The air is hot and stale in his 8×8 cell in Colombia, and the constant sounds of prison unrest make sleeping difficult. For the last three months his company has consisted of a resident rat named Rata, who looks better fed than him, and his cellmate, Chismoso, who became a guest of the prison after he was caught transporting bags of drugs at the airport.
As far as the Colombian government was concerned, Spencer Davis was also smuggling. But instead of plastic bags in a briefcase, Spencer’s contraband was stored in five hard drives. His firm was hired by an international bank’s U.S.-based attorneys to perform a forensic collection, data processing, and culling onsite. After processing the data for an onsite privilege review he was to transfer the data back to the United States for additional searching and hosting for review.
That’s when it happened. While searching Spencer’s carry-on luggage at the airport, security found the hard drives and asked what they were for. He explained the situation and showed them the data privacy and consent agreements he’d received from the bank’s compliance officer. What he didn’t know was that every database containing personal information created in Colombia must be registered with the federal government, and that consent for the processing of data must come freely from each individual – not from the data holder’s corporate legal team. Although Spencer was acting as an agent of his firm, he was still responsible for failing to comply with the law.
This seemingly small oversight was enough for the officers to arrest Spencer at the airport and him to be sentenced to 96 months in jail.
The above example story is fictitious, but the punishment – as harsh as it may appear – is a very real possibility for professionals who collect and process personal data internationally. With all the attention that the European Union has received, it is a good reminder that professionals must be aware of the legal requirements in any foreign jurisdiction in which they work.
General Data Protection Regulation (GDPR) is the new buzz word in data privacy and consulting, having gone into full effect in the E.U. on May 25. The financial penalties for non-compliance are tremendous (up to the greater of €20 million or 4 percent of global annual revenue) and have on some level scared the business world “straight.” It’s made U.S.-based companies look at data privacy like never before. It even inspired the American public to petition politicians to take a new look at increased privacy laws at home.
As eDiscovery practitioners, consultants, and forensic experts, we mustn’t forget that GDPR only applies to organizations located within the European Union and foreign organizations that offer goods or services to, or hold data of E.U. citizens. More than 80 countries have data privacy laws, some of which were inspired by GDPR regulations. In spite of their similarities, however, there are still considerable differences that must be recognized and understood to avoid potentially steep penalties.
Countries throughout the world enforce similar data privacy regulations as the E.U., some of them much stricter and with more severe penalties. In the example country, Colombia, the right to intimacy, good name or reputation, and data protection, are all guaranteed by Article 15 of the country’s constitution. The Colombian Criminal Code allows offenders to be sentenced to prison terms of 48 to 96 months, and can levy fines equivalent to over $270,000 USD. Similar regulations exist in other countries, such as Hong Kong, Morocco, Japan, and Venezuela.
In Brazil, the Brazil Internet Act was passed in 2014, which created policies about collecting and using personal data via the internet. Brazil added an additional step by ruling that minors under 16 years of age could not legally give consent for the use of their personal information, and that young adults between 16 and 18 years of age required assistance from a legal guardian to give consent.
The Data Privacy Act of 2012 in the Philippines is the country’s first-ever overarching data privacy legislation, and was heavily influenced by Directive 95/46/EC of the European Union. The Act introduces the concept of ‘sensitive personal information’, a class of personal information which is subject to more stringent requirements for processing. Those found guilty of processing such data – even data stored outside the Philippines – without the proper consent may be subject to prosecution and jail time of two to seven years.
The goals of each of these countries’ policies are similar, but the mechanism by which appropriate consents can be given will vary depending on which country you are in. Further, transferring data from one country to another may compound the requirements, so never simply assume that everything is in place. Be proactive, ask difficult questions before, you begin collecting and processing data.
When working in any country or even at home on a foreign citizen’s data, it’s prudent to perform your due diligence and consult with a data privacy expert familiar with the laws of that country to ensure you’re in compliance with local and national data collection and processing law. It’s important to understand that consent is only valid when it is obtained freely and willingly from the appropriate party, and how the law defines the appropriate party may vary from country to country. The penalties for incomplete or inappropriate data privacy consent can include personal liability up to, and including, prison sentences.