technology law forum - us and eu data protection and privacy laws
TRANSCRIPT
-
7/28/2019 Technology Law Forum - US and EU Data Protection and Privacy Laws
1/84
Technology Law Forum
Seminar on Certain US and EU Data Protection and Privacy Laws
Poorvi Chothani, Esq., Correspondent to Cyrus D. Mehta & Associates, PLLC, New York
(US Immigration & Nationality Law)
[email protected] / 022 6654 1671
-
Monday, April 15, 2013
Need for Protection
Technological readiness of the Indian BPO industry is very high
Regulatory framework is inadequate
BPOs deal with sensitive and/or private data that needs protection
The Internet is an instrument in the flattening of the world: a level playing field for knowledge and access to ideas (Ref. Thomas Friedman's The World is Flat)
-
Legal Lag Following Technology
Outsourcing Industry: Great Economic Advantage to India
Other, competing outsourcing destinations are gaining importance
Need for Protection
-
The US and the EU do not have Comprehensive Privacy or Data Protection Laws
Intellectual property
Corporate secrets
Confidential Customer Health Information
Financial Information
Trade Secrets
Personal Identifiable Information:
Name
Addresses
National Identifying Numbers
Telephone Numbers
Birth Date
Driver's License information
Credit History
Court and Traffic violation records
-
Sensitive Personal Information
The racial or ethnic origin of the data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992), his physical or mental health or condition, his sexual life, the commission or alleged commission by him of any offence, or any proceedings for any offence.
-
Privacy Development
Multilateral discussions and initiatives:
Organization for Economic Cooperation and Development (OECD)
Developed 1980 Privacy Guidelines
Working Party on Information Security and Privacy
Privacy also an issue within other OECD working parties: telecommunications, consumer protection, small businesses etc.
India is a Member of OECD
In the US, the US Supreme Court interpreted the Constitution and found a right to privacy
-
Introduction
US v EU
The United States and the European Union share the goal of enhancing privacy protection for their citizens
Different approach to Privacy:
The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self regulation.
The European Union relies on comprehensive legislation that, for example, requires creation of government data protection agencies, registration of data bases with those agencies, and in some instances prior approval before personal data processing may begin.
Effect: hampered U.S. companies' ability to engage in many trans-Atlantic transactions.
-
US and EU Different Approaches
The United States System is based on:
Self Regulation
Sector specific Legislation
Enforcement (FTC)
Outreach and Awareness
The European Union's System is based on:
Common Legislation covering all industry sectors and almost all personal data
EU authorities could legally stop data flows at any time
-
Council of Europe Convention
Established a committee of experts on data protection that reported its findings in early 1979.
Was enacted for the Protection of Individuals with regard to Automatic Processing of Personal Data, 1981.
Came into force in 1985 after five States ratified it.
Sets forth the individual data subject's right to privacy
Enumerates a series of basic principles for data protection
Provides for transborder data flows
Finally led to the European Union Directive 95/46/EC
-
The EC Data Protection Directive 95/46/EC (EU Directive)
Data processing systems are designed to serve human beings
Respects fundamental rights and freedoms, the right to privacy
Lays down conditions which must be fulfilled for legally processing personal data
The European Parliament confirmed the existence of a network of supercomputers operated by the secretive United States National Security Agency, an agency responsible for intercepting communications across the world for the benefit of American business and Government.
-
EU Data Protection Directive
The EU Directive: Each EC Member State has to enact laws in keeping with the EU Directive
E.g. the EU Directive is implemented by the United Kingdom Data Protection Act 1998.
Approved set of standard contractual clauses may be used
EU Directive applies to the processing of personal data
-
Data Protection Principle
General prohibition on collection and processing of personal data
Subject to limited exceptions
Burden of proof is on the data controller
Restricts the transfer of personal data outside the EU countries unless the other country ensures an adequate level of protection
The data controller or data aggregator is liable for ensuring that these principles are adhered to
-
Principles of Data Protection - UK
The Data Protection Act 1998 requires that data controllers process personal data in accordance with Eight Principles. These require that personal data is:
1. Fairly and lawfully processed;
2. Processed for limited purposes;
3. Adequate, relevant and not excessive;
4. Accurate;
5. Not kept longer than necessary;
6. Processed in accordance with individuals' rights;
7. Kept secure;
8. Not transferred to countries outside the European Economic Area without adequate protection.
-
The EU Directive
Applies to personal data, including customer, employee and coded data
Corresponding obligations of data controllers (need to give notice, choice, access, rectification, etc.)
Protection obligations (notification to government agencies)
Covers all sectors of industry and commerce
-
Transfer of Data Under the EU Directive
Transfer to Countries with Adequate Protection, without additional adequacy requirements:
Switzerland, Canada, Argentina and the UK territories of Guernsey and the Isle of Man, all recognized by the EU as offering adequate data protection.
-
Options to transfer restrictions under the EU Directive
Adopt Standard Contract Clauses
Obtain Unambiguous Consent to transfer from affected individuals
Negotiated Protections acceptable in the UK
Codes of Conduct
Direct Compliance/registration with EU Authority
Some EU countries require that a copy of the executed agreement with the standard clauses be deposited with the regulatory authority; this is not the case in the UK.
-
US Safe Harbor Framework to Facilitate Business with EU States
The "Safe Harbor" Framework bridges the different privacy approaches
Is a streamlined means for US organizations to comply with the Directive
The U.S. Department of Commerce created the Safe Harbor Framework in consultation with the European Commission
The Safe Harbor, approved by the EU in 2000, is important for U.S. companies to avoid interruptions to dealings with entities in the EU or facing prosecution in the EU
Certifying to the Safe Harbor assures EU organizations that the US company provides "adequate" privacy protection, as defined by the Directive.
More than 933 members registered with the Department of Commerce (some registrations are not current)
-
Safe Harbor
Result of the US and EU's expressed commitment to bridging different approaches to privacy while maintaining data flows and a high level of privacy protection.
FTC Act permitted each side to maintain their position
U.S. Companies made voluntary commitments.
EU satisfied because the FTC Act made those commitments legally binding.
-
Safe Harbor
It recognizes and implements principles of the EU Data Directive.
Creates a system of notice, opt-out, opt-in for certain sensitive information, control of subsequent transfers, data security and integrity systems.
Safe Harbor framework includes:
- 7 privacy principles
- 15 FAQs
- EU's adequacy determination
- Letters between DoC and European Commission
-
Other options
Model (standard) Contracts: EU-based exporters or U.S.-based importers of personal data can also satisfy the adequacy requirements by including privacy clauses in contracts they sign with each other.
The EC has approved two types of clauses:
Transfers: controller-to-controller
Transfers: controller-to-processor
The latter concerns transfers between data controllers based in the EU and processors outside the EU.
-
Model Contracts
Enforcement is in Europe
Potentially different interpretation and enforcement approaches in different member states
Potential for member states to add contractual requirements
Joint and Several Liability
Higher Standards than the Safe Harbor
-
Penalties Under the EU Directive
Each Member State's national laws will determine the penalty
For instance, under the UK Data Protection Act 1998 the regulatory authority, the Information Commissioner, also imposes the penalty: fines; and documents that infringe privacy to be forfeited, destroyed or erased.
-
The Safe Harbor Principles
An organization entering the Safe Harbor must adhere to 7 principles:
- Notice
- Choice
- Onward transfer
- Security
- Data integrity
- Access
- Enforcement
-
Safe Harbor Pros/Cons
Public attention/positive privacy image
Added liability
Increased compliance flexibility
EU-wide solution
Response to customer concerns
Dispute jurisdiction
Unavailable to financial services firms
-
Enforced by US government agencies
One set of rules
Less specific standards, only principles specified
Eliminates model contract burdens and onerous negotiations
Enforcement of Safe Harbor Principles
-
Some US Laws
Gramm-Leach-Bliley Act (GLBA)
Fair Credit Reporting Act
The Sarbanes-Oxley (SOX) Act
Right to Financial Privacy Act
The Health Insurance Portability and Accountability Act (HIPAA)
The Children's Online Privacy Protection Act (COPPA)
-
Some More US Laws
The Electronic Fund Transfer Act
Right to Financial Privacy Act
Provisions of the Federal Trade Commission
The Driver's Privacy Protection Act:
Restricts the ability of Motor Vehicle Departments to disclose motor vehicle operator permits, motor vehicle titles and motor vehicle registrations.
Information on accidents, driving violations and driver's status is expressly excluded from the federal disclosure rules.
Violations are punishable by a criminal fine or by civil fine against the Department of Motor Vehicles.
-
The Privacy Act of 1974
Establishes citizens' rights against the Government:
to know what information the Government collects from them,
why it is collecting it,
who has accessed the information
Allows them to receive a copy of the information.
Governs the activities of federal agencies with regard to why they may or may not collect certain pieces of data.
-
Gramm-Leach-Bliley Act (GLBA)
Applies to Financial Institutions:
National Banks
Banks' Financial and Operating Subsidiaries
Affects how institutions share information
Restricts Transmission to Third Parties
Exceptions: disclosure to affiliated third parties
Transfer of Data
Prohibits Disclosures for Marketing Purposes.
-
GLBA
Organizations must:
Deliver Privacy Policies to each customer
Provide a Reasonable Opportunity to Opt-Out of certain information sharing arrangements
Develop, Implement and maintain a comprehensive information security Program.
Program must include administrative, technical and physical safeguards appropriate to the
-
The Fair Credit Reporting Act (FCRA)
Applicable to: Credit Rating Agencies and in some instances to Banks and other financial service providers
Affects customers' Credit Reports pertaining to:
credit worthiness,
credit standing,
credit capacity,
character, general reputation,
personal characteristics or
mode of living
-
FCRA
FCRA sets standards for:
Collection;
Communication; and
Use of credit related information
FCRA requirements include:
Furnishing consumer reports only for permissible purposes
Maintaining high standards
Ensuring accuracy
Enabling individuals to correct misinformation
Resolving customer disputes
-
The Sarbanes Oxley (SOX) Act
A reactionary measure to US corporate scandals; has a significant impact on US companies as well as auditing firms.
Aims to strengthen corporate governance and restore investors' confidence.
Companies must attest that outsourcing firms have internal controls in place to comply with SOX and other regulations.
-
Sarbanes Oxley
Legislation is wide ranging and establishes new or enhanced standards for all US public company Boards, Management, and public accounting firms.
Contains 11 titles, or sections, ranging from additional Corporate Board responsibilities to criminal penalties.
Requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law.
-
The Health Insurance Portability and Accountability Act (HIPAA)
Establishes privacy protection for health care information.
HIPAA provisions apply to organizations that offer health plans, doctors, hospitals and other health care providers and in turn the Medical Transcription Industry
Limits the use of patient information
In most cases would extend to the offshored activity of the organizations
-
HIPAA Contd.
Information may be disclosed to a business associate if the data owner obtains satisfactory assurance in a written agreement that the information will be safeguarded
Data Owner will most likely require business associates to agree to the same obligations that apply to the covered entity.
-
HIPAA Compliance
Self-assessments, employee training, and increased technological capacities
Administrative, technical, and physical safeguards
Must reasonably safeguard from any intentional or unintentional use or disclosure that is in violation of the standard
Implementation specifications or other requirements of (Company's Privacy Rules).
Business associate would have to comply too.
-
The Telephone Consumer Protection Act (TCPA)
Restricts the use of the telephone and facsimile machine to deliver unsolicited advertisements.
Prohibits the delivery of artificial or prerecorded messages to residences
Once a consumer asks not to receive calls from a particular company, that company may not call that consumer.
-
TCPA & Related FCC Rules
Exempts autodialed calls to emergency telephone lines, health care facilities, paging services, cellular telephones, and any service for which the called party is charged for the call
Enforcement
A National Do-Not-Call registry
It includes all telemarketers (with the exception of certain nonprofit organizations)
Covers both interstate and intrastate telemarketing calls
Consumers can place their telephone numbers on the registry through one telephone call or one Web click.
-
Other US laws
The Fair and Accurate Credit Transactions Act of 2003: Disposal of Records (affects almost every business in the US).
US Patriot Act: Affects bank secrecy to combat money laundering, terrorism and criminal behavior.
-
More US Laws
The Video Privacy Protection Act
Forbids a video rental or sales outlet from disclosing information concerning what tapes a person borrows/buys or releasing identifiable information.
Enforced through civil liability action.
Electronic Communication Privacy Act
Prohibits the unauthorized interception or disclosure of many types of electronic communications including telephone conversations and electronic mail, although disclosure by one of the parties to the communication is permitted.
Applies both to the Government and private persons and entities.
Violations are subject to civil and criminal penalties.
-
Data Protection Laws in the US
Electronic Funds Transfer Act
Requires institutions which deal with electronic banking services to inform their consumers of the circumstances under which automated bank account information will be disclosed to third parties, in the ordinary course of business.
Violators are subject to civil and/or criminal penalties.
Enforced by the Federal Revenue Board.
-
Data Protection Laws in the US
Right to Financial Privacy Act
Mandates that the Federal Government present proper legal process or a formal written request to inspect an individual's financial records kept by a financial institution, including credit card companies
Gives simultaneous notice to the consumer to provide him/her with the opportunity to object.
Provides for civil liability.
The Cable Communication Policy Act as amended by the Cable Television Consumer Protection Act
Establishes written disclosure requirements regarding the collection and use of personally identifiable information by cable television service providers
Prohibits the sharing of such information without prior consent.
-
Communications Act
Requires the Telecommunication Commission to protect the confidentiality of customer proprietary network information
Includes the destinations and numbers of calls made by customers
Except as required to provide the customer's telecommunications service or pursuant to consumer consent.
Penalties may include attorneys' fees and punitive damages and reasonable litigation costs in addition to actual damages
-
Penalties
Each violation of COPPA (The Children's Online Privacy Protection Act) invokes a penalty of $11,000.
Penalty: actual damages, statutory damages up to $1000, punitive damages per violation (no cap on class action damages), attorney fees and civil penalties up to $2,500
-
Penalties: HIPAA violations
Certain violations attract a US$100 penalty for each violation
Total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed US$25,000.
Knowing wrongful disclosure invokes a penalty of US$ 50,000 and/or imprisonment up to one year
Under false pretenses, the offender may be fined up to US$ 1000,000 and/or imprisoned up to 5 years; the penalty is increased respectively to US$ 250,000 and 10 years if the offense is committed with intent to gain commercial advantage for violating HIPAA.
-
Penalties
The penalties for violating GLBA are steep and cost up to $11,000 per day
Penalties for violation of FACTA's (Fair and Accurate Credit Transactions Act) rule of disposal, which affects most businesses: actual damages, statutory damages, punitive damages per violation, attorneys' fees and penalties up to US$ 2,500 and imprisonment of not more than 2 years.
Penalties for violation of FCRA (Fair Credit Reporting Act): damages of not less than $100 and civil penalty of not more than $2,500 per violation or punitive damages and imprisonment up to 2 years.
-
Pending Bills
US States' laws or pending bills to:
Regulate privacy and personal data;
Impose obligations on call center activities;
Try to minimize or ban offshoring of state contracts;
Some of these measures are protective of the US workforce.
Many of the bills may fail, be significantly diluted or be challenged on grounds of constitutionality or found to violate international trade agreements.
-
Bills or recent laws that curtail the granting of state contracts to Non-US workers or restrict performance of state contracts outside the US
New York;
Massachusetts;
Texas;
Oregon;
Pennsylvania;
Florida;
Maryland;
Missouri; and
Nevada
-
California Privacy Laws
Law of Notice of Security Breach: An owner of personal information who becomes aware of a breach of security must disclose the breach to every resident of California whose unencrypted personal information was, or is believed to have been, accessed by an unauthorized person.
Privacy of financial information: Stricter than GLBA; requires affirmative opt-in for sharing of information with third parties, provides for opt-out for sharing with affiliates unless in the same line of business under the same name.
-
California Privacy Laws
Online Privacy Act
Information sharing disclosure: A business having personal information of a California resident must give a list of categories of information shared with third parties, with the names and contact information of the third parties, OR provide a conspicuous privacy statement with a cost-free opt-out prior to the disclosure.
-
Prohibitions on the Transmission of Information
Tennessee requires the express written permission of a customer before sending any financial, credit or identifying information to a foreign country.
In California, proposed legislation requires strict privacy compliance when sending an individual's personal information abroad.
-
Protectionism: Implications for the US and the World
Create friction and hurdles in commercial activities
Effective measures to stifle meaningful outsourcing
US companies will be less competitive and will put even more jobs in danger if they cannot benefit from service cost arbitrage
Deterrent to American companies from offshoring medical, accounting, financial consulting or other information-based services overseas
Absence of legal ramifications does not alleviate the harm to public image
-
Protectionism: Implications for the US and the World
Legislation banning state awards of grants, loans, or tax credits to companies that outsource
Protectionist measures only affect the immediate future.
Offshoring is a valuable tool for American business.
American business men are very innovative
-
Non-Delegable Responsibilities for Offshored Work
Data protection laws that are modeled on the European regime are aimed at data controllers or processors without regard to any employment relationship.
Customer retains legal responsibility for transgressions by the sourced processor abroad.
-
Canada Legislation
Legislation similar to the EU Data Privacy Directive.
Canada - The Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA creates a Privacy Commissioner. Citizens may bring complaints to the Commissioner, who has the power to enforce the Act in Canadian Federal Court.
PIPEDA requires prior consent before disclosure and prohibits disclosure without consent. A strong opt-in provision; the Act clearly covers businesses based outside of Canada who collect, use, or transfer data including personal information about individuals within Canada.
-
Strategies to Optimize Opportunities in the Face of International Laws
Suggested Best Practices for Working Managers and Chief Executives
-
Compliance
Conducting an inventory of information collection and disclosure practices;
Evaluating agreements with third parties that involve the disclosure of consumer information
Establishing mechanisms to handle opt-out elections by consumers
Developing or revising existing privacy policies
Determining how to deliver privacy notices to consumers (by the data controller in the US)
Establishing employee training and compliance programs
Setting Targets for implementation and regular checks of the compliance program
-
Non-tangible Essentials
Honesty
Flexibility
Transparency
Supported by contracts that adequately address the risks associated with the outsourced service, be it the risk of the OSP's capabilities or the customer's compliance needs
-
Effective and Comprehensive Contracts
Clear and unambiguous contracts
Flexibility in Contracts
Service Level Contracts
Employee Contracts
Limitations on Liability
Confidentiality Contracts
Third Party Licenses and Service Contracts
Service Level Breakdown
Transition and Exit Procedures
Dispute Resolution
Alternate Dispute Resolution
Governing Law and Jurisdiction
-
Contracts
Aspects of Business Continuity
Compliance with legal and regulatory requirements pertaining to the OSP's country and the Customer's country
HR Training Requirements
Confidentiality
Choice of law (may be more than one to govern different aspects of the contract)
-
Contracts Contd.
Adopting the EU model contractual provisions in contracts to mitigate problems with EU Directive compliance issues
Careful and clear allocation of responsibility of the OSP and the customer for violations of the rights of third parties and, indeed, liability for punitive damages.
Careful consideration before granting customer indemnity in the contract.
Any liability agreement should include a cap.
-
Management Related Best Practices
Due Diligence by both parties
Commitment of negotiating representative and Senior Management Staff to ensure security and compliance
Regular and frequent monitoring of the relationship
Ensure that knowledge of compliance policies percolates through all operation levels
Technical and Physical Security of Infrastructure
Operational protection measures: no devices to save data locally; communication restrictions
-
Management Related Best Practices Contd.
Dedicated Physical Security Officer appointed by the OSP
Onsite Manager appointed by the customer
Dedicated and Trained (in the requirements) Compliance Officer
OSPs should configure a complex matrix of capabilities, scale, skills, language, management and infrastructure when making commitments.
-
Management Related Best Practices Contd.
Consolidate information for managing business performance
Improve Business Intelligence
Periodically Assess internal controls
Record Management and Provisions to Examine Audit Trails
Monitoring, Managing and Transforming the Services
-
Management Related Best Practices Contd.
Standard Written Internal Company Practices to Enhance Security with Recorded Standard Operating Procedures Manuals
Disaster Recovery Plan
Insurance to cover risks of security breaches and/or loss of data
Insurance to cover risk of claims arising out of the quality, timeliness and quantity of services
Employ certified security professionals
-
Employee Related Best Practices
Employee Background Checks
Centralized Data Bank of all BPO related employees, helpsidentify prior violators (as initiated by NASSCOM)
Need Based Dissemination of Information - Division ofprocess, access and/or control
Technical Limitations on Access or Communication ofdifferent processes
Standard Written Internal Company Practices to EnhanceSecurity with Recorded Standard Operating ProceduresManuals
Technological Best Practices
Encryption
Installing and Using Standardized Technical Measures
Industry Related Best Practices
Establishment of an Independent Governing Body to regulate the industry
Independent Certification About Security Standards. Some Certifying Authorities:
- British Standards Institute (BSI) BS 7799
- ISO 1799
- Det Norske Veritas (DNV)
- Standardization Testing Quality Certification (STQC - Govt. of India)
- KPMG
- Ernst & Young
Self-Regulation and Compliance Training
OSP should inform customer about any infractions to mitigate damage
Industry Related Best Practices (Contd.)
Card Holder Information Security Program (CISP)
Payment Card Industry (PCI) Data Security Standard, to safeguard sensitive data for all card brands - result of a collaboration between Visa and MasterCard - creates common industry security requirements endorsed by other card services
Industry Related Best Practices (Contd.)
Technology Regulation and Certification
COBIT (Control Objectives for Information and related Technology, by ISACA), based on ITIL
ITIL (the IT Infrastructure Library), from the Office of Government Commerce (UK), is the most widely accepted approach to IT service management
Relevance of US Laws to Indian Businesses
Extraterritorial reach?
Affect conduct of business (both onshore and offshore).
Stringent reporting requirements and penalties.
Assumption of liability under contract.
Choice of law of a foreign jurisdiction automatically extends liability.
Future
Indian-US security Forum to shortly sign an MoU formalizing the roadmap for co-operation on information security issues
Industry could lobby with the Government:
- To create an Indian version of the Safe Harbor
- To provide regulatory authority and framework, like SEBI and SEBI guidelines, to Protect Privacy
The amendments to the IT Act should be in sync with global laws and trends.
Conclusion
Factors that nurture BPOs also spawn crimes.
Elaborate, onerous, technical security measures reduce productivity and erode employee motivation.
Combination of Best Practices.
US Protectionist Measures likely to have an adverse effect upon both the US and the global economy.
Laws will have to evolve to govern the runaway proliferation of outsourcing.
Fraud and Data Violations can occur anywhere in the world.
Data Protection Strategy
Organize
Determine the scope
Assign resources
Separate duties where sensitive data resides
Data Protection Strategy
Assess Data Risk
Identify sensitive and critical data
Perform risk analysis of entire backup process
Conduct a cost/benefit analysis on backup data encryption
Inform business managers of risk solutions and costs
Data Protection Strategy
Develop a Backup Data Protection Program
Devise a multi-layered approach that includes
- Authentication
- Authorization
- Encryption
- Auditing
Copy the backup data - get that copy off-site, off-line and out-of-reach
Data Protection Strategy
Develop a Backup Data Protection Program
End-to-end chain of custody
Need a sound method to track backup media when moved
Report daily on tapes sent off-site and those on-site
Reconcile between tapes off-site and tapes on-site to account for all media
Destroy all media once it has become obsolete - get a certificate of destruction
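The chain-of-custody slide above asks for a daily on-site/off-site report, a reconciliation that accounts for every tape, and a destruction certificate for obsolete media. The following is an added example of what that reconciliation check looks like in code; it is not from the seminar or from any named product. It assumes three inputs a custody process would already produce: a media register (every tape ever issued, with the date its retention ends), the inventory reported by the on-site library and by the off-site vault, and the list of destruction certificates received. All tape IDs, dates and certificate numbers are constructed sample data.

```python
"""Backup-media chain-of-custody reconciliation (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class MediaRecord:
    """One entry of the media register: a tape the organisation issued."""
    media_id: str
    retention_until: date  # after this date the tape is obsolete and must be destroyed


@dataclass
class Reconciliation:
    """Exceptions found when comparing the register with both locations."""
    unaccounted: set            # registered, held nowhere, and no destruction certificate
    conflicting: set            # reported on-site and off-site at the same time
    unregistered: set           # held somewhere but never entered in the register
    destroy_pending: set        # retention expired but tape still held: destroy, get certificate
    held_after_destruction: set  # certificate issued, yet a location still reports the tape
    destroyed_early: set        # certificate issued although retention has not expired

    def is_clean(self) -> bool:
        """True when every registered tape is accounted for exactly once."""
        return not any(vars(self).values())


def reconcile(register, onsite, offsite, certificates, today):
    """Account for each registered tape as on-site, off-site or destroyed.

    `certificates` maps media_id -> certificate number (assumed shape).
    """
    known = {r.media_id for r in register}
    obsolete = {r.media_id for r in register if r.retention_until < today}
    destroyed = set(certificates)
    held = onsite | offsite
    return Reconciliation(
        unaccounted=known - held - destroyed,
        conflicting=onsite & offsite,
        unregistered=held - known,
        destroy_pending=obsolete & held,
        held_after_destruction=held & destroyed,
        destroyed_early=destroyed & (known - obsolete),
    )


def daily_report(rec, today):
    """Render the exception list as the lines of the daily custody report."""
    lines = [f"Media custody report for {today.isoformat()}"]
    for name, ids in vars(rec).items():
        if ids:
            lines.append(f"  {name}: {', '.join(sorted(ids))}")
    if rec.is_clean():
        lines.append("  all media accounted for")
    return lines


# Constructed sample data; each oddity below triggers one exception class.
SAMPLE_REGISTER = [
    MediaRecord("TAPE-0001", date(2030, 1, 1)),
    MediaRecord("TAPE-0002", date(2030, 1, 1)),    # listed by both locations
    MediaRecord("TAPE-0003", date(2030, 1, 1)),    # certificate issued while still held
    MediaRecord("TAPE-0004", date(2030, 1, 1)),    # seen nowhere
    MediaRecord("TAPE-0005", date(2012, 12, 31)),  # retention expired, still on-site
    MediaRecord("TAPE-0006", date(2012, 12, 31)),  # retention expired, properly destroyed
    MediaRecord("TAPE-0007", date(2030, 1, 1)),    # seen nowhere
]
SAMPLE_ONSITE = {"TAPE-0001", "TAPE-0002", "TAPE-0005"}
SAMPLE_OFFSITE = {"TAPE-0002", "TAPE-0003", "TAPE-9999"}  # TAPE-9999 is not registered
SAMPLE_CERTIFICATES = {"TAPE-0003": "CERT-2013-0041", "TAPE-0006": "CERT-2013-0042"}
SAMPLE_DATE = date(2013, 4, 15)  # constructed report date


def sample_reconciliation():
    """Run the check over the constructed sample data."""
    return reconcile(SAMPLE_REGISTER, SAMPLE_ONSITE, SAMPLE_OFFSITE,
                     SAMPLE_CERTIFICATES, SAMPLE_DATE)


if __name__ == "__main__":
    print("\n".join(daily_report(sample_reconciliation(), SAMPLE_DATE)))
```

Every registered tape must land in exactly one of three states (on-site, off-site, destroyed with a certificate); anything else is an exception for the custody owner to chase the same day, which is the point of the daily report the slide calls for. A tape that is obsolete and held is reported as pending destruction rather than lost, and a certificate for a tape that is still being reported, or whose retention has not ended, is flagged because it means the certificate and the inventory cannot both be right.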
Data Protection Strategy
Develop a Backup Data Protection Program
Protect all the backup data
Consider the use of technologies like Electronic Vaulting to securely backup distributed data
Not protecting this data exposes it to potential risk and unauthorized access
Data Protection Strategy
Implement the Plan
Execute the plan based on standard guideline developed
Train staff
Communicate the process to the organization
Data Protection Strategy
Test the Process
Periodically test the process - understand if some backup data is left exposed and where
- Recommend improvements
- Decide on corrective actions
Conduct disaster recovery tests to ensure you can recover the data
Change the data protection process as the business changes
Conclusions
Data Protection Directive was not conceived with e-commerce in mind and raises numerous problems and legal uncertainty
Government control and discretionary authority are inconsistent with innovative information society and consumer choice
Data Protection applies even if consumer does not want it, resulting in paternalism.
Privacy protection increases risk of fraud
EC exports its consumer and data protection regime to the rest of the world, thus reducing availability of e-commerce services and making them more expensive.
Conclusions
There is cost to privacy protection
In market setting, cost is self-limiting
Government's monopoly over force and absence of self-limiting mechanism are differences that should have consequences
Privacy versus security debate highlights problems of quantifying cost of privacy
Thank You
Poorvi Chothani, Esq.
LawQuest
36, Maker Tower F
Cuffe Parade
Mumbai 400 005
E-mail [email protected]
00 91 22 6654 1671