Proposed bill seeks stronger privacy protection for offshore work

Consumer consent and corporate liability are key provisions

Proposed legislation in Congress could have some important privacy and security implications for companies outsourcing work to offshore destinations.

The proposed bill (S1232) is called the Safeguarding Americans From Exporting Identification Data Act (SAFE-ID) and was introduced by Sen. Hillary Rodham Clinton (D-N.Y.) last month. It has been submitted as an amendment to the Foreign Sales Corp./Extraterritorial Income Act legislation.

The bill has been referred to the Senate Committee on Commerce, Science and Transportation.

Calls to Clinton's office seeking comment weren't returned, so it's unclear whether a hearing has yet been scheduled or whether a companion bill has been introduced in the House.

"We don't know if this thing has legs or not yet," said Peter Adler, a partner at Foley & Lardner LLP in Washington. "But I don't think that this will be the last we are hearing of bills such as this." California alone has more than a half-dozen pending bills that seek to impose varied privacy safeguards on outsourced personal information.

Driving interest in such legislation are the growing privacy concerns related to financial and health care information, including medical transcription work being sent offshore, he said.

Several industry groups have already been aggressively lobbying against the SAFE-ID Act, said a source from a large financial services firm who didn't wish to be named. Those protests could force a rethink of the proposed act, the source said.

For instance, the Economic Growth and American Jobs Coalition (EGAJ) posted a letter on its Web site addressed to Clinton and co-sponsor Sen. Mark Dayton (D-Minn.) opposing the measure (download PDF).

"Enactment of this provision would cast aside recently enacted privacy protections and an existing, aggressive regulatory regime and force draconian changes in the way businesses of all sizes provide services to their customers," the letter says. "We stand ready to work with you to ensure that this amendment is not debated in the context of the pending bill, and that it is rejected if forced to a vote."

The EGAJ Web site lists organizations such as the American Bankers Association, Business Roundtable and the National Association of Manufacturers as steering committee members.

SAFE-ID proposes a set of privacy-related conditions that U.S. companies must meet when transmitting personally identifiable information to a foreign affiliate or subcontractor. Under the proposed act, companies could transmit such information to any country deemed by the Federal Trade Commission as having a legal system that provides for "adequate privacy protection."

But companies will need to get specific consent from individual U.S. citizens when transmitting personally identifiable data to any country that does not have such privacy protections. The company will also need to disclose to the individual that the data is being sent to a country judged to be without adequate privacy protections. The proposed bill will hold enterprises liable for damages that result from "improper storage, duplication, sharing, or other misuse of personally identifiable information," by the foreign affiliate or partner.

The measure, as proposed, doesn't address data that has already been transmitted and stored in foreign locations, said Stephen Wu, CEO of Infosec Law Group, a Mountain View, Calif.-based law firm. The proposed bill is also not specific about what happens in situations where data might be retransmitted by subcontractors, said Wu, who is also a co-chair of the American Bar Association's Section of Science and Technology, Information Security Committee.

There is also some ambiguity in situations where a foreign affiliate might be based out of one country but is getting work done, or is backing up data, in another place, he said. "There's going to be a lot of interpretations if this becomes law," he said.

Copyright © 2004 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon