1 Bender on Privacy and Data Protection § 34.06 (2020)
International outsourcing of various corporate functions¹ is a topic of spirited debate. Some U.S. commentators (and legislators) advocate a restriction on the outsourcing of jobs. Until recently, an easing of privacy compliance was rarely advanced as a rationale for outsourcing. But that may be changing. Consider:
- A large U.S.-based global company, uneasy about laws restricting cross-border personal data flow, commissioned a study of these laws in over 20 nations. As a result, it is considering moving its most important database from the U.S. to the EU.
- A sizeable U.S.-based multinational law firm, apprehensive about cross-border transfer of personal data, undertook an analysis of data transfer laws in the jurisdictions in which it had offices. As a result, it considered moving its HR database from the U.S. to the EU.
- An EU-based multinational, which does its HR data processing in the U.S., sought detailed advice concerning data transfer laws in each jurisdiction in which it has employees. As a result, it considered moving its HR data processing from the U.S. to the EU.
- SWIFT, the leading messaging service for international wire transfers of funds, maintained two “mirror-image” computers (one in the U.S. and one in the EU), and was incensed to learn that, soon after 9/11/2001, the U.S. Treasury Department obtained access to personal data in the U.S. computer. As a result, SWIFT decided no longer to store EU data in the U.S. computer. Instead, it will store it in a second European computer center, built at a cost of $200 million.
In each of these instances, concern resulted from the prospect of complying with an EU data protection law that in practice was perceived to place significant burdens and expense on the export of personal data from the EU. This Treatise takes no position on whether these perceptions represent a correct assessment of those requirements or their ramifications (which in general depend on the nature of a particular organization’s data flow). Rather, note is simply taken of the increasingly common view—whether correct or not—that moving one’s processing operation from outside the EU into the EU² will alleviate the problems of complying with the cross-border transfer restrictions of the EU data protection regime.
This situation may be growing worse. In August 2009, a Hewitt Associates survey reported that HR departments were shifting to “more global business models and staffs as globalization and cross-border trade and investment rise.”³ The base for the survey was some 85 multinationals in the Americas, Europe, and Asia-Pacific. According to that survey, many of these companies have global HR policies in place, and 49 percent of the base stated that their global HR strategy applies worldwide. While only 15 percent of the companies described themselves as “global,” some 30 percent stated they had global HR organizations. The trend toward global HR policies highlights the need for a global data protection strategy, especially in light of the fact that for most HR personal data, consent may not be an acceptable basis for export from the EU and perhaps from other nations.
Footnotes — § 34.06:
1 Data processing and the operation of call centers are two functions often outsourced.
2 The new SWIFT computer center is in Switzerland, which is not an EU member state. However, the EU has formally recognized Switzerland as providing adequate privacy protection.
3 “Firms Shifting to Global HR,” Investor’s Bus. Daily, p. A6 (24 Aug. 2009).