Cross-Border PrivacyIntellectual Property Issues                          Karl Larson                         April 13, 20...
Presentation Overview• Privacy Limitation Justifications• Models of Privacy Protection• United States Protection of Inform...
Presentation Overview• Electronic Privacy Information Center (EPIC)• Privacy International• Data Protection Laws Around th...
Threats to Privacy   • Increasing sophistication of information technology            – Greater capacity to collect, analy...
Privacy Limitation Justifications   •      Free speech   •      Market imperatives of commerce   •      Public security   ...
Models of Privacy Protection• Comprehensive laws  – Europe, Australia, Hong Kong, New Zealand and    Canada• Sectoral Laws...
United States Protection of Information PrivacyTargeted Approach• No precise constitutional guarantee of the right to  pri...
EU Data Protection Directive           95/46/EC (October 24, 1995)                                                        ...
EU Data Protection DirectiveObjective• protect fundamental rights and freedoms of natural  persons, including   – right to...
EU Data Protection DirectiveIntentData-processing systems must respect fundamental rightsand freedoms (whatever the nation...
European Union Data Protection DirectiveArticle 2 – Definitions• personal data – any information relating to an  identifie...
European Union Data Protection DirectiveArticle 3 – ScopeThe Directive applies to processing of all personal data except:•...
European Union Data Protection DirectiveArticle 6 – Personal data must be:• processed fairly and lawfully• collected for s...
EU Data Protection DirectiveArticle 7 – Personal data may be processed only if:•   the data subject has unambiguously give...
EU Data Protection DirectiveArticles 10, 11 and 12Subject has right to know :• the identity of collector of information• p...
EU Data Protection DirectiveArticle 25 – transfers to non-European countries• Transfer of personal data to a non-European ...
EU Data Protection DirectiveArticle 26 – Exceptions where no adequate protection• subject has given unambiguous consent; o...
U.S. Department of Commerce          Commerce-Safe Harbor                                                                 ...
US Department of Commerce-Safe HarborSeven Safe Harbor Principles• Notice – must provide conspicuous notice to individuals...
US Department of Commerce-Safe HarborSeven Safe Harbor Principles• Transfers to Third Parties – must ensure that third par...
US Department of Commerce-Safe HarborSeven Safe Harbor Principles• Relevance – personal information must be relevant for  ...
US Department of Commerce-Safe Harbor            Safe Harbor ListSee Safe Harbor List, available at http://web.ita.doc.gov...
Model Contracts for the Transfer of          Personal Data to Foreign Countries                                           ...
EU-US Data Disclosure           Ongoing Issues Concerning European Airline Passenger Data                                 ...
Electronic Privacy Information Center          (EPIC)                                                                     ...
Privacy International                                                                                                     ...
Google Gmail           Email Content Based AdvertisingSee About Gmail, available at http://mail.google.com/mail/help/scree...
Google Gmail           Privacy International Complaint                                                                    ...
Google Gmail           Groups Call for Investigation of Gmail                                                             ...
Data Protection Laws Around the World                                                                                     ...
Privacy Laws Around the World           Canada – The Personal Information Protection and Electronic Documents Act         ...
Privacy Laws Around the World           Canada – The Personal Information Protection and Electronic Documents Act         ...
Privacy Laws Around the World           Canada – The Personal Information Protection and Electronic Documents Act         ...
Privacy Laws Around the WorldJapan – Personal Information Protection Law•   Passed on May 23, 2003•   Protects information...
Privacy Laws Around the WorldJapan – Personal Information Protection Law• Notice – must provide notice to individuals abou...
Privacy Laws Around the WorldJapan – Personal Information Protection Law• Security – must implement security safeguards an...
Privacy Laws Around the World            Australia – Federal Privacy ActSee The Office of the Privacy Commissioner, Federa...
Privacy Laws Around the WorldOther Countries• Mexico    – Article 214 of the Penal Code protects the disclosure of persona...
Cross-Border Privacy Tips•   There is a global trend toward comprehensive protection which must be    taken into considera...
