Cross-Border Privacy
Intellectual Property Issues




Karl Larson
April 13, 2007
Presentation Overview
• Privacy Limitation Justifications
• Models of Privacy Protection
• United States Protection of Information
  Privacy
• European Union Data Protection Directive
• US Department of Commerce-Safe Harbor
• Model Contracts for the Transfer of Personal
  Data to Foreign Countries


Presentation Overview
• Electronic Privacy Information Center (EPIC)
• Privacy International
• Data Protection Laws Around the World
• Privacy Laws Around the World




Threats to Privacy

• Increasing sophistication of information technology
  – Greater capacity to collect, analyze and disseminate information
• New developments in medical research and care,
  telecommunications, advanced transportation systems and
  financial transfers
  – Increased level of information generated by each individual
• Computers linked together by high speed networks
  – Increased capability of creating comprehensive dossiers on any
    person
• New technologies in law enforcement, civilian agencies and
  private companies

See Andrew T. Kenyon and Megan Richardson, New Dimensions in Privacy Law, International and Comparative Perspectives 3-10 (Cambridge University Press, 2006)
Privacy Limitation Justifications

• Free speech
• Market imperatives of commerce
• Public security
• Means to forge close relationships based on trust

See Andrew T. Kenyon and Megan Richardson, New Dimensions in Privacy Law, International and Comparative Perspectives 3-10 (Cambridge University Press, 2006)
Models of Privacy Protection

• Comprehensive laws
  – Europe, Australia, Hong Kong, New Zealand and
    Canada
• Sectoral Laws
  – United States
• Self-Regulation
  – United States
• Technologies of Privacy



United States Protection of Information Privacy
Targeted Approach
• No precise constitutional guarantee of the right to
  privacy in the United States
      – Constitutional rights apply to government, not private sectors
• Laws are typically targeted based on the type of data
  rather than all computerized personal data
• The four basic types of privacy rights under common
  law do not offer protection for informational privacy:
      – Intrusion upon seclusion
      – Publication of embarrassing private facts
      – Placing a person in a false light
      – Appropriation of name, likeness and identity

See, e.g., Anita L. Allen-Castellitto, Origins and Growth of U.S. Privacy Law, Second Annual Institute on Privacy Law: Strategies for Legal Compliance in a High-Tech & Changing Regulatory Environment 9, 24 (Practicing Law Institute 2001).
EU Data Protection Directive
95/46/EC (October 24, 1995)
• Imposes an obligation on member States to ensure that personal
  information is protected when it is exported to, and processed in,
  countries outside Europe
• A public official enforces the comprehensive data protection law




See EU Directive, available at http://www.cdt.org/privacy/eudirective/EU_Directive_.html (last visited April 10, 2007)
EU Data Protection Directive
Objective
• protect fundamental rights and freedoms of natural
  persons, including
   – right to privacy with respect to the processing of
     personal data
• the free flow of personal data between Member States
  is not to be restricted or prohibited




EU Data Protection Directive
Intent
Data-processing systems must respect fundamental rights
and freedoms (whatever the nationality or residence of
natural persons) including:
• right to privacy

• contributing to economic and social progress, trade
  expansion and the well-being of individuals




European Union Data Protection Directive
Article 2 – Definitions
• personal data – any information relating to an
  identified or identifiable natural person

• processing of personal data – any operation
  performed on personal data (e.g., collection . . . )

• the data subject's consent – any freely given specific
  and informed indication of his wishes by which the
  data subject signifies his agreement to personal data




European Union Data Protection Directive
Article 3 – Scope
The Directive applies to processing of all personal data except:
• Public security
• Defense
• State security
• Criminal activities of the State
• In the course of a purely personal or household activity




European Union Data Protection Directive
Article 6 – Personal data must be:
• processed fairly and lawfully
• collected for specified, explicit and legitimate purposes and
  not further processed in a way incompatible with those
  purposes
• adequate, relevant and not excessive in relation to the
  purposes for which they are collected and/or further processed
• accurate and, where necessary, kept up to date
• kept in a form which permits identification of data subjects
  for no longer than is necessary for the purposes for which the
  data were collected or for which they are further processed



