04.12.2013 Data Privacy – Know What Rights you are extending to your U.S. Customers and Employees


Many foreign businesses commence trading in the U.S. without paying a lot of attention to their data privacy policies.  Unlike the UK, where the Data Protection Act (which implements the European Data Protection Directive into UK law) applies to all businesses, the U.S. does not have a universal data protection requirement that applies to all businesses in all states.  Certain industries and sectors have their own specific data protection requirements, such as health care providers (who are covered by the Health Insurance Portability and Accountability Act of 1996) and financial institutions and other finance related businesses (which are subject to the Gramm-Leach-Bliley Act).  Data relating to children are subject to the requirements of the Children’s Online Privacy Protection Act of 1998.  There are many businesses that do not fall within the requirements of these targeted pieces of legislation.

In addition, certain states have enacted data protection laws, but such laws are not uniform throughout the states and generally do not provide the level of protection that is mandated by the European Data Protection Directive.  Despite the absence of a generally applicable law, the Federal Trade Commission has taken the position that, if a business voluntarily publishes or publicizes a privacy policy (for example, by attaching a link to the privacy policy on its website), the FTC will enforce such privacy policy and will treat the failure by a business to comply with its own privacy policy as a deceptive act and practice.

As a result, foreign businesses doing business in the U.S. should be mindful of the privacy policies that may be associated with the U.S. trade or business and the unintended consequences that may flow from such policies.  Where a foreign entity is doing business in the U.S. and directing U.S. customers or employees to its UK website, or the website of its foreign parent, and that website contains a data privacy policy, the U.S. business may be subject to compliance with such privacy policy, despite other intentions.  It may be reasonable for both customers and employees that are directed or exposed to such policy to assume that the policy applies to the U.S.  A foreign company, therefore, should make sure that, with respect to inquiries from U.S. employees or customers, it is prepared to fully comply with such policy.  In particular, since many U.S. employees and management are unfamiliar with data protection requirements and adherence to such policies, the U.S. business may be oblivious to the requirement to comply with such a policy and the practicalities of how to do so.

In addition, foreign businesses should appreciate that, if the data of U.S. based customers and employees is repatriated to the UK, such data should thereafter be handled in accordance with all the provisions of the European Data Protection Directive, as enacted in the UK.  This means the foreign company must adhere to the provisions requiring, among other things:

  • Notice as to the purpose for which the data is being collected and used;
  • Disclosure of any third parties to whom such data may be transferred;
  • Rights of access to and correction of errors in such data;
  • Compliance with specific requirements regarding sensitive personal data.

While UK entities may be well-versed in compliance requirements with respect to their European-based customers and employees, they may not be aware that such requirements extend to U.S.-based employees and customers.

UK companies starting businesses in the U.S. should, at a minimum, review the data protection policies that they have in place in the UK and make a determination as to whether they want those policies to apply to U.S.-based customers and employees.  In addition, they should familiarize themselves with any new requirements that may apply to their particular industry or under state law in the states in which they plan to operate.