Useful Resources•   www.privacy.org     – Joint project of the Electronic Privacy Information Center (EPIC) and Privacy   ...
Gardere Wynne Sewell LLP                            Karl Larson               3000 Thanksgiving Tower                     ...
Upcoming SlideShare
Loading in …5
×

Cross Border Privacy : Intellectual Property Issues

641 views
517 views

Published on

Privacy laws vary around the world.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
641
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
10
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Protection in the United States is a fractured, eposodic, recorded targeted patchwork of laws. No precise constitutional guarantee of the right to privacy in the United States
  • Cross Border Privacy : Intellectual Property Issues

    1. 1. Cross-Border PrivacyIntellectual Property Issues Karl Larson April 13, 2007 1
    2. 2. Presentation Overview• Privacy Limitation Justifications• Models of Privacy Protection• United States Protection of Information Privacy• European Union Data Protection Directive• US Department of Commerce-Safe Harbor• Model Contracts for the Transfer of Personal Data to Foreign Countries 2
    3. 3. Presentation Overview• Electronic Privacy Information Center (EPIC)• Privacy International• Data Protection Laws Around the World• Privacy Laws Around the World 3
    4. 4. Threats to Privacy • Increasing sophistication of information technology – Greater capacity to collect, analyze and disseminate information • New developments in medical research and care, telecommunications, advanced transportation systems and financial transfers – Increased level of information generated by each individual • Computers linked together by high speed networks – Increased capability of creating comprehensive dossiers on any person • New technologies in law enforcement, civilian agencies and private companiesSee Andrew T. Kenyon and Megan Richardson, New Dimensions in Privacy Law, International and Comparative Perspectives3-10 (Cambridge University Press, 2006) 4
    5. 5. Privacy Limitation Justifications • Free speech • Market imperatives of commerce • Public security • Means to forge close relationships based on trustSee Andrew T. Kenyon and Megan Richardson, New Dimensions in Privacy Law, International and Comparative Perspectives3-10 (Cambridge University Press, 2006) 5
    6. 6. Models of Privacy Protection• Comprehensive laws – Europe, Australia, Hong Kong, New Zealand and Canada• Sectoral Laws – United States• Self-Regulation – United States• Technologies of Privacy 6
    7. 7. United States Protection of Information PrivacyTargeted Approach• No precise constitutional guarantee of the right to privacy in the United States – Constitutional rights apply to government, not private sectors• Laws are typically targeted based on the type of data rather than all computerized personal data• The four basic types of privacy rights under common law do not offer protection for informational privacy: – Intrusion upon seclusion – Publication of embarrassing private facts – Placing a person in a false light – Appropriation of name, likeness and identity See, e.g., Anita L. Allen-Catellitto, Origins and Growth of U.S. Privacy Law, Second Annual Institute on Privacy Law: Strategies for Legal Compliance in a High-Tech & Changing Regulatory Environment 9, 24 (Practicing Law Institute 2001). 7
    8. 8. EU Data Protection Directive 95/46/EC (October 24, 1995) • Imposes an obligation on member States to ensure that personal information is protected when it is exported to, and processed in, countries outside Europe • A public official enforces the comprehensive data protection lawSee EU Directive, available at http://www.cdt.org/privacy/eudirective/EU_Directive_.html (last visited April 10, 2007) 8
    9. 9. EU Data Protection DirectiveObjective• protect fundamental rights and freedoms of natural persons, including – right to privacy with respect to the processing of personal data• the free flow of personal data between Member States is not to be restricted or prohibited 9
    10. 10. EU Data Protection DirectiveIntentData-processing systems must respect fundamental rightsand freedoms (whatever the nationality or residence ofnatural persons) including:• right to privacy• contributing to economic and social progress, trade expansion and the well-being of individuals 10
    11. 11. European Union Data Protection DirectiveArticle 2 – Definitions• personal data – any information relating to an identified or identifiable natural person• processing of personal data – any operation performed on personal data (e.g., collection . . . )• the data subjects consent – any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data 11
