Serious privacy issues surrounding offshored work have been highlighted through numerous high-profile incidents and accusations. While these privacy concerns unquestionably also plague outsourcing of government work to private companies in general, they are particularly problematic with regard to overseas providers. U.S. law does not apply overseas and obtaining redress in the U.S. civil justice systems in cases of abuse involving overseas companies is potentially very difficult. Even though increased offshoring by U.S. companies means that an unprecedented amount of sensitive personal data is being shipped overseas, U.S. privacy protections effectively end at our borders. In sharp contrast, European consumers are afforded considerably greater protection by a European Union (EU) law that permits personal data to be sent offshore only to countries whose privacy laws have been deemed to provide equivalent privacy protections and that have been found to have strong enforcement capabilities. Because most countries cannot meet these "safe harbor" requirements, European jobs that involve the handling of confidential information have been offshored at a far slower rate than in the United States.
There are already numerous examples of confidential information being mishandled in offshore situations:
In 2001, the federal Department of Health and Human Services adopted nationwide privacy protections for medical information in the "Privacy Rule," mandated by the Health Insurance Portability and Accountability Act (HIPAA) of 1996. This law prevents health care companies from selling information to third parties, such as telemarketing firms. However, the protected health information of a patient can be processed internally by a HIPAA-regulated "Covered Entity." These entities can transfer protected health information to certain third-party service providers, such as insurance companies, research facilities, transcriptionists or radiologists, with no requirement that the patient’s prior consent be obtained. The offshoring of such information was most likely not contemplated when HIPAA was designed; nothing in the statute forbids the transfer of information to overseas locations for third-party services.
Other work that involves sensitive personal information has also been offshored in financial sectors, most prominently accounting. An estimated 150,000-200,000 individual tax returns, both federal and state, will be prepared in India in 2004. Tax returns contain personal information including Social Security numbers, addresses, employer information, stock holdings and credit information. In response to questions about security, some firms such as Massachusetts-based Datamatrix have established self-enforced security measures such as not permitting writing materials, printers, or even e-mail access in offshore offices where tax preparation is done. But none of these measures are required of firms that offshore work – or are necessarily sufficient to prevent violations of consumer privacy.
Tax preparation, like any other handling of consumers’ financial transactions and information, is afforded some protection in the United States under Title V of the Gramm-Leach-Bliley Act, the 1999 law that protects personal financial information held by banks, securities firms and insurance companies, as well as non-traditional financial institutions such as credit reporting agencies. As with HIPAA protections, Gramm-Leach-Bliley does not prevent financial institutions from sending customers’ personal information to overseas vendors. This omission is particularly troublesome in light of the large number of major financial institutions that already have outsourced a significant proportion of their operations overseas. Recent press reports also indicate that two of the three major credit-reporting agencies in the United States are planning to outsource operations abroad.
Bills are pending in several states that would prohibit overseas outsourcing where personal information is involved. Personal information is typically defined as including, but not limited to, Social Security numbers, medical and financial information, dates of birth, and names of relatives.
At the federal level, an amendment submitted by Sen. Hillary Clinton (D-NY) to the “Jumpstart Our Business Strength” (JOBS) Act on March 23, 2004, would regulate the transmission of personally identifiable information (including bank account information, Social Security numbers, addresses, phone numbers, passwords, mother’s maiden name and age) to foreign affiliates and subcontractors both before and after a customer relationship is established. First, the amendment would require businesses and private, nonprofit organizations to obtain prior consent from an existing customer or potential customer before their information is sent to a foreign affiliate or subcontractor. Second, such entities would be held liable for any misuse of a customer’s personal information by a foreign affiliate or subcontractor. Third, the amendment requires that the Federal Trade Commission certify countries and make available to the public a list of countries that have adequate privacy laws. Sen. Clinton also introduced this proposal as a separate bill, co-sponsored by Sen. Dayton, on April 9, 2004.
On the House side, Rep. Edward Markey (D-MA), co-chair of the congressional Privacy Task Force, has been a prominent advocate of extending privacy protections to offshored service contracts. He introduced H.R. 4366, a companion bill to the Senate version described above, on May 13, 2004.
In letters to the Comptroller of the Currency and several major banks, Sen. Dianne Feinstein (D-CA) noted that third-party vendors abroad technically are subject to U.S. privacy laws but expressed concern over the "unique regulatory challenges" involved in overseas enforcement. She asked the Comptroller numerous questions about outsourcing practices and specifically requested that he identify the number of foreign vendors that have been given access to private personal information by banks under the OCC’s jurisdiction.