee’s recreation, long service, sick, personal, maternity, paternity or other leave; (k) the employee’s health data; (l) and the employee’s taxation, banking and superannuation affairs. Private Sector Information Paper, supra note 54, at .

Additionally, Section 41 of the Bill provides: “Exemption in respect of employee records. An act done, or practice engaged in, by an organisation that is or was an employer of an individual, is exempt for the purposes of paragraph 7(1)(ee) if the act or practice is directly related to: (a) a current or former employment relationship between the employer and the individual; and (b) an employee record held by the organisation and relating to that individual.” Privacy (Private Sector) Bill 1999, § 41 (1999).

[86] See generally Privacy Act 1988; Privacy (Private Sector) Bill 1999.

[87] Privacy Act 1988, § 27 (1988).

[88] See id. at § 14.

[89] See id. at §§ 14-15.

[90] See id.

[91] See id. at § 17.

[92] See id.

[93] See EPIC Survey, supra note 2, at (citing The Constitution of Brazil (1988)).

[94] See id. at (citing Federal Senate Bill No. 61 (1996)).

[95] Id. at .

[96] See id.

[97] See id. (citing Law No. 8078 (Sept. 11, 1990)).

[98] Id.

[99] See id. at (citing Law No. 7.232 (Oct. 29, 1984)).

[100] Id. at .

[101] Id. at .

[102] See id. at (citing LEI Nº 9.507, DE 12 DE NOVEMBRO DE 1997).

[103] A complete list of the status of data privacy legislation in E.U. member countries is available at . For country reports of both E.U. and non-E.U. members, see .

[104] E.U. Data Privacy Directive, art. 2(a).

[105] See id. at art. 2(b).

[106] On a technical note, the E.U. Directive explicitly excludes from its scope the processing of personal data “by a natural person in the course of a purely personal or household activity”. Id. at art. 3(2).

[107] See id. at art. 7.

[108] See id. at art. 6(b).

[109] See id. at art. 10(b).

[110] See id. at art. 6(c).

[111] See id. at art. 6(d).

[112] See id. at art. 10(a) and (c).

[113] See id. at art. 8.

[114] See id. at art. 12(a) and (b).

[115] See id. at art. 22.

[116] See id. at art. 23.

[117] See id. at art. 25.

[118] See id.

[119] See id.

[120] See e.g., P. Amy Monahan, Deconstructing Information Walls: The Impact of the European Data Directive on U.S. Businesses, 29 Law & Pol’y Int’l Bus. 275 (Winter 1998).

[121] Working Party on the Protection of Individuals with Regard to the Processing of Personal Data, First Orientations on Transfers of Personal Data to Third Countries – Possible Ways Forward in Assessing Adequacy, adopted on June 26, 1997, available in .

[122] Recall that “sensitive data” means personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, or sex-life.

[123] See E.U. Data Privacy Directive, art. 26.

[124] Id.

[125] Id.

[126] See James Harvey, An Overview of the European Union’s Personal Data Directive, 15 NO. 10 Computer Law 19, 22 (Oct. 1998).

[127] Working Party, Preliminary views on the use of contractual provisions in the context of transfers of personal data to third countries, adopted on April 22, 1998, available in .

[128] Working Party, Opinion 1/99 concerning the level of data protection in the U.S. and the ongoing discussions between the European Commission and the U.S. Government, adopted on January 26, 1999, available in .

[129] Department of Commerce, International Safe Harbor Privacy Principles Draft, April 19, 1999, available in .

[130] The terms “data subject” and “data controller” are not always used in the U.S. publications, but are used here for the sake of consistency with the E.U. Directive.

[131] Working Party, Opinion 2/99 on the Adequacy of the “International Safe Harbor Principles” issued by the U.S. Department of Commerce on 19th April 1999, adopted on May 3, 1999, available in .