EU Data Protection Directive
Article 7 – Personal data may be processed only if:
•   the data subject has unambiguously given his consent; or
•   processing is necessary for the performance of a contract to which the data
    subject is party or in order to take steps at the request of the data subject prior to
    entering into a contract; or
•   processing is necessary for compliance with a legal obligation to which the
    controller is subject; or
•   processing is necessary in order to protect the vital interests of the data subject;
    or
•   processing is necessary for the performance of a task carried out in the public
    interest or in the exercise of official authority vested in the controller or in a
    third party to whom the data are disclosed; or
•   processing is necessary for the purposes of the legitimate interests pursued by
    the controller or by the third party or parties to whom the data are disclosed,
    except where such interests are overridden by the interests for fundamental



EU Data Protection Directive
Articles 10, 11 and 12
Subject has right to know:
• the identity of collector of information
• purpose for the collection




EU Data Protection Directive
Article 25 – transfers to non-European countries
• Transfer of personal data to a non-European country may
  take place only if the country ensures an “adequate level of
  data protection”
• EU and United States use different approaches:
   – United States – targeted privacy laws (typically
     targeting specific records)
   – EU – Omnibus approach (comprehensive privacy
     regulations)
• Where no adequate protection – transfer is permitted only
  by one of the narrow exceptions in Article 26


EU Data Protection Directive
Article 26 – Exceptions where no adequate protection
• subject has given unambiguous consent; or
• transfer is necessary for the performance of a
  contract




U.S. Department of Commerce
Commerce-Safe Harbor
• Created in response to the EU Data Protection Directive

See Welcome to the Safe Harbor, available at http://www.export.gov/safeharbor/ (last visited April 10, 2007)
US Department of Commerce-Safe Harbor
Seven Safe Harbor Principles
• Notice – must provide conspicuous notice to individuals
  about
   – purposes for which it collects and uses the personal information
   – types of third parties to which it discloses the personal
     information
   – contact information for complaints and inquiries
• Choice – must allow individual to opt-out or opt-in
   – opt-out of transferring personal information to a third party or
     using personal information for non-stated purpose if not sensitive
   – opt-in of transferring personal information to a third party or
     using personal information for non-stated purpose if sensitive
     (e.g., medical condition, political opinion, religious beliefs, sex
     life)

US Department of Commerce-Safe Harbor
Seven Safe Harbor Principles
• Transfers to Third Parties – must ensure that third party:
   – subscribes to the Safe Harbor
   – is subject to the EU Directive
   – other adequate finding
   – agrees to provide at least the same level of privacy protection as is
     required by the Safe Harbor
• Security – reasonable precautions to protect personal
  information from “loss, misuse and unauthorized access,
  disclosure, alteration and destruction”




US Department of Commerce-Safe Harbor
Seven Safe Harbor Principles
• Relevance – personal information must be relevant for
  the purposes for which it is to be used
• Access - individuals must have access to personal
  information about them and be able to “correct, amend,
  or delete” inaccurate information
• Enforcement – must include
   – mechanism for assuring compliance
   – recourse for individuals to whom the data relate affected by non-
     compliance
   – consequences when organization fails to comply




US Department of Commerce-Safe Harbor
Safe Harbor List

See Safe Harbor List, available at http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list (last visited April 10, 2007)
Model Contracts for the Transfer of
Personal Data to Foreign Countries
Member States are not under an obligation to notify the Commission if
standard contractual clauses are used
See Article 26(3)

See Model Contracts for the transfer of personal data to third countries, available at http://ec.europa.eu/justice_home/fsj/privacy/modelcontracts/index_en.htm (last visited April 10, 2007)
EU-US Data Disclosure
Ongoing Issues Concerning European Airline Passenger Data
• On May 17, 2004, the European Commission adopted a decision
  recognizing adequate privacy protections in EU-US passenger data
  disclosure (allowed the transfer of personal information on European
  airline travelers to the U.S. government)
• On May 30, 2006, the European Court of Justice struck down the EU-US
  passenger data disclosure deal
• On October 6, 2006, the United States and the EU established a
  temporary arrangement that will expire in July of 2007

