Data Protection and Outsourcing: What is All the Fuss About?
By Bridget Treacy and Maureen Cooney
Stories concerning the theft of data are commonplace across Europe and the United States. Consumers worry about the security of their data held domestically, and increased awareness of security vulnerabilities fuels concerns over security breaches in offshore locations, where consumers may feel that they have even less control over their data. Some stories are motivated by a genuine concern to protect consumers, while others are the result of concerted attempts to undermine off-shoring and outsourcing markets. Whatever the motivation, these stories still attract adverse publicity for the businesses involved, serving as a reminder of the significance of data protection and information security in an outsourcing context — particularly where data are sent abroad.
Businesses make the mistake of overlooking data protection as a significant legal obligation and risk management issue when devising their outsourcing strategy. Too often, data protection is addressed as an afterthought instead of as a primary component of any offshoring plans. There are key data protection factors to consider when planning an outsourcing transaction.
How the EU Data Protection Directive Affects Outsourcing Transactions
The European Data Protection Directive (1995/46/EC) seeks to regulate the processing of personal data by controllers. "Personal data" is broadly defined to mean any information relating to an identifiable natural person. A business' staff records, customer records and supplier details all constitute personal data. The Directive imposes obligations on controllers—the individuals or entities which determine the purposes and means of the processing of personal data. A business will be the controller in relation to its staff, customer and supplier personal data. If that business decides to outsource some of its functions, whether they be IT or business process activities (such as finance, payroll or human resources), there is every likelihood that personal data will need to be transferred to the outsource vendor as part of that transaction. In most (but not all) circumstances, the business transferring its data will remain the controller; this means that, even though the data will be processed by the outsource vendor, the business remains responsible under the law for how those data are processed.
The Data Protection Directive is by no means unique in the way in which it ensures responsibility remains with the business which has collected personal data. A similar emphasis is evident in the approach of other regulators who, invariably, stipulate that the business entering into an outsourcing arrangement remains responsible for the outsourced function. Specifically, this means that the outsource contract must deal adequately with issues of system security and control.
An example of this is the UK's financial services regulator, the Financial Services Authority (FSA), which states very clearly in its guidance that the businesses it regulates cannot contract out their regulatory obligations and must supervise outsourced functions. Material outsourcing arrangements must be notified to the regulator and all outsourcing arrangements must be the subject of analysis to assess how the outsourced arrangement fits within the business' overall reporting structure, risk profile and ability to discharge its regulatory obligations. Further, the ability to monitor and control operational risk exposure relating to the outsourcing must be specifically covered in the outsourcing contract.
U.S. Privacy Regulation
Similarly, the Federal Trade Commission (FTC) in the U.S., with broad oversight over business activities affecting the U.S. market, and the federal financial services regulators for banks, thrift institutions, securities brokers and other covered entities, take the view that U.S. companies subject to U.S. laws cannot escape their responsibilities under those laws through outsourcing arrangements. In other words, legal accountability for privacy and information security does not shift from the business to the outsourcing vendor.
Consequently, much like the European position, even though data may be processed by an outsource vendor, compliance with the privacy and information security requirements that exist under U.S. laws remains the responsibility of the business that is the outsourcing organization.
Further, the FTC has advised Congress that its current statutory authority provides sufficient jurisdiction for the FTC to enforce the privacy and information security requirements contained in a range of legislation, including the Children's Online Privacy Protection Act, the Telemarketing and Consumer Fraud and Abuse Prevention Act, the Safeguards Rule and privacy provisions of the Gramm-Leach-Bliley Act (GLBA), irrespective of whether the activity is outsourced to a third party based either locally or abroad.
The extension of the FTC's authority to cooperate across borders on enforcement matters, through recent passage of the U.S. Safe Web Act, could further assist the FTC in exercising enforcement jurisdiction in relation to consumer privacy issues. This could apply to the foreign outsourced activities of a U.S. company, including possible privacy and information security issues pursued under the unfairness or deception doctrines of Section 5 of the Federal Trade Commission Act.
U.S. federal financial regulators, including the Federal Reserve Board, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision, regulate each entity under their respective jurisdictions on an enterprise-wide level, regardless of whether individual offices are located within the U.S. or overseas. They also extend their broad regulatory authority to the outsourced activities of a regulated institution.
In 2004, through the Federal Financial Institutions Examination Council (FFIEC), the regulators collaboratively issued joint examination guidance on Outsourcing Technology Services and included examination for privacy risk management. The guidance provides that U.S. financial regulatory authorities will focus their reviews of a business which has outsourced some of its activities on the adequacy of that business' due diligence efforts, its risk management assessments, and the steps taken to manage those risks throughout the lifecycle of the outsourcing process.
In particular, regulators will consider the effect of the outsourced arrangement upon the business' compliance with applicable laws and its ability to access and safeguard critical information. Reviews by the regulators will assess the business' contract provisions and its ongoing monitoring or oversight program, including any internal and external audits arranged by a foreign-based service provider or other outsource vendor.
Data Protection Issues to Consider When Planning to Outsource
Know Your Data
Because the business is likely to remain responsible for the personal data it outsources, and because outsource vendors are well aware of their legal obligations in this context, it is crucial that the business identifies which of the personal data it processes are about to be outsourced. A degree of due diligence should be undertaken to establish exactly what those data consist of, how they were collected, the sensitivity of the data, what the business is entitled to do with the data (including considering whether there are any constraints on transferring the data to third parties or abroad), how the data are processed in practice and what security measures are in place.
Outsource vendors should require that their customers warrant the quality of the personal data which are transferred to them and warrant that existing processing activity complies in all respects with the EU Directive, U.S. laws, and with domestic legislative equivalents in specific jurisdictions. Frequently, businesses do not know enough about their internal data protection compliance to readily provide such warranties.
