
10/12/2012

1

International Privacy & Data Protection

Lindsey Greig, CEO, DataGuidance

Web Hull, Sr. Privacy & Compliance

Specialist, Iron Mountain

SCCE 2013 Institute

International Privacy

1) The Challenges

2) 5 Top Tips for an Effective Program

3) Global Roundup

4) Resources


The Challenges

• It’s a big, wide wonderful world, and …

Every country, state, & province wants to have its own law, regulation, enforcement, …

• PII and its many cousins (PHI, ePHI, Sensitive PII) have many different definitions & meanings

(Slide graphic contrasting EU and USA)

The Challenges

Principles, Processes, & Controls

• Notice & Consent

• Data Protection Authorities

• Video Surveillance

• Whistleblowing

• HIPAA/HITECH, Mass. 201 CMR 17.00, & PCI DSS


The Challenges

• What you do & where you do it determines what you have to know & do

– What kind of data do you have, where is it, & what do you do with it?

Controller/Covered Entity

Processor/Subcontractor

The Challenges

• Moving Data Around the Globe

– European Union to Other Countries

• Adequate Countries

• Safe Harbor - USA

• Binding Corporate Rules

• Model Contracts

• Consent


5 Top Tips for an Effective International Privacy Program

1. Have a Program

2. Know What Applies to You

3. All Privacy Laws & Regulations Are Local

4. You Can’t Know Everything All the Time

5. Build & Maintain Your Infrastructure in Advance – Have Friends

But Wait … There’s More!!!

6. Work Hard to Keep Current

And If You Call Right Now!!!

7. Keep Your Key Positions Filled

Global Roundup

• Emerging Global Issues

• Breach Reporting

• Cloud Computing

- USA - FFIEC

- EU


Global Roundup EU Cloud Computing Strategy

– The UK Information Commissioner's Office (ICO) released a cloud computing guide, recommending that cloud customers create a clear record about the categories of data they intend to move to the cloud and warns that using cloud services 'may give rise to more personal data collected...for example, the usage statistics or transaction histories of users may be recorded'.

– The strictest line in the guide concerns cloud customers reviewing the 'guarantees of availability, confidentiality and integrity' of the service provider. The ICO suggests that prospective users arrange for an independent third party to conduct a detailed security audit of the cloud service and provide them with a copy of the assessment.

Global Roundup EU Cloud Computing Strategy

– The guide states that customers should take care if a service provider offers a 'take it or leave it' set of terms and conditions without opportunity for negotiation.

– For cloud services residing outside of the UK, the ICO recommends that providers disclose information about their data centres and the location of sub-processors.

– The EU has also released its Cloud Computing Strategy which, once implemented, could boost the EU’s gross domestic product by €160 billion annually by 2020 and generate 2.5 million new jobs. The EU supports EU-wide certification schemes for cloud service reliability, and technical standards to ensure interoperability and data portability for users of cloud services.


Global Roundup

• European Union

- Cookies

- Proposed EU Data Protection Regulation

Global Roundup

• Proposed EU Data Protection Regulation

– Data breach notification requirement – within 24 hours.

– Fines of up to 2% of global annual turnover

– Privacy by Design, accountability, and a requirement to appoint a Data Protection Officer (DPO)

– Impact on US companies


Global Roundup

Concerns about the regulation:

– Search engines, cloud computing services and software, social networks, and IP addresses should be explicitly mentioned and addressed in the text of the Regulation.

– Overly engineered text of the Directive and Regulation, including the numerous delegated powers given to the EU Commission. A key tension in the Regulation exists between the drive towards harmonisation and the consequent prescriptive practices and procedures that the Commission's version of harmonisation requires.

– Google

Global Roundup

• Europe

– Monaco

– Italy

– Turkey

– Norway


Global Roundup

• Eastern Europe

– Ukraine

– Russia

Global Roundup

• North America

– Cayman Islands

– Mexico

– Canada


Global Roundup North America

Mexico

– The Regulations (administrative rules) to the Federal Law on the Protection of Personal Data Held by Private Parties came into effect on 22 December 2011, making the data protection obligations imposed by the Law and the Regulations fully enforceable.

– The Regulations supply key definitions for the Law and clarify, among other things, the powers given to IFAI, the incentives for self-regulatory schemes, and the actions that must be taken in case of a data breach.

– All parts of the Law and the Regulations are now fully enforceable. However, a grace period applies to certain required security measures: 18 months from the effective date of the secondary regulations, which are due in June 2013.

Global Roundup North America

Canada

– The Office of the Privacy Commissioner of Canada released, on 17 April 2012, an accountability guide for the private sector entitled 'Getting Accountability Right with a Privacy Management Program', which aims to help companies develop a privacy management program that meets the accountability requirements under Canadian law.

– The proposed Privacy Management Program consists of a number of 'building blocks' or steps that companies should take, such as demonstrating organizational commitment by securing 'buy-in from the top' as 'senior management support is key to a successful privacy management program and essential for a privacy respectful culture'.

