Workday Supports Comprehensive Privacy Legislation in the US and Globally

Jim Shaughnessy, senior vice president, general counsel, and secretary at Workday, explains why now is the time for the U.S. and other countries to adopt privacy laws based on the OECD Fair Information Principles. A law based on the OECD principles will ensure fair treatment of individuals and their personal information, regardless of where they live or with whom they interact.

With the EU’s General Data Protection Regulation (GDPR) having just come into force and discussions on the use of personal data increasing in frequency and intensity, privacy is taking center stage in the U.S. At Workday, we believe privacy is of such vital importance—particularly in an era of rapid technological innovation—that government and industry together need to honor it, including by protecting individuals’ privacy proactively through a legal framework.

At Workday, privacy protections have been a fundamental component of our services from the very beginning. Our third-party audit reports and standards certifications provide tangible evidence of how we protect our customers’ data. When we develop new offerings we implement privacy by design from the very beginning. We have received approval from EU privacy regulators for our Binding Corporate Rules and were among the first companies to certify to the EU-U.S. Privacy Shield protecting personal data transferred from the EU. And we’ve built features that enable our customers to comply with GDPR.

Our efforts are complemented by legal frameworks in the U.S., EU, and elsewhere. As my colleague Jason Albert has explained, the United States has a long tradition of privacy law, stretching back to the 19th century and providing the doctrinal foundation for the Organization for Economic Cooperation and Development Fair Information Principles. In addition to this heritage, the U.S. currently has a number of strong sector-specific privacy laws governing financial institutions, health providers, educational institutions, and children, in addition to all 50 states’ data breach notification laws. Overlaying all of these, the Federal Trade Commission enforces prohibitions on unfair and deceptive trade practices.

Together these provisions create a U.S. privacy framework that is stronger than it is often given credit for. However, from the outside, the disparate structure of U.S. privacy law makes it difficult for other countries to determine whether gaps exist in protection. As a result, the EU requires U.S. companies to certify to the Privacy Shield or enter into other arrangements to ensure data transferred to the U.S. benefits from substantially similar protections as under European privacy law.

In our view, now is the time for a different—more comprehensive—approach that will benefit customers by creating more clarity for the global community. The U.S. and other countries around the world should adopt privacy laws based on the OECD Fair Information Principles. As privacy is a fundamental value around the globe as well as in the U.S., it is incumbent on the U.S. to lead by having a modern legal framework protecting the privacy of its citizens. While U.S. privacy law must reflect our legal and political traditions, the OECD principles are sufficiently flexible to support country-to-country variation and sufficiently strong to provide international harmonization to ensure that personal data can flow freely across borders in a cloud-enabled world.

The OECD principles provide a widely-shared common baseline for the 35 countries that are OECD members. The voluntary OECD principles cover all the core tenets of data privacy rights—data collection, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability. Enacting these principles in U.S. national legislation should result in U.S. law being deemed adequate by the EU and will facilitate the continued free flow of personal data.

Most importantly, a law based on the OECD principles will ensure fair treatment of individuals and their personal information, regardless of where they live or with whom they interact. For all these reasons, we call upon the U.S. and other countries around the world to enact comprehensive privacy legislation. We look forward to continuing to work with other companies, members of Congress, and administration officials to achieve this goal.
