cross border privacy : intellectual property issues
TRANSCRIPT
1
Karl LarsonApril 13, 2007
Cross-Border PrivacyIntellectual Property Issues
2
Presentation Overview• Privacy Limitation Justifications• Models of Privacy Protection• United States Protection of Information
Privacy• European Union Data Protection Directive• US Department of Commerce-Safe Harbor• Model Contracts for the Transfer of Personal
Data to Foreign Countries
3
Presentation Overview• Electronic Privacy Information Center (EPIC)• Privacy International• Data Protection Laws Around the World• Privacy Laws Around the World
4
• Increasing sophistication of information technology– Greater capacity to collect, analyze and disseminate information
• New developments in medical research and care, telecommunications, advanced transportation systems and financial transfers– Increased level of information generated by each individual
• Computers linked together by high speed networks– Increased capability of creating comprehensive dossiers on any
person
• New technologies in law enforcement, civilian agencies and private companies
Threats to Privacy
See Andrew T. Kenyon and Megan Richardson, New Dimensions in Privacy Law, International and Comparative Perspectives 3-10 (Cambridge University Press, 2006)
5
• Free speech• Market imperatives of commerce• Public security• Means to forge close relationships based on trust
Privacy Limitation Justifications
See Andrew T. Kenyon and Megan Richardson, New Dimensions in Privacy Law, International and Comparative Perspectives 3-10 (Cambridge University Press, 2006)
6
• Comprehensive laws– Europe, Australia, Hong Kong, New Zealand and
Canada • Sectoral Laws
– United States• Self-Regulation
– United States • Technologies of Privacy
Models of Privacy Protection
7
• No precise constitutional guarantee of the right to privacy in the United States– Constitutional rights apply to government, not private sectors
• Laws are typically targeted based on the type of data rather than all computerized personal data
• The four basic types of privacy rights under common law do not offer protection for informational privacy:– Intrusion upon seclusion– Publication of embarrassing private facts– Placing a person in a false light– Appropriation of name, likeness and identity
United States Protection of Information PrivacyTargeted Approach
See, e.g., Anita L. Allen-Catellitto, Origins and Growth of U.S. Privacy Law, Second Annual Institute on Privacy Law: Strategies for Legal Compliance in a High-Tech & Changing Regulatory Environment 9, 24 (Practicing Law Institute 2001).
8
EU Data Protection Directive95/46/EC (October 24, 1995)
See EU Directive, available at http://www.cdt.org/privacy/eudirective/EU_Directive_.html (last visited April 10, 2007)
• Imposes an obligation on member States to ensure that personal information is protected when it is exported to, and processed in, countries outside Europe
• A public official enforces the comprehensive data protection law
9
• protect fundamental rights and freedoms of natural persons, including
– right to privacy with respect to the processing of personal data
• the free flow of personal data between Member States is not to be restricted or prohibited
EU Data Protection DirectiveObjective
10
• right to privacy
• contributing to economic and social progress, trade expansion and the well-being of individuals
EU Data Protection DirectiveIntent
Data-processing systems must respect fundamental rights and freedoms (whatever the nationality or residence of natural persons) including:
11
• personal data – any information relating to an identified or identifiable natural person
• processing of personal data – any operation performed on personal data (e.g., collection . . . )
• the data subject's consent – any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data
European Union Data Protection DirectiveArticle 2 – Definitions
12
The Directive applies to processing of all personal data except:
• Public security
• Defense
• State security
• Criminal activities of the State
• In the course of a purely personal or household activity
European Union Data Protection DirectiveArticle 3 – Scope
13
• processed fairly and lawfully
• collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes
• adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed
• accurate and, where necessary, kept up to date
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed
European Union Data Protection DirectiveArticle 6 – Personal data must be:
14
• the data subject has unambiguously given his consent; or• processing is necessary for the performance of a contract to which the data
subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
• processing is necessary for compliance with a legal obligation to which the controller is subject; or
• processing is necessary in order to protect the vital interests of the data subject; or
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
• processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental
EU Data Protection DirectiveArticle 7 – Personal data may be processed only if:
15
Subject has right to know :
• the identity of collector of information
• purpose for the collection
EU Data Protection DirectiveArticles 10, 11 and 12
16
• Transfer of personal data to a non-European country may take place only if the country ensures an “adequate level of data protection”
• EU and United States use different approaches:– United States – targeted privacy laws (typically
targeting specific records) – EU – Omnibus approach (comprehensive privacy
regulations)• Where no adequate protection – transfer is permitted only
by one of the narrow exceptions in Article 26
EU Data Protection DirectiveArticle 25 – transfers to non-European countries
17
• subject has given unambiguous consent; or
• transfer is necessary for the performance of a contract
EU Data Protection DirectiveArticle 26 – Exceptions where no adequate protection
18
U.S. Department of CommerceCommerce-Safe Harbor
See Welcome to the Safe Harbor, available at http://www.export.gov/safeharbor/ (last visited April 10, 2007)
• Created in response to the EU Data Protection Directive
19
• Notice – must provide conspicuous notice to individuals about– purposes for which it collects and uses the personal information– types of third parties to which it discloses the personal
