While the technological world increasingly renders geography meaningless, no one appears to have informed lawmakers of this fact. Data can move easily and seamlessly from Uruguay to Spain to the United States, but in doing so, three separate data privacy and protection regimes are implicated. As more companies, individuals and even governments place their data in the cloud, both customers and providers of cloud computing services must become acutely aware of the burgeoning laws and regulations restricting the collection, storage, disclosure and movement of certain categories of information.
In most instances, data privacy statutes are enacted to protect the personal information of each country's citizens. These laws generally govern the ability of entities and individuals to "process" (i.e., collect, preserve, organize, store, use, etc.) the data of others, and they apply when information is stored, collected, processed or communicated to or from the country. Given the ubiquitous nature of mobile devices being used for business purposes, a Mexican citizen working in Canada whose communications are stored by a cloud computing services provider located in the United States would likely trigger certain provisions within all three countries' statutory schemes. For current or aspiring cloud computer customers and providers, three aspects of data privacy regimes should be of interest.
First, you will need to know when and how you must obtain consent from data owners to process their personal information. For example, under Spanish and Argentinian law, data users must obtain express consent from data owners in writing, and that consent is revocable at any time. Accordingly, if you have employees in Spain or Argentina (or a country with a similarly stringent data privacy statute), you will need to obtain consent from each individual employee and then exercise selectivity in terms of placing any personal information into the cloud.
Second, you will need to understand the security and reporting requirements of a data privacy regime. In Mexico, the 2010 Federal Law on the Protection of Personal Data Held by Private Parties requires maintenance of industry-standard physical, technical and administrative security measures designed to protect personal data from unauthorized damage, alteration, loss or use. In addition, where there has been a breach of personal data, data users must promptly notify each and every data owner whose personal data may have been affected. This is a common requirement, so users of cloud computing services should have communication processes capable of quickly and effectively notifying data owners about any potential breach in security.
Third, you should research the enforcement mechanisms and potential penalties tied to any transgression of an applicable data privacy regime. Argentina has modeled its data privacy enforcement apparatus on Spain's, granting a governmental agency, the Dirección Nacional de Protección de Datos Personales, the power to impose administrative sanctions, including warnings, suspension or cancellation of a data user's right to maintain a database, as well as monetary penalties ranging from approximately US$200 to US$20,000. Even criminal charges may be brought against egregious violators, with terms of imprisonment ranging from one month to up to three years. Cloud computing services customers and providers must understand the potential consequences of communicating, storing, and/or processing information in a given country.
The best, and indeed the only, way to ensure that you or your company does not run afoul of a data privacy statute is first to read and understand each such law that applies to your data. Then you should go about creating forms for data owners' consent for processing of personal data (for business use) and crafting checklists for ensuring that communications are monitored when they cross borders. Finally, recording your efforts to educate employees and to ensure compliance with data privacy regimes is likely to protect you from any harsh consequences for inadvertent missteps.
John C. Eustice is a member at the law firm Miller & Chevalier Chartered in Washington, D.C. His practice focuses on the counseling and representation of businesses and individuals facing complex civil litigation. He is a contributing member of The Sedona Conference and regularly writes about and speaks on technological, cloud computing, and electronic discovery matters. He can be reached at (202) 626-1492 or firstname.lastname@example.org.