• Save
Ceic2009 International Data Protection
Upcoming SlideShare
Loading in...5

Ceic2009 International Data Protection






Total Views
Views on SlideShare
Embed Views



10 Embeds 500

http://forensicfactory.tistory.com 409
http://www.elitigation.com.au 56
http://www.ledjit.com 14
http://www.ledjit.ca 11
http://ledjit.ca 5
http://e-discoveryinformation.com 1
http://www.slideshare.net 1
http://www.linkedin.com 1
http://www.elaw.com.au 1
http://translate.googleusercontent.com 1


Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Ceic2009 International Data Protection Ceic2009 International Data Protection Presentation Transcript

  • International Data Protection and Privacy Laws Patrick Burke, Seamus E. Byrne, Chris Dale and Dominic Jaar
  • Agenda  Defining Data Protection  United States  European Union  Key Jurisdictions  United Kingdom  European Union  Canada  Asia-Pacific P A G E 2
  • Defining Data Protection United States  Legal  Financial orientation  Marketing orientation  Medical orientation  Information Technology  Data security and risk  Data loss and leakage P A G E 3
  • Defining Data Protection European Union  In many civil law jurisdictions, particularly the EU, protection of personal data is perceived as a fundamental human right  Almost all data protection and privacy laws have a general prohibition on cross-border data transfer P A G E 4
  • Definition “Personal Data”  UK Definition  “Data which relates to a living individual who can be identified - (a) from the data, or (b) from the data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.”  Includes e-mail containing the employees’ email address P A G E 5
  • Definition “Sensitive Personal Data”  Racial or ethnic origin  Political opinions  Religious beliefs or other beliefs of a similar nature  Physical or mental health or condition  Trade union membership  Sex life  Commission or alleged commission of any offence, including any disposed proceedings P A G E 6
  • Defining Data Protection European Union  “Processing” of “Personal Data”  Searching  Viewing or investigating  Collecting, copying or duplicating  Transfer P A G E 7
  • Defining Data Protection Cultural Challenges  Quest for justice v. individual privacy rights  French Sarbanes-Oxley (SOX) whistleblower case P A G E 8
  • European Union  United Kingdom  Germany  France  Switzerland  Sweden  Denmark P A G E 9
  • European Union Data Protection – Transfer Restrictions  Data Protection Directive 95/46/EC (1995)  Each EU Member State has adopted with varied consistency  General prohibition of personal data transfer to foreign jurisdictions  Guiding Principle - Cross-Border Transfer – Art 25(1)  “The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection”  EU to US Safe Harbor Framework P A G E 10
  • European Union Data Protection - Transfer Restrictions  Legal Defense Exception - Cross-Border Transfer - Art 26(1)(d)  “By way of derogation from Article 25 and save where otherwise provided by domestic law governing particular cases, Member States shall provide that a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2) may take place on condition that: (d) the transfer is necessary or legally required on …for the establishment, exercise or defense of legal claims” P A G E 11
  • European Union Data Protection  If US subsidiary, subject to an order for discovery, is located within one or more EU Member States, consult local legal advisory to examine whether ESI may be transferred to the US by:  Consent  Standard Contractual Clauses (Limited Liability)  Binding Corporate Rules approved by Data Protection Authority  Safe Harbor compliance is strongly recommended for both US parent companies and any engaged external service providers as data recipients  Also consider viability of processing and reviewing potentially discoverable ESI within the EU Member State, and redacting personal data, prior to US transfer P A G E 12
  • United Kingdom Regulatory Framework  Collection of electronic records necessarily implicates employee privacy issues (data protection far more stringent in the UK and EU than in the US  EU Data Protection Directive 1995  Data Protection Act 1998  Regulation of Investigatory Powers Act 2000  Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 P A G E 13
  • United Kingdom Proportionality  The 1995 EU Directive was issued to harmonize data protection legislation throughout the EU so as to balance:  Protection of individual employees’ fundamental right to privacy as to personal data versus  The goal of a free flow of personal data within the EU, so as to improve the operation of a single European market  The UK Act states that its aim is to strike a balance between:  The legitimate expectations of workers that personal information about them will be handled properly versus  The legitimate interests of employers in deciding how best, within the law, to run their own businesses  The UK Act regime urges proportionality, meaning that the investigation of personal data shall be:  “adequate, relevant and not excessive in relation to the purpose or purposes of the investigation” P A G E 14