information– contact information for complaints and inquires
• Choice – must allow individual to opt-out or opt-in – opt-out of transferring personal information to a third party or
using personal information for non-stated purpose if not sensitive– opt-in of transferring personal information to a third party or
using personal information for non-stated purpose if sensitive (e.g., medical condition, political opinion, religious beliefs, sex life)
US Department of Commerce-Safe HarborSeven Safe Harbor Principles
20
• Transfers to Third Parties – must ensure that third party: – subscribes to the Safe Harbor– is subject to the EU Directive– other adequate finding– agrees to provide at least the same level of privacy protection as is
required by the Safe Harbor
• Security – reasonable precautions to protect personal information from “loss, misuse and unauthorized access, disclosure, alteration and destruction”
US Department of Commerce-Safe HarborSeven Safe Harbor Principles
21
• Relevance – personal information must be relevant for the purposes for which it is to be used
• Access - individuals must have access to personal information about them and be able to “correct, amend, or delete” inaccurate information
• Enforcement – must include – mechanism for assuring compliance– recourse for individuals to whom the data relate affected by non-
compliance– consequences when organization fails to comply
US Department of Commerce-Safe HarborSeven Safe Harbor Principles
22
US Department of Commerce-Safe HarborSafe Harbor List
See Safe Harbor List, available at http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list (last visited April 10, 2007)
23
Model Contracts for the Transfer of Personal Data to Foreign Countries
See Model Contracts for the transfer of personal data to third countries, available at http://ec.europa.eu/justice_home/fsj/privacy/modelcontracts/index_en.htm (last visited April 10, 2007)
Member States are not under and obligation to notify the Commission if standard contractual clauses are used
See Article 26(3)
24
• On May 17, 2004, the European Commission adopted a decision recognizing adequate privacy protections in EU-US passenger data disclosure (allowed the transfer of personal information on European airline travelers to the U.S. government)
• On May 30, 2006, the European Court of Justice struck down the EU-US passenger data disclosure deal
• On October 6, 2006, the United States and the EU established a temporary arrangement that will expire in July of 2007
See EU-US Airline Passenger Data Disclosure, available at http://www.epic.org/privacy/intl/passenger_data.html (last visited April 11, 2007)
EU-US Data DisclosureOngoing Issues Concerning European Airline Passenger Data
25
Electronic Privacy Information Center (EPIC)
See Electronic Privacy Information Center, available at http://www.epic.org/ (last visited April 10, 2007)
• A public interest research center in Washington, D.C.
• Established in 1994
• Focuses on emerging civil liberties issues and protecting privacy, the First Amendment, and constitutional values
26See Privacy International, available at http://www.privacyinternational.org/ (last visited April 10, 2007)
Privacy International
• A human rights group formed in 1990 as a watchdog on privacy issues
• Based in London (an office in Washington, D.C.)
• Conducts campaigns and research throughout the world
27
Google GmailEmail Content Based Advertising
See About Gmail, available at http://mail.google.com/mail/help/screen2.html (last visited April 12, 2007)
28See Complaint: Google Inc – Gmail email service, available at http://www.privacyinternational.org/issues/internet/gmail-complaint.pdf (last visited April 11, 2007)
Arguments include:• Violates Article 17 for not accepting liability for
security of personal informationGoogle disclaims all responsibility and liability for the availability, timeliness, security or reliability of the Service.
• Violates Article 29 for a third party reading the contents of email between two parties
Google also reserves the right to access, read, preserve, and disclose any information as it reasonably believes is necessary to (a) satisfy any applicable law, regulation, legal process or governmental request, (b) enforce this Agreement, including investigation of potential violations hereof, (c) detect, prevent, or otherwise address fraud, security or technical issues (including, without limitation, the filtering of spam), (d) respond to user support requests, or (e) protect the rights, property or safety of Google, its users and the public.
• Violates Article 7 for processing personal data without unambiguous consent
Google GmailPrivacy International Complaint
29
• On May 3, 2004, EPIC, Privacy Rights Clearinghouse, and the World Privacy Forum urged the Attorney General of California to investigate Google’s Gmail service
– Argued that the scanning of e-mails for targeted marketing violates California’s wiretapping laws (California Penal Code § 631)
• The groups also called upon Google to suspend the service again, as Gmail users could be liable for violations of the law.
Google GmailGroups Call for Investigation of Gmail
See Groups Call for Investigation of Gmail, available at http://www.epic.org/news/2004.html (last visited April 12, 2007)
30
Data Protection Laws Around the World
• Blue – Comprehensive Data Protection Law Enacted
• Red – Pending Effort to Enact Law
• White – No Law
See Data Protection Laws Around the World, available at http://www.privacyinternational.org/survey/dpmap.jpg (last visited April 12, 2007)
31
• Passed on April 13, 2000• Applies to organizations that collect, use or disclose personal information
in the course of commercial activities– Excludes certain government institutions to which the Privacy Act applies– Excludes certain individuals collecting, using or disclosing public information
solely for person or domestic purposes– Excludes certain organizations collecting, using or disclosing public
information solely for journalistic, artistic or literary purposes• Personal Information – “information about an identifiable individual, but
does not include the name, title or business address or telephone number of an employee of an organization.”
