Privacy Law Abroad: A Primer
Kimberly A. Verska
The EU Data Directive
EU Data Directive
• Data Protection Directive 1995/46/EC
• Effective November 23, 1995
• Radically different approach from U.S.
• Based on idea that control over personal data is founded in the human right to privacy
• Self-regulation is out, government regulation is in
• Bold approach to exports of data from EU led to adoption of laws based on the Data Directive worldwide
• Currently implemented by all European Member States, except France
• National laws were to be adopted by November 23, 1998
• 9 of 15 Member States missed deadline, 5 by more than 4 years
EU Data Directive
• General principles
  • Data quality: Collected data must be adequate, relevant, accurate, up to date and not be excessive in relation to the intended purpose of collection
  • Overall fairness: Data must be processed fairly, and collected only for specified legitimate purposes, not used inconsistently with those
• Data processing is, inter alia, legitimate, if
  • Consent was unambiguously given; or
  • Processing is necessary for the performance of a contract to which the data subject is party; or
  • Processing is necessary for compliance with a legal obligation; or
  • Processing is necessary for the purposes of the legitimate interests pursued by the data processing entity
EU Data Directive
• Data processing of sensitive data only permitted with explicit consent
  • Racial/ethnic origin, political opinion, religious or philosophical belief, trade union membership, health/sex life, criminal record
• Information requirements
  • Identity of controller and its representative
  • Purpose of the processing
  • Recipients of data
  • Right of access to data and right to rectify data
• Right of access to and rectification, erasure and blocking of the data
• Prior right to object to use of data for direct marketing (opt-out) or to disclosure to third parties including affiliates
EU Data Directive
• Confidentiality and security of processing
  • Technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access
  • Guarantees of compliance by third parties involved in the processing procedure
• Registration (“notification”) with Data Protection Authority (“DPA”)
  • Format varies widely
  • Permissions needed for certain activities
• Right not to be subject to automated decisions with respect to credit, work performance
EU Data Directive
Transfers of Data From EU
• Groundbreaking approach: “adequacy of protection” to be decided by EU
• Transfers to inadequate destinations only allowed in limited circumstances, including inter alia:
  • Data subject has given his consent unambiguously to the proposed transfer
  • Transfer is necessary for the performance of a contract between the data subject and the controller [or in the interest of the data subject between controller and third party]
• Authority to block data transfers in violation of these laws
EU Data Directive
Oversight and Enforcement Regime
• DPA representatives make up the Article 29 Working Party, which makes recommendations on EU-wide policies
• Enforcement Structure
  • EU Commission at EU level (Microsoft Passport)
  • DPAs in the Member States
  • Powers range from direct imposition of civil penalties to court-based enforcement of civil and criminal penalties, to ombudsman model
  • Direct right of action in courts (class action unavailable)
EU Data Directive
Enforcement Picture and Trends
• Slow to implement, slow to enforce
  • In 2001, more than half of websites of EU companies did not allow choice for marketing or third party disclosures
• Key DPAs show preference for dialogue over sanction
• Hot spots for enforcement
  • Direct marketers, telecom, state agencies popular targets
  • Spain and Portugal impose many fines, sometimes very high ($9M in 1999)
• Trend is toward more enforcement
  • Consumer awareness campaigns bring more complaints
  • Finland arrests executives who monitored employee phone calls (2003)
EU Data Directive
• Moving personal data from the EU to the U.S. and other countries without “adequate protection”
• Safe Harbor (US only)
• Model Contracts
• DPA Case-by-Case Approvals (often not available)
• Codes of Conduct
Page 11
Data Transfer Mechanisms: US/EU Safe Harbor
• Agreement entered into in 2000 between EU and U.S. Dept. of Commerce
• U.S. companies who participate are given presumption of “adequate protection”
• Does not preclude EU residents’ private actions
• Safe Harbor program available since November 2000
Page 12
Data Transfer Mechanisms: US/EU Safe Harbor
When the US/EU Safe Harbor Is NOT Available
• Financial services
• Telecommunications
• Non-profit organizations
• Processing involving countries beyond the U.S. (EU-US-Canada, EU-US-Japan, etc. involving onward transfer)
Page 13
US/EU Safe Harbor RequirementsQualifying for the Safe Harbor
In order to qualify for the Safe Harbor, an organization must self-certify to the Department of Commerce that:
(1)
It has joined a self-regulatory organization that adheres to the Principles
(2)
It has implemented privacy policies that conform with the privacy principles of the Directive
(3)
It is subject to a statutory, regulatory, administrative or other body of law that effectively protects personal privacy consis-tent with the Directive
Alternatively, it may enter into DPA-approved contracts directly with the entities in the US that transfer data to the US
