What if my organization conducts business across borders ?

1. What if my organization conducts business across borders ? • Privacy and “Personal Information” have different meanings in different countries; however, you should be aware that privacy is regulated to one extent or another in most countries with which the U.S. does business. And regulation in this area is increasing and evolving rapidly. •  Privacy concerns come into play in any situation where uniquely identifiable information relating to a person is collected, processed and stored. • These concerns apply regardless of whether an organization collects uniquely identifiable information in digital form or otherwise. • Typical considerations for businesses and organizations that collect Personal Information may include: • how is Personal Information collected, stored, and associated? • who is given access to your customers’ Personal Information? • how is such information used? • does the individual have any ownership rights to such data , and/or the right to view, verify, and challenge that information?

2. Different Notions of “Privacy” UNITED STATES EUROPEAN UNION Differences also stem from very different historical experiences • Right to privacy as a “fundamental human right” • Privacy as a “human dignity right” • Art. 8 EU Convention of Human Rights: “…respect for…private and family life…home, and…correspondence”. • Protection of people from having their lives exposed to public view, esp. mass media • Right to privacy primarily enforced as “consumer protection right” • Privacy “balanced” against Free Speech; latter often prevails • Implied (not express) right in U.S. Constitution • Protection of people against Government overreaching, esp. at home

3. Different Approaches to Privacy Regulation EUROPEAN UNION UNITED STATES • Free speech and interstate commerce privileged over privacy; protections crafted primarily for consumers • Transfers of personal data are presumed legitimate and necessary (protections limited to situations of egregious misuse or unauthorized access) • Regulation fragmented by economic sector (e.g., HIPAA, FCRA, HITECH, GLBA) not uniformly • Privacy protection is privileged over economic efficiency and speech, even if this creates trade barriers • Transfers of personal data in commerce, at work, etc. presumed to not be legitimate unless there is a “legal basis” (express consent; fulfillment of contractual or legal obligations) • Data Protection Principles • Most countries not deemed to offer “adequate protection”

4. PRIVACY REGULATION IN CANADA • Canada often assumed to be similar to the U.S. with respect to business practices; but privacy regulation is another matter. Canadian approach to confidentiality and the transfer of Personal Information is much more in line with the European model than that of the U.S. • Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) became effective in 2004 and provides a federal-level personal information protection regime • Basic principles and obligations for organizations covered by PIPEDA: • obtain an individual's consent when they collect, use or disclose the individual's personal information. • the individual has a right to access personal information held by an organization and to challenge its accuracy, if need be. • personal information can only be used for the purposes for which it was collected. If purpose changes, consent must be obtained again. • individuals should also be assured that their information will be protected by specific safeguards, including measures such as locked cabinets, computer passwords or encryption.

5. PRIVACY REGULATION IN MEXICO • Mexico enacted comprehensive data protection law in 2010, the “Law on the Protection of Personal Data in the Possession of Private Entities” (“LFPD”) • LFPD regulates the processing of personal information by private companies (other than credit bureaus, which are regulated separately) and seeks to protect citizens’ rights to “privacy and to personal information self-determination”. • The LFPD provides data subject s the right to give his/her consent to the processing of personal data, subject to certain statutory exceptions. • The data controller must disclose to the data subject, through a privacy notice the information gathered about him/her and the use(s) to be given to said information. • LFPD requires express written consent of the data subject for the disclosure of sensitive personal data (incl. ethnic origin, current or foreseeable health condition(s), genetic information, religious, philosophical or moral beliefs, labor union affiliation, political opinions and/or sexual orientation). • The LFPD creates a right of civil action for data subjects for the data controllers’ breaches of the LFPD.

6. B-2-B agreements Business regarding use of personal Customers Partners information Privacy Policy Terms and Conditions Your Organization Representations made re: Agreements to use personal Use of Personal Information information only for your organization Internal policies and Service Employees procedures regulating Providers access to and use of personal information How to Address Privacy Compliance Across National Borders with Different Constituencies

7. Other Country Regulation & Select Resources • http://www.ey.com/Publication/vwLUAssets/Privacy_trends_2012/$FILE/Privacy-trends-2012_AU1064.pdf • http://www.financierworldwide.com/AnnualReviews/AR_DataProtection_326jpm.pdf • http://heatmap.forrestertools.com/