• Appropriate purposes - an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances
Privacy Laws Around the WorldCanada – The Personal Information Protection and Electronic Documents Act
See The Personal Information Protection and Electronic Documents Act , available at http://www.privcom.gc.ca/legislation/02_06_01_e.asp (last visited April 12, 2007)
32
• Notice – must provide notice to individuals about– purposes for which it collects and uses the personal information– procedures to gain access to personal information held by the
organization– contact information of the person who is accountable for the
organization’s policies and to whom complaints or inquires can be sent
• Limited Collection – collection of personal information shall be limited to that which is necessary for the purposes identified by the organization
Privacy Laws Around the WorldCanada – The Personal Information Protection and Electronic Documents Act
See The Personal Information Protection and Electronic Documents Act , available at http://www.privcom.gc.ca/legislation/02_06_01_e.asp (last visited April 12, 2007)
33
• Security – must implement security safeguards against loss or theft, unauthorized access, disclosure, copying, use, or modification
• Choice – Very limited exceptions where personal information may be used, disclosed or collected without prior consent
• Accurate – must be accurate, complete and up-to-date as is necessary for the purpose for which it is to be used
• Purpose – must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law
Privacy Laws Around the WorldCanada – The Personal Information Protection and Electronic Documents Act
See The Personal Information Protection and Electronic Documents Act , available at http://www.privcom.gc.ca/legislation/02_06_01_e.asp (last visited April 12, 2007)
34
• Passed on May 23, 2003• Protects information of individuals
– does not cover information of corporations• Applies to the National government, public organizations, and Personal
Information Handling Enterprises• Establishes penalties for data collectors who violate the law• Personal Information – “information that may make a living individual
distinguishable from others.”• Personal Information Handling Enterprises – entities that use Personal
Information Databases in their businesses– Excludes the National government, local public organizations, independent
administrative agencies and local independent administrative agencies– Excludes enterprises that process less than 5,000 personal information records
per day
Japan – Personal Information Protection LawPrivacy Laws Around the World
35
• Notice – must provide notice to individuals about– name of the data collector– purposes for which it collects and uses the Personal Information
• personal information may not be used in a manner that exceeds the scope without prior consent from the individual
– procedures to access, modify and terminate the use of personal information
– contact information for complaints and inquires (complaints must be responded to adequately and promptly)
• Relevance – personal information must be relevant for the purposes for which it is to be used
Japan – Personal Information Protection LawPrivacy Laws Around the World
36
• Security – must implement security safeguards and provide proper supervision of employees and other entities to which personal information may be may be entrusted
• Choice – Generally, personal information may not be disclosed or made available to third parties without prior consent (“opt in”); exceptions, when disclosure is:– made in accordance with the law– necessary to protect life, body or property– necessary to protect public health– necessary for governmental purposes
Japan – Personal Information Protection LawPrivacy Laws Around the World
37
Australia – Federal Privacy Act
See The Office of the Privacy Commissioner, Federal Privacy Law, available at http://www.privacy.gov.au/act/index.html (last visited April 12, 2007)
Privacy Laws Around the World
38
• Mexico– Article 214 of the Penal Code protects the disclosure of personal
information held by government agencies– The General Population Act regulates the National Registry of
Population and Personal Information
• Russia– Article 24 of the Russian Federation forbids gathering, storing,
using and disseminating information on the private life of any person without consent
• France– The Data Protection Act covers personal information held by
government agencies and private entities
Other Countries Privacy Laws Around the World
39
• There is a global trend toward comprehensive protection which must be taken into consideration; may require personal information to be:
– obtained fairly and lawfully– used only for the original specified purpose– adequate, relevant and not excessive to purpose– accurate and up to date– destroyed after its purpose is complete
• Current international laws should be reviewed prior to any cross-border transfers of personal information and periodically reevaluated
– Confirm compliance with Safe Harbor provisions for transfers between US and EU
• You are likely to be required to provide additional privacy protections for any cross-border transfers
Cross-Border Privacy Tips
40
Useful Resources• www.privacy.org
– Joint project of the Electronic Privacy Information Center (EPIC) and Privacy International
• www.privacyinternational.org– Privacy International
• www.epic.org– Electronic Privacy Information Center
• www.coe.int– Council of Europe
• www.oecd.org– Organization for Economic Co-operation and Development
• www.export.gov/safeharbor– U.S. Department of Commerce Safe Harbor
• www.privacy.gov.au– The Office of the Privacy Commissioner of Australia
41
Gardere Wynne Sewell LLPKarl Larson
3000 Thanksgiving Tower1601 Elm Street
Dallas, TX 75201-4761Phone: 214.999.4582 Fax: 214.999.3582