    12. 12. European Union Data Protection DirectiveArticle 3 – ScopeThe Directive applies to processing of all personal data except:• Public security• Defense• State security• Criminal activities of the State• In the course of a purely personal or household activity 12
    13. 13. European Union Data Protection DirectiveArticle 6 – Personal data must be:• processed fairly and lawfully• collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes• adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed• accurate and, where necessary, kept up to date• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed 13
    14. 14. EU Data Protection DirectiveArticle 7 – Personal data may be processed only if:• the data subject has unambiguously given his consent; or• processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or• processing is necessary for compliance with a legal obligation to which the controller is subject; or• processing is necessary in order to protect the vital interests of the data subject; or• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or• processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental 14
    15. 15. EU Data Protection DirectiveArticles 10, 11 and 12Subject has right to know :• the identity of collector of information• purpose for the collection 15
    16. 16. EU Data Protection DirectiveArticle 25 – transfers to non-European countries• Transfer of personal data to a non-European country may take place only if the country ensures an “adequate level of data protection”• EU and United States use different approaches: – United States – targeted privacy laws (typically targeting specific records) – EU – Omnibus approach (comprehensive privacy regulations)• Where no adequate protection – transfer is permitted only by one of the narrow exceptions in Article 26 16
    17. 17. EU Data Protection DirectiveArticle 26 – Exceptions where no adequate protection• subject has given unambiguous consent; or• transfer is necessary for the performance of a contract 17
    18. 18. U.S. Department of Commerce Commerce-Safe Harbor • Created in response to the EU Data Protection DirectiveSee Welcome to the Safe Harbor, available at http://www.export.gov/safeharbor/ (last visited April 10, 2007) 18
    19. 19. US Department of Commerce-Safe HarborSeven Safe Harbor Principles• Notice – must provide conspicuous notice to individuals about – purposes for which it collects and uses the personal information – types of third parties to which it discloses the personal information – contact information for complaints and inquires• Choice – must allow individual to opt-out or opt-in – opt-out of transferring personal information to a third party or using personal information for non-stated purpose if not sensitive – opt-in of transferring personal information to a third party or using personal information for non-stated purpose if sensitive (e.g., medical condition, political opinion, religious beliefs, sex life) 19
    20. 20. US Department of Commerce-Safe HarborSeven Safe Harbor Principles• Transfers to Third Parties – must ensure that third party: – subscribes to the Safe Harbor – is subject to the EU Directive – other adequate finding – agrees to provide at least the same level of privacy protection as is required by the Safe Harbor• Security – reasonable precautions to protect personal information from “loss, misuse and unauthorized access, disclosure, alteration and destruction” 20
    21. 21. US Department of Commerce-Safe HarborSeven Safe Harbor Principles• Relevance – personal information must be relevant for the purposes for which it is to be used• Access - individuals must have access to personal information about them and be able to “correct, amend, or delete” inaccurate information• Enforcement – must include – mechanism for assuring compliance – recourse for individuals to whom the data relate affected by non- compliance – consequences when organization fails to comply 21
    22. 22. US Department of Commerce-Safe Harbor Safe Harbor ListSee Safe Harbor List, available at http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list (last visited April 10, 2007) 22
    23. 23. Model Contracts for the Transfer of Personal Data to Foreign Countries Member States are not under and obligation to notify the Commission if standard contractual clauses are used See Article 26(3)See Model Contracts for the transfer of personal data to third countries, available at 23http://ec.europa.eu/justice_home/fsj/privacy/modelcontracts/index_en.htm (last visited April 10, 2007)
    24. 24. EU-US Data Disclosure Ongoing Issues Concerning European Airline Passenger Data • On May 17, 2004, the European Commission adopted a decision recognizing adequate privacy protections in EU-US passenger data disclosure (allowed the transfer of personal information on European airline travelers to the U.S. government) • On May 30, 2006, the European Court of Justice struck down the EU-US passenger data disclosure deal • On October 6, 2006, the United States and the EU established a temporary arrangement that will expire in July of 2007See EU-US Airline Passenger Data Disclosure, available at http://www.epic.org/privacy/intl/passenger_data.html (last visited April 11, 2007) 24
