International Privacy 0309 - Pillsbury Winthrop Shaw … Ireland, Italy, Latvia, Lithuania,...
Pillsbury Winthrop Shaw Pittman LLP
10 March 2009
© 2009 Pillsbury Winthrop Shaw Pittman LLP and Gowlings Lafleur Henderson LLP.
Rafi Azim-Khan – Pillsbury (London)
Catherine Meyer – Pillsbury (Los Angeles)
Ariane Siegel – Gowlings (Toronto)
Cal Slemp – Protiviti (Stamford, CT)
International Privacy Regulations: What Global Companies Need to Know
1 | International Privacy Regulations
Agenda
Overview of European Privacy Regulations
Overview of Canadian Privacy Regulations
Overview of U.S. Privacy Regulations
Cross-Border Data Security
Privacy Regulations
27 EU Member States: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, The Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, UK
EEA countries: EU + Iceland, Liechtenstein, Norway
Privacy Regulations
EU Data Protection Directive (95/46/EC)
Applies to ‘data controllers’
Requires data controllers who are ‘established’ in the EU to:
  notify with their applicable MS Data Protection Authority
  observe the 8 data protection principles when ‘processing’ ‘personal data’
    principle 7 – personal data must be processed securely
    principle 8 – personal data must not be transferred outside EEA unless there is adequate protection
Sets up Article 29 Working Party to publish opinions and guidance on issues flowing from the Directive
Privacy Regulations
Data Controller: established in the EU; determines the purposes for and means of the processing of personal data
Established in the EU: establishment (includes uses of equipment)
Personal Data: any information relating to an identified or identifiable natural person (Data Subject)
Data Processor: processes personal data on behalf of the data controller
Processing: includes collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction
Privacy Regulations – Triggers – the 8 Data Protection Principles
Data controllers must ensure that personal data is:
  fairly and lawfully processed
  processed for limited purposes
  adequate, relevant and not excessive
  accurate and up to date
  not kept for longer than is necessary
  processed in line with data subject’s rights
  processed securely
  not transferred to other countries without adequate protection
Privacy Regulations – Triggers – Sensitive Personal Data
Extra care must always be taken when processing ‘sensitive personal data’, which is data relating to:
  racial or ethnic origin
  political beliefs
  trade union membership
  physical or mental health or condition
  sexual life
  commission or alleged commission by him of any offence
Privacy Regulations – Enforcement
The Directive is a Minimum Harmonisation Directive
So procedure and penalties differ from Member State to Member State
A few examples follow…
Privacy Regulations – Enforcement – UK
Law – Data Protection Act 1998
Data Protection Authority – Information Commissioner’s Office (ICO)
Applicable penalties for breach: maximum fine of £5K on summary conviction or an unlimited fine on conviction on indictment
  these penalties tend to be applied to data theft or trafficking
  BUT government is due to increase the penalties to include (yet to be introduced):
    more intrusive inspection powers for the ICO
    ICO power to impose substantial financial penalties for deliberate or reckless breaches
Personal liability for directors: 6 months imprisonment on summary conviction or 2 years on indictment and/or fines
Privacy Regulations – Enforcement – France
1978 Act (Loi Informatique et Libertés) – modified to implement the EU Directive
Data Protection Authority – Commission Nationale de l’Informatique et des Libertés (CNIL)
Applicable penalties for breach:
  up to five years imprisonment and fines of up to EUR300K for individuals and EUR1.5 million for companies
The CNIL is also given a range of powers, including:
  the imposition of administrative remedies (e.g. warning notices) and fines of up to EUR300K
  the imposition of provisional sanctions, such as the cessation of the data processing
  the institution of summary proceedings with a view to obtaining a provisional order ensuring the safeguard of data subjects’ rights and freedoms
Privacy Regulations – Enforcement – Germany
Law – the amended German Federal Data Protection Act (Bundesdatenschutzgesetz) (BDSG)
Data Protection Authority:
  there is a single national data protection authority for the public sector
  in the non-public sector there are several data protection authorities within each of the different German states
Applicable penalties for breach:
  Fines
    minor infringements – up to EUR25K
    major infringements – up to EUR250K
  Other
    can halt all compromised data processing until compliance established
    order data protection audits
Privacy Regulations – Opt In/Opt Out
Data Protection Act 1998
Privacy and Electronic Communications (EC Directive) Regulations 2003
CAP Code
Privacy Regulations – Opt In/Opt Out – E-Privacy Directive
Electronic Communications
  Individuals: consent needed, so no contact unless person has opted in.
