Privacy Law Abroad: A Primer Kimberly A. Verska

Post on 15-Apr-2017


Page 1: Worldwide Laws Privacy Presentation 2006

Privacy Law Abroad: A Primer

Kimberly A. Verska


Page 2

The EU Data Directive


Page 3

EU Data Directive

• Data Protection Directive 1995/46/EC
• Effective November 23, 1995
• Radically different approach from U.S.
• Based on idea that control over personal data is founded in the human right to privacy
• Self-regulation is out, government regulation is in
• Bold approach to exports of data from EU led to adoption of laws based on the Data Directive worldwide
• Currently implemented by all European Member States, except France
• National laws were to be adopted by November 23, 1998
• 9 of 15 Member States missed deadline, 5 by more than 4 years


Page 4

EU Data Directive

• General principles
  • Data quality: Collected data must be adequate, relevant, accurate, up to date and not be excessive in relation to the intended purpose of collection
  • Overall fairness: Data must be processed fairly, and collected only for specified legitimate purposes, not used inconsistently with those
• Data processing is, inter alia, legitimate, if
  • Consent was unambiguously given; or
  • Processing is necessary for the performance of a contract to which the data subject is party; or
  • Processing is necessary for compliance with legal obligation; or
  • Processing is necessary for the purposes of the legitimate interests pursued by data processing entity


Page 5

EU Data Directive

• Data processing of sensitive data only permitted with explicit consent
  • Racial/ethnic origin, political opinion, religious or philosophical belief, trade union membership, health/sex life, criminal record
• Information requirements
  • Identity of controller and its representative
  • Purpose of the processing
  • Recipients of data
  • Right of access to data and right to rectify data
• Right of access to and rectification, erasure and blocking of the data
• Prior right to object to use of data for direct marketing (opt-out) or to disclosure to third parties including affiliates


Page 6

EU Data Directive

• Confidentiality and security of processing
  • Technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access
  • Guarantees of compliance by third parties involved in the processing procedure
• Registration (“notification”) with Data Protection Authority (“DPA”)
  • Format varies widely
  • Permissions needed for certain activities
• Right not to be subject to automated decisions with respect to credit, work performance


Page 7

EU Data Directive

Transfers of Data From EU

• Groundbreaking approach: “adequacy of protection” to be decided by EU
• Transfers to inadequate destinations only allowed in limited circumstances, including inter alia:
  • Data subject has given his consent unambiguously to the proposed transfer
  • Transfer is necessary for the performance of a contract between the data subject and the controller [or in the interest of the data subject between controller and third party]
• Authority to block data transfers in violation of these laws


Page 8

EU Data Directive

Oversight and Enforcement Regime

• DPA representatives make up the Article 29 Working Party, which makes recommendations on EU-wide policies
• Enforcement Structure
  • EU Commission at EU level (Microsoft Passport)
  • DPAs in the Member States
    • Powers range from direct imposition of civil penalties to court-based enforcement of civil and criminal penalties, to ombudsman model
  • Direct right of action in courts (class action unavailable)


Page 9

EU Data Directive

Enforcement Picture and Trends

• Slow to implement, slow to enforce
  • In 2001, more than half of websites of EU companies did not allow choice for marketing or third party disclosures
  • Key DPAs show preference for dialogue over sanction
• Hot spots for enforcement
  • Direct marketers, telecom, state agencies popular targets
  • Spain and Portugal impose many fines, sometimes very high ($9M in 1999)
• Trend is toward more enforcement
  • Consumer awareness campaigns bring more complaints
  • Finland arrests executives who monitored employee phone calls (2003)


Page 10

EU Data Directive

• Moving personal data from the EU to the U.S. and other countries without “adequate protection”
  • Safe Harbor (US only)
  • Model Contracts
  • DPA Case-by-Case Approvals (often not available)
  • Codes of Conduct


Page 11

Data Transfer Mechanisms: US/EU Safe Harbor

• Agreement entered into in 2000 between EU and U.S. Dept. of Commerce

• U.S. companies who participate are given presumption of “adequate protection”

• Does not preclude EU residents’ private actions

• Safe Harbor program available since November 2000


Page 12

Data Transfer Mechanisms: US/EU Safe Harbor

When the US/EU Safe Harbor Is NOT Available

• Financial services

• Telecommunications

• Non-profit organizations

• Processing involving countries beyond the U.S. (EU-US-Canada, EU-US-Japan, etc. involving onward transfer)


