International Privacy Challenges Affecting U.S. Companies Operating in Canada, Europe, and Beyond

Panelists

Dorene Stupski, CIPP/US, CIPP/C

Director, Information Protection and Privacy, Marriott International Incorporated

Mitchell Merowitz

Vice President Corporate Affairs, LoyaltyOne

Mehmet Munur, CIPP/US

Attorney, Tsibouris & Associates, LLC

Outline
  • Formulating an approach to privacy challenges
  • Background information for international privacy laws
  • Challenges in the EU, Canada, and Beyond
  • Other concerns in addressing international privacy challenges
  • Conclusion
Lessons
  • Approach international privacy challenges methodically.
  • Data privacy laws are local, data flows are global, obligation to comply is universal.
  • One size does not fit all. Aligning all practices with the most stringent requirement anywhere is unlikely to work well.
Jurisdiction
  • Am I subject to jurisdiction?
    • Over the internet?
    • Via payments?
    • Due to employees, stores, data centers?
    • Mergers and acquisitions?
  • What does the law require?
    • What is the climate like?
  • Am I subject to conflicts?
International Privacy Laws
  • Organisation for Economic Co-operation and Development Privacy Principles
  • Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
  • EU Data Protection Directive
  • Asia Pacific Economic Cooperation Privacy Framework
Major Challenges in Europe
  • EU Data Protection Directive and its revisions in the near future
  • EU E-Privacy Directive and the most recent revisions
Data Protection Directive

Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State.

Concepts
  • Personal Data: any information relating to a data subject
  • Data Subjects: identified or identifiable natural person
  • Sensitive Personal Data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life.
  • Establishment: the effective and real exercise of activity through stable arrangements
Concepts
  • Data Controller: entity that determines the purposes and means of processing
  • Processor: processes personal data on behalf of the controller
  • Processing: any operation performed upon personal data
  • Consent: freely given, specific, unambiguous, explicit, informed indication of wishes
Concepts
  • Establishment
  • Choice of law and jurisdiction
  • Notice
  • Notification
  • Legitimacy
  • Proportionality
  • Adequacy and international transfers
Legal Bases for Processing
  • Unambiguous consent
  • Necessary for:
    • Contract
    • Compliance with legal obligation
    • Protection of the vital interests
    • Performance of task carried out in public interest
    • Legitimate interests of the controller, except where overridden by the interests or fundamental rights of the data subject
Grounds for Transfers
  • General Rule: Transfers to 3rd Countries with inadequate protections prohibited
    • Transfers within the EU/EEA are not restricted; adequacy has been recognised by Commission decision for Canada, Argentina, Switzerland, Israel, Uruguay and U.S. Safe Harbor participants, among others
  • Exceptions:
    • Unambiguous consent
    • Standard Contractual Clauses
    • Binding Corporate Rules
EU Data Protection Directive
  • Employment issues:
    • Human resources databases
    • Employee hiring and firing
    • Employee monitoring
    • Sensitive personal information
EU Data Protection Directive
  • Whistleblower Hotlines
    • Anonymity
    • Subject matter
    • Reported employees
    • Information and access rights
    • Outsourcing
  • Works councils
EU Data Protection Directive
  • Service providers
    • Cloud Computing
    • National Security Letters
    • Electronic discovery
  • Data Protection Authorities
  • Uniformity
Revisions to the Data Protection Directive
  • About 2 years away
  • Removal of notification
  • Addition of breach notification for all personal information
  • Privacy by Design and Accountability
  • Data Protection Officers
Revisions to the Data Protection Directive
  • Streamlined access rights
  • Right to be forgotten
  • Uniformity
  • Expanded Binding Corporate Rules
  • Substantial increase in fines
    • 2% of annual turnover
E-Privacy Directive
  • Personal information and non-personal information
  • Cookies and related technologies
  • Consent required
  • Varying levels of justification for use of technologies
  • Implementation behind schedule
  • Uniformity
E-Privacy Directive Compliance
  • Audit for cookies and related technologies.
  • Determine purposes and intrusiveness of cookies.
  • Determine retention period of the cookies and related technologies.
  • Remediate the issues found in the audit.
E-Privacy Directive Compliance
  • Select a consent method that justifies the use of each cookie.
  • Draft a cookie policy that supplements the privacy policy.
  • Compile a list of cookies that complements the cookie policy.
  • Publish the policy, the cookie list, and the consent method.
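The first and third audit steps above (finding the cookies a site sets and determining how long each one is retained) can be partly automated, and the resulting list is the raw material for the cookie list that the second slide asks for. What follows is an added example in Python, not material from the panel or from any vendor's tool. It parses Set-Cookie header values captured from the site under review, classifies each cookie as session or persistent (Max-Age taking precedence over Expires, as RFC 6265 specifies), flags cookies scoped to a third-party domain, and records the security attributes present. The sample headers, the site host `www.example.com`, the audit date and the 365-day retention threshold are all constructed for the example. Whether a given cookie is strictly necessary or intrusive (step two of the audit) remains a human judgement; the `purposes` map is where that judgement gets recorded so the script can flag cookies nobody has yet classified.

```python
"""Cookie audit helper for an E-Privacy Directive review (added example).

Parses raw Set-Cookie header values and records, per cookie, its retention,
whether it is third-party, its security attributes and its documented purpose.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional


@dataclass
class CookieRecord:
    name: str
    domain: str                      # host(s) the browser will send the cookie to
    third_party: bool                # domain is neither the audited host nor a parent of it
    persistent: bool                 # survives the end of the browser session
    retention_days: Optional[float]  # None for session cookies
    secure: bool
    http_only: bool
    same_site: str                   # "Strict", "Lax", "None", or "" when absent
    purpose: str                     # "unclassified" until the audit assigns one


def _covers_host(host: str, cookie_domain: str) -> bool:
    """True when cookie_domain equals host or is a parent domain of it."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def parse_set_cookie(header: str, site_host: str, now: datetime,
                     purposes: Optional[dict[str, str]] = None) -> CookieRecord:
    """Turn one Set-Cookie header value into a CookieRecord."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    # No Domain attribute means the cookie is host-only for the setting host.
    domain = attrs.get("domain", "").strip(".").lower() or site_host.lower()

    # RFC 6265: Max-Age takes precedence over Expires when both are present.
    retention: Optional[timedelta] = None
    if "max-age" in attrs:
        retention = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        retention = parsedate_to_datetime(attrs["expires"]) - now
    persistent = retention is not None and retention.total_seconds() > 0

    return CookieRecord(
        name=name,
        domain=domain,
        third_party=not _covers_host(site_host, domain),
        persistent=persistent,
        retention_days=round(retention.total_seconds() / 86400, 2) if persistent else None,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        same_site=attrs.get("samesite", ""),
        purpose=(purposes or {}).get(name, "unclassified"),
    )


def audit_cookies(headers: list[str], site_host: str, now: datetime,
                  purposes: Optional[dict[str, str]] = None,
                  max_retention_days: float = 365) -> list[dict]:
    """Return one finding per cookie: the record plus the points to remediate.

    max_retention_days is an assumed review threshold, not a figure from the
    Directive; set it to whatever the organisation's retention policy says.
    """
    findings = []
    for header in headers:
        rec = parse_set_cookie(header, site_host, now, purposes)
        issues = []
        if rec.purpose == "unclassified":
            issues.append("no documented purpose")
        if rec.third_party:
            issues.append("third-party domain: needs consent unless strictly necessary")
        if rec.persistent and rec.retention_days > max_retention_days:
            issues.append(f"retention {rec.retention_days} days exceeds {max_retention_days}")
        if not rec.secure:
            issues.append("missing Secure attribute")
        findings.append({"cookie": rec, "issues": issues})
    return findings


# Constructed sample input for the example (not captured from any real site).
SITE_HOST = "www.example.com"
AUDIT_TIME = datetime(2012, 6, 1, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
    "lang=en; Path=/; Max-Age=31536000",
    "_track=9f8e7d; Domain=.ads.example.net; Path=/; Expires=Wed, 31 Dec 2014 23:59:59 GMT",
    "pref=dark; Domain=.example.com; Path=/; Max-Age=86400; "
    "Expires=Wed, 31 Dec 2014 23:59:59 GMT; SameSite=Lax",
]
KNOWN_PURPOSES = {"JSESSIONID": "session management (strictly necessary)"}

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS, SITE_HOST, AUDIT_TIME, KNOWN_PURPOSES):
        c = finding["cookie"]
        print(f"{c.name:<12} {c.domain:<18} third_party={c.third_party!s:<5} "
              f"persistent={c.persistent!s:<5} days={c.retention_days} "
              f"issues={finding['issues']}")
```

Run against real captures, the headers would come from a crawl of the site (every response, including those from embedded third-party resources) and `now` would be the capture time, since an Expires value only makes sense relative to when it was set. The tracking cookie in the sample is the case the Directive is aimed at: third-party, persistent for well over a year, and with no purpose on file.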
PIPEDA Basics
  • Accountability: identify a role and adopt suitable measures to comply with obligations under the Act, including staffing requirements and training.
  • Identifying Purposes: identify and communicate the purposes for which information is collected.
  • Consent: explain the concept to individuals and obtain their consent (express or implied).
  • Limiting Collection: limit to necessary information that fulfills the purpose of collection of information obtained lawfully and fairly.
  • Limiting Use, Disclosure & Retention: use to fulfill purposes of collection and deleting information that is no longer required.
PIPEDA Basics
  • Accuracy: maintain up-to-date and complete files.
  • Safeguards: must be implemented based on sensitivity of information.
  • Openness: provide clear statements about practices and policies for collection, use and disclosure of information and document purposes for collection.
  • Individual Access: provide reasonable access to information when requested and to correct for accuracy and completeness when requested.
  • Challenging Compliance: mechanisms for questions or complaints and information about federal and provincial complaint procedures.
PIPEDA Amendments – Bill C-28
  • OPC can now use its discretion in the investigation of complaints filed under PIPEDA. Information can also now be shared with Provincial Commissioners.
  • Commissioner can decline investigating complaints deemed trivial or frivolous, non-jurisdictional, not initially sought-through with the affected organization, not timely, etc.
  • Implementation: Brought into force in March 2011 and currently being implemented by the Office of the Privacy Commissioner of Canada (OPC).
PIPEDA Amendments – Bill C-12
  • Amendments include recommendations from the first Parliamentary PIPEDA 5 year review (2007).
  • Amendments will also further clarify: required elements for valid consent, situations where disclosure of personal information without consent can occur, situations where businesses can collect and use personal information related to prospective or completed business transactions and requirements for businesses to report data breaches to the OPC.
  • Proposed Timeline: introduced in the House of Commons on September 29, 2011; has not yet moved to Second Reading nor sent to Committee.

*second PIPEDA 5 year review (2012) has not yet been undertaken by Parliament

CASL – Canada’s Anti-Spam Legislation(formerly FISA – Fighting Internet Spam Act)
  • Regulates the sending of commercial "electronic messages", defined to include text, sound, voice and image messages sent to email, instant messaging, telephone, etc. (i.e., prohibitions aimed at preventing spam).
  • Applies to Canadian and international organizations (all who transmit to Canadians).
  • Requires express consent, with a few exceptions: notably, businesses, charities and political parties with an existing relationship can rely on implied consent for the delivery of e-messages for two years past the last interaction.
  • Administrative emails, i.e., transactional communications, are also exempt from the express consent requirement.
CASL – Canada’s Anti-Spam Legislation(formerly FISA – Fighting Internet Spam Act)
  • E-messages must clearly identify the sender, provide accurate contact information/address and a transparent opt-out option.
  • Implementation: (a) Canadian Radio-television and Telecommunications Commission (CRTC); (b) Industry Canada (IC), together with the Federal Privacy Commissioner.
  • Timeline: passed in December 2010; final CRTC regulations registered; IC regulations expected shortly; implementation expected in 2012/13.
  • Enforcement: CRTC can impose Administrative Monetary Penalties up to $1 million per violation for individuals/$10 million for businesses.
Bill C-30 and U.S. Legislation that May Affect Existing Canadian Law

C-30

  • Bill C-30, Protecting Children from Internet Predators Act, is Canada’s version of the U.S. CISPA bill. Presently, this cyber security bill is not being linked to C-12 or any other privacy legislation.
    • Recent comments in the U.S. media have attempted to link Canadian cyber security and privacy legislation and have compared the package to CISPA. If Canadian privacy advocates choose to adopt this position, it will have an impact on all privacy legislation moving forward.
  • Proposed Timeline: introduced in the House of Commons on February 14, 2012 and has not yet moved to Second Reading nor sent to Committee.
Bill C-30 and U.S. Legislation that May Affect Existing Canadian Law

Online Behavioral Advertising (OBA)

  • Efforts to address OBA in Canada are led by the OPC. The OPC currently believes that practices pertaining to OBA and tracking are covered under PIPEDA provisions.
  • A recent OPC position paper outlined that OBA is an appropriate purpose for collecting PI and that meaningful consent is required prior to engaging in OBA.
  • Opt-in (explicit) consent is the best practice for OBA; however opt-out (implied) consent is appropriate in limited circumstances.
Bill C-30 and U.S. Legislation that May Affect Existing Canadian Law
  • The OPC recently conducted research on 25 websites avidly used by Canadians and found that 11 of the 25 were disclosing users' personal information to third parties without the users' knowledge or consent ("web leakage").
  • The OBA environment in Canada is fluid.

Next steps for Canada may be dependent on further action taken by the Federal Trade Commission or the movement of Bills through Congress.

Asia Pacific

Organizational Considerations & Challenges:

  • Data protection regimes vary significantly
    • Few countries have comprehensive data protection regimes in place today
    • Some countries are working towards implementing legislation
    • Many countries desire EU adequacy
    • Many countries rely on general legal principles, sector specific legislation, non-binding guidelines or a combination
Asia Pacific: Varying Regimes

Australia: Current Regulations

  • Privacy Act 1988 (Cth) (Privacy Act)
    • Regulates collection, use and disclosure of PI about individuals
  • Information Privacy Principles (IPPs)
    • Apply to Australian Government agencies
  • National Privacy Principles (NPPs)
    • Apply to private-sector organisations when collecting, storing, using and disclosing PI
  • Privacy Amendment (Enhancing Privacy Protection) Bill 2012
    • Creates a single set of Australian Privacy Principles (APPs) that will regulate both government agencies and the private sector
    • Extends jurisdiction to organisations with an Australian link
Asia Pacific: Varying Regimes

India: Current regulation

  • Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
    • Initial concern in the outsourcing industry
    • Government clarification: the Rules apply only to Indian bodies corporate collecting data from natural persons
    • Interpretation could be challenged
  • Right to Privacy Bill (draft)
    • Creates a DPA with a registry of data controllers
    • Investigates data breaches
    • Statutory right of privacy
Asia Pacific: Varying Regimes

Singapore: Current regulation

  • Sector-specific legislation
  • Common law
  • 2002 Model Data Protection Code
    • Voluntary code for the private sector, widely respected
  • Proposed Personal Data Protection Bill
    • Expected to pass Q3 2012
    • 18-month sunrise period before obligations take effect
    • Jurisdiction extends to organisations not physically located in Singapore
    • DPO required
    • Do Not Call (DNC) registry
Asia Pacific: Varying Regimes

Philippines: Current regulation

  • Data Privacy Act of 2012
    • Applies to organisations established in the Philippines, or with equipment or an office located there
    • Does not apply to PI originally collected from residents of foreign jurisdictions
Asia Pacific: Varying Regimes

South Korea

  • Act on the Protection of Personal Data
    • Prior consent required
    • Explicit consent for data transfers
  • Breach notification requirement 2014
    • Organizations will be required to disclose publicly:
      • Whether they have been hacked
      • How they managed their incident
      • Staff and budget allocated for security
Asia Pacific
  • Working with local regulators
  • International politics
  • Cultural influence
  • Importance of working with local counsel
Consent Requirements | Asia & South America

Consent Requirements for Organizations Marketing Own Product or Service

[Chart not reproduced in the transcript: per-country consent requirements for email, direct mail and telemarketing, colour-coded blue for opt-out and red for opt-in.]

Consent Requirements | Asia & South America

Consent Requirements if Organization Is Marketing a Different Product or Sharing with a 3rd Party

[Chart not reproduced in the transcript: per-country consent requirements for email, direct mail and telemarketing, colour-coded blue for opt-out and red for opt-in.]

Impact of Consent Requirements by Country | Europe

Consent Requirements for Organizations Marketing Own Product or Service

[Chart not reproduced in the transcript: per-country consent requirements for email, direct mail and telemarketing, colour-coded blue for opt-out and red for opt-in.]

Impact of Consent Requirements by Country | Europe

Consent Requirements for Organizations Sharing Data & Marketing 3rd Party Product

[Chart not reproduced in the transcript: per-country consent requirements for email, direct mail and telemarketing, colour-coded blue for opt-out and red for opt-in.]

Lessons
  • Approach privacy challenges methodically.
  • Data privacy laws are local, data flows are global, obligation to comply is universal.
  • One size does not fit all. Aligning all practices with the most stringent requirement anywhere is unlikely to work well.