[132] Joint Report on Data Protection Dialogue to the E.U./U.S. Summit, 21 June 1999, available in .

[133] See International Trade Administration Electronic Commerce Task Force, U.S. Department of Commerce Electronic Commerce Task Force (visited March 19, 2000) .

[134] For the specific wording and responses of the FAQs see: Working Party, Opinion 4/99 on the Frequently Asked Questions to be issued by the U.S. Department of Commerce in relation to the proposed “Safe Harbor Principles”, adopted on June 7, 1999, available in .

[135] Spiros Simitis, From The General Rules On Data Protection To A Specific Regulation Of The Use Of Employee Data: Policies And Constraints Of The European Union, 19 Comp. Lab. L. & Pol’y J. 351, 361-62 (1998).

[136] See id.

[137] See id.

[138] See id.

[139] See id.

[140] See Working Party, Opinion 4/99, adopted on June 7, 1999, available in .

[141] See Working Party, Opinion 4/99 on Contractual Provisions, adopted on June 7, 1999, available in .

[142] See E.U. Data Privacy Directive, art. 26(1)(a).

[143] See Peter P. Swire & Robert E. Litan, None Of Your Business 92 (Brooking Inst. 1998).

[144] See id.

[145] See id.

[146] See id.

[147] See id. An example of a global waiver is: “[a]t the time of hiring a person, [the multinational company obtains unambiguous expressed] consent to use [person’s] personal information for ‘all internal management purposes.’” Id. at 91.

[148] Article 6(1)(b) provides that data must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.” E.U. Data Privacy Directive, art. 6(1)(b).

[149] See Swire & Litan, supra note 143, at 93.

[150] See id.

[151] E.U. Data Privacy Directive, supra note 1, art. 26(1)(c).

[152] See Swire & Litan, supra note 143, at 110.

[153] EPIC Survey, supra note 2, at . This is a result of the People’s Republic of China’s resumption of sovereignty over Hong Kong on July 1, 1997. Id.

[154] Basic Law of the Hong Kong Special Administrative Region of the People’s Republic of China, art. 29.

[155] See id. at art. 30.

[156] See generally Personal Data (Privacy) Ordinance (1995). This Ordinance is based on the recommendations made by the Hong Kong Law Reform Commission as a result of its six-year study, as well as a draft version of the E.U. Directive. EPIC Survey, supra note 2, at .

[157] “Personal Data” means any data: “(a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable.” Personal Data (Privacy) Ordinance, § 2 (1995). However, the Ordinance does not attempt to differentiate personal data according to its sensitivity.

[158] See id. at Schedule 1, § 1.

[159] See id. at Schedule 1, § 3.

[160] See id. at Schedule 1, § 4.

[161] The Personal Data (Privacy) Ordinance, Schedule 1, Data Protection Principle 6 provides:

A data subject shall be entitled to:

(a) ascertain whether a data user holds personal data of which he is the data subject;

(b) request access to personal data –

(i) within a reasonable time;

(ii) at a fee, if any, that is not excessive;

(iii) in a reasonable manner; and

(iv) in a form that is intelligible;

(c) be given reasons if a request referred to in paragraph (b) is refused;

(d) object to a refusal referred to in paragraph (c);

(e) request the correction of personal data;

(f) be given reasons if a request referred to in paragraph (e) is refused; and

(g) object to a refusal referred to in paragraph (f).

See id. at Schedule 1, § 6.

[162] Section 33 of the Hong Kong Personal Data (Privacy) Ordinance provides in part:

(2) A data user shall not transfer personal data to a place outside Hong Kong unless-

(a) the place is specified for the purposes of this section in a notice under subsection (3);

(b) the user has reasonable grounds for believing that there is in force in that place any law which is substantially similar to, or serves the same purposes as, this Ordinance;

(c) the data subject has consented in writing to the transfer;

(d) the user has reasonable grounds for believing that, in all the circumstances of the case-

(i) the transfer is for the avoidance or mitigation of adverse action against the data subject;

(ii) it is not practicable to obtain the consent in writing of the data subject to that transfer; and

(iii) if it was practicable to obtain such consent, the data subject would give it;

(e) the data are exempt from data protection principle 3 by virtue of an exemption under Part VIII; or

(f) the user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in that place, be collected, held, processed or used in any manner which, if that place were Hong Kong, would be a contravention of a requirement under this Ordinance.

