Abstract
Personal data privacy has recently surfaced as a prominent issue in offshore outsourcing. Concern about the security of data transferred to offshore outsourcing destinations with weak or non-existent information privacy laws has enabled a new industry of trustmark providers, which offer accreditation and monitoring services to companies that seek self-regulation with respect to data privacy. However, a uniform international approach is vital to ensure that a minimal level of protection attaches to data transferred in the outsourcing business. Through its “adequacy requirement,” the European Union Data Directive has emerged as the predominant working model of a uniform standard for cross-border data transfer privacy protection. Yet a fully international adoption of the Directive has been frustrated by sovereignty concerns, differing cultural perceptions of privacy, and bargaining power disparity. This has enabled the United States to negotiate a bypass of the adequacy requirement altogether. An audited self-regulatory trustmark industry would be a more effective approach that preserves the United States’ sector-specific and self-regulatory system. Businesses wishing to outsource would apply and receive certification from a trustmark provider, which would guarantee that the business has undertaken contractual mechanisms and implemented internal practices to comply with the EU Data Directive standard of data protection. The trustmark providers would audit such businesses for continual compliance, and in turn be subject to regulation by a single agency under European Commission oversight.