International Privacy Challenges Affecting U.S. Companies Operating in Canada, Europe, and Beyond


Presentation Transcript


  1. International Privacy Challenges Affecting U.S. Companies Operating in Canada, Europe, and Beyond

  2. Panelists
  • Dorene Stupski, CIPP/US, CIPP/C, Director, Information Protection and Privacy, Marriott International Incorporated
  • Mitchell Merowitz, Vice President Corporate Affairs, LoyaltyOne
  • Mehmet Munur, CIPP/US, Attorney, Tsibouris & Associates, LLC

  3. Outline
  • Formulating an approach to privacy challenges
  • Background information for international privacy laws
  • Challenges in the EU, Canada, and Beyond
  • Other concerns in addressing international privacy challenges
  • Conclusion

  4. Lessons
  • Approach international privacy challenges methodically.
  • Data privacy laws are local, data flows are global, and the obligation to comply is universal.
  • One size does not fit all. Aligning practices with the most stringent requirements is unlikely to work well.

  5. Jurisdiction
  • Am I subject to jurisdiction?
    • Over the internet?
    • Via payments?
    • Due to employees, stores, data centers?
    • Mergers and acquisitions?
  • What does the law require?
  • What is the climate like?
  • Am I subject to conflicts?

  6. International Privacy Laws
  • Organisation for Economic Co-operation and Development Privacy Principles
  • Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
  • EU Data Protection Directive
  • Asia Pacific Economic Cooperation Privacy Framework

  7. Major Challenges in Europe
  • EU Data Protection Directive and its revisions in the near future
  • EU E-Privacy Directive and the most recent revisions

  8. Data Protection Directive
  Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State.

  9. Concepts
  • Personal Data: any information relating to a data subject
  • Data Subject: identified or identifiable natural person
  • Sensitive Personal Data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life
  • Establishment: the effective and real exercise of activity through stable arrangements

  10. Concepts
  • Data Controller: entity that determines the purposes and means of processing
  • Processor: processes personal data on behalf of the controller
  • Processing: any operation performed upon personal data
  • Consent: freely given, specific, unambiguous, explicit, informed indication of wishes

  11. Concepts
  • Establishment
  • Choice of law and jurisdiction
  • Notice
  • Notification
  • Legitimacy
  • Proportionality
  • Adequacy and international transfers

  12. Legal Bases for Processing
  • Unambiguous consent
  • Necessary for:
    • Contract
    • Compliance with legal obligation
    • Protection of the vital interests
    • Performance of task carried out in public interest
    • *Purposes of legitimate interest of the controller v. interests of data subject*

  13. Grounds for Transfers
  • General Rule: Transfers to 3rd Countries with inadequate protections prohibited
  • Adequacy presumed for EU Member States, Canada, Australia, Argentina, Switzerland, Israel, Uruguay, and U.S. Safe Harbor
  • Exceptions:
    • Unambiguous consent
    • Standard Contractual Clauses
    • Binding Corporate Rules

  14. EU Data Protection Directive
  • Employment issues:
    • Human resources databases
    • Employee hiring and firing
    • Employee monitoring
    • Sensitive personal information

  15. EU Data Protection Directive
  • Whistleblower Hotlines
    • Anonymity
    • Subject matter
    • Reported employees
    • Information and access rights
    • Outsourcing
    • Works councils

  16. EU Data Protection Directive
  • Service providers
  • Cloud Computing
  • National Security Letters
  • Electronic discovery
  • Data Protection Authorities
  • Uniformity

  17. Revisions to the Data Protection Directive
  • About 2 years away
  • Removal of notification
  • Addition of breach notification for all personal information
  • Privacy by Design and Accountability
  • Data Protection Officers

  18. Revisions to the Data Protection Directive
  • Streamlined access rights
  • Right to be forgotten
  • Uniformity
  • Expanded Binding Corporate Rules
  • Substantial increase in fines
    • 2% of annual turnover

  19. E-Privacy Directive
  • Personal information and non-personal information
  • Cookies and related technologies
  • Consent required
  • Varying levels of justification for use of technologies
  • Implementation behind schedule
  • Uniformity

  20. E-Privacy Directive Compliance
  • Audit for cookies and related technologies.
  • Determine purposes and intrusiveness of cookies.
  • Determine retention period of the cookies and related technologies.
  • Remediate the issues found in the audit.

  21. E-Privacy Directive Compliance
  • Find a consent method for justifying use of cookies.
  • Draft a cookie policy that supplements the privacy policy.
  • Compile a list of cookies that complements the cookie policy.
  • Publish the policy, cookie list, and consent method.
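The audit steps on slides 20 and 21 (inventory the cookies, record purpose and retention, find what needs remediation, and produce the cookie list that backs the cookie policy) can be driven from the `Set-Cookie` headers a site actually returns. The script below is an added example written for this transcript; it is not the panelists' code or any official tool. The host name `shop.example`, the captured headers, the cookie names, the purpose mapping, the choice of which purpose category is exempt from consent, the audit timestamp and the 365-day retention threshold are all constructed assumptions for illustration.

```python
"""Cookie audit helper (added example, not from the presentation).

Parses Set-Cookie headers captured from HTTP responses, records each
cookie's retention period, scope and security flags, and lists the
remediation items. The records double as the cookie list that a cookie
policy is built from. Every input below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Constructed sample: the site being audited and headers captured while
# browsing it. The host and cookie names are illustrative only.
FIRST_PARTY_HOST = "shop.example"

CAPTURED_SET_COOKIE = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "cart=item42; Max-Age=2592000; Path=/; Secure",
    "consent_prefs=accepted; Expires=Sat, 01 Jan 2028 00:00:00 GMT; Path=/",
    "_adtrk=xyz; Domain=.ads.example; Max-Age=63072000; Path=/; Secure; SameSite=None",
]

# Fixed audit timestamp (constructed) so retention figures are reproducible.
AUDIT_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Purpose classification supplied by the auditor after step 2 of the slide
# ("determine purposes"); a constructed mapping, not derived from any standard.
PURPOSE_BY_NAME = {
    "sessionid": "strictly necessary",
    "cart": "functional",
    "consent_prefs": "strictly necessary",
    "_adtrk": "advertising",
}

# Audit policy choice (an assumption of this example): only this category
# is set without prior consent; everything else is gated by the consent method.
CONSENT_EXEMPT = {"strictly necessary"}


@dataclass
class CookieRecord:
    name: str
    purpose: str
    retention_days: Optional[float]   # None means a session cookie
    third_party: bool
    secure: bool
    http_only: bool
    needs_consent: bool


def parse_set_cookie(header: str, first_party_host: str,
                     now: datetime, purposes: Dict[str, str]) -> CookieRecord:
    """Turn one Set-Cookie header into an inventory record."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        key, _, value = p.partition("=")
        attrs[key.lower()] = value
    retention = None
    if "max-age" in attrs:                       # Max-Age wins over Expires
        retention = int(attrs["max-age"]) / 86400
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        retention = (expires - now).total_seconds() / 86400
    # A Domain attribute that is not the audited host (or a parent of it)
    # marks the cookie as third-party for the cookie list.
    domain = attrs.get("domain", "").lstrip(".").lower() or first_party_host
    fp = first_party_host.lower()
    third_party = not (domain == fp or fp.endswith("." + domain))
    purpose = purposes.get(name, "unclassified")
    return CookieRecord(
        name=name, purpose=purpose, retention_days=retention,
        third_party=third_party, secure="secure" in attrs,
        http_only="httponly" in attrs,
        needs_consent=purpose not in CONSENT_EXEMPT,
    )


def audit(headers: List[str], first_party_host: str = FIRST_PARTY_HOST,
          now: datetime = AUDIT_TIME,
          purposes: Dict[str, str] = PURPOSE_BY_NAME) -> List[CookieRecord]:
    """Steps 1 to 3 of slide 20: inventory with purpose and retention."""
    return [parse_set_cookie(h, first_party_host, now, purposes) for h in headers]


def findings(records: List[CookieRecord], max_retention_days: int = 365) -> List[str]:
    """Step 4 of slide 20: the remediation list derived from the inventory."""
    out = []
    for r in records:
        if r.purpose == "unclassified":
            out.append(f"{r.name}: purpose not documented")
        if r.retention_days is not None and r.retention_days > max_retention_days:
            out.append(f"{r.name}: retention {r.retention_days:.0f} days exceeds {max_retention_days}")
        if r.needs_consent:
            out.append(f"{r.name}: gate behind the consent method ({r.purpose})")
        if not r.secure:
            out.append(f"{r.name}: missing Secure attribute")
    return out


if __name__ == "__main__":
    records = audit(CAPTURED_SET_COOKIE)
    for rec in records:
        print(rec)
    for item in findings(records):
        print("FINDING:", item)
```

Run as-is to print the inventory and findings for the sample headers; replacing `CAPTURED_SET_COOKIE` with headers exported from a browser session or proxy gives the same table for a real site. The retention threshold and the consent-exempt category are the parts a legal review would adjust to the organisation's own position.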

  22. PIPEDA Basics
  • Accountability: identify a role and adopt suitable measures to comply with obligations under the Act, including staffing requirements and training.
  • Identifying Purpose: advise the purpose for which information is collected.
  • Consent: explain the concept to individuals and obtain their consent (express and implied).
  • Limiting Collection: limit collection to the information necessary to fulfill the purpose, obtained lawfully and fairly.
  • Limiting Use, Disclosure & Retention: use information only to fulfill the purposes of collection and delete information that is no longer required.

  23. PIPEDA Basics
  • Accuracy: maintain up-to-date and complete files.
  • Safeguards: must be implemented based on the sensitivity of the information.
  • Openness: provide clear statements about practices and policies for collection, use and disclosure of information, and document the purposes for collection.
  • Individual Access: provide reasonable access to information when requested, and correct it for accuracy and completeness when requested.
  • Challenging Compliance: mechanisms for questions or complaints, and information about federal and provincial complaint procedures.

  24. PIPEDA Amendments – Bill C-28
  • The OPC can now use its discretion in the investigation of complaints filed under PIPEDA. Information can also now be shared with Provincial Commissioners.
  • The Commissioner can decline to investigate complaints deemed trivial or frivolous, non-jurisdictional, not first raised with the affected organization, not timely, etc.
  • Implementation: brought into force in March 2011 and currently being implemented by the Office of the Privacy Commissioner of Canada (OPC).

  25. PIPEDA Amendments – Bill C-12
  • Amendments include recommendations from the first Parliamentary PIPEDA 5-year review (2007).
  • Amendments will also further clarify: the required elements for valid consent, situations where disclosure of personal information without consent can occur, situations where businesses can collect and use personal information related to prospective or completed business transactions, and requirements for businesses to report data breaches to the OPC.
  • Proposed Timeline: introduced in the House of Commons on September 29, 2011; has not yet moved to Second Reading nor been sent to Committee.
  * The second PIPEDA 5-year review (2012) has not yet been undertaken by Parliament.

  26. CASL – Canada’s Anti-Spam Legislation (formerly FISA – Fighting Internet Spam Act)
  • Regulates the sending of commercial “electronic messages”, defined to include text, sound, voice and image messages sent to email, instant messaging, telephone, etc. (i.e. prohibitions aimed at preventing SPAM).
  • Applies to Canadian and international organizations (all who transmit to Canadians).
  • Requires express consent to communicate, with a few exceptions; notably, businesses, charities and political parties with an existing relationship can rely on implied consent for the delivery of e-messages for two years past the last interaction.
  • Administrative emails, i.e. transactional/commercial communications, are also exempt from the express consent requirement.

  27. CASL – Canada’s Anti-Spam Legislation (formerly FISA – Fighting Internet Spam Act)
  • E-messages must clearly identify the sender, provide accurate contact information/address and a transparent opt-out option.
  • Implementation: a) Canadian Radio-television and Telecommunications Commission (CRTC); b) Industry Canada (IC) – Federal Privacy Commissioner
  • Timeline: passed in December 2010; final CRTC regulations registered; IC regulations expected shortly. Implementation expected in 2012/13.
  • Enforcement: the CRTC can impose Administrative Monetary Penalties of up to $1 million per violation for individuals and $10 million for businesses.

  28. Bill C-30 and U.S. Legislation that May Affect Existing Canadian Law
  C-30
  • Bill C-30, Protecting Children from Internet Predators Act, is Canada’s version of the U.S. CISPA bill. Presently, this cyber security bill is not being linked to C-12 or any other privacy legislation.
  • Recent comments in the U.S. media have attempted to link Canadian cyber security and privacy legislation and have compared the package to CISPA. If Canadian privacy advocates choose to adopt this position, it will have an impact on all privacy legislation moving forward.
  • Proposed Timeline: introduced in the House of Commons on February 14, 2012; has not yet moved to Second Reading nor been sent to Committee.

  29. Bill C-30 and U.S. Legislation that May Affect Existing Canadian Law
  Online Behavioral Advertising (OBA)
  • Efforts to address OBA in Canada are led by the OPC. The OPC currently believes that practices pertaining to OBA and tracking are covered under PIPEDA provisions.
  • A recent OPC position paper outlined that OBA is an appropriate purpose for collecting PI and that meaningful consent is required prior to engaging in OBA.
  • Opt-in (explicit) consent is the best practice for OBA; however, opt-out (implied) consent is appropriate in limited circumstances.

  30. Bill C-30 and U.S. Legislation that May Affect Existing Canadian Law
  • The OPC recently conducted research on 25 websites avidly used by Canadians and found that 11 of the 25 companies were disclosing users’ personal information to third parties without the knowledge or consent of users (“web leakage”).
  • The OBA environment in Canada is fluid. Next steps for Canada may be dependent on further action taken by the Federal Trade Commission or the movement of Bills through Congress.

  31. Asia Pacific
  Organizational Considerations & Challenges:
  • Data protection regimes vary significantly
  • Few countries have comprehensive data protection regimes in place today
  • Some countries are working towards implementing legislation
  • Many countries desire EU adequacy
  • Many countries rely on general legal principles, sector-specific legislation, non-binding guidelines or a combination

  32. Asia Pacific: Varying Regimes
  Australia: Current Regulations
  • Australian Privacy Act 1988 (Privacy Act)
    • Regulates collection, use and disclosure of PI concerning Australian citizens (including permanent residents)
  • Information Privacy Principles (IPPs)
    • Government agencies need to comply
  • National Privacy Principles (NPPs)
    • Private organizations also need to comply with the NPPs when collecting, storing, using and disclosing PI
  • The Privacy Amendment Bill 2012
    • Creates a new single set of Australian Privacy Principles (APPs) and will regulate government & private sector
    • Extends the jurisdiction to organizations with an Australian link

  33. Asia Pacific: Varying Regimes
  India: Current
  • Information Technology Rules
    • Initial outsourcing industry concern
    • Law clarified: only applies to Indian companies collecting data from natural persons
    • Interpretation could be challenged
  • Right of Privacy Bill
    • Create a DPA with a registry of data controllers
    • Investigate data breaches
    • Statutory right of privacy

  34. Asia Pacific: Varying Regimes
  Singapore: Current regulation
  • Sector specific
  • Common law
  • 2002 Model Data Protection Code
    • Voluntary code for the private sector, widely respected
  • Proposed Personal Data Protection Bill
    • Expected to pass Q3, 2012
    • 18-month sunrise
    • Jurisdiction extends to organizations not physically located in Singapore
    • DPO required
    • DNC registry

  35. Asia Pacific: Varying Regimes
  Philippines: Current regulation
  • Data Privacy Act of 2012
    • Applies if established, or having equipment or an office located, in the Philippines
    • Does not apply to PI originally collected from residents of foreign jurisdictions

  36. Asia Pacific: Varying Regimes
  South Korea
  • Act on the Protection of Personal Data
    • Prior consent required
    • Explicit consent for data transfers
    • Breach notification requirement 2014
  • Organizations will be required to disclose publicly:
    • Whether they have been hacked
    • How they managed their incident
    • Staff and budget allocated for security

  37. Asia Pacific
  • Working with local regulators
  • International politics
  • Cultural influence
  • Importance of working with local counsel

  38. Consent Requirements | Asia & South America
  [Chart: consent requirements by country for organizations marketing their own product or service. Legend: Email, Direct Mail, Telemarketing; blue = opt out, red = opt in. Per-country values are not recoverable from the transcript.]

  39. Consent Requirements | Asia & South America
  [Chart: consent requirements by country for organizations marketing a different product or sharing data with a 3rd party. Legend: Email, Direct Mail, Telemarketing; blue = opt out, red = opt in. Per-country values are not recoverable from the transcript.]

  40. Impact of Consent Requirements by Country | Europe
  [Chart: consent requirements by country for organizations marketing their own product or service. Legend: Email, Direct Mail, Telemarketing; blue = opt out, red = opt in. Per-country values are not recoverable from the transcript.]

  41. Impact of Consent Requirements by Country | Europe
  [Chart: consent requirements by country for organizations sharing data and marketing a 3rd party product. Legend: Email, Direct Mail, Telemarketing; blue = opt out, red = opt in. Per-country values are not recoverable from the transcript.]

  42. Lessons
  • Approach privacy challenges methodically.
  • Data privacy laws are local, data flows are global, and the obligation to comply is universal.
  • One size does not fit all. Aligning practices with the most stringent requirements is unlikely to work well.

  43. Outline
  • Formulating an approach to privacy challenges
  • Background information for international privacy laws
  • Challenges in the EU, Canada, and Beyond
  • Other concerns in addressing international privacy challenges
  • Conclusion

  44. Questions