  Corporates: can object to receiving direct marketing under the DPA
Privacy Regulations – Opt In/Opt Out – Individuals – Electronic Communications
Consent required to receive electronic marketing message
  “any freely given specific and informed indication of his wishes by which a data subject signifies his agreement to personal data relating to him being processed” (E-Privacy Directive Article 2(1)(h))
  beware of pre-ticked opt-in boxes
Soft Opt In
  obtained consent in the course of the sale or negotiations
  in respect of similar products and services
  given an opportunity to opt out (free of charge)
Privacy Regulations – Opt In/Opt Out – Other Communications
Telephone
  E-Privacy Regulations: can contact unless individual has opted out
  Both Individuals and Corporates can register on the Telephone Preference Service
Fax
  E-Privacy Regulations: opt in is needed for individuals
  Both Individuals and Corporates can register on the Fax Preference Service
Letter
  Individuals can register on the Mail Preference Service – opt out
  Corporates are not entitled to register on the Mail Preference Service
Privacy Regulations – Opt In/Opt Out – Enforcement and Penalties – UK
Information Commissioner may issue:
  information notices
  enforcement notices
  fines
Aggrieved may seek injunction and damages (Microsoft v McDonald)
ASA sanctions
Public perception is often more important
Privacy Regulations – International Data Transfer
Data Protection Principle 8 prohibits extra-EEA personal data transfer
Except where there is adequate protection
Adequate protection includes:
  Consent
  US Safe Harbor
  Model Contract Clauses
  Binding Corporate Rules
  Adequate Jurisdictions
Privacy Regulations – International Data Transfer – US Safe Harbor
E.g. US companies with EU subsidiaries
7 Safe Harbor principles:
  notice (tell data subject use and purpose of personal data collection)
  fair processing (data subject decides whether and how his personal data will be used and disclosed)
  onward transfer (once in the US, personal data disclosed to 3rd parties based on the notice and fair processing principles)
  access (data subject can access data to correct it)
  security (members must take reasonable steps to protect personal data)
  data integrity (reasonable steps taken to maintain personal data for its intended use)
  enforcement (members must ensure that data subjects have recourse to solid complaint mechanisms)
Privacy Regulations – International Data Transfer – Model Contract Clauses/Binding Corporate Rules
The Commission has approved 2 forms of MCCs between a data exporter (EEA-based) and a data importer (outside EEA):
  Controller to Controller
  Controller to Processor
permitting extra-EEA transfer of personal data
BCRs are a Working Party initiative that allow a global corporate group to implement a binding inter-group policy that:
  sets out criteria for data processing by all the group entities worldwide
  allows inter-group data transfer within the corporate group
Privacy Regulations – International Data Transfer – Adequate Jurisdictions
Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Jersey, Switzerland
Other countries for a future possible “adequacy” declaration: Australia, Dubai, Hong Kong, Israel, New Zealand
Privacy Law in Canada
UNITED STATES: The Legislative Mosaic – Sarbanes, HIPAA, Penalties
EUROPE: The Data Protection Standard
CANADA: The Comprehensive Approach
Legislative Background
The Canadian Privacy Landscape
  Canada – PIPEDA
  Quebec
  Manitoba
  Alberta
  Saskatchewan
  British Columbia
  Ontario
  Nova Scotia – Outsourcing
Sources of Privacy Law in Canada
(Two-column slide, PRIVATE SECTOR | PUBLIC SECTOR; items extracted on one line are shown as left | right)
PIPEDA | Privacy Act
Quebec legislation | Criminal Code
British Columbia, Alberta | Ontario Health Privacy
Criminal Code | Collective Agreements
Charter of Rights
Sector specific rules – CRTC, DO NOT CALL, CMA Code of Ethics
Common Law
Common Law
Collective Agreements
PIPEDA – Application and Exemptions
Applies to personal information collected, used or disclosed:
  In the course of commercial activities; or
  About employees in the operation of any “federal work, undertaking or business”
PIPEDA will NOT apply to “employee personal information” of non federal works or undertakings
“commercial activity” means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
Very broad, e.g. buying, selling, trading, or providing a service for payment or consideration
PIPEDA – Application and Exemptions
“personal information” means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.