  • Germany  Federal Data Protection Act (Bundesdatenschutzgesetz)  Regulates the collection of personal data as well as the storage, alteration, transfer, blocking, deletion and use of such data.  It also allows for collection of employee data under certain circumstances and calls for a balance between the legitimate business purposes of the company and the legitimate privacy interests of affected employees.  In some situations, employee notification and even consent are required for collection of personal data.  The Federal Data Protection Act regulates compliance with the law through company self-monitoring and external government oversight. It also differentiates between criminal and administrative violations of the law as well penalties for such infractions.  Data protection is also regulated on the state level. P A G E 15
  • Germany Works Council Rights  Under the Works Constitution Act, works councils have the right to co-determination in matters affecting company structure, personnel decisions, and policies regulating workplace and individual conduct within the company.  The rights of a works council can be categorized as follows:  Information: The works council has the right to information regarding the implementation or change of practices or policies at the company. If necessary, the employer must provide documentation to that effect.  Consultation and Cooperation: The works council has the right to consult and cooperate with management to jointly discuss and develop the topic at issue.  Veto Right: A works council has the right to block certain management decisions. The employer is required to keep the works council fully informed in matters relating to operations and personnel planning so that the council can participate in drafting company policy.  The purpose of this is to allow the works council to cooperate with management to avoid potential disputes and raise relevant concerns or other suggestions. P A G E 16
  • Germany Works Council Suggestions  Generally  Make your presentation in German  Get on the Works Council agenda as early as possible  Assure that collections will be done “in-country”  Permit employees to create a “personal folder”  Emphasize that existing investigative policies already approved by the Works Council will remain in place  If using EnCase Enterprise  Ability to restrict searches by file type  Emphasize that it can enable you to avoid collecting employee personal e-mail and documents  How it can be configured to prevent employee data from being transferred outside the EU P A G E 17
  • France  Last Member State to implement European Directive no. 95/46 EC (October 24, 1995) by Act no. 2004-801 (August 6, 2004)  Article 2  Declare and notify any processing of “personal data” — any information relating to an identified natural person or a natural person who can be identified by reference to an identification number or to “one or more factors specific to him  Data relating to legal entities is excluded from the scope of the Act  Removal of the distinction between the public and private sector  Creation of a distinction based on whether or not the processing is dangerous in terms of individual privacy protection. P A G E 18
  • France  Strauss v. Credit Lyonnais, S.A., 242 F.R.D. 199 (E.D.N.Y. May 25, 2007)  Federal District Court in New York proceeding under the Anti-Terrorism Act 1992  Bank potentially had info in relation to charity involved with terrorists  Defendant pleaded French criminal code  US Court rejected the blocking statute — (1) the importance to the litigation of the documents or other information requested; — (2) the degree of specificity of the request; — (3) whether the information originated in the United States; — (4) the availability of alternative means of securing the information; and — (5) the extent to which noncompliance with the request would undermine important interests of the United States, or compliance with the request would undermine the important interests of the state where the information is located.  In re Advocat “Christopher X”, Cour de Cassation, French Supreme Court, December 12, 2007, Appeal n 07-8322 P A G E 19
  • France  Data controller must be notified about any data processing  Only data processing presenting specific risks to individual rights is subject to authorization, e.g. sensitive data  “Personal data protection correspondent”  Independently ensuring compliance with legal obligations  Organization is not required to notify the CNIL P A G E 20
  • France  Opt-in system: data subject’s prior consent  Right of opposition: no justification necessary  Even if it does not ensure “adequate protection”, transfers are still possible if  the data subject expressly consents to the transfer  the transfer is necessary in order to comply with obligations for the establishment, exercise or defense of legal claims P A G E 21
  • Switzerland  Swiss Banking Act  Makes it a criminal offense to divulge banking information — Whoever tries to induce others to violate professional secrecy shall be punished by imprisonment (up to six months) or fine (SFr. 50,000)  Art 271, Swiss Penal Code  Prohibits the gathering of evidence in Switzerland for use in a foreign proceeding unless done through judicial assistance  Art 273, Swiss Penal Code  Prohibits “disclosing business secrets of third parties residing in Switzerland to foreign states and foreign entities” (including affiliates and parent companies) P A G E 22
  • Sweden  Contrary to most other states  Does not require Data Controllers to be notified prior to processing any data  Those engaged in the electronic processing of personal data must register with the Data Inspection Board  Data subject’s consent, except if  Contractual necessity;  Comply with a legal obligation;  Protect a subject’s vital interests;  