
Pillsbury Winthrop Shaw Pittman LLP

10 March 2009

© 2009 Pillsbury Winthrop Shaw Pittman LLP and Gowlings Lafleur Henderson LLP.

Rafi Azim-Khan – Pillsbury (London)

Catherine Meyer – Pillsbury (Los Angeles)

Ariane Siegel – Gowlings (Toronto)

Cal Slemp – Protiviti (Stamford, CT)

International Privacy Regulations: What Global Companies Need to Know

1 | International Privacy Regulations

Agenda

Overview of European Privacy Regulations

Overview of Canadian Privacy Regulations

Overview of U.S. Privacy Regulations

Cross-Border Data Security


Overview of European Privacy Regulations


Privacy Regulations

27 EU Member States: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, The Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, UK

EEA countries: EU + Iceland, Liechtenstein, Norway


Privacy Regulations

EU Data Protection Directive (95/46/EC)
Applies to ‘data controllers’
Requires data controllers who are ‘established’ in the EU to:
  notify their applicable Member State Data Protection Authority
  observe the 8 data protection principles when ‘processing’ ‘personal data’
    principle 7 – personal data must be processed securely
    principle 8 – personal data must not be transferred outside the EEA unless there is adequate protection

Sets up Article 29 Working Party to publish opinions and guidance on issues flowing from the Directive


Privacy Regulations

Data Controller
  established in the EU
  determines the purposes for and means of the processing of personal data

Established in the EU
  establishment (includes use of equipment)

Personal Data
  any information relating to an identified or identifiable natural person (Data Subject)

Data Processor
  processes personal data on behalf of the data controller

Processing
  includes collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction


Privacy Regulations – Triggers – the 8 Data Protection Principles

Data controllers must ensure that personal data is:
  fairly and lawfully processed
  processed for limited purposes
  adequate, relevant and not excessive
  accurate and up to date
  not kept for longer than is necessary
  processed in line with data subject’s rights
  processed securely
  not transferred to other countries without adequate protection


Privacy Regulations – Triggers – Sensitive Personal Data

Extra care must always be taken when processing ‘sensitive personal data’ which is data relating to:

  racial or ethnic origin
  political beliefs
  trade union membership
  physical or mental health or condition
  sexual life
  commission or alleged commission by him of any offence


Privacy Regulations – Enforcement

The Directive is a Minimum Harmonisation Directive

So procedure and penalties differ from Member State to Member State

A few examples follow…


Privacy Regulations – Enforcement – UK

Law – Data Protection Act 1998

Data Protection Authority – Information Commissioner’s Office (ICO)

Applicable penalties for breach:
  maximum fine of £5K on summary conviction or an unlimited fine on conviction on indictment
  these penalties tend to be applied to data theft or trafficking
BUT
  government is due to increase the penalties to include (yet to be introduced):
    more intrusive inspection powers for the ICO
    ICO power to impose substantial financial penalties for deliberate or reckless breaches

Personal liability for directors
  6 months imprisonment on summary conviction or 2 years on indictment and/or fines


Privacy Regulations – Enforcement – France

Law – 1978 Act (Loi Informatique et Libertés) – modified to implement the EU Directive
Data Protection Authority – Commission Nationale de l’Informatique et des Libertés (CNIL)
Applicable penalties for breach:
  up to five years imprisonment and fines of up to EUR300K for individuals and EUR1.5 million for companies

The CNIL is also given a range of powers, including:
  the imposition of administrative remedies (e.g. warning notices) and fines of up to EUR300K
  the imposition of provisional sanctions, such as the cessation of the data processing
  the institution of summary proceedings with a view to obtaining a provisional order ensuring the safeguard of data subjects’ rights and freedoms


Privacy Regulations – Enforcement – Germany

Law – the amended German Federal Data Protection Act (Bundesdatenschutzgesetz) (BDSG)

Data Protection Authority:
  there is a single national data protection authority for the public sector
  in the non-public sector there are several data protection authorities within each of the different German states

Applicable penalties for breach:
  Fines
    minor infringements – up to EUR25K
    major infringements – up to EUR250K
  Other
    can halt all compromised data processing until compliance established
    order data protection audits


Privacy Regulations – Opt In/Opt Out

Data Protection Act 1998

Privacy and Electronic Communications (EC Directive) Regulations 2003

CAP Code


Privacy Regulations – Opt In/Opt Out – E-Privacy Directive

Electronic Communications

Individuals
  consent needed so no contact unless person has opted in.