Identify Which Data Need to be Transferred, When and How
The next stage is to consider which personal data need to be provided to the vendor as part of the outsource transaction, determine what the capacity of the parties will be in relation to those data (i.e., controller or processor) and consider how the transfer of the data may be undertaken on a lawful basis.
For companies based in the EU, the transfer must comply with the "fair and lawful processing" principle which, in practical terms, requires the business to comply with one of a pre-determined list of conditions. Sometimes, in an outsourcing context, compliance with this requirement can be difficult. Further, in setting up an outsource, there might well be two or more stages of data transfer: at due diligence, and at one or more stages after the contract is signed. Different considerations may apply to each transfer of data.
A further complicating factor is raised by the transfer of employees to the outsource vendor. Within the EU, specific regulations based on the Acquired Rights Directive 2001/23/EC govern the terms and conditions upon which employees transfer to a new employer in circumstances where the business activity transfers to a new entity, such as an outsource vendor. The regulations are intended to ensure that employees' rights are protected and that their pay and conditions are not adversely affected as a result of the transfer. In effecting the transfer, employees' personal data will need to be disclosed to the outsource vendor. This disclosure must be undertaken in compliance with the Acquired Rights Directive as well as the Data Protection Directive.
Transfer of Data Outside the EEA and U.S.
Careful thought must also be given to whether any transfer of personal data to the outsource vendor involves the data being sent to a country outside the EEA. Such transfers are prohibited by Article 25 of the Data Protection Directive unless the importing jurisdiction provides adequate data protection. Careful consideration and expert advice should be sought in order to determine which route to a lawful transfer is the most appropriate for the particular transaction at hand. The particular requirements of individual European jurisdictions vary, and some jurisdictions require that transfers of data to other jurisdictions are notified to individual data protection regulators.
In considering this particular issue, it is important to look at the overall structure of the transaction. Three common scenarios involve either an initial rationalization or transfer of data within the business before the data move to the outsource vendor; data transfers directly to an outsource vendor based off-shore; or a transfer of data to a domestic vendor who subsequently transfers the data to an affiliated or outsourced off-shore operation.
With respect to transfers outside the U.S., financial services regulators emphasize the importance of their examination function and the requirement that their ability to examine a business' books and records, across the organization, should not be impeded. When selecting an offshore vendor, financial institutions must be aware of the existence of any legal impediments in foreign jurisdictions that might prevent financial regulators from having ready access to the books and records of the institution. This includes the ability of the financial institution itself to have full access to documents and to share them with the appropriate regulator upon request.
Vendor Due Diligence and Security
Data protection and security considerations must feature in the initial vendor due diligence; for regulated businesses this is a requirement. This initial due diligence should be supplemented by the exercise of audit rights during the life of the outsourcing agreement so that the business may reassure itself that personal data are lawfully processed and protected by adequate security.
Not surprisingly, it is increasingly common for businesses to impose detailed security obligations on outsource vendors. This is particularly the case for financial institutions and other regulated entities, especially where the outsource vendor operates from outside the EEA or the U.S. The detailed security requirements may cover technical security measures relating to the systems over which data may be transferred, accessed, manipulated and stored, as well as organizational security measures governing access to premises (such as prohibitions on staff use of data storage devices, including iPods and mobile phones).
For the purposes of compliance with the Data Protection Directive, it is key to establish the capacity in which the outsource vendor will process the data. If the vendor is a mere processor, it will have no obligation to comply with the requirements of the Data Protection Directive and the business must seek to flow down into the outsource contract certain of its obligations as controller. In addition, Article 17 requires the business, as controller, to evidence the processing arrangements by a written contract, to require the vendor to process data only in accordance with the business' instructions, and to ensure that the processor has in place adequate technical and organizational security measures.
Under the Gramm-Leach-Bliley Act, safeguards provisions have similar requirements. The FTC's Safeguards Rule implementing the Gramm-Leach-Bliley Act is now the de facto information security standard for commercial companies, whether or not they are financial entities. Thus, the detailed contractual clauses requiring compliance with EU and U.S. law should be drafted with expert input.
In an outsourcing context it is invariably the case that the vendor will subcontract aspects of the service provision. Contract terms between the business and the outsource vendor should address this possibility and, if permitted, the basis upon which subcontracting may take place. The business must bear in mind that as controller it will retain responsibility at law for the processing of the data, even where the processing is subcontracted or sub-subcontracted. Where the subcontractors are based abroad, it becomes more of a challenge to deal adequately with the data protection requirements; nevertheless, accountability remains with the business that is the outsourcing organization.
Data protection regulators across Europe, and consumer protection and financial services regulators in the U.S., are turning their attention to the issue of the security of outsourced data. Individuals are increasingly aware of their rights and are expressing legitimate concerns for the privacy and security of their personal information. A failure to deal adequately with data protection issues in a systematic manner at the outset of an outsourcing transaction may well result in long-lasting reputational damage in the event of a breach. A focus on data protection issues at an early stage of the outsourcing transaction can minimize risks and promote beneficial and successful outsourcing relationships, preserving the company's reputation, information assets and customer relationships.
This article does not provide a complete statement of the law. It is intended merely to highlight issues which may be of general interest and does not constitute legal advice.
Bridget Treacy (London) and Maureen Cooney are members of the privacy and information management practice at Hunton & Williams. Treacy is a partner in the firm's Global Sourcing and Privacy practices in London and can be reached at +44 (0)20 7220 5700. Cooney serves as Counsel and as a Senior Policy Advisor for Global Privacy Strategies at the firm's Center for Information Policy Leadership in Washington, D.C. and can be reached at (202) 955-1500.