Page 13

US/EU Safe Harbor Requirements: Qualifying for the Safe Harbor

In order to qualify for the Safe Harbor, an organization must self-certify to the Department of Commerce that:

(1) It has joined a self-regulatory organization that adheres to the Principles

(2) It has implemented privacy policies that conform with the privacy principles of the Directive

(3) It is subject to a statutory, regulatory, administrative or other body of law that effectively protects personal privacy consistent with the Directive

OR

Alternatively, it may enter into DPA-approved contracts directly with the entities in the US that transfer data to the US


Page 14

US/EU Safe Harbor Principles

SAFE HARBOR PRINCIPLES

NOTICE PRINCIPLE

Notice must contain:
• Clear and conspicuous notice of the purpose for collecting information
• How to contact your company with inquiries or complaints
• Types of third parties to which your company discloses information
• Choices and methods available to the individual for limiting use and disclosure

Notice must be provided: When an individual is first asked to provide personal information or as soon thereafter as practicable, but in any event prior to using such information for any purpose other than that for which it was originally collected or disclosing it to a third party

Notice not required when disclosing information to an agent

CHOICE PRINCIPLE

Choice (opt out) required prior to:
• Disclosing an individual’s personal data to a third party
• Using personal data for a purpose incompatible with purpose for which it was originally collected or subsequently authorized by the individual

Choice (opt in) required with respect to ‘sensitive information’ prior to:
• Disclosure to a third party
• Use for purpose other than that for which it was collected or subsequently authorized by such individual through the exercise of an opt in choice

Limited exceptions to choice requirement for sensitive information (e.g., when disclosure is in vital interests of data subject or another person)

Choice not required when disclosing information to an agent


Page 15

US/EU Safe Harbor Principles

ACCESS PRINCIPLE

Must provide access to personal information and the ability to correct, amend or delete inaccurate information, except where the burden or expense of providing access is disproportionate to the privacy rights at issue or where the rights of others would be violated

Right of access is not absolute, but is subject to the principle of proportionality or reasonableness

Expense and burden are factors to be taken into account but are not dispositive

Must make a good faith effort to provide access

If access is denied, it must be for a specific reason accompanied by an explanation

ONWARD TRANSFER PRINCIPLE

Notice and Choice Principles apply to: Disclosures of personal data to third parties

Prior to any transfer to agents, must first determine that agent either:
• Subscribes to the Principles; or
• Is subject to the EU Data Directive or another finding of adequacy

If not, must include provision in contract with agent obligating agent to provide at least the same level of privacy protection required by the Principles

DATA INTEGRITY PRINCIPLE

Collect only that information relevant to the purpose for which it will be used

Take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete and current

SECURITY PRINCIPLE

Take reasonable precautions to protect personal information from loss and misuse and unauthorized access, disclosure, alteration and destruction



Page 16

US/EU Safe Harbor Principles: Enforcement Principle

(1) Readily available and affordable independent recourse mechanisms for investigating complaints, resolving claims by reference to the Principles and awarding damages where applicable law or private sector initiatives so provide

(2) Follow-up procedures for verifying that the attestations and assertions businesses make about their privacy practices are true and have been implemented as presented

(3) Obligations to remedy problems arising out of failure to comply with the Principles and consequences for same

Dispute resolution requirements set forth in (1) and (3) above may be satisfied by:

Agreeing to cooperate with Data Processing Authorities (“DPAs”) located in the European Community

Complying with private sector privacy programs that incorporate the Principles into their rules and include effective enforcement mechanisms

Complying with legal or regulatory supervisory authorities that provide for the handling of individual complaints and dispute resolution; OR

Any other mechanism devised by the private sector that meets the requirements of the enforcement principle

Cooperation with the DPAs’ option:
• Annual fee (not to exceed $500)
• Agree in self-certification to DOC to cooperate with the DPAs regarding investigation and resolution of complaints brought under the safe harbor and comply with DPA advice, including remedial or compensatory measures

Legal/Regulatory Authority Option:
• FTC will review complaints referred by privacy self-regulatory organizations and EU member nations on a priority basis
• If FTC finds a violation, it may seek an administrative cease and desist order prohibiting the challenged practice or file an action