Corporates
  can object to receiving direct marketing under the DPA


Privacy Regulations – Opt In/Opt Out – Individuals – Electronic Communications

Consent required to receive electronic marketing message
  “any freely given specific and informed indication of his wishes by which a data subject signifies his agreement to personal data relating to him being processed” (E-Privacy Directive Article 2(1)(h))
  beware of pre-ticked opt-in boxes

Soft Opt In
  obtained consent in the course of the sale or negotiations
  in respect of similar products and services
  given an opportunity to opt out (free of charge)


Privacy Regulations – Opt In/Opt Out – Other Communications

Telephone
  E-Privacy Regulations: can contact unless individual has opted out
  Both Individuals and Corporates can register on the Telephone Preference Service

Fax
  E-Privacy Regulations: opt in is needed for individuals
  Both Individuals and Corporates can register on the Fax Preference Service

Letter
  Individuals can register on the Mail Preference Service – opt out
  Corporates are not entitled to register on the Mail Preference Service


Privacy Regulations – Opt In/Opt Out – Enforcement and Penalties – UK

Information Commissioner may issue:
  information notices
  enforcement notices
  fines

Aggrieved may seek injunction and damages
  Microsoft v McDonald

ASA sanctions

Public perception is often more important


Privacy Regulations – International Data Transfer

Data Protection Principle 8 prohibits extra-EEA personal data transfer

Except where there is adequate protection

Adequate protection includes:
  Consent
  US Safe Harbor
  Model Contract Clauses
  Binding Corporate Rules
  Adequate Jurisdictions


Privacy Regulations – International Data Transfer – US Safe Harbor

E.g. US companies with EU subsidiaries

7 Safe Harbor principles
  notice (tell data subject use and purpose of personal data collection)
  fair processing (data subject decides whether and how his personal data will be used and disclosed)
  onward transfer (once in the US, personal data disclosed to 3rd parties based on the notice and fair processing principles)
  access (data subject can access data to correct it)
  security (members must take reasonable steps to protect personal data)
  data integrity (reasonable steps taken to maintain personal data for its intended use)
  enforcement (members must ensure that data subjects have recourse to solid complaint mechanisms)


Privacy Regulations – International Data Transfer – Model Contract Clauses/Binding Corporate Rules

The Commission has approved 2 forms of MCCs between a data exporter (EEA-based) and a data importer (outside EEA)

  Controller to Controller
  Controller to Processor

permitting extra-EEA transfer of personal data

BCRs are a Working Party initiative that allow a global corporate group to implement a binding inter-group policy that:

  sets out criteria for data processing by all the group entities worldwide
  allows inter-group data transfer within the corporate group


Privacy Regulations – International Data Transfer – Adequate Jurisdictions

Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Jersey, Switzerland

Other countries for a future possible “adequacy” declaration: Australia, Dubai, Hong Kong, Israel, New Zealand


Overview of Canadian Privacy Regulations


Privacy Law in Canada

UNITED STATES – The Legislative Mosaic: Sarbanes, HIPAA, Penalties

EUROPE – The Data Protection Standard

CANADA – The Comprehensive Approach


Legislative Background

The Canadian Privacy Landscape
  Canada – PIPEDA
  Quebec
  Manitoba
  Alberta
  Saskatchewan
  British Columbia
  Ontario
  Nova Scotia – Outsourcing


Sources of Privacy Law in Canada

PRIVATE SECTOR
  Collective Agreements
  Common Law
  Criminal Code
  Sector specific rules – CRTC, DO NOT CALL, CMA Code of Ethics
  British Columbia, Alberta, Ontario Health Privacy
  Quebec legislation
  PIPEDA

PUBLIC SECTOR
  Collective Agreements
  Common Law
  Charter of Rights
  Criminal Code
  Privacy Act


PIPEDA – Application and Exemptions

Applies to personal information collected, used or disclosed:
  In the course of commercial activities; or
  About employees in the operation of any “federal work, undertaking or business”

PIPEDA will NOT apply to “employee personal information” of non federal works or undertakings

“commercial activity” means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.