See EU-US Airline Passenger Data Disclosure, available at http://www.epic.org/privacy/intl/passenger_data.html (last visited April 11, 2007)
Electronic Privacy Information Center
(EPIC)
• A public interest research center in Washington, D.C.
• Established in 1994
• Focuses on emerging civil liberties issues and protecting privacy,
  the First Amendment, and constitutional values

See Electronic Privacy Information Center, available at http://www.epic.org/ (last visited April 10, 2007)
Privacy International
• A human rights group formed in 1990 as a watchdog on privacy issues
• Based in London (an office in Washington, D.C.)
• Conducts campaigns and research throughout the world

See Privacy International, available at http://www.privacyinternational.org/ (last visited April 10, 2007)
Google Gmail
Email Content Based Advertising

See About Gmail, available at http://mail.google.com/mail/help/screen2.html (last visited April 12, 2007)
Google Gmail
Privacy International Complaint
Arguments include:
• Violates Article 17 for not accepting liability for security of
  personal information
    Google disclaims all responsibility and liability for the
    availability, timeliness, security or reliability of the Service.
• Violates Article 29 for a third party reading the contents of email
  between two parties
    Google also reserves the right to access, read, preserve, and
    disclose any information as it reasonably believes is necessary to
    (a) satisfy any applicable law, regulation, legal process or
    governmental request, (b) enforce this Agreement, including
    investigation of potential violations hereof, (c) detect, prevent,
    or otherwise address fraud, security or technical issues
    (including, without limitation, the filtering of spam), (d) respond
    to user support requests, or (e) protect the rights, property or
    safety of Google, its users and the public.
• Violates Article 7 for processing personal data without unambiguous
  consent

See Complaint: Google Inc – Gmail email service, available at http://www.privacyinternational.org/issues/internet/gmail-complaint.pdf (last visited April 11, 2007)
Google Gmail
Groups Call for Investigation of Gmail
• On May 3, 2004, EPIC, Privacy Rights Clearinghouse, and the World
  Privacy Forum urged the Attorney General of California to investigate
  Google’s Gmail service
   – Argued that the scanning of e-mails for targeted marketing violates
     California’s wiretapping laws (California Penal Code § 631)
• The groups also called upon Google to suspend the service again, as
  Gmail users could be liable for violations of the law.

See Groups Call for Investigation of Gmail, available at http://www.epic.org/news/2004.html (last visited April 12, 2007)
Data Protection Laws Around the World



• Blue – Comprehensive Data Protection Law Enacted
• Red – Pending Effort to Enact Law
• White – No Law

See Data Protection Laws Around the World, available at http://www.privacyinternational.org/survey/dpmap.jpg (last visited April 12, 2007)
Privacy Laws Around the World
Canada – The Personal Information Protection and Electronic Documents Act
• Passed on April 13, 2000
• Applies to organizations that collect, use or disclose personal
  information in the course of commercial activities
   – Excludes certain government institutions to which the Privacy Act
     applies
   – Excludes certain individuals collecting, using or disclosing public
     information solely for personal or domestic purposes
   – Excludes certain organizations collecting, using or disclosing
     public information solely for journalistic, artistic or literary
     purposes
• Personal Information – “information about an identifiable individual,
  but does not include the name, title or business address or telephone
  number of an employee of an organization.”
• Appropriate purposes – an organization may collect, use or disclose
  personal information only for purposes that a reasonable person would
  consider are appropriate in the circumstances