Verification requirement set forth in (2) above may be satisfied by:
• Self-assessment: an organization must issue an annual written statement signed by a corporate officer stating:
  • Its privacy policy is accurate, complete, prominently displayed, fully implemented, accessible and in conformance with the Principles
  • It has procedures in place to: (i) inform individuals of mechanisms for handling complaints; (ii) train employees; and (iii) conduct periodic compliance reviews
• Outside compliance reviews: require an annual review or audit to demonstrate that an organization’s privacy policy conforms to the Principles, that it is being complied with, and that individuals are informed of the mechanisms by which they may pursue complaints


Page 17

Data Transfer Mechanisms: US/EU Safe Harbor

Why have only 308 U.S. companies joined the safe harbor?

• Enforcement
  • May subject companies to FTC enforcement (of non-US laws)
  • U.S. class action lawsuits may be possible
  • Jurisdiction in multiple EU countries
• Expense of implementation and compliance
  • Certification process
• Lack of EU enforcement
• Principles “attach” to data collected during participation, even if company later leaves the safe harbor
• Personal liability of officers


Page 18

Data Transfer Mechanisms: Model Contracts

• The EU Commission has adopted Model Contracts for both processor and non-processor data transfers from the EU to non-EU countries. Some discussion of developing industry-specific Model Contracts exists.

• EU Member States are obliged to recognize that use of such Model Contracts constitutes “adequate protection” of the transferred data.

• Use of the Model Contracts is voluntary, but offers a straightforward means of complying with the “adequate protection” obligation for data transfer outside of the EU.


Page 19

Data Transfer Mechanisms: Model Contracts

Elements of Model Contracts

• Importer chooses which substantive rules to apply to its processing:
  • Mandatory Data Protection Principles on Appendix; or selected MDPPs plus:
    • National law of the exporter
    • (Certain other findings of adequacy)

• Importer agrees to abide by advice of DPA and submit to audit

• Third party beneficiary clauses

• Joint and several liability for exporter and importer

• Dispute resolution in courts of Member State where exporter is established


Page 20

Data Transfer Mechanisms: Model Contracts

Mandatory Data Protection Principles

• “Unavoidable” MDPPs that must be used in addition to other choices:

• Purpose. Data must be used only for the purposes listed in Appendix to Model Contract.

• Access. Rights of access/correction/blocking granted to data subjects.

• Onward Transfer. Onward transfer only with consent of data subject (opt-out or opt-in for sensitive data) OR if new controller becomes party to Model Contract


Page 21

Data Transfer Mechanisms: Model Contracts

Mandatory Data Protection Principles

• Other MDPPs:

• Quality and Proportionality. Data must be accurate and up-to-date, not excessive in relation to purposes of use.

• Transparency. Data subject must receive notice of purposes of processing and identity of importer.

• Security. Controller must take technical and organizational security measures appropriate to level of risk.

• Sensitive Data. Additional measures such as consent and heightened security.

• Direct Marketing. Opt-out opportunity must be provided to data subject.

• Automated Decisions. Limitations on completely automated decision-making where individual may be significantly affected.


Page 22

Data Transfer Mechanisms: Model Contracts

Problems with Model Contracts for U.S. Companies

• Joint and several liability
  • American Chamber of Commerce negotiations reflect some flexibility here
• Member state jurisdiction
  • Under Safe Harbor, this only arises after failure to comply with FTC or other US-based enforcer
• Variances from the model
  • Does it have to be approved in each individual country?
• Substantive rules for data handling
  • Yet another set of Principles for use when data is coming from multiple jurisdictions


Page 23

Data Transfer Mechanisms: Codes of Conduct

• The development of Codes of Conduct is in its early stage
  • Can Codes fulfill the same role as contractual clauses in meeting adequacy objective?
  • Can Codes be used as single, worldwide policies for processing employees’ personal data?
• Expect DPAs to:
  • Exercise their competence/authority to be notified of the transfer
  • Review the Code of Conduct
  • Require similar content or the same results as when contracts are utilized for data transfer
  • Expect data protection equivalent to the set of rules contained in the Directive or in the national law of the data exporter


Page 24

Other Worldwide Privacy Laws


Page 25

Adequate and Potentially Adequate

Officially adequate for EU:
• Norway
• Iceland
• Liechtenstein
• Hungary
• Switzerland
• Canada

In active negotiations for adequacy finding:
• Australia
• Argentina

Passed legislation based on Directive, not yet considered by EU:

• Most of Eastern Europe:

• Albania, Bosnia, Bulgaria, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Poland, Romania, Slovak Republic and Slovenia.