OR
Page 14
US/EU Safe Harbor Principles
SAFE HARBOR PRINCIPLES
NOTICE PRINCIPLE
Notice must contain:
• Clear and conspicuous notice of the purpose for collecting information
• How to contact your company with inquiries or complaints
• Types of third parties to which your company discloses information
• Choices and methods available to the individual for limiting use and disclosure
Notice must be provided: when an individual is first asked to provide personal information or as soon thereafter as practicable, but in any event prior to using such information for any purpose other than that for which it was originally collected or disclosing it to a third party
Notice not required when disclosing information to an agent
CHOICE PRINCIPLE
Choice (opt out) required prior to:
• Disclosing an individual’s personal data to a third party
• Using personal data for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual
Choice (opt in) required with respect to ‘sensitive information’ prior to:
• Disclosure to a third party
• Use for a purpose other than that for which it was collected or subsequently authorized by such individual through the exercise of an opt in choice
Limited exceptions to choice requirement for sensitive information (e.g., when disclosure is in vital interests of data subject or another person)
Choice not required when disclosing information to an agent
US/EU Safe Harbor Principles
ACCESS PRINCIPLE
Must provide access to personal information and the ability to correct, amend or delete inaccurate information, except where the burden or expense of providing access is disproportionate to the privacy rights at issue or where the rights of others would be violated
Right of access is not absolute, but is subject to the principle of proportionality or reasonableness
Expense and burden are factors to be taken into account but are not dispositive
Must make a good faith effort to provide access
If access is denied, it must be for a specific reason accompanied by an explanation
ONWARD TRANSFER PRINCIPLE
Notice and Choice Principles apply to disclosures of personal data to third parties
Prior to any transfer to agents, must first determine that agent either:
• Subscribes to the Principles; or
• Is subject to the EU Data Directive or another finding of adequacy
If not, must include provision in contract with agent obligating agent to provide at least the same level of privacy protection required by the Principles
DATA INTEGRITY PRINCIPLE
Collect only that information relevant to the purpose for which it will be used
Take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete and current
SECURITY PRINCIPLE
Take reasonable precautions to protect personal information from loss and misuse and unauthorized access, disclosure, alteration and destruction
US/EU Safe Harbor Principles: Enforcement Principle
(1) Readily available and affordable independent recourse mechanisms for investigating complaints, resolving claims by reference to the Principles and awarding damages where applicable law or private sector initiatives so provide
(2) Follow-up procedures for verifying that the attestations and assertions businesses make about their privacy practices are true and have been implemented as presented
(3) Obligations to remedy problems arising out of failure to comply with the Principles and consequences for same
Dispute resolution requirements set forth in (1) and (3) above may be satisfied by:
• Agreeing to cooperate with Data Protection Authorities (“DPAs”) located in the European Community
• Complying with private sector privacy programs that incorporate the Principles into their rules and include effective enforcement mechanisms
• Complying with legal or regulatory supervisory authorities that provide for the handling of individual complaints and dispute resolution; OR
• Any other mechanism devised by the private sector that meets the requirements of the enforcement principle
Cooperation with the DPAs option:
• Annual fee (not to exceed $500)
• Agree in self-certification to DOC to cooperate with the DPAs regarding investigation and resolution of complaints brought under the safe harbor and comply with DPA advice, including remedial or compensatory measures
Legal/Regulatory Authority Option:
• FTC will review complaints referred by privacy self-regulatory organizations and EU member nations on a priority basis
• If FTC finds a violation, it may seek an administrative cease and desist order prohibiting the challenged practice or file an action
Verification requirement set forth in (2) above may be satisfied by:
• Self-assessment: an organization must issue an annual written statement signed by a corporate officer stating:
  • Its privacy policy is accurate, complete, prominently displayed, fully implemented, accessible and in conformance with the Principles
  • It has procedures in place to: (i) inform individuals of mechanisms for handling complaints; (ii) train employees; and (iii) conduct periodic compliance reviews
• Outside compliance reviews: require an annual review or audit to demonstrate that an organization’s privacy policy conforms to the Principles, that it is being complied with, and that individuals are informed of the mechanisms by which they may pursue complaints
Data Transfer Mechanisms: US/EU Safe Harbor
Why have only 308 U.S. companies joined the safe harbor?