Includes “cookies”, currently business e-mail addresses
PIPEDA – Jurisdiction
PIPEDA is not a long-arm statute
What does that mean?
Abika.com/Lawson findings – obligation to investigate
Often companies choose different web sites for US, EU and Canada
Provincial Consumer Protection Acts – can’t contract out
PIPEDA – Jurisdiction – Abika
Federal Court of Canada ordered the Federal Privacy Commissioner to investigate a U.S. company collecting the personal information of Canadians whose only operations in Canada were conducted through a “dot.com” website without any infrastructure in Canada
Privacy Commissioner vested by Parliament with authority to investigate complaints against foreign organization which collect, use and sell the personal information of Canadians
Privacy Commissioner has jurisdiction to investigate both foreigners who have Canadian sources of information and the Canadian sources themselves
PIPEDA – Marketing Opt-in Opt-out
Primary and Secondary Marketing
Form of Consent:
Opt-in (positive) sensitive information
Opt-out (non sensitive)
Ticketmaster Order, OPC Findings & Alberta Order
Telephone practice: customers told collection in line with privacy policy (web). Little information about disclosure.
Online customers told by pressing “Submit Order” button they were consenting to policy of sharing purchaser’s email addresses with partners like venues, teams, fan clubs etc. who would contact them for marketing. Also told third parties could use and disclose the collected information in other ways.
PIPEDA – Marketing Opt-in Opt-out
“Regardless of whether customer requests are issued on paper, in person, by telephone or via a web site, businesses must effectively communicate to customers in the same consistent manner their practices and policies regarding personal information collection, disclosure and use.”
Findings
Need consistency telephone v. online
Need opt-out or opt-in – choice must not disadvantage customer re service
Telephone scripts changed. Telephone ticket agent now explains use and sharing and requests verbal consent. Automated transactions, customers invited to press # key to choose
Online, customer can opt out by checking off a box before their ticket payment is remitted
PIPEDA – Marketing Other
CMA Code – Marketing to Minors
CRTC Administered Do Not Call List
Data Breach
Data Breach
  Federal Data Breach Guidelines
  Pressure to become statutory requirement to report to Privacy Commissioner
  No mandatory notification requirements in Canada except for PHIPA in Ontario
12(2). Subject to subsection (3) and subject to the exceptions and additional requirements, if any, that are prescribed, a health information custodian that has custody or control of personal health information about an individual shall notify the individual at the first reasonable opportunity if the information is stolen, lost, or accessed by unauthorized persons.
PIPEDA and Cross Border Transfers
No prohibition against the use of third-party service providers outside of Canada for private organizations or federal works and undertakings
Requirement that “an organization [be] responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.”
Applies equally to cross border transfers
PIPEDA and Cross Border Transfers
Key: Who collects and controls personal information?
Non Disclosure / Confidentiality Agreement
Prohibition from using personal information
Obligations not to use/ disclose passed on through contract
Transborder Data Flow – Patriot Act – can Canadian data be processed in the U.S.? Yes… safeguard data as above.
Exception: data of B.C. public service
PIPEDA and Cross Border Transfers
PIPEDA Case Summary #313
Considered data processing in the U.S. with respect to customer information held by a Canadian bank
Although customer consent not necessary for such outsourcing, must notify customers that:
  data processing was occurring outside of Canada;
  personal information would be subject to the laws of that country; and
  the potential risks involved under the Patriot Act.