• Others:

• Cyprus, Hong Kong, Malta, New Zealand, Paraguay and South Africa


Page 26

Canada

• The 2001 Personal Information and Electronic Documents Act (PIPEDA) regulates use of personal information by private sector organizations at the federal level
  • Establishes parameters for the collection, use, disclosure, retention, and disposal of personal information.
  • After phase-in, takes effect for all entities on January 1, 2004
  • Sets out 10 privacy principles as standards that organizations must comply with when dealing with personal information, including: accountability; identify purpose; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance
• PIPEDA provides adequate protection (as determined by the EU) for personal data transferred from the EU to Canada. No additional safeguards are needed.


Page 27

Canada

Canada’s law promised a more business-friendly approach:

• Clear exemption for names, addresses and telephone numbers of employees of an organization

• Implied consent expressly embraced by rules for non-sensitive information

• Numerous PIPEDA rules are precatory rather than mandatory

Yet – Canada’s Privacy Commissioner is very active

• Privacy Commissioner has issued 114 written findings to date

• Use of “reasonable person” test to challenge privacy practices, even where consent is present

• Has stated his intention to limit use of implied consent and opt-outs, though these are expressly permitted by law in some circumstances


Page 28

Japan

• Until recently, the Japanese government promoted a policy of self-regulation for the private sector

• The Personal Data Protection Bill was introduced in 1999 (and is currently being deliberated by the Diet). The Bill would provide a framework for both governmental and commercial use of personal information based on 5 principles:
  • (1) to explicitly specify the purpose for data collection and hold to the scope of that purpose; (2) to gather personal information “by lawful and appropriate means”; (3) to maintain accuracy and currency of data; (4) to protect the security of personal information; (5) to infuse transparency into the collection and use of data.
• The Bill also:
  • Requires private businesses to disclose to individuals any personal information collected from them and the purposes of such collection
  • Prohibits companies from sharing personal information with third parties.


Page 29

Australia

Privacy Amendment (Private Sector) Act 2000

• Applies broadly to private sector entities that collect and use personal information about identifiable individuals
• Contains a set of very detailed National Privacy Principles (NPPs)
• May elect to be subject to the NPPs OR to a Code of Conduct meeting or exceeding the NPPs. The Codes of Conduct:
  • Must be approved by the Australian Privacy Czar
  • Allow for complaint resolution by independent third party rather than by Privacy Czar enforcement
• Does not currently satisfy the EU Directive’s adequacy test, but negotiations for an adequacy finding continue


Page 30

Australia

• Transborder transfers are allowed if:
  • Transferring organization “reasonably believes” the recipient is subject to a law, “binding scheme or contract” that is substantially similar to the NPPs OR the transferring organization has taken reasonable steps to ensure recipient will comply with the NPPs
  • The individual consents OR obtaining consent is impracticable and organization believes consent would be granted if requested
  • It is necessary for contract
• Comparatively business-friendly regime
  • Trans-border transfer scheme
  • Uses and disclosures of non-sensitive information are allowed for related and reasonably expected secondary purposes
  • “Related bodies corporate” permitted to share non-sensitive data so long as together they comply with the NPPs or an approved Code of Conduct


Page 31

South America

• Argentina: Passed the Law for the Protection of Personal Data in Nov. 2000. More onerous in some respects than the Directive, yet no formal declaration of adequacy has yet been adopted.
  • Legal entities as well as natural persons covered
  • Must register with government of Argentina prior to collecting data
  • No transfer of any data outside Argentina to a destination not deemed to have adequate protection, with limited exceptions
    • One exception is “stock exchange or banking transfers”
    • Rule has since been softened by regulation to allow transfers with consent
  • Regulatory authority recently formed but inactive


Page 32

South America

• Brazil: 1988 constitutional guarantees of privacy and data protection have been augmented with additional statutory protection:
  • 1990 Consumer Protection Law provides broad consumer rights in data
    • Amended in 2002 to void clauses granting blanket authority to transfer data to third parties without consumer permission
  • Comprehensive data protection bill is under consideration
• Mexico: Federal Law for the Protection of Personal Data expected to pass legislature in 2003
  • Based on EU Data Directive
  • Includes registration requirement
  • Same virtual prohibition on international transfers originally found in Argentina’s law


Page 33

South America

• Chile: Passed the Law for the Protection of Private Life in 1999. The law covers processing and use of personal data in the public and private sector and the rights of individuals to access, correction, and judicial control. The law also contains a chapter devoted to use of financial, commercial and banking data. The law does not contain restrictions on transfers to third countries.

• Peru: The 1993 Peruvian Constitution sets out extensive privacy, data protection and freedom of information rights. A Data Protection Bill was introduced in Parliament in 1999. The Bill is based in part on the Directive.


Page 34

Hong Kong

• Personal Data (Privacy) Ordinance (1996)
• Based on EU Directive concepts: notice, choice, access/correction, security, enforcement
• Privacy Commissioner maintains public registry of private entities processing data
• Restrictions on transfer from Hong Kong
  • Exceptions: consent, exempt transfers (many and varied), or reasonable measures by transferor to ensure legal compliance
• “Matching procedures” may not be done unless consent is obtained or the procedure is listed in a government regulation as allowed


Page 35

South Africa

• Electronic Communications and Transactions Act (2002)

• Applies to personal information obtained through electronic transactions

• Voluntary, but all-or-nothing adoption required

• Data controllers must obtain “express written permission” to obtain or use data, except where permitted or required by law

• Info collected must be only what is necessary and only what has been notified to data subject

• No enforcement mechanism as yet but coming in 2003


Page 36

For more information,

please visit our International Privacy Library at

www.alston.com\privacy_library.htm


Page 37

U.S. Law on Spam

• No federal legislation as of yet
• “Can Spam Act” (SB 630) now pending
  • Criminal penalty for fraudulent routing info
  • Mandates use of functioning return address for opt-outs and inclusion of postal address
  • Unlawful to send message after opt-out received
  • To be enforced by FTC (or other federal agencies) and state AGs as deceptive trade practice
    – Damages are the number of violations x $10, up to $500,000 or $1,500,000 for willful conduct
• FTC engaged in “Spam Harvest” sting against deceptive spam


Page 38

U.S. Law on Spam

• State laws
  • 28 states now have laws regulating content or manner of e-mails
  • All are opt-out except for Delaware
  • Coverage extends to “unsolicited commercial” messages
    – “Unsolicited” can contain exception for existing business relationship in some laws
• Experience in the courts:
  • ISPs have had some success with actions for trespass in the courts
  • Spammers have won other cases based on argument that anti-spam laws violate Constitution’s dormant Commerce Clause


Page 39

U.S. Law on Spam

• Content of state laws
  • Mandatory working return e-mail address or toll-free number for opt-outs
  • Prohibition on cloaked e-mails
  • Requirement that e-mails disclose that they are advertisements
  • Prohibition of violating ISP policies
• Delaware has the strictest law
  • Prohibition on sending of any “bulk” unsolicited commercial e-mail unless it is “sent between human beings” or where recipient has requested the message


Page 40

EU Law on Spam: Opt-In

• E-Commerce Directive 2000/31/EC
  • Effective 7/17/00, deadline for Member States was 1/17/02
  • 7 member states have failed to implement
• Directive concerning the processing of personal data and the protection of privacy in the electronic commerce sector (“Communication Directive”)
  • Passed on 5/30/02, deadline for Member States is 9/30/03


Page 41

EU Law on Spam: Opt-In

• E-Commerce Directive: Member States may ban spam, but if spam permitted, Member States shall ensure that unsolicited commercial communication by e-mail by a service provider established in their territory shall be identifiable clearly and unambiguously as such

• Communications Directive: The use of [...] electronic mail for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent

• Exception for prior business relationships: the same natural or legal person may use e-mail addresses obtained as part of sale of product or service for direct marketing of its own similar products or services, so long as opt-out opportunity is given on each occasion


Page 42

Worldwide Spam Laws

• 2003 survey of international spam laws indicated:
  • Outside the EU, opt-out standard is most prevalent
    • Japan, Australia, South Africa
  • Many jurisdictions have not yet addressed this issue legislatively
  • Like FTC in U.S., regulatory authorities have non-binding codes of conduct including opt-in standard that are urged upon industry