– Appointment of a privacy officer, establishment of a privacy office with sufficient resources, and a reporting mechanism are also essential parts of a compliant program.


Global Roundup

• Latin America

– Colombia

– Costa Rica

– Peru

– Chile

– Jamaica

– Uruguay

Global Roundup Latin America

Uruguay

– The EU Commission recognised Uruguay's legal framework as providing 'adequate protection' for personal data under the EU Data Protection Directive 95/46/EC, in a decision issued on 23 August 2012.

– The framework is largely based on the standards set out in Directive 95/46/EC and is laid down in Act No 18.331 on the Protection of Personal Data and 'Habeas Data' Action of 11 August 2008.

– Enforcement is guaranteed by administrative and judicial remedies, in particular, by 'habeas data' action, which enables a data subject to take a data controller to court in order to enforce his/her right of access, rectification and deletion.


Global Roundup

• Asia Pacific

– Taiwan

– Thailand

– China

– Malaysia

– Singapore

– New Zealand

– India

– APEC

– Philippines

– Hong Kong

– Australia

– South Korea

Global Roundup Asia Pacific

Philippines

– The Philippines signed the Data Privacy Act of 2012 (Republic Act No. 10173) into law on 15 August 2012, introducing for the first time a data privacy regime in the country.

– Data transfers from the Philippines will be subject to the accountability principle, however the Act provides that this principle is subject to cross-border arrangements and cooperation, to allow for future implementation of the APEC Cross-Border Privacy Rules (CBPR).

– The Act applies to all types of information and both public and private entities, including data controllers and processors located outside of the Philippines but which use equipment or maintain an office in the Philippines.


Global Roundup Asia Pacific

Hong Kong

– The Legislative Council passed - on 27 June 2012 - the Personal Data (Privacy) (Amendment) Ordinance 2012 (the Amendment Ordinance), which significantly amends the sections on the use of personal data for direct marketing purposes and increases the maximum penalty for violations of the direct marketing provisions to HK$ 1 million (approximately € 102,800) and five years' imprisonment.

– The major change from the existing provisions relating to direct marketing is that data users are now required to obtain the express consent of data subjects before they can use personal data for direct marketing.

Global Roundup Asia Pacific

Australia

– The Privacy Amendment (Enhancing Privacy Protection) Bill 2012, which will significantly increase the obligations on organisations that collect or deal with personal data in Australia or from Australian residents, is expected to be passed in Parliament this year.

– The reforms to the Privacy Act will amend the current credit reporting provisions, significantly enhance the functions and powers of the Privacy Commissioner, introduce a single set of principles (the ‘Australian Privacy Principles’ or ‘APPs’) applicable to both the public and private sectors, and, for the first time, introduce significant monetary penalties for certain breaches of the Privacy Act.


Global Roundup Asia Pacific

South Korea

– South Korea passed the Personal Information Protection Act (PIPA) in 2011, which requires for the first time that data controllers create and disclose to data subjects privacy policies detailing the types of personal data they intend to process and how long the data will be retained.

– PIPA regulates the processing of personal data held in both electronic and manual records by any individual, company or government entity. Personal data is defined as any information which, by itself or combined with other information, can identify an individual.

Global Roundup Middle East

Israel

– The Israeli Law, Information and Technology Authority (ILITA) published - on 21 November 2011 - 'Guidelines on the Use of Outsourcing Services of Processing Personal Information (Guideline 2-2011)', which require database owners to assess the need to outsource, and analyse the content to be outsourced prior to engaging a service provider in an outsourcing contract.

– The Guidelines - which came into force on 19 May 2012 - require database owners to ensure the legitimacy of any data transfer and to outsource the minimum amount of data necessary. ILITA also recommends that database owners give service providers access to the database rather than copying the data across to them.


Global Roundup Africa

South Africa

– South Africa currently has no comprehensive data privacy legislation. Data privacy must nonetheless be considered in light of the overarching right to privacy guaranteed under the Constitution of the Republic of South Africa, and of the provisions of the Electronic Communications and Transactions Act 25 of 2002 (the ECT Act), which regulate the electronic collection of personal information, although compliance with those ECT Act provisions is voluntary.

– The Department of Justice and Constitutional Development is drafting data privacy legislation in the form of the Protection of Personal Information Bill, which seeks to establish mandatory information protection principles applicable to the processing of personal information by both public and private bodies, and to establish a Regulator to oversee such processing.

International Privacy Resources

• Free

– Lexology – www.lexology.com

– IAPP Dashboards – www.privacyassociation.org

– Hunton & Williams Blog – www.huntonprivacyblog.com

– Speechly Bircham Webinars – www.speechlys.com

– DataGuidance Alerts - www.dataguidance.com

– DLA Piper Handbook

– Baker & McKenzie Handbook

– Legal Firm Updates & Alerts


International Privacy Resources

• Not Free

– BNA Privacy & Security Law Report – www.bna.com

– BNA World Data Protection Report- www.bna.com

– DataGuidance – www.dataguidance.com

Thank You! &

Questions?


Contact Information

Lindsey Greig - [email protected]

Web Hull – [email protected]