See The Personal Information Protection and Electronic Documents Act, available at http://www.privcom.gc.ca/legislation/02_06_01_e.asp (last visited April 12, 2007)
Privacy Laws Around the World
Canada – The Personal Information Protection and Electronic Documents Act
• Notice – must provide notice to individuals about
   – purposes for which it collects and uses the personal information
   – procedures to gain access to personal information held by the
     organization
   – contact information of the person who is accountable for the
     organization’s policies and to whom complaints or inquiries can be
     sent
• Limited Collection – collection of personal information shall be
  limited to that which is necessary for the purposes identified by the
  organization

See The Personal Information Protection and Electronic Documents Act, available at http://www.privcom.gc.ca/legislation/02_06_01_e.asp (last visited April 12, 2007)
Privacy Laws Around the World
Canada – The Personal Information Protection and Electronic Documents Act
• Security – must implement security safeguards against loss or theft,
  unauthorized access, disclosure, copying, use, or modification
• Choice – Very limited exceptions where personal information may be
  used, disclosed or collected without prior consent
• Accurate – must be accurate, complete and up-to-date as is necessary
  for the purpose for which it is to be used
• Purpose – must not be used or disclosed for purposes other than those
  for which it was collected, except with the consent of the individual
  or as required by law

See The Personal Information Protection and Electronic Documents Act, available at http://www.privcom.gc.ca/legislation/02_06_01_e.asp (last visited April 12, 2007)
Privacy Laws Around the World
Japan – Personal Information Protection Law
•   Passed on May 23, 2003
•   Protects information of individuals
     – does not cover information of corporations
•   Applies to the National government, public organizations, and Personal
    Information Handling Enterprises
•   Establishes penalties for data collectors who violate the law
•   Personal Information – “information that may make a living individual
    distinguishable from others.”
•   Personal Information Handling Enterprises – entities that use Personal
    Information Databases in their businesses
     – Excludes the National government, local public organizations, independent
       administrative agencies and local independent administrative agencies
     – Excludes enterprises that process less than 5,000 personal information records
       per day




Privacy Laws Around the World
Japan – Personal Information Protection Law
• Notice – must provide notice to individuals about
   – name of the data collector
   – purposes for which it collects and uses the Personal Information
       • personal information may not be used in a manner that exceeds the
         scope without prior consent from the individual
   – procedures to access, modify and terminate the use of personal
     information
   – contact information for complaints and inquiries (complaints
     must be responded to adequately and promptly)
• Relevance – personal information must be relevant for the
  purposes for which it is to be used


Privacy Laws Around the World
Japan – Personal Information Protection Law
• Security – must implement security safeguards and
  provide proper supervision of employees and other entities
  to which personal information may be entrusted
• Choice – Generally, personal information may not be
  disclosed or made available to third parties without prior
  consent (“opt in”); exceptions, when disclosure is:
   – made in accordance with the law
   – necessary to protect life, body or property
   – necessary to protect public health
   – necessary for governmental purposes




                                                               36
Privacy Laws Around the World
            Australia – Federal Privacy Act




See The Office of the Privacy Commissioner, Federal Privacy Law, available at http://www.privacy.gov.au/act/index.html (last visited April 12, 2007)
                                                                                                                                                       37
Privacy Laws Around the World
Other Countries
• Mexico
    – Article 214 of the Penal Code protects against the disclosure of personal
      information held by government agencies
    – The General Population Act regulates the National Registry of
      Population and Personal Information
• Russia
    – Article 24 of the Russian Federation forbids gathering, storing,
      using and disseminating information on the private life of any
      person without consent
• France
    – The Data Protection Act covers personal information held by
      government agencies and private entities


                                                                          38
Cross-Border Privacy Tips

•   There is a global trend toward comprehensive protection which must be
    taken into consideration; may require personal information to be:
     –   obtained fairly and lawfully
     –   used only for the original specified purpose
     –   adequate, relevant and not excessive to purpose
     –   accurate and up to date
     –   destroyed after its purpose is complete
•   Current international laws should be reviewed prior to any cross-border
    transfers of personal information and periodically reevaluated
     – Confirm compliance with Safe Harbor provisions for transfers between US
       and EU
•   You are likely to be required to provide additional privacy protections
    for any cross-border transfers


