Getting Started
Because of the differences in data protection standards, laws, and practices from country to country, you should consult with an attorney that is familiar with the laws of each of the foreign countries in which you do business.Checklists
When talking to your attorney consider asking the following questions:- What types of information are protected in the foreign country?
- Are there any restrictions on how information can be collected in the foreign country?
- Are there any restrictions on how information must be stored in the foreign country?
- Are there any restrictions on how information can be used in the foreign country?
- Are there any laws limiting how long information can be stored once it is collected?
- Can information collected by my business in the foreign country be transferred to the United States, or does it have to be stored and used in that country?
- If I transfer information to the United States, am I restricted from providing that information to other parties, such as companies that assist my business with administrative support?
- Do any restrictions apply to information that I maintain about employees that I hire in foreign countries?
- What data security standards apply to data collected in a foreign country—if the data is stored there, or in the United States?
U.S. Legal Requirements for Overseas Transactions
Different countries take different approaches to data protection and information security.For example, the European Union considers any information relating to an identified or identifiable person to be protected "personal information."
Among other things, privacy laws in the European Union restrict companies from transferring personal information from member states of the European Union to countries, like the United States, that the European Union considers to have inadequate data protection laws.
As a result, a small business may have to take special steps to transfer personal information from the European Union to the United States — even if that information is being transferred within the small business. It will have to consider how to maintain the security of that information in accordance with applicable laws of the EU and its member states, as well as the United States.
One simple method for a US companies to receive multiple data transfers from all member states of the European Union, plus Switzerland, is to join the US-EU and US-Swiss Safe Harbor programs operated by the US Department of Commerce. Participating businesses must self-certify their compliance with seven Safe Harbor Privacy Principles, including a security principle that requires “organizations creating, maintaining, using or disseminating personal information” to take “reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.”