Very broad e.g. buying, selling, trading, or providing a service for payment or consideration


PIPEDA – Application and Exemptions

“personal information” means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.

Includes “cookies”, currently business e-mail addresses


PIPEDA – Jurisdiction

PIPEDA is not a long-arm statute

What does that mean?

Abika.com/Lawson findings – obligation to investigate

Often companies choose different web sites for US, EU and Canada

Provincial Consumer Protection Acts – can’t contract out


PIPEDA – Jurisdiction – Abika

Federal Court of Canada ordered the Federal Privacy Commissioner to investigate a U.S. company collecting the personal information of Canadians whose only operations in Canada were conducted through a “dot.com” website without any infrastructure in Canada

Privacy Commissioner vested by Parliament with authority to investigate complaints against foreign organization which collect, use and sell the personal information of Canadians

Privacy Commissioner has jurisdiction to investigate both foreigners who have Canadian sources of information and the Canadian sources themselves


PIPEDA – Marketing Opt-in Opt-out

Primary and Secondary Marketing
Form of Consent:
  Opt-in (positive) – sensitive information
  Opt-out – non-sensitive information

Ticketmaster Order, OPC Findings & Alberta Order
  Telephone practice – customers told collection in line with privacy policy (web). Little information about disclosure.
  Online customers told by pressing “Submit Order” button they were consenting to policy of sharing purchaser’s email addresses with partners like venues, teams, fan clubs etc. who would contact them for marketing. Also told third parties could use and disclose the collected information in other ways.


PIPEDA – Marketing Opt-in Opt-out

“Regardless of whether customer requests are issued on paper, in person, by telephone or via a web site, businesses must effectively communicate to customers in the same consistent manner their practices and policies regarding personal information collection, disclosure and use.”

Findings
  Need consistency telephone v. online
  Need opt-out or opt-in – choice must not disadvantage customer re service
  Telephone scripts changed. Telephone ticket agent now explains use and sharing and requests verbal consent. For automated transactions, customers invited to press # key to choose
  Online, customer can opt out by checking off a box before their ticket payment is remitted


PIPEDA – Marketing Other

CMA Code – Marketing to Minors

CRTC Administered Do Not Call List


Data Breach

Data Breach
  Federal Data Breach Guidelines
  Pressure to become statutory requirement to report to Privacy Commissioner
  No mandatory notification requirements in Canada except for PHIPA in Ontario

12(2). Subject to subsection (3) and subject to the exceptions and additional requirements, if any, that are prescribed, a health information custodian that has custody or control of personal health information about an individual shall notify the individual at the first reasonable opportunity if the information is stolen, lost, or accessed by unauthorized persons.


PIPEDA and Cross Border Transfers

No prohibition against the use of third-party service providers outside of Canada for private organizations or federal works and undertakings

Requirement that “an organization [be] responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.”

Applies equally to cross border transfers


PIPEDA and Cross Border Transfers

Key: Who collects and controls personal information?

Non Disclosure / Confidentiality Agreement

Prohibition from using personal information

Obligations not to use/ disclose passed on through contract

Transborder Data Flow – Patriot Act – can Canadian data be processed in the U.S.? Yes… safeguard data as above.

Exception: data of the B.C. public service


PIPEDA and Cross Border Transfers

PIPEDA Case Summary #313

Considered data processing in the U.S. with respect to customer information held by a Canadian bank

Although customer consent not necessary for such outsourcing, must notify customers that:

  data processing was occurring outside of Canada;
  personal information would be subject to the laws of that country; and
  the potential risks involved under the Patriot Act.


PIPEDA and Cross Border Transfers

Security of records stored in electronic and physical forms

Security built into outsourcing agreements – must have comparable safeguards across partnerships

Security in destruction – information needs to be disposed of in a manner that protects confidentiality


Impact on Organizations and Cross Border Trade

Organizations should:

Identify sources of personal information, by province, to determine whether provincial disclosure and consent requirements apply

May be more practical to implement highest provincial standard to all cross border transfers

Ensure agreements in place with third party service providers to address cross border data transfers

Ensure that appropriate disclosure is made regarding cross border transfers


Overview of U.S. Privacy Regulations


U.S. Privacy Regulations Overview

Emerging Trends
  Protection of personal information in all formats
  Security breach legislation
  Security of information
  Requirements for encryption
    In transmission and in place
    Portable devices
  Specific data security plan requirements
    Identity Theft Red Flag Rule
    Massachusetts (Personal Information)
    Connecticut (Social Security Number privacy policy)
    PCI Data Security Standards
  State regulations to protect residents impact out-of-state businesses


U.S. Privacy Regulation Overview

Identity Theft Red Flag Rule

Requires a written Identity Theft Prevention Program designed to “detect, prevent, and mitigate identity theft” in connection with “covered accounts”

Implements Section 615(e) of the FCRA, amended by FACTA in 2003, which calls for “establishment of procedures for the identification of possible instances of identity theft.”


U.S. Privacy Regulations Overview

Massachusetts

“Standards for the Protection of Personal Information of Residents of the Commonwealth”

(201 Mass. Code Regs. § 17.00)

Purpose: To establish “minimum standards to safeguard personal information in both paper and electronic records.”

Compliance Deadline: January 1, 2010
  General compliance with the new standards, with third-party service provider requirements and encryption of laptops
  Encryption of all other portable devices


U.S. Privacy Regulation Overview

Connecticut

“An Act Concerning the Confidentiality of Social Security Numbers” (Public Act No. 08-167)

“Any person in possession of personal information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties, and shall destroy, erase or make unreadable such data, computer files and documents prior to disposal.”

“Any person who collects Social Security numbers in the course of business shall create a privacy protection policy which shall be published or publicly displayed.”

Effective Date: October 1, 2008
Penalties: Provides for fines of $500 per violation not to exceed $500,000.


U.S. Privacy Regulation Triggers

Personal information
  Name with Social Security Number, driver’s license number, financial account number, medical information, passport number, date of birth, biometrics

Collection
  Customer information, cookies, check and credit card transactions

Use
  Marketing, behavioral advertising, violation of privacy policies

Disclosure (intended or unintended)
  Sharing, selling, unauthorized access or misuse, credit card number truncation

Destruction or disposition
  Records, equipment

Imposition of state regulation on out-of-state business


U.S. Privacy Regulation Enforcement

Federal Agencies
  FTC
  FCC
  Financial regulators
  Department of Justice

State Attorneys General

Private right of action – Class Actions
  Unfair and Deceptive Practices Acts
  Computer Fraud and Abuse Acts
  Invasion of Privacy
  Issues include proof of damage where no statutory penalty

Civil and criminal penalties


U.S. Privacy Regulation Data Security

Federal regulation of public companies, financial institutions, “creditors” and users of consumer report information

State by State regulations are resident-centric
  Obligation to secure “personal information” against unauthorized use, access, destruction (8 states)
  Obligation to destroy records containing “personal information” by shredding, burning, erasing (23 states)
  Obligation to provide notice to individuals whose “personal information” has been accessed or acquired by an unauthorized person or has been misused (44 states, Puerto Rico, Guam)

Encryption requirements are an emerging trend
  Nevada (prohibits unencrypted transmission of information outside system)
  Massachusetts regulation (January 1, 2010) requires encryption in transmission and on portable devices


U.S. Privacy Regulation Opt-In/Opt-Out

Generally, Opt-Out is the preferred option for US privacy statutes
  Gramm-Leach-Bliley Act requires Opt-Out for financial services providers’ sharing with third parties
  FCRA/FACTA requires Opt-Out under Affiliate Marketing Rule for use of information received from affiliate for direct marketing
  CAN-SPAM and many state anti-spam laws require provision of Opt-Out of future emails
  National “Do-Not-Call” list for Opting-Out of telephone solicitation
  California “Shine the Light” Act provides option of disclosing the recipients of information shared for marketing purposes or providing Opt-Out.
  Some states require Opt-Out before personal information may be shared or sold.