                                                                              39
Useful Resources
•   www.privacy.org
     – Joint project of the Electronic Privacy Information Center (EPIC) and Privacy
       International
•   www.privacyinternational.org
     – Privacy International
•   www.epic.org
     – Electronic Privacy Information Center
•   www.coe.int
     – Council of Europe
•   www.oecd.org
     – Organization for Economic Co-operation and Development
•   www.export.gov/safeharbor
     – U.S. Department of Commerce Safe Harbor
•   www.privacy.gov.au
     – The Office of the Privacy Commissioner of Australia



                                                                                       40
Gardere Wynne Sewell LLP
                            Karl Larson
               3000 Thanksgiving Tower
                         1601 Elm Street
                 Dallas, TX 75201-4761
Phone: 214.999.4582 Fax: 214.999.3582
                   klarson@gardere.com




                                           41

  • 15. EU Data Protection Directive Articles 10, 11 and 12 Subject has right to know: • the identity of collector of information • purpose for the collection 15
  • 16. EU Data Protection Directive Article 25 – transfers to non-European countries • Transfer of personal data to a non-European country may take place only if the country ensures an “adequate level of data protection” • EU and United States use different approaches: – United States – targeted privacy laws (typically targeting specific records) – EU – Omnibus approach (comprehensive privacy regulations) • Where no adequate protection – transfer is permitted only by one of the narrow exceptions in Article 26 16
  • 17. EU Data Protection Directive Article 26 – Exceptions where no adequate protection • subject has given unambiguous consent; or • transfer is necessary for the performance of a contract 17
  • 18. U.S. Department of Commerce-Safe Harbor • Created in response to the EU Data Protection Directive See Welcome to the Safe Harbor, available at http://www.export.gov/safeharbor/ (last visited April 10, 2007) 18
  • 19. US Department of Commerce-Safe Harbor Seven Safe Harbor Principles • Notice – must provide conspicuous notice to individuals about – purposes for which it collects and uses the personal information – types of third parties to which it discloses the personal information – contact information for complaints and inquiries • Choice – must allow individual to opt-out or opt-in – opt-out of transferring personal information to a third party or using personal information for non-stated purpose if not sensitive – opt-in of transferring personal information to a third party or using personal information for non-stated purpose if sensitive (e.g., medical condition, political opinion, religious beliefs, sex life) 19
  • 20. US Department of Commerce-Safe Harbor Seven Safe Harbor Principles • Transfers to Third Parties – must ensure that third party: – subscribes to the Safe Harbor – is subject to the EU Directive – other adequate finding – agrees to provide at least the same level of privacy protection as is required by the Safe Harbor • Security – reasonable precautions to protect personal information from “loss, misuse and unauthorized access, disclosure, alteration and destruction” 20
  • 21. US Department of Commerce-Safe Harbor Seven Safe Harbor Principles • Relevance – personal information must be relevant for the purposes for which it is to be used • Access – individuals must have access to personal information about them and be able to “correct, amend, or delete” inaccurate information • Enforcement – must include – mechanism for assuring compliance – recourse for individuals to whom the data relate affected by non-compliance – consequences when organization fails to comply 21
  • 22. US Department of Commerce-Safe Harbor Safe Harbor List See Safe Harbor List, available at http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list (last visited April 10, 2007) 22
  • 23. Model Contracts for the Transfer of Personal Data to Foreign Countries Member States are not under an obligation to notify the Commission if standard contractual clauses are used See Article 26(3) See Model Contracts for the transfer of personal data to third countries, available at http://ec.europa.eu/justice_home/fsj/privacy/modelcontracts/index_en.htm (last visited April 10, 2007) 23
  • 24. EU-US Data Disclosure Ongoing Issues Concerning European Airline Passenger Data • On May 17, 2004, the European Commission adopted a decision recognizing adequate privacy protections in EU-US passenger data disclosure (allowed the transfer of personal information on European airline travelers to the U.S. government) • On May 30, 2006, the European Court of Justice struck down the EU-US passenger data disclosure deal • On October 6, 2006, the United States and the EU established a temporary arrangement that will expire in July of 2007 See EU-US Airline Passenger Data Disclosure, available at http://www.epic.org/privacy/intl/passenger_data.html (last visited April 11, 2007) 24