PIPEDA and Cross Border Transfers
Security of records stored in electronic and physical forms
Security built into outsourcing agreements – must have comparable safeguards across partnerships
Security in destruction – information needs to be disposed of in a manner that protects confidentiality
Impact on Organizations and Cross Border Trade
Organizations should:
Identify sources of personal information, by province, to determine whether provincial disclosure and consent requirements apply
May be more practical to implement highest provincial standard to all cross border transfers
Ensure agreements in place with third party service providers to address cross border data transfers
Ensure that appropriate disclosure is made regarding cross border transfers
U.S. Privacy Regulations Overview
Emerging Trends
  Protection of personal information in all formats
  Security breach legislation
  Security of information
  Requirements for encryption
    In transmission and in place
    Portable devices
  Specific data security plan requirements
    Identity Theft Red Flag Rule
    Massachusetts (Personal Information)
    Connecticut (Social Security Number privacy policy)
    PCI Data Security Standards
State regulations to protect residents impact out-of-state businesses
U.S. Privacy Regulation Overview
Identity Theft Red Flag Rule
Requires a written Identity Theft Prevention Program designed to “detect, prevent, and mitigate identity theft” in connection with “covered accounts”
Implements Section 615(e) of the FCRA, amended by FACTA in 2003, which calls for “establishment of procedures for the identification of possible instances of identity theft.”
U.S. Privacy Regulations Overview
Massachusetts
“Standards for the Protection of Personal Information of Residents of the Commonwealth”
(201 Mass. Code Regs. § 17.00)
Purpose: To establish “minimum standards to safeguard personal information in both paper and electronic records.”
Compliance Deadline: January 1, 2010
  General compliance with the new standards, with third-party service provider requirements and encryption of laptops
  Encryption of all other portable devices
U.S. Privacy Regulation Overview
Connecticut
“An Act Concerning the Confidentiality of Social Security Numbers” (Public Act No. 08-167)
“Any person in possession of personal information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties, and shall destroy, erase or make unreadable such data, computer files and documents prior to disposal.”
“Any person who collects Social Security numbers in the course of business shall create a privacy protection policy which shall be published or publicly displayed.”
Effective Date: October 1, 2008
Penalties: Provides for fines of $500 per violation not to exceed $500,000.
U.S. Privacy Regulation Triggers
Personal information
  Name with Social Security Number, drivers license number, financial account number, medical information, passport number, date of birth, biometrics
Collection
  Customer information, cookies, check and credit card transactions
Use
  Marketing, behavioral advertising, violation of privacy policies
Disclosure (intended or unintended)
  Sharing, selling, unauthorized access or misuse, credit card number truncation
Destruction or disposition
  Records, equipment
Imposition of state regulation on out-of-state business
U.S. Privacy Regulation Enforcement
Federal Agencies
  FTC
  FCC
  Financial regulators
  Department of Justice
State Attorneys General
Private right of action – Class Actions
  Unfair and Deceptive Practices Acts
  Computer Fraud and Abuse Acts
  Invasion of Privacy
  Issues include proof of damage where no statutory penalty
Civil and criminal penalties
U.S. Privacy Regulation Data Security
Federal regulation of public companies, financial institutions, “creditors” and users of consumer report information
State by State regulations are resident-centric
  Obligation to secure “personal information” against unauthorized use, access, destruction (8 states)
  Obligation to destroy records containing “personal information” by shredding, burning, erasing (23 states)
  Obligation to provide notice to individuals whose “personal information” has been accessed or acquired by an unauthorized person or has been misused (44 states, Puerto Rico, Guam)
Encryption requirements are an emerging trend
  Nevada (prohibits unencrypted transmission of information outside system)
  Massachusetts regulation (January 1, 2010) requires encryption in transmission and on portable devices
U.S. Privacy Regulation Opt-In/Opt-Out
Generally, Opt-Out is the preferred option for US privacy statutes
  Gramm-Leach-Bliley Act requires Opt-Out for financial services providers’ sharing with third parties
  FCRA/FACTA requires Opt-Out under Affiliate Marketing Rule for use of information received from affiliate for direct marketing
  CAN-SPAM and many state anti-spam laws require provision of Opt-Out of future emails
  National “Do-Not-Call” list for Opting-Out of telephone solicitation
  California “Shine the Light” Act provides option of disclosing the recipients of information shared for marketing purposes or providing Opt-Out.
  Some states require Opt-Out before personal information may be shared or sold.
