
International PII Data Transfers: New Requirements from Spain

In this global economy it is important to know, understand and follow the data protection laws of every country where you have offices or customers, where you store personally identifiable information (PII), and from where PII is accessed. Each country's law has its own nuances, and those nuances can become a major obstacle if you are doing business there and suddenly find you must stop because you are out of compliance with its data protection requirements.

Do you have offices, employees, customers or business partners in Spain, or are you otherwise connected to Spain through PII? If so, you need to know about a new report issued July 18 by the Spanish Data Protection Agency (AEPD), "Report on International Data Transfers."

I find this type of report very interesting and revealing. You should too, particularly as it relates to the data transfer activities your organization is doing.

Most organizations have not really considered or addressed international PII data transfer issues. However, it is important to know, understand and take actions to be in compliance with applicable laws and regulations.

The report describes the regulatory framework organizations must follow for making international transfers of PII. The report also explains the process for requesting AEPD authorization of data transfers to countries whose data protection practices are considered as being inadequate.

Yes, the U.S. is on that inadequate list.

This regulatory framework process supports Article 33 and Article 34 of Spain's data protection law, Organic Law 15/1999.

Article 33 generally allows data transfers of PII only to countries with levels of protection considered to be comparable to those provided in Spain.

Article 34 lists 11 exceptions to the general rule, meaning data transfers may be approved despite the receiving country being considered to have inadequate data protection. These exceptions fall under the following high-level topics:

* Transfers resulting from treaties or agreements

* Judicial requests

* Medical necessity

* Data subject authorization

* Transfers made in the public interest

It is interesting to note that the report provides statistics about data transfer requests that were approved by the agency through July 1, 2007. The AEPD had knowledge of:

* 8,483 data transfers in 2007

* 8,311 data transfers in 2006

* 2,614 data transfers in 2002

Yes, the trend is upward.

PII data transfers were overwhelmingly made to countries in the European Economic Area, as well as to countries and territories labeled as having adequate data protection laws, such as Switzerland, Argentina, Guernsey and the Isle of Man.

Some data transfers were also approved to specific organizations that were determined by the AEPD to be following Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), as well as to some U.S. organizations within the U.S. Commerce Department's Safe Harbor program.

Some other interesting statistics...

The AEPD received special requests to authorize 236 data transfers under the exceptions outlined in Article 34 from 2000 to 2007.

* 87 of these exceptional transfers were made to the United States

* 15 exceptional transfers were to Chile

* 7 exceptional transfers to Morocco

* 7 exceptional transfers to India

* 7 exceptional transfers to Colombia

* 7 exceptional transfers to Peru

* The rest were 1 or 2 transfers each to other countries


What were some of the reasons for the PII data transfers?

* Management, maintenance and technical support of computer systems

* Management of human resources, customers' and suppliers' PII

* Administrative help involving PII

* Telecommunications companies' customer service call centers (22% of the data transfers were to Latin America)

The report indicated the AEPD had a particular concern about the customer service PII data transfers.

58% of data transfer authorizations were made for multinational organizations with headquarters outside Spain.

Discuss Law 15/1999 with your legal counsel to determine how this impacts your company.


Comments

I thought that Safe Harbor was not taken seriously anymore. The EU has good reason not to trust us. We are sloppy and don't care.

Well, different people/organizations/countries have various thoughts about the Safe Harbor program and take it seriously to various degrees, but it has been in place for a few years now and is still actively used. As far as the U.S. Dept. of Commerce goes, they take it seriously.

What makes it weak, though, is that it is largely a self-certified program; an audit of an organization for Safe Harbor compliance typically will not occur unless there has been an incident, or the privacy commissioner of an EU country has a complaint.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.