  • 25. Electronic Privacy Information Center (EPIC) • A public interest research center in Washington, D.C. • Established in 1994 • Focuses on emerging civil liberties issues and protecting privacy, the First Amendment, and constitutional values See Electronic Privacy Information Center, available at http://www.epic.org/ (last visited April 10, 2007) 25
  • 26. Privacy International • A human rights group formed in 1990 as a watchdog on privacy issues • Based in London (an office in Washington, D.C.) • Conducts campaigns and research throughout the world See Privacy International, available at http://www.privacyinternational.org/ (last visited April 10, 2007) 26
  • 27. Google Gmail Email Content Based Advertising See About Gmail, available at http://mail.google.com/mail/help/screen2.html (last visited April 12, 2007) 27
  • 28. Google Gmail Privacy International Complaint Arguments include: • Violates Article 17 for not accepting liability for security of personal information Google disclaims all responsibility and liability for the availability, timeliness, security or reliability of the Service. • Violates Article 29 for a third party reading the contents of email between two parties Google also reserves the right to access, read, preserve, and disclose any information as it reasonably believes is necessary to (a) satisfy any applicable law, regulation, legal process or governmental request, (b) enforce this Agreement, including investigation of potential violations hereof, (c) detect, prevent, or otherwise address fraud, security or technical issues (including, without limitation, the filtering of spam), (d) respond to user support requests, or (e) protect the rights, property or safety of Google, its users and the public. • Violates Article 7 for processing personal data without unambiguous consent See Complaint: Google Inc – Gmail email service, available at http://www.privacyinternational.org/issues/internet/gmail-complaint.pdf (last visited April 11, 2007) 28
  • 29. Google Gmail Groups Call for Investigation of Gmail • On May 3, 2004, EPIC, Privacy Rights Clearinghouse, and the World Privacy Forum urged the Attorney General of California to investigate Google’s Gmail service – Argued that the scanning of e-mails for targeted marketing violates California’s wiretapping laws (California Penal Code § 631) • The groups also called upon Google to suspend the service again, as Gmail users could be liable for violations of the law. See Groups Call for Investigation of Gmail, available at http://www.epic.org/news/2004.html (last visited April 12, 2007) 29
  • 30. Data Protection Laws Around the World • Blue – Comprehensive Data Protection Law Enacted • Red – Pending Effort to Enact Law • White – No Law See Data Protection Laws Around the World, available at http://www.privacyinternational.org/survey/dpmap.jpg (last visited April 12, 2007) 30
  • 31. Privacy Laws Around the World Canada – The Personal Information Protection and Electronic Documents Act • Passed on April 13, 2000 • Applies to organizations that collect, use or disclose personal information in the course of commercial activities – Excludes certain government institutions to which the Privacy Act applies – Excludes certain individuals collecting, using or disclosing public information solely for personal or domestic purposes – Excludes certain organizations collecting, using or disclosing public information solely for journalistic, artistic or literary purposes • Personal Information – “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.” • Appropriate purposes – an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances See The Personal Information Protection and Electronic Documents Act, available at http://www.privcom.gc.ca/legislation/02_06_01_e.asp (last visited April 12, 2007) 31
  • 32. Privacy Laws Around the World Canada – The Personal Information Protection and Electronic Documents Act • Notice – must provide notice to individuals about – purposes for which it collects and uses the personal information – procedures to gain access to personal information held by the organization – contact information of the person who is accountable for the organization’s policies and to whom complaints or inquiries can be sent • Limited Collection – collection of personal information shall be limited to that which is necessary for the purposes identified by the organization See The Personal Information Protection and Electronic Documents Act, available at http://www.privcom.gc.ca/legislation/02_06_01_e.asp (last visited April 12, 2007) 32