• Enforcement
  • May subject companies to FTC enforcement (of non-US laws)
  • U.S. class action lawsuits may be possible
  • Jurisdiction in multiple EU countries
• Expense of implementation and compliance
• Certification process
• Lack of EU enforcement
• Principles “attach” to data collected during participation, even if company later leaves the safe harbor
• Personal liability of officers
Data Transfer Mechanisms: Model Contracts
• The EU Commission has adopted Model Contracts for both processor and non-processor data transfers from the EU to non-EU countries. Some discussion of developing industry-specific Model Contracts exists.
• EU Member States are obliged to recognize that use of such Model Contracts constitutes “adequate protection” of the transferred data.
• Use of the Model Contracts is voluntary, but offers a straightforward means of complying with the “adequate protection” obligation for data transfer outside of the EU.
Page 19
Data Transfer MechanismsModel Contracts
Elements of Model Contracts
• Importer chooses which substantive rules to apply to its processing:
  • Mandatory Data Protection Principles in Appendix; or selected MDPPs plus:
    • National law of the exporter
    • (Certain other findings of adequacy)
• Importer agrees to abide by advice of DPA and submit to audit
• Third party beneficiary clauses
• Joint and several liability for exporter and importer
• Dispute resolution in courts of Member State where exporter is established
Data Transfer Mechanisms: Model Contracts
Mandatory Data Protection Principles
• “Unavoidable” MDPPs that must be used in addition to other choices:
• Purpose. Data must be used only for the purposes listed in Appendix to Model Contract.
• Access. Rights of access/correction/blocking granted to data subjects.
• Onward Transfer. Onward transfer only with consent of data subject (opt-out or opt-in for sensitive data) OR if new controller becomes party to Model Contract
Data Transfer Mechanisms: Model Contracts
Mandatory Data Protection Principles
• Other MDPPs:
• Quality and Proportionality. Data must be accurate and up-to-date, not excessive in relation to purposes of use.
• Transparency. Data subject must receive notice of purposes of processing and identity of importer.
• Security. Controller must take technical and organizational security measures appropriate to level of risk.
• Sensitive Data. Additional measures such as consent and heightened security.
• Direct Marketing. Opt-out opportunity must be provided to data subject.
• Automated Decisions. Limitations on completely automated decision-making where individual may be significantly affected.
Data Transfer Mechanisms: Model Contracts
Problems with Model Contracts for U.S. Companies
• Joint and several liability
  • American Chamber of Commerce negotiations reflect some flexibility here
• Member state jurisdiction
  • Under Safe Harbor, this only arises after failure to comply with FTC or other US-based enforcer
• Variances from the model
  • Does it have to be approved in each individual country?
• Substantive rules for data handling
  • Yet another set of Principles for use when data is coming from multiple jurisdictions
Data Transfer Mechanisms: Codes of Conduct
• The development of Codes of Conduct is in its early stage
• Can Codes fulfill the same role as contractual clauses in meeting adequacy objective?
• Can Codes be used as single, worldwide policies for processing employees’ personal data?
• Expect DPAs to:
  • Exercise their competence/authority to be notified of the transfer
  • Review the Code of Conduct
  • Require similar content or the same results as when contracts are utilized for data transfer
  • Expect data protection equivalent to the set of rules contained in the Directive or in the national law of the data exporter
Other Worldwide Privacy Laws
Adequate and Potentially Adequate
Officially adequate for EU:
• Norway
• Iceland
• Liechtenstein
• Hungary
• Switzerland
• Canada
In active negotiations for adequacy finding:
• Australia
• Argentina
Passed legislation based on Directive, not yet considered by EU:
• Most of Eastern Europe:
• Albania, Bosnia, Bulgaria, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Poland, Romania, Slovak Republic and Slovenia.
