Data Protection, on an International Scale


Data protection in the U.S. is different from data protection in the UK. And because every government does things differently, it should not come as a surprise that data protection in other countries, like Germany, looks different than in either the UK or the U.S. But as law.com pointed out on Friday, it's where those different laws overlap and contradict each other that a lot of global companies trip up. (I've made similar observations before in the e-discovery context.)


Writer Erik Sherman says determining a "common denominator" that will keep all of the regulators happy is not easy to do. Though Lyndon Group's Ruth Horazcko says the first step to data protection is deciding where the data resides, and thus, which law applies, the answer is not always evident. Hunton & Williams privacy and information management practice head Lisa Sotto points out that even countries in the same region will have different requirements. According to law.com, "They can differ on what can count as user permission to use data, what security requirements are necessary and even how long the information can be retained."


The same is true in the U.S. Outside of the data breach notification law that is part of the HITECH portion of the American Recovery and Reinvestment Act, there are no broad federal data protection laws, but various states have taken stabs at legislating the issue. And each of the state laws is a little bit different.


So how should companies go about crafting a data protection compliance plan? Adam Smith, deputy legal counsel at IT infrastructure services provider Terremark Worldwide says, "I don't think anyone in the IT department is thinking, 'We're in Amsterdam and have capacity in Germany, so let's move this over there and move some to the U.S.' [and then consider the legal issues]."


And if the companies don't want government authorities breathing down their necks, so to speak, to enforce data protection requirements, Smith says the legal department has to "insert [itself] in a risk management role."


I'm not sure IT will appreciate legal "inserting itself" into IT processes if it's not handled properly, but if it's done in a spirit of cooperation and teamwork... After all, legal and IT are gettng better at working together, it seems.