  • 33. Privacy Laws Around the World Canada – The Personal Information Protection and Electronic Documents Act • Security – must implement security safeguards against loss or theft, unauthorized access, disclosure, copying, use, or modification • Choice – Very limited exceptions where personal information may be used, disclosed or collected without prior consent • Accurate – must be accurate, complete and up-to-date as is necessary for the purpose for which it is to be used • Purpose – must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law See The Personal Information Protection and Electronic Documents Act, available at http://www.privcom.gc.ca/legislation/02_06_01_e.asp (last visited April 12, 2007) 33
  • 34. Privacy Laws Around the World Japan – Personal Information Protection Law • Passed on May 23, 2003 • Protects information of individuals – does not cover information of corporations • Applies to the National government, public organizations, and Personal Information Handling Enterprises • Establishes penalties for data collectors who violate the law • Personal Information – “information that may make a living individual distinguishable from others.” • Personal Information Handling Enterprises – entities that use Personal Information Databases in their businesses – Excludes the National government, local public organizations, independent administrative agencies and local independent administrative agencies – Excludes enterprises that process less than 5,000 personal information records per day 34
  • 35. Privacy Laws Around the World Japan – Personal Information Protection Law • Notice – must provide notice to individuals about – name of the data collector – purposes for which it collects and uses the Personal Information • personal information may not be used in a manner that exceeds the scope without prior consent from the individual – procedures to access, modify and terminate the use of personal information – contact information for complaints and inquiries (complaints must be responded to adequately and promptly) • Relevance – personal information must be relevant for the purposes for which it is to be used 35
  • 36. Privacy Laws Around the World Japan – Personal Information Protection Law • Security – must implement security safeguards and provide proper supervision of employees and other entities to which personal information may be entrusted • Choice – Generally, personal information may not be disclosed or made available to third parties without prior consent (“opt in”); exceptions, when disclosure is: – made in accordance with the law – necessary to protect life, body or property – necessary to protect public health – necessary for governmental purposes 36
  • 37. Privacy Laws Around the World Australia – Federal Privacy Act See The Office of the Privacy Commissioner, Federal Privacy Law, available at http://www.privacy.gov.au/act/index.html (last visited April 12, 2007) 37
  • 38. Privacy Laws Around the World Other Countries • Mexico – Article 214 of the Penal Code protects the disclosure of personal information held by government agencies – The General Population Act regulates the National Registry of Population and Personal Information • Russia – Article 24 of the Russian Federation forbids gathering, storing, using and disseminating information on the private life of any person without consent • France – The Data Protection Act covers personal information held by government agencies and private entities 38
  • 39. Cross-Border Privacy Tips • There is a global trend toward comprehensive protection which must be taken into consideration; may require personal information to be: – obtained fairly and lawfully – used only for the original specified purpose – adequate, relevant and not excessive to purpose – accurate and up to date – destroyed after its purpose is complete • Current international laws should be reviewed prior to any cross-border transfers of personal information and periodically reevaluated – Confirm compliance with Safe Harbor provisions for transfers between US and EU • You are likely to be required to provide additional privacy protections for any cross-border transfers 39
  • 40. Useful Resources • www.privacy.org – Joint project of the Electronic Privacy Information Center (EPIC) and Privacy International • www.privacyinternational.org – Privacy International • www.epic.org – Electronic Privacy Information Center • www.coe.int – Council of Europe • www.oecd.org – Organization for Economic Co-operation and Development • www.export.gov/safeharbor – U.S. Department of Commerce Safe Harbor • www.privacy.gov.au – The Office of the Privacy Commissioner of Australia 40
  • 41. Gardere Wynne Sewell LLP Karl Larson 3000 Thanksgiving Tower 1601 Elm Street Dallas, TX 75201-4761 Phone: 214.999.4582 Fax: 214.999.3582 klarson@gardere.com 41

Editor's notes

  1. Protection in the United States is a fractured, episodic, recorded targeted patchwork of laws. No precise constitutional guarantee of the right to privacy in the United States