National Laws Dealing with Privacy Concerns
The next class of laws that may have an impact on CI data
collection is national laws dealing with personal privacy. The two
major examples are the U.S. Fair Credit Reporting Act and the European
Union's Directive on Protection of Personal Data.
U.S. Fair Credit Reporting Act. Keep
in mind that the federal Fair Credit Reporting Act (FCRA) [12] deals, first and foremost,
with reports collected, maintained, sold, and used by consumer reporting
agencies (CRAs). A CRA is very broadly defined as
any person which, for monetary fees, dues, or on a
cooperative nonprofit basis, regularly engages in whole or in part in the
practice of assembling or evaluating consumer credit information or other
information on consumers for the purpose of furnishing consumer reports to third
parties, and which uses any means or facility of interstate commerce for the
purpose of preparing or furnishing consumer reports. [13]
This raises the next question: What is a consumer report? A
consumer report under this law is more than what individuals commonly refer to
as a credit report. It is also broadly defined as
any written, oral, or other communication of any information
by a consumer reporting agency bearing on a consumer's credit worthiness, credit
standing, credit capacity, character, general reputation, personal
characteristics, or mode of living which is used or expected to be used or
collected in whole or in part for the purpose
of serving as a factor in establishing the consumer's eligibility for
- credit or insurance to be used primarily for personal, family, or household purposes;
- employment purposes; or
- any other purpose authorized under section 604. [14]
Over the past few years, the FCRA has been expanded to cover new
types of activities, in particular the investigative consumer
report. The investigative consumer report is defined as
a consumer report or portion thereof in which information on
a consumer's character, general reputation, personal characteristics, or mode of
living is obtained through personal interviews with neighbors, friends, or
associates of the consumer reported on or with others with whom he is acquainted
or who may have knowledge concerning any such items of information. [15]
Thus, under the FCRA, an investigative consumer report is just
another type of consumer report.
The FCRA requires an employer to give an employee (or a
potential employee) a specific notice if an investigative consumer report is
used as the basis for certain employment-related decisions. The FTC itself
describes how this process is intended to work. It tells employers the
following:
Before you can get a consumer report for employment
purposes, you must notify the individual in writing — in a
document consisting solely of this notice — that a report may be used. You also
must get the person's written authorization before you ask
a CRA for the report....
If you rely on a consumer report for an "adverse action"—denying a
job application, reassigning or terminating an employee, or denying a
promotion—be aware that:
Step 1: Before you take the adverse action,
you must give the individual a pre-adverse action
disclosure that includes a copy of the individual's consumer report and a
copy of "A Summary of Your Rights Under the Fair Credit Reporting Act"—a
document prescribed by the Federal Trade Commission. The CRA that furnishes the
individual's report will give you the summary of consumer rights.
Step 2: After you've taken an adverse
action, you must give the individual notice — orally, in writing, or
electronically — that the action has been taken in an adverse
action notice. It must include:
- the name, address, and phone number of the CRA that supplied the report;
- a statement that the CRA that supplied the report did not make the decision to take the adverse action and cannot give specific reasons for it; and
- a notice of the individual's right to dispute the accuracy or completeness of any information the agency furnished, and his or her right to an additional free consumer report from the agency upon request within 60 days....
Before giving you an individual's consumer report, the CRA
will require you to certify that you are in compliance with the FCRA and that
you will not misuse any information in the report in violation of federal or
state equal employment opportunity laws or regulations. [16]
Since CI professionals are not involved in transactions where
credit is being offered or where employment decisions are being made, the only
possible application might be situations in which CI is used to develop
profiles of top executives at a key competitor. However, a close reading of the
FCRA shows that it does not apply in that situation either. There
are at least two reasons:
- There are no employment decisions involved. The target is a competitor, not even an acquisition partner.
- The CI firm is neither acting as a CRA nor using a consumer report obtained from a CRA.
There are, however, at least three situations where the FCRA could
be applied to CI-like transactions.
The first situation is when data collection
efforts are purposefully taken very close to the defined areas of coverage of
the FCRA. For example, assume that a CI professional develops a profile on a
company for a client and the report includes information from a consumer report
or investigative consumer report, properly obtained from a CRA. Then assume
that this profile is, in turn, used at some later time as part of an adverse
employment decision, which may not be directly covered by the FCRA. How can that
happen? Suppose a CI firm is hired to profile the chief financial
officer (CFO) of a target company. The CI firm legally acquires an investigative
consumer report on the CFO. The client at a later time takes over the targeted
company and then fires the CFO, based in part on the firm's report, which
includes information from a CRA. Unless all of the FCRA's notice provisions have
been complied with, there are real problems in this situation. It
seems, though it is not clear, that this may not technically violate the FCRA,
because the affected employee was not working for the client firm (or seeking to
work for the client firm) at the time the profile was generated, and because the CI firm was
unaware of the profile's ultimate use when it was generated.
The second is when a CI firm actually places
itself under the law. In other words, a CI firm itself may become a CRA by its own actions over time. How might that
happen? One legal analysis argues it happens this way:
For example, if an employee in an employer's personnel
department calls former employers of job applicants to check on the applicants'
work histories and calls various public agencies or courts to check on the
applicants' licenses and criminal histories, the FCRA does not apply to the
employer's activities. However, if an employer hires an
outside business to similarly investigate and report on job applicants or
employees, the FCRA regulates the information gathering and reporting activities
of both the employer and the outside business. [17]
The third situation is that in which a CI
professional actually violates the FCRA. Assume here that a CI professional
develops a profile for a client (possibly an internal corporate end user) that
includes information from a consumer report or investigative consumer report,
and further assume that this information was improperly obtained from
a CRA. A client who is unaware of the source of the report then acts upon it,
firing an employee of a newly acquired firm. That could trigger the entire
scope of the FCRA.
The lesson to be taken from a review of the FCRA is that, as with
the UTSA and EEA, CI professionals must understand that there are numerous laws
that might impact them indirectly. However, before you
erroneously assume that they do directly impact you, it is
best to look closely at them rather than rely on casual comments in the press
for such guidance.
European Directive on Protection of Personal
Data. It is sometimes said that the 1995 European Directive on Protection of
Personal Data [18] is the
equivalent of the U.S. FCRA. This is not correct, however. First, what CI
professionals should be concerned with is not, strictly speaking, the 1995 Directive itself.
The Directive is just that: a directive to the member states of the European Union (EU),
instructing them to adopt or amend national legislation to guarantee
individuals certain rights to protect their privacy and to control the contents
of electronic databases that contain personal information.
Second, even though the Directive gave member countries until 1998
to comply, only a few countries have complied completely. The most important one
is the United Kingdom, which has put in place its own Data Protection Act (DPA)
implementing the Directive. The Directive itself is a complex document, aimed at bringing together existing
national laws and also setting a new, higher standard. It specifically provides
that "This Directive shall apply to the processing of personal data wholly or
partly by automatic means, and to the processing otherwise than by automatic
means of personal data which form part of a filing system or are intended to
form part of a filing system." [19] The Directive itself defines these key
terms:
- "personal data" shall mean any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
- "processing of personal data" ("processing") shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
- "personal data filing system" ("filing system") shall mean any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis. [20]
Thus, akin to the case in the United States, the triggering event
is the operation and maintenance of an ongoing computer (or structured manual)
system for collecting and retrieving personal data. [21] As the EU itself
characterized it:
To prevent abuses of personal data and ensure that data
subjects are informed of the existence of processing operations, the Directive
lays down common rules, to be observed by those who collect, hold or transmit
personal data as part of their economic or administrative activities or in the
course of the activities of their association. In particular, there is an
obligation to collect data only for specified, explicit and legitimate purposes,
and to be held only if it is relevant, accurate and
up-to-date....
Under the Directive, data subjects are granted a number of
important rights including the right of access to that data, the right to know
where the data originated (if such information is available), the right to have
inaccurate data rectified, a right of recourse in the event of unlawful
processing and the right to withhold permission to use their data in certain
circumstances (for example, individuals will have the right to opt-out free of
charge from being sent direct marketing material, without providing any specific
reason). [22]
In general, the focus of the Directive is not on consumer versus
personal information, but rather on how and where the data is stored. That is, a
triggering event for imposition of the requirements of the Directive is the
maintenance of an ongoing computer system (or some other structured system) for
collecting and retrieving personal data. While the impact of the Directive and
of implementing national legislation is not completely clear, its real impact
will probably emerge from the collection/retransmission constraints. That is, to
get such data out of the European Community, those sending and receiving it must
provide similar protections of personal privacy.
To date, there have been no indications that the Directive and
implementing legislation have had any significant impact on the collection of
data for CI, at least no more of an impact than the FCRA has. However,
recognizing that the Directive and implementing legislation can have an impact
on U.S. firms doing business in Europe, the U.S. Department of Commerce, in
consultation with the European Union, developed what is now called a "safe
harbor" framework. The framework, which was approved by the EU in 2000, is a way
for U.S. companies to avoid experiencing interruptions in their business
dealings with the EU or facing prosecution by European authorities under
European privacy laws. "Certifying to the safe harbor will assure that EU
organizations know that your company provides 'adequate' privacy protection, as
defined by the Directive." [23]
To the CI professional conducting legitimate CI operations,
there appears to be no need to become involved with a safe harbor certification.
However, CI professionals should find out whether their own employer has entered
into a safe harbor framework. They should then review that commitment to see if
it might, indirectly, impact a U.S.-based CI unit's relationship with its
European counterparts in the same firm, as well as with other firms providing CI
for it in Europe.