Opt-In is usually reserved for sensitive information or where cost is a factor
  HIPAA requires consent for sharing of personal health information
  California Financial Information Privacy Act (SB-1) (Financial Code 4050-4060) requires Opt-In for sharing non-consumer report information with unaffiliated third parties
  Telephone Consumer Protection Act provisions for advertising by fax and to mobile phones require Opt-In
    Cost to consumer for paper and toner was important in the decision to require consent (“Advertising by Theft”)
    Similar restriction for marketing to mobile telephones
  State “Junk Fax” statutes require consent; some except existing business relationship
Data Security and Loss Prevention
Data Security is ultimately about Data Protection (independent of data type or classification)
Highly Confidential Data:
  Business Data - confidential or sensitive business-related data that does not relate to individuals (e.g., pricing information, trade secrets, financials, M&A or other strategic plans, etc.).
  Personal Data - any data, which is not publicly available, that can uniquely identify a specific individual (customer, employee, etc.); and
  Intellectual Property - any intangible asset that consists of human knowledge and ideas, of which the ownership or right to use is legally protected by the company (e.g., copyright, patent, trademark, etc.);
Data states to consider:
  In Motion – Where is it going?
  At Rest – Where is it stored?
  In Use – How is it used, and by whom?
Payment Card Industry – Data Security Standard (PCI DSS)… a global data security requirement
12 comprehensive requirements for enhancing payment account data security were developed by the PCI Security Standards Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. International.
Intended to have organizations proactively protect customer account data
PCI DSS is a multifaceted security standard that includes requirements to:
  Build and Maintain a Secure Network (2)
  Protect Cardholder Data (2)
  Maintain a Vulnerability Management Program (2)
  Implement Strong Access Control Measures (3)
  Regularly Monitor and Test Networks (2)
  Maintain an Information Security Policy (1)
Data Security Regulations overlap with Privacy (example)
Columns: PCI | HIPAA | AICPA | ISO 27001 (an X marks each framework that addresses the control; for rows with fewer than four Xs the column positions were lost in extraction)
1.1 Roles and Responsibilities X X X
1.2 Risk Assessment X X
2.1 Collection and Usage of Personal Data X
2.2 Notice, Consent, and Quality X
2.3 Knowledge Sharing X X
3.1 Access Rights X X X X
3.2 Authentication X X X X
3.3 Storage X X X X
3.4 Transmission X X X X
3.5 Backups X X
3.6 Systems Security X X X X
3.7 Network Security X X X
3.8 Information Disposal X X X
3.9 Application Development and Management X X X
4.1 Physical Security X X X X
4.2 Walkthroughs X X
5.1 Security Breach Response and Reporting X X X
6.1 Initial Training X X X X
6.2 Ongoing Training and Awareness X X X X
6.3 Roll-On and Roll-Off X X X
7.1 Vendor Compliance X X
Security vs. Privacy
Privacy: Consent, Limiting Collection, Purpose Specification, Accuracy, Openness
Shared Practices: Accountability, Limiting Use (Auth), Disclosure (Access), Retention, Compliance
Security: Security Safeguards, Confidentiality, Integrity, Availability
Although the specific drivers of focus have a different genesis, the topics will be necessarily intertwined.
You can have good security without privacy. But you cannot have good privacy without security.
Contacts
Rafi Azim-Khan, Partner
Pillsbury Winthrop Shaw Pittman LLP, Tower 42, Level 23, 25 Old Broad Street, London EC2N 1HQ, United Kingdom
44.20.7847.9500
Catherine Meyer, Counsel
Pillsbury Winthrop Shaw Pittman LLP, 725 South Figueroa Street, Suite 2800, Los Angeles, CA 90017-5406, United States of America
Ariane Siegel, Partner
Gowlings Lafleur Henderson LLP, First Canadian Place, 100 King Street West, Suite 1600, Toronto, Ontario M5X 1G5, Canada
416.369.7228
Cal Slemp, Managing Director
Protiviti Inc., One Stamford Plaza, 263 Tresser Blvd., 14th Floor, Suite 1401, Stamford, CT 06901, United States of America
203.905.2926