    25. 25. Electronic Privacy Information Center (EPIC) • A public interest research center in Washington, D.C. • Established in 1994 • Focuses on emerging civil liberties issues and protecting privacy, the First Amendment, and constitutional valuesSee Electronic Privacy Information Center, available at http://www.epic.org/ (last visited April 10, 2007) 25
    26. 26. Privacy International • A human rights group formed in 1990 as a watchdog on privacy issues • Based in London (an office in Washington, D.C.) • Conducts campaigns and research throughout the worldSee Privacy International, available at http://www.privacyinternational.org/ (last visited April 10, 2007) 26
    27. 27. Google Gmail Email Content Based AdvertisingSee About Gmail, available at http://mail.google.com/mail/help/screen2.html (last visited April 12, 2007) 27
    28. 28. Google Gmail Privacy International Complaint Arguments include: • Violates Article 17 for not accepting liability for security of personal information Google disclaims all responsibility and liability for the availability, timeliness, security or reliability of the Service. • Violates Article 29 for a third party reading the contents of email between two parties Google also reserves the right to access, read, preserve, and disclose any information as it reasonably believes is necessary to (a) satisfy any applicable law, regulation, legal process or governmental request, (b) enforce this Agreement, including investigation of potential violations hereof, (c) detect, prevent, or otherwise address fraud, security or technical issues (including, without limitation, the filtering of spam), (d) respond to user support requests, or (e) protect the rights, property or safety of Google, its users and the public. • Violates Article 7 for processing personal data without unambiguous consentSee Complaint: Google Inc – Gmail email service, available athttp://www.privacyinternational.org/issues/internet/gmail-complaint.pdf (last visited April 11, 2007) 28
    29. 29. Google Gmail Groups Call for Investigation of Gmail • On May 3, 2004, EPIC, Privacy Rights Clearinghouse, and the World Privacy Forum urged the Attorney General of California to investigate Google’s Gmail service – Argued that the scanning of e- mails for targeted marketing violates California’s wiretapping laws (California Penal Code § 631) • The groups also called upon Google to suspend the service again, as Gmail users could be liable for violations of the law.See Groups Call for Investigation of Gmail, available at http://www.epic.org/news/2004.html (last visited April 12, 2007) 29
    30. 30. Data Protection Laws Around the World • Blue – Comprehensive Data Protection Law Enacted • Red – Pending Effort to Enact Law • White – No LawSee Data Protection Laws Around the World, available at http://www.privacyinternational.org/survey/dpmap.jpg (last visited April 12, 2007) 30
    31. 31. Privacy Laws Around the World Canada – The Personal Information Protection and Electronic Documents Act • Passed on April 13, 2000 • Applies to organizations that collect, use or disclose personal information in the course of commercial activities – Excludes certain government institutions to which the Privacy Act applies – Excludes certain individuals collecting, using or disclosing public information solely for person or domestic purposes – Excludes certain organizations collecting, using or disclosing public information solely for journalistic, artistic or literary purposes • Personal Information – “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.” • Appropriate purposes - an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstancesSee The Personal Information Protection and Electronic Documents Act, available at 31http://www.privcom.gc.ca/legislation/02_06_01_e.asp (last visited April 12, 2007)
    32. 32. Privacy Laws Around the World Canada – The Personal Information Protection and Electronic Documents Act • Notice – must provide notice to individuals about – purposes for which it collects and uses the personal information – procedures to gain access to personal information held by the organization – contact information of the person who is accountable for the organization’s policies and to whom complaints or inquires can be sent • Limited Collection – collection of personal information shall be limited to that which is necessary for the purposes identified by the organizationSee The Personal Information Protection and Electronic Documents Act, available at 32http://www.privcom.gc.ca/legislation/02_06_01_e.asp (last visited April 12, 2007)