See id. at § 33.

[163] See id. at § 5.

[164] A violation of any provision of the Ordinance, excluding the data protection principles, is a criminal offense. Additionally, if the violation results in damage to the data subject, the offender may be forced to compensate the data subject. EPIC Survey, supra note 2, at .

[165] Section 8 of the Hong Kong Personal Data (Privacy) Ordinance provides: “The Commissioner shall- (a) monitor and supervise compliance with the provisions of this Ordinance. . . . (e) carry out inspections, including inspections of any personal data systems used by data users which are departments of the Government or statutory corporations. . .” Personal Data (Privacy) Ordinance, § 8 (1995).

[166] Section 37 of the Ordinance delineates the process to file a complaint under the Ordinance:

(1) An individual, or a relevant person on behalf of an individual, may make a complaint to the Commissioner about an act or practice-

(a) specified in the complaint; and

(b) that-

(i) has been done or engaged in, or is being done or engaged in, as the case may be, by a data user specified in the complaint;

(ii) relates to personal data of which the individual is or, in any case in which the data user is relying upon an exemption under Part VIII, may be, the data subject; and

(iii) may be a contravention of a requirement under this Ordinance (including section 28(4)).

See id. at § 37.

[167] “As of March 31, 1999, the Office has received 35,968 inquiries (19,994 in 1998-1999), heard 723 complaints (418 in 1998-1999) and conducted 119 formal investigations, ruling in 62 cases that there was a violation of the Act. The Office has also issued 147 advisory/warning notices, 14 enforcement notices and has referred 18 cases to the police for prosecution.” EPIC Survey, supra note 2, at .

[168] Section 12 of the Ordinance empowers the Commissioner to issue codes of practice “for the purpose of providing practical guidance in respect of any requirements under this Ordinance imposed on data users.” Personal Data (Privacy) Ordinance, § 12 (1995). To date, the Privacy Commissioner has issued two codes of practice: (1) the Code of Practice on the Identity Card Number and Other Personal Identifiers, and (2) the Code of Practice on Consumer Credit Data.

[169] Draft Code of Practice on Human Resources Management, available in [hereinafter “Draft Code”].

[170] Id. at . A total of 86 comments were received from individuals, organizations, and professional bodies in response to the Draft Code. Most of the comments concerned the retention periods for different types of employment-related data and the prohibition on the use of “blind” advertisements – advertisements in which the advertiser is anonymous but nonetheless directly solicits personal data from recipients. Id.

[171] Privacy Commissioner Issues Draft Code of Practice on Human Resources Management for Public Consultation (visited February 25, 2000) .

[172] Stephen Lau, Privacy Commissioner for Personal Data, has stated:

The Ordinance is of particular importance to HRM activities because most such activities involve the handling of personal data, and in fact quite a large number of the complaints and enquiries handled by the PCO involve employment-related personal data. We deem it appropriate to provide more detailed guidance in this area in the form of a Code of Practice. In addition, HRM practitioners often assume the role of the data protection or privacy officers in their organizations. Providing detailed guidance on the Ordinance to this profession will assist in the strengthening of privacy awareness and culture within an organisation.

Id. at .

[173] Draft Code, §§ 1.2 – 1.5.

[174] See id. at §§ 1.10 – 1.31.

[175] See id. at §§ 1.7 – 1.9.

[176] See id. at § 1.1.

[177] See id. at §§ 1.2 – 1.5.