• Others:
• Cyprus, Hong Kong, Malta, New Zealand, Paraguay and South Africa
Canada
• The 2001 Personal Information and Electronic Documents Act (PIPEDA) regulates use of personal information by private sector organizations at the federal level
• Establishes parameters for the collection, use, disclosure, retention, and disposal of personal information.
• After phase-in, takes effect for all entities on January 1, 2004
• Sets out 10 privacy principles as standards that organizations must comply with when dealing with personal information, including: accountability; identify purpose; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance
• PIPEDA provides adequate protection (as determined by the EU) for personal data transferred from the EU to Canada. No additional safeguards are needed.
Canada
Canada’s law promised a more business-friendly approach:
• Clear exemption for names, addresses and telephone numbers of employees of an organization
• Implied consent expressly embraced by rules for non-sensitive information
• Numerous PIPEDA rules are precatory rather than mandatory
Yet – Canada’s Privacy Commissioner is very active
• Privacy Commissioner has issued 114 written findings to date
• Use of “reasonable person” test to challenge privacy practices, even where consent is present
• Has stated his intention to limit use of implied consent and opt-outs, though these are expressly permitted by law in some circumstances
Japan
• Until recently, the Japanese government promoted a policy of self-regulation for the private sector
• The Personal Data Protection Bill was introduced in 1999 (and is currently being deliberated by the Diet). The Bill would provide a framework for both governmental and commercial use of personal information based on 5 principles:
  • (1) to explicitly specify the purpose for data collection and hold to the scope of that purpose; (2) to gather personal information “by lawful and appropriate means”; (3) to maintain accuracy and currency of data; (4) to protect the security of personal information; (5) to infuse transparency into the collection and use of data.
• The Bill also:
  • Requires private businesses to disclose to individuals any personal information collected from them and the purposes of such collection
  • Prohibits companies from sharing personal information with third parties.
Australia
Privacy Amendment (Private Sector) Act 2000
• Applies broadly to private sector entities that collect and use personal information about identifiable individuals
• Contains a set of very detailed National Privacy Principles (NPPs)
• May elect to be subject to the NPPs OR to a Code of Conduct meeting or exceeding the NPPs. The Codes of Conduct:
  • Must be approved by the Australian Privacy Czar
  • Allow for complaint resolution by independent third party rather than by Privacy Czar enforcement
• Does not currently satisfy the EU Directive’s adequacy test, but negotiations for an adequacy finding continue
Australia
• Transborder transfers are allowed if:
  • Transferring organization “reasonably believes” the recipient is subject to a law, “binding scheme or contract” that is substantially similar to the NPPs OR the transferring organization has taken reasonable steps to ensure recipient will comply with the NPPs
  • The individual consents OR obtaining consent is impracticable and organization believes consent would be granted if requested
  • It is necessary for contract
• Comparatively business-friendly regime
  • Trans-border transfer scheme
  • Uses and disclosures of non-sensitive information are allowed for related and reasonably expected secondary purposes
  • “Related bodies corporate” permitted to share non-sensitive data so long as together they comply with the NPPs or an approved Code of Conduct
South America
• Argentina: Passed the Law for the Protection of Personal Data in Nov. 2000. More onerous in some respects than the Directive, yet no formal declaration of adequacy has yet been adopted.
  • Legal entities as well as natural persons covered
  • Must register with government of Argentina prior to collecting data
  • No transfer of any data outside Argentina to destinations not deemed to have adequate protection, with limited exceptions
    • One exception is “stock exchange or banking transfers”
    • Rule has since been softened by regulation to allow transfers with consent
  • Regulatory authority recently formed but inactive
South America
• Brazil: 1988 constitutional guarantees of privacy and data protection have been augmented with additional statutory protection:
  • 1990 Consumer Protection Law provides broad consumer rights in data
    • Amended in 2002 to void clauses granting blanket authority to transfer data to third parties without consumer permission
  • Comprehensive data protection bill is under consideration
• Mexico: Federal Law for the Protection of Personal Data expected to pass legislature in 2003
  • Based on EU Data Directive
  • Includes registration requirement
  • Same virtual prohibition on international transfers originally found in Argentina’s law
South America
• Chile: Passed the Law for the Protection of Private Life in 1999. The law covers processing and use of personal data in the public and private sector and the rights of individuals to access, correction, and judicial control. The law also contains a chapter devoted to use of financial, commercial and banking data. The law does not contain restrictions on transfers to third countries.