    33. 33. Privacy Laws Around the World Canada – The Personal Information Protection and Electronic Documents Act • Security – must implement security safeguards against loss or theft, unauthorized access, disclosure, copying, use, or modification • Choice – Very limited exceptions where personal information may be used, disclosed or collected without prior consent • Accurate – must be accurate, complete and up-to-date as is necessary for the purpose for which it is to be used • Purpose – must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by lawSee The Personal Information Protection and Electronic Documents Act, available at 33http://www.privcom.gc.ca/legislation/02_06_01_e.asp (last visited April 12, 2007)
    34. 34. Privacy Laws Around the WorldJapan – Personal Information Protection Law• Passed on May 23, 2003• Protects information of individuals – does not cover information of corporations• Applies to the National government, public organizations, and Personal Information Handling Enterprises• Establishes penalties for data collectors who violate the law• Personal Information – “information that may make a living individual distinguishable from others.”• Personal Information Handling Enterprises – entities that use Personal Information Databases in their businesses – Excludes the National government, local public organizations, independent administrative agencies and local independent administrative agencies – Excludes enterprises that process less than 5,000 personal information records per day 34
    35. 35. Privacy Laws Around the WorldJapan – Personal Information Protection Law• Notice – must provide notice to individuals about – name of the data collector – purposes for which it collects and uses the Personal Information • personal information may not be used in a manner that exceeds the scope without prior consent from the individual – procedures to access, modify and terminate the use of personal information – contact information for complaints and inquires (complaints must be responded to adequately and promptly)• Relevance – personal information must be relevant for the purposes for which it is to be used 35
    36. 36. Privacy Laws Around the WorldJapan – Personal Information Protection Law• Security – must implement security safeguards and provide proper supervision of employees and other entities to which personal information may be may be entrusted• Choice – Generally, personal information may not be disclosed or made available to third parties without prior consent (“opt in”); exceptions, when disclosure is: – made in accordance with the law – necessary to protect life, body or property – necessary to protect public health – necessary for governmental purposes 36
    37. 37. Privacy Laws Around the World Australia – Federal Privacy ActSee The Office of the Privacy Commissioner, Federal Privacy Law, available at http://www.privacy.gov.au/act/index.html (last visited April 12, 2007) 37
    38. 38. Privacy Laws Around the WorldOther Countries• Mexico – Article 214 of the Penal Code protects the disclosure of personal information held by government agencies – The General Population Act regulates the National Registry of Population and Personal Information• Russia – Article 24 of the Russian Federation forbids gathering, storing, using and disseminating information on the private life of any person without consent• France – The Data Protection Act covers personal information held by government agencies and private entities 38
    39. 39. Cross-Border Privacy Tips• There is a global trend toward comprehensive protection which must be taken into consideration; may require personal information to be: – obtained fairly and lawfully – used only for the original specified purpose – adequate, relevant and not excessive to purpose – accurate and up to date – destroyed after its purpose is complete• Current international laws should be reviewed prior to any cross-border transfers of personal information and periodically reevaluated – Confirm compliance with Safe Harbor provisions for transfers between US and EU• You are likely to be required to provide additional privacy protections for any cross-border transfers 39
    40. 40. Useful Resources• www.privacy.org – Joint project of the Electronic Privacy Information Center (EPIC) and Privacy International• www.privacyinternational.org – Privacy International• www.epic.org – Electronic Privacy Information Center• www.coe.int – Council of Europe• www.oecd.org – Organization for Economic Co-operation and Development• www.export.gov/safeharbor – U.S. Department of Commerce Safe Harbor• www.privacy.gov.au – The Office of the Privacy Commissioner of Australia 40
    41. 41. Gardere Wynne Sewell LLP Karl Larson 3000 Thanksgiving Tower 1601 Elm Street Dallas, TX 75201-4761Phone: 214.999.4582 Fax: 214.999.3582 klarson@gardere.com 41

    ×