Opt-In is usually reserved for sensitive information or where cost is a factor
  HIPAA requires consent for sharing of personal health information
  California Financial Information Privacy Act (SB-1) (Financial Code 4050-4060) requires Opt-In for sharing non-consumer report information with unaffiliated third parties
  Telephone Consumer Protection Act provisions for advertising by fax and to mobile phones require Opt-In
    Cost to consumer for paper and toner was important in the decision to require consent – “Advertising by Theft”
    Similar restriction for marketing to mobile telephones
  State “Junk Fax” statutes require consent; some except existing business relationship


Cross-Border Data Security


Data Security and Loss Prevention

Data Security is ultimately about Data Protection (independent of data type or classification)

Highly Confidential Data:

Business Data - confidential or sensitive business-related data that does not relate to individuals (e.g., pricing information, trade secrets, financials, M&A or other strategic plans, etc.).

Personal Data - any data, which is not publicly available, that can uniquely identify a specific individual (customer, employee, etc.); and

Intellectual Property - any intangible asset that consists of human knowledge and ideas, of which the ownership or right to use is legally protected by the company (e.g., copyright, patent, trademark, etc.);

In Motion – Where is it going?

At Rest – Where is it stored?

In Use – How is it used, and by whom?


Payment Card Industry – Data Security Standard (PCI DSS) … a global data security requirement

12 comprehensive requirements for enhancing payment account data security were developed by the PCI Security Standards Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. International.

Intended to have organizations proactively protect customer account data

PCI DSS is a multifaceted security standard that includes requirements to:

  Build and Maintain a Secure Network (2)
  Protect Cardholder Data (2)
  Maintain a Vulnerability Management Program (2)
  Implement Strong Access Control Measures (3)
  Regularly Monitor and Test Networks (2)
  Maintain an Information Security Policy (1)


Data Security Regulations overlap with Privacy (example)

PCI HIPAA AICPA ISO 27001

1.1 Roles and Responsibilities X X X

1.2 Risk Assessment X X

2.1 Collection and Usage of Personal Data X

2.2 Notice, Consent, and Quality X

2.3 Knowledge Sharing X X

3.1 Access Rights X X X X

3.2 Authentication X X X X

3.3 Storage X X X X

3.4 Transmission X X X X

3.5 Backups X X

3.6 Systems Security X X X X

3.7 Network Security X X X

3.8 Information Disposal X X X

3.9 Application Development and Management X X X

4.1 Physical Security X X X X

4.2 Walkthroughs X X

5.1 Security Breach Response and Reporting X X X

6.1 Initial Training X X X X

6.2 Ongoing Training and Awareness X X X X

6.3 Roll-On and Roll-Off X X X

7.1 Vendor Compliance X X


Security vs. Privacy

Privacy
  Consent
  Limiting Collection
  Purpose Specification
  Accuracy
  Openness

Shared Practices
  Accountability
  Limiting Use (Auth)
  Disclosure (Access)
  Retention
  Compliance

Security
  Security Safeguards
  Confidentiality
  Integrity
  Availability

Although the specific drivers of focus have a different genesis, the topics will be necessarily intertwined.

You can have good security without privacy. But you cannot have good privacy without security.


Contacts

Rafi Azim-Khan, Partner
Pillsbury Winthrop Shaw Pittman LLP
Tower 42, Level 23
25 Old Broad Street
London EC2N 1HQ
United Kingdom
44.20.7847.9500
[email protected]

Catherine Meyer, Counsel
Pillsbury Winthrop Shaw Pittman LLP
725 South Figueroa Street, Suite 2800
Los Angeles, CA 90017-5406
United States of America
[email protected]

Ariane Siegel, Partner
Gowlings Lafleur Henderson LLP
First Canadian Place
100 King Street West, Suite 1600
Toronto, Ontario M5X 1G5
Canada
416.369.7228
[email protected]

Cal Slemp, Managing Director
Protiviti Inc.
One Stamford Plaza
263 Tresser Blvd., 14th Floor, Suite 1401
Stamford, CT 06901
United States of America
203.905.2926
[email protected]