HB Ad Slot
HB Mobile Ad Slot
Personal Data of U.S. Citizens Transferred Abroad Needs Protection
Tuesday, July 30, 2019

The U.S. legal system addresses hacks by individuals and foreign governments, but if personal data of a U.S. citizen resides outside of the country, those same protections do not always apply. The U.S. needs to adequately protect the personal data of its citizens when it is transferred abroad.

The risk here is real. As evidence, foreign governments or their representatives have committed some of the most recent and largest data breaches (likely including the MarriottEquifaxAnthem, and Yahoo! breaches). If these governments were committing petty theft with stolen credit card numbers, existing domestic and international legal frameworks fully address this, but this is not what is happening.

With information on hotel stays, credit reports and the health of tens of millions of Americans, a foreign government gains valuable intelligence on human rights activists, government officials, and executives at key technology companies (and their assistants), and this is a much more complex issue to address.

The U.S. does try to protect its citizens. As an example, Anthem notified, provided credit protection, and settled a lawsuit (with costs of respectively $31M, $112M and $115M) in connection with a data breach of 78.8 million individuals’ data. However, there was not a single instance of identity theft that was proven to be caused by the breach.

Except as a financial penalty for having security practices inadequate to prevent a breach, these costs make little or no sense for hacks linked to foreign governments gathering intelligence (and not committing financial fraud). 

Few Restrictions on Transfer of Personal Data

The real issue here is that the U.S. imposes few, if any, restrictions on transferring personal data outside of the country in the normal course of business. If Anthem stored the personal data of 78.8 million people in the country that committed a breach, the intelligence agencies of such country could have access to the same data pursuant to the applicable law of the country in which such data resides. In this event, it is very unlikely that Anthem (or anyone in the U.S.) would ever be notified of the disclosure.

The U.S. is not alone in this risk—every country is exposed to it. Both China and Russia have enacted legislation restricting the transfer of personal data of their citizens outside of their respective countries, and for many years, the European Union has prohibited the transfer of personal data of EU citizens outside of the EU without adequate protection, including appropriate contract terms.

While the EU system does not fully resolve the issue of conflict between EU and foreign law, it is a real restriction, and after Edward Snowden’s revelations regarding the PRISM mass surveillance program, the EU revised its data protection laws and agreements with the U.S. 

Personal Data of U.S. Citizens Unprotected

The U.S. does not likewise protect the personal data of its citizens outside of its borders. To mitigate such risks, savvy U.S. lawyers do often prohibit the transfer of key data outside of the country, impose view-only access abroad, or limit the disclosure of sensitive data to reliable democracies, including India; however, this piecemeal approach does not provide comprehensive protection.

The world is only becoming more interconnected, and more attention needs to be paid to where personal data of U.S. citizens is being stored and transmitted; otherwise, foreign governments will continue to have unfettered access to the personal data of U.S. citizens stored abroad.

As Congress continues to debate federal privacy legislation, it should (like the EU) require adequate safeguards to protect the personal data of U.S. citizens transferred abroad.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Reproduced with permission. Published June 25, 2019. Copyright 2019 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com.

HB Ad Slot
HB Ad Slot
HB Mobile Ad Slot
HB Ad Slot
HB Mobile Ad Slot
 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins