Trade in personally identifiable information (“PII”) is the heart of business process outsourcing. After all, BPO involves data processing of PII.
Some politicians would use PII as a hostage in trade protectionism. In 2004, then Senators Hillary Clinton, John Edwards and Bob Kerry proposed to prohibit the export of personal health information for foreign data processing. Now comes Rep. Christopher H. Smith of New Jersey with a proposal to prevent the transfer of PII to countries that deny Internet freedom to their residents by censorship and spying on Internet traffic to prevent the expression of political freedoms. Such legislation would draw a fine line, perhaps too fine, between prohibited censorship and legitimate police activity, threatening legitimate operations of democratic sourcing countries.
Achieving Internet Freedom via Banning Data Exports to Censoring Countries. Introduced into the U.S. House of Representatives on April 6, 2011, the Global Internet Freedom Act of 2011, 112th Cong., 1st Sess., would, if enacted, prohibit the export of PII to “repressive” countries such as China, Iran, North Korea and Cuba. Its goals would be:
- to prevent United States businesses from cooperating with repressive governments in transforming the Internet into a tool of censorship and surveillance,
- to fulfill the responsibility of the United States Government to promote freedom of expression on the Internet, and
- to restore public confidence in the integrity of United States businesses.
It calls for bilateral and multilateral trade agreements to isolate such repressive countries.
Key Political Facts: Censorship and Surveillance of Cyber-Dissidents. As a preamble, the draft law sets the political framework for justifying an export ban on PII to protect the Internet freedoms of expression of cyber-dissidents from foreign countries. By blocking such exports, the U.S. would target “repressive foreign governments” that “block, restrict, otherwise control, and monitor the Internet, effectively transforming the Internet into a tool of censorship and surveillance, in contravention of the International Covenant on Civil and Political Rights and the Universal Declaration of Human Rights.” The cooperation of certain U.S. businesses with foreign local censorship and surveillance laws has led to the arrest and imprisonment of the dissidents.
The draft law would prohibit U.S. businesses from “empowering or assisting” “an authoritarian foreign government in its efforts to restrict online access to the Web sites of the Voice of America, Radio Free Europe/Radio Liberty, Radio Free Asia, Al-Hurra, Radio Sawa, Radio Farda, Radio Marti, TV Marti, or other United States-supported Web sites and online access to United States Government reports such as the Annual Country Reports on Human Rights Practices, the Annual Reports on International Religious Freedom, and the Annual Trafficking in Human Persons Reports. Similarly, U.S. businesses would be prevented from helping such governments “identify individual Internet users.”
Non-Governmental Protections. The draft legislation would go beyond the private sector’s efforts, in founding the Global Network Initiative, that seek to provide direction and guidance to IT and telecom companies and others in voluntarily protecting the free expression and privacy of Internet users.
Who Would Be Regulated? The draft law would regulate “Internet communications services,” which are defined as any “method for providing communications services via the Internet, including electronic mail, Internet telephony, online chat, online text messaging, Internet bulletin boards, or Web pages. Such covered services would include “providing Internet access” but would exclude “activities conducted by a financial institution (as such term is defined in section 5312 of title 31, United States Code) that are financial in nature, even if such activities are conducted using the Internet.”
If a U.S. covered business controls a foreign subsidiary or affiliate, the $2.0 million civil penalty would be applied to the U.S. business if it (i) authorizes, directs, controls, or participates in the acts by the foreign entity; or (ii) authorizes, in whole or in part, by license or otherwise, the foreign entity to use the trade name of the United States business in connection with goods or services provided by the foreign entity. Global branding (such as Google) would result in liability for the U.S. parent.
Legitimate vs. Illegitimate Foreign Law Enforcement. The draft law defines “legitimate” foreign law enforcement purposes to cover “the purpose of enforcement, investigation, or prosecution by a foreign official based on a publicly promulgated law of reasonable specificity that proximately relates to the protection or promotion of the health, safety, or morals of the citizens of the jurisdiction of such official.” Illegitimate purposes would include “the control, suppression, or punishment of peaceful expression of political, religious, or ideological opinion or belief.” Protected peaceful expression would be covered by article 19 of the International Covenant on Civil and Political Rights, a UN-sponsored convention opened for signature, ratification and accession by General Assembly resolution 2200A (XXI)
of 16 December 1966 and that entered into force 23 March 1976. It has been ratified by China, Cuba, India, North Korea and many other countries, but the U.S. ratification contains a reservation that the core provisions (articles 1 through 27) are not self-executing. See www2.ohchr.org/english/law/ccpr.htm. [That article 19 provides:
1. Everyone shall have the right to hold opinions without interference.
2. Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice.
3. The exercise of the rights provided for in paragraph 2 of this article carries with it special duties and responsibilities. It may therefore be subject to certain restrictions, but these shall only be such as are provided by law and are necessary:
(a) For respect of the rights or reputations of others;
(b) For the protection of national security or of public order (ordre public), or of public health or morals. ]
New Regulator of Internet Freedoms. The proposed law would establish, within the Department of State, a new Office of Global Internet Freedom (“OGIF”). The head of OGIF would be a Director appointed by the Secretary of State. The mission would be whatever the President assigns to the OGIF, plus a political mission:
- to “serve as the focal point for interagency efforts to protect and promote abroad freedom of electronic information related to expression of political, religious, or ideological opinion or belief;”t
- to develop and implant a global strategy to combat state-sponsored and state-directed Internet jamming of communications that express political, religious, or ideological opinion or belief and to combat the intimidation and persecution by foreign governments of their citizens who use the Internet for the peaceful expression of such opinion or belief;
- to provide assistance to the Secretary of State in connection with the annual designation of Internet-restricting countries (as required by the proposed law);
- to identify and maintain a database of key words, terms, and phrases relating to human rights, democracy, religious free exercise, and peaceful political dissent, both in general and as specifically related to the particular context and circumstances of each Internet-restricting country; and
- consult with IT and telecom companies that are involved in providing, maintaining, or servicing the Internet; human rights organizations, academic experts, and others to develop a voluntary code of minimum corporate standards related to Internet freedom; and
- to consult with the private sector regarding new technologies and the implementation of appropriate policies relating to such technologies.
Other countries have adopted similar bureaucracies, with limited results. The French “HADOPI” law established a bureaucracy to police the privacy compliance and abuses of the Internet, and, after some years and millions of complaints, has recommended legal action in less than 40 cases.
Prohibited Conduct. Under the draft law, a United States business that creates, provides, or offers to the public for commercial purposes an Internet search engine or that offers to the public for commercial purposes Internet communications services or Internet content hosting services may not locate, within an Internet-restricting country, any electronic communication containing personally identifiable information used to establish or maintain an account for Internet communications services. Waivers would be granted by the U.S. President or by U.S. Department of State for national interest purposes and for situations deemed acceptable by the U.S. government.
Criminal Conduct. A new federal crime would be created making U.S. business entities and their managers into criminals who do not comply with an “order” by the U.S. Attorney General not to comply with a foreign governmental request to provide personally identifiable information through the provision of products or services on the Internet where there is no “legitimate law enforcement purpose.”
Whoever knowingly provides to a foreign official of an Internet-restricting country information in violation of an order issued [by the U.S. Attorney General] under section 202(d), knowing that so providing such information will further a policy on the part of the government of such country of prosecuting, persecuting, or otherwise punishing individuals or groups on account of the peaceful expression of political, religious, or ideological opinion or belief, and with the result that so providing such information leads to the death, torture, serious bodily injury, disappearance, or detention of any individual on such account, shall be fined under title 18, United States Code, or imprisoned not more than 5 years, or both.
Civil Enforcement. In addition to potential criminal liability, U.S. businesses collecting PII on the Internet would become liable to the victims of foreign governmental repression. Such victims could obtain “damages, including punitive damages, or other appropriate relief, without regard to the amount in controversy, and without regard to the citizenship of the parties.” In essence, U.S. Internet businesses would become the puppets of U.S. trade policy and U.S. policies promoting political freedoms outside the U.S.
Impact on Outsourcing. Legislation like the Global Online Freedom Act of 2011, if enacted, would force U.S. search engines and U.S. businesses that collect PII via the Internet to become tools of law enforcement, without the certainty of immunity from liability for honest beliefs in complying activity. This type of legislation would hurt any business that uses the Internet to support its operations (with a friendly exception for “financial institutions”).
Such legislation is not the solution to political repression. The Internet search engine companies would bear the brunt of the regulatory compliance. The scope of the law would still enable trade with the repressive countries for (i) data processing of U.S. PII that is not collected via the Internet, (ii) data processing of U.S. business transactional data, even if collected via the Internet, which does not constitute PII.
A simpler, more honest solution would be to unilaterally withdraw free trade rights and impose sanctions on offending “repressive” foreign governments, as is done under the political retaliatory provisions of Section 301 of the Tariff Act of 1930, for example. This proposed law would hijack the private sector, creating a framework for criminal violations by business, as a tool for persuading foreign governments to stop internal repression. Such a mission is misguided and does more harm than good.