[178] Personal Data (Privacy) Ordinance, § 33 (1995).

[179] These principles have been incorporated in the Ordinance from data practices that are found in various data protection laws from around the world. Principle 1 relates to the purpose and manner of collection of personal data; Principle 2 addresses the accuracy and duration of retention of personal data; and Principle 3 discusses the use of personal data. See id. at Schedule 1.

[180] Data Protection Principle 1(3) addresses the various requirements that an employer must meet when obtaining consent from an employee:

Where the person from whom personal data are or are to be collected is the data subject all practicable steps shall be taken to ensure that:

(a) he is explicitly or implicitly informed, on or before collecting the data, of –

(i) whether it is obligatory or voluntary for him to supply the data; and

(ii) where it is obligatory for him to supply the data, the consequences for him if he fails to supply the data; and

(b) he is explicitly informed –

(i) on or before collecting the data, of –

(A) the purpose (in general or specific terms) for which the data are to be used; and

(B) the classes of persons to whom the data may be transferred; and

(ii) on or before first use of the data for the purpose for which they were collected, of –

(A) his rights to request access to and to request the correction of the data, and

(B) the name and address of the individual to whom any such request may be made, unless to comply with the provisions of this subsection would be likely to prejudice the purpose for which the data were collected and the purpose is specified in Part VIII of this Ordinance as a purpose in relation to which personal data are exempt from the provisions of data protection principle 6.

See id. at Schedule 1, § 1(3).

[181] See id. at § 33(2).

[182] See id. at § 33(2)(c).

[183] See id. at § 33(2)(a). If the Privacy Commissioner has reasonable grounds to believe that there is, in the place outside of Hong Kong, any law that is substantially similar to, or serves the same purpose as, the PDPO, then he may issue a notice in the Gazette. However, the Privacy Commissioner has not yet specified any such places.

[184] See id. at § 33(2)(b).

[185] See id. at § 33(2)(f). In a fact sheet posted by the Privacy Commissioner, one method that may be used to satisfy the due diligence standard contained in the Ordinance is for the transferor and transferee to enter into a contract that would require the transferee to apply the data protection principles of the Ordinance to the data upon transfer. Fact Sheet # 1, Model Contract (visited February 11, 2000) .

[186] Draft Code, § 1.2.1. The purposes for which employment-related personal data are to be used may be stated in general or specific terms. Id. at § 1.9 (1.1.2). Examples of this include data required: to pay employees and to make compensation benefits and awards, to contact employees when absent from the office, to make tax returns, to assess employees’ performance and training needs, to plan promotion and movement from post to post, and to administer a retirement scheme or provident fund scheme to which employees contribute or from which they may benefit. Id. at § 1.9 (1.1.1).

[187] Id. at § 1.14. An employer is required to explicitly inform the data subject of the classes of third parties to which any personal data from job applications, employees or former employees may be transferred. An employer must do this on or before collecting the data. Id. at § 1.14 (1.1.2).

[188] Id. at § 1.12.

[189] Id. at § 1.14 (1.1.3) provides: “Because the transfer notification requirements only apply to transfers to third parties outside the employing organisation, there is no requirement for employers to name other internal departments or employees of the employer to whom personal data may be transferred for the purposes of employment.” Id.

[190] Personal Data (Privacy) Ordinance, § 33(2)(c) (1995).

[191] See id. at § 33(2)(f).

[192] Fact Sheet #1, supra note 185, at .

[193] Id. at § 1.

[194] Id. at § 2.

[195] Id. at § 3.

[196] Draft Code, § 1.7.1.

[197] Id. at § 6.1.1.

[198] Id. at § 6.1.6.

[199] Id. at § 6.7.9.

[200] The essential elements of self-certification are: (1) awareness; (2) choice; (3) data security; (4) consumer access; (5) consumer recourse; (6) verification; and (7) consequences.

[201] Broughton, supra note 19, at 295-296.
