• TRADE Act

• WTO

• Fast Track

• Peru, Panama & Colombia FTAs
• NAFTA
• CAFTA
• NAFTA Expansion Agreements

• WTO Role in the Financial Crisis
• Trade as an Election Issue
• Imported Food & Product Safety
• Immigration
• Offshoring
• State and Local Governance
• Harmonization
• Other Issues

• Español
• Portugues

• NAFTA Job Loss Data
• Congressional Voting Records
• Take Action!
• BLOG

Fair Trade Archive: GTW E-Newsletters, Action Alerts, and Updates

Offshoring and Privacy Protection

In This Section:
1. Health Care Records
2. Financial Information
3. The Legislative State of Play

Serious privacy issues surrounding offshored work have been highlighted through numerous high-profile incidents and accusations. While these privacy concerns unquestionably also plague outsourcing of government work to private companies in general, they are particularly problematic with regard to overseas providers. U.S. law does not apply overseas and obtaining redress in the U.S. civil justice systems in cases of abuse involving overseas companies is potentially very difficult. Even though increased offshoring by U.S. companies means that an unprecedented amount of sensitive personal data is being shipped overseas, U.S. privacy protections effectively end at our borders. In sharp contrast, European consumers are afforded considerably greater protection by a European Union (EU) law that permits personal data to be sent offshore only to countries whose privacy laws have been deemed to provide equivalent privacy protections and that have been found to have strong enforcement capabilities. Because most countries cannot meet these "safe harbor" requirements, European jobs that involve the handling of confidential information have been offshored at a far slower rate than in the United States.

There are already numerous examples of confidential information being mishandled in offshore situations:

• In Ohio, allegations that citizens’ birth records had been sent to a facility in Sri Lanka led to the U.S. company that had offshored the work (and thus exposed the confidential information) being barred from state contract work for 15 months.
• In 2003, a medical transcriber in Pakistan threatened to post patients’ records online unless the University of California San Francisco (UCSF) Medical Center paid the wages owed to her by the U.S. subcontractor that had sent the work to her.
• Indian workers at Heartland Information Services, an Ohio-based company that offshores medical records work to India, threatened to release confidential records unless they received a cash payoff from the company.

Further Reading:

• "Mishandling birth records gets company barred from state business," Associated Press (4/19/02)
• "Missent Birth Data Were For Adults, Not Babies," The  Columbus Dispatch (9/7/01)
• "A Tough Lesson on Medical Privacy," San Francisco Chronicle (10/22/03)
• "Extortion Threat to Patient' Records," San Francisco Chonicle (4/02/04)

Health Care Records

In 2001, the federal Department of Health and Human Services adopted nationwide privacy protections for medical information in the "Privacy Rule," mandated by the Health Insurance and Portability and Accountability Act (HIPAA) of 1996. This law prevents health care companies from selling information to third parties, such as telemarketing firms. However, the protected health information of a patient can be processed internally by a HIPAA-regulated "Covered Entity." These entities can transfer protected health information to certain third-party service providers, such as insurance companies, research facilities, transcriptionists or radiologists, with no requirement that the patient’s prior consent be obtained. The offshoring of such information was most likely not contemplated when HIPAA was designed; nothing in the statute forbids the transfer of information to overseas locations for third-party services.

Financial Information  

Other work that involves sensitive personal information has also been offshored in financial sectors, most prominently accounting. An estimated 150,000-200,000 individual tax returns, both federal and state, will be prepared in India in 2004. Tax returns contain personal information including Social Security numbers, addresses, employer information, stock holdings and credit information. In response to questions about security, some firms such as Massachusetts-based Datamatrix have established self-enforced security measures such as not permitting writing materials, printers, or even e-mail access in offshore offices where tax preparation is done. But none of these measures are required of firms that offshore work – or are necessarily sufficient to prevent violations of consumer privacy.

Tax preparation, and any consumers’ financial transactions and information are afforded some protection in the United States under the Title V of the Gramm-Leach-Bliley Act, the 1999 law that protects personal financial information held by banks, securities firms and insurance companies, as well as non-traditional financial institutions such as credit reporting agencies. As with HIPAA protections, Gramm-Leach-Bliley does not prevent financial institutions from sending customers’ personal information to overseas vendors. This omission is particularly troublesome in light of the large number of major financial institutions that already have outsourced a significant proportion of their operations overseas. Recent press reports also indicate that two of the three major credit-reporting agencies in the United States are planning to outsource operations abroad.

Further reading:

• "Foreign Accountants Do U.S.Tax Returns," Associated Press (2/22/04)
• "Known Around the World; Private Records May be at Risk," Boston Herald (11/30/03)

The Legislative State of Play  

Bills are pending in several states that would prohibit overseas outsourcing where personal information is involved. Personal information is typically defined as including, but not limited to, Social Security numbers, medical and financial information, dates of birth, and names of relatives.

At the federal level, an amendment submitted by Sen. Hillary Clinton (D-NY) to the “Jumpstart Our Business Strength” (JOBS) Act on March 23, 2004, would regulate the transmission of personally identifiable information (including bank account information, Social Security numbers, addresses, phone numbers, passwords, mother’s maiden name and age) to foreign affiliates and subcontractors both before and after a customer relationship is established. The amendment would require businesses and private, nonprofit organizations to obtain prior consent from an existing customer or potential customer before their information is sent to a foreign affiliate or subcontractor.  Second, such entities would be held liable for any misuse of a customer’s personal information by a foreign affiliate or subcontractor. In addition, the amendment requires that the Federal Trade Commission certify countries and make available to the public a list of countries that have adequate privacy laws. Sen. Clinton also introduced this proposal as a separate bill, co-sponsored by Sen. Dayton on April 9, 2004.

On the House side, Rep. Edward Markey (D-MA), co-chair of the congressional Privacy Task Force, has been a prominent advocate of extending privacy protections to offshored service contracts. He introduced H.R. 4366, a companion bill to the Senate version described above, on May 13, 2004.

In letters to the Comptroller of the Currency and sevaral major banks, Sen. Diane Feinstein (D-CA) noted how third-party vendors abroad technically are subject to U.S. privacy laws but expressed concern over the "unique regulatory challenges" involved in overseas enforcement. She asked the Comptroller numerous questions about outsourcing practices and specifically requested that he identify the number of foreign vendors who have gained access to private personal information by banks under the OCC’s jurisdiction.

Further reading:

• "Feinstein Questions Privacy Protections in Outsourcing," Congress Daily (3/04/04)

»	Return to the main Offshoring page

Because Public Citizen does not accept funds from corporations, professional associations or government agencies, we can remain independent and follow the truth wherever it may lead. But that means we depend on the generosity of concerned citizens like you for the resources to fight on behalf of the public interest. If you would like to help us in our fight, click here.