We are, perhaps, gradually winning the battle to persuade US lawyers, courts and regulators that the privacy and data protection requirements of other jurisdictions are not to be lightly ignored. When I first started talking about privacy in the US, I would be met with almost incredulous surprise that there were countries which would not fall over backwards to comply with the order of an American court.
Developments are coming thick and fast now, and the next major battleground is to persuade US corporations that the EU General Data Protection Regulation, due to take effect in just under two years time, is likely to affect them. Meanwhile, there is an existing regime, and not just in the EU, which requires attention whenever data is to be collected abroad. That changes as new jurisdictions, particularly in Asia, pass new laws regulating the control of data; it has already changed significantly in Europe with the invalidation of Safe Harbour by the Schrems decision.
What people need is a simple guide to the present data protection regimes by country, something which will give an instant answer at least at a high-level as to the sort of problems which might be faced.
It will be news to some, for example, that the EU consists of 28 separate legal jurisdictions which, whilst all subject to the same overarching restrictions, have their own flavours at a legislation level, even before you start looking at the actual practice within each jurisdiction.
Forrester Research has produced exactly that, a data privacy heat map 2015, and FTI has made it available for us here.
You can tour the world, continent by continent and country by country and get a broad picture of the regimes applicable in each jurisdiction. Some places, the UK included, carry a yellow flag to indicate that “Government surveillance may impact privacy”.
You can obtain a copy of Forrester’s full report from FTI’s page about it.
This is not, of course, a substitute for taking local advice on the specific circumstances of any particular case – advice, that is, both from locally qualified lawyers and from eDiscovery providers who, like FTI, have experience of collecting and processing data in many different locations.