• Peru: The 1993 Peruvian Constitution sets out extensive privacy, data protection and freedom of information rights. A Data Protection Bill was introduced in Parliament in 1999. The Bill is based in part on the Directive.
Hong Kong
• Personal Data (Privacy) Ordinance (1996)
• Based on EU Directive concepts: notice, choice, access/correction, security, enforcement
• Privacy Commissioner maintains public registry of private entities processing data
• Restrictions on transfer from Hong Kong
  • Exceptions: consent, exempt transfers (many and varied), or reasonable measures by transferor to ensure legal compliance
• “Matching procedures” may not be done unless consent is obtained or the procedure is listed in a government regulation as allowed
South Africa
• Electronic Communications and Transactions Act (2002)
• Applies to personal information obtained through electronic transactions
• Voluntary, but all-or-nothing adoption required
• Data controllers must obtain “express written permission” to obtain or use data, except where permitted or required by law
• Info collected must be only what is necessary and only what has been notified to data subject
• No enforcement mechanism as yet but coming in 2003
For more information,
please visit our International Privacy Library at
www.alston.com\privacy_library.htm
U.S. Law on Spam
• No federal legislation as of yet
• “Can Spam Act” (SB 630) now pending
  • Criminal penalty for fraudulent routing info
  • Mandates use of functioning return address for opt-outs and inclusion of postal address
  • Unlawful to send message after opt-out received
  • To be enforced by FTC (or other federal agencies) and state AG’s as deceptive trade practice
    – Damages are number of violations x $10, up to $500,000 or $1,500,000 for willful conduct
• FTC engaged in “Spam Harvest” sting against deceptive spam
U.S. Law on Spam
• State laws
  • 28 states now have laws regulating content or manner of e-mails
  • All are opt-out except for Delaware
  • Coverage extends to “unsolicited commercial” messages
    – “Unsolicited” can contain exception for existing business relationship in some laws
• Experience in the courts:
  • ISPs have had some success with actions for trespass in the courts
  • Spammers have won other cases based on argument that anti-spam laws violate Constitution’s dormant Commerce Clause
U.S. Law on Spam
• Content of state laws
  • Mandatory working return e-mail address or toll-free number for opt-outs
  • Prohibition on cloaked e-mails
  • Requirement that e-mails disclose that they are advertisements
  • Prohibition of violating ISP policies
• Delaware has the strictest law
  • Prohibition on sending of any “bulk” unsolicited commercial e-mail unless it is “sent between human beings” or where recipient has requested the message
EU Law on Spam: Opt-In
• E-Commerce Directive 2000/31/EC
  • Effective 7/17/00, deadline for Member States was 1/17/02
  • 7 member states have failed to implement
• Directive concerning the processing of personal data and the protection of privacy in the electronic commerce sector (“Communications Directive”)
  • Passed on 5/30/02, deadline for Member States is 9/30/03
EU Law on Spam: Opt-In
• E-Commerce Directive: Member States may ban spam, but if spam permitted, Member States shall ensure that unsolicited commercial communication by e-mail by a service provider established in their territory shall be identifiable clearly and unambiguously as such
• Communications Directive: The use of [...] electronic mail for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent
• Exception for prior business relationships: the same natural or legal person may use e-mail addresses obtained as part of sale of product or service for direct marketing of its own similar products or services, so long as opt-out opportunity is given on each occasion
Worldwide Spam Laws
• 2003 survey of international spam laws indicated:
  • Outside the EU, opt-out standard is most prevalent
    • Japan, Australia, South Africa
  • Many jurisdictions have not yet addressed this issue legislatively
  • Like FTC in U.S., regulatory authorities have non-binding codes of conduct including opt-in standard that are urged upon industry