Data Breach Notification And The Multinational Employer: Part 2-00-4384

By Author: 4Ps--Marketing
Total Articles: 4393
Comment this article

But European data law principles become surprisingly sketchy as to specific breach-notification mandates. Perhaps ironically, Europe—which otherwise imposes what are widely recognized as the world's toughest set of general data-protection laws—has, so far, imposed few specific breach-notification requirements (at least outside the telecommunications sector).

This is probably because Europe's tough general data-notification rules (as opposed to its data security rules) are built around notifying "data subjects" and government data agencies up front about data processing systems. In a sense, Europe's general data notice rules are preventive in that they "close the barn door before the horse gets out," but they focus less on post-crisis breach response—mandating special notices "after the horse gets out."

This said, expect European employee data subjects and government data agencies to argue that Europe's broad general rules requiring "data controllers" to notify data subjects and agencies about data processing systems somehow encompass a mandate to provide notice of a specific breach incident. ...
... One argument here may be that unless the data controller had previously disclosed (to data subjects and agencies) that "breaches" are one form of permitted data processing, then the controller must notify data subjects and agencies after an unanticipated breach occurs. Further, a small but growing number of European states now impose state-specific breach-notification obligations. Norway, for example, expressly requires notifying the Norwegian data authority even if just one Norwegian is affected by a breach, and an incoming German law is expected to mandate breach notification to local German data authorities.

A publicized data breach risks drawing close scrutiny from European data subjects and data protection authorities. A multinational's breach-notification strategy in Europe needs to factor in the high stakes. European states can impose onerous penalties for widespread data-law violations, especially where a data-controller is shown not to have followed compliant data processing practices.

In short, breach notification requirements in Europe split into two prongs: First, must the data controller notify affected data subjects? (This prong then splits into two halves: notice requirements to "direct data subjects" like employees, versus notice to "indirect data subjects" like employees' e-mail correspondents.) Second, must the data controller notify government data protection authorities? Where a multinational employer that suffers a breach of employee data decides, for human resources reasons, to notify all affected staff worldwide, the issue of whether laws in Europe compel notice to European employees can for the most part drop out, as a practical matter (where the employer complies anyway). This leaves the issue of whether the multinational must notify European member state data agencies. While a few European states (like Norway and, soon, Germany) do impose clear government-notice mandates, in many cases whether government notice is mandatory is a murkier issue. Often the local advice will be that government notice is "recommended."

Beyond the US and Europe: Going beyond Europe and the US, the breach notification issue follows a broadly-similar analysis. First ask: What is the applicable law? Then ask: Does each applicable country's law impose any breach notification obligations? Often it will not. For example, according to the Australian Office of the Privacy Commissioner's Guide to Handling Personal Information Security Breaches (August 2008, at p.12), Australia's "Privacy Act does not expressly requirean organisation to notify individuals if personal information is subject to a breach." Where laws do compel notification, ask: What are the precise obligations to notify both affected data subjects and government agencies? When a multinational employer makes the business decision to notify all affected employees worldwide, the focus becomes notification obligations to government authorities. Relatively few jurisdictions outside the US and Europe impose direct mandates to notify government agencies about breaches of human resources data, but some may. A chart summarizing breach notification laws around the world appears in a 2009 article by Alana Maurushat, "Data Breach Notification Law Across the World from California to Australia" (Univ. of New South Wales Faculty of Law Research Series paper #11). Where laws do not compel notice, ask: What notice is recommended as a matter of good practice? Are there any obligations to third parties affected by the breach, including employee representatives?

Other legal issues beyond data laws: In many jurisdictions, what breach notification mandates apply will depend on the specific facts. For example, where a breach leaks regulated information about publicly-traded securities, securities laws can kick in—such as the stringent notice requirements under Australia's Corporations Act, mandating notice to the Australian Securities and Investments Commission. A lost laptop in the UK led to a huge fine from the Financial Services Authority, because the laptop contained financial data. In some cases, third party contracts can impose penalties.

About the Author:

http://www.whitecase.com/laboremploymentandimmigrationlaw/ can be a complex subject matter for multinational companies. As a global law firm, White and Case have immense experience of http://www.whitecase.com/laboremploymentandimmigrationlaw/ having represented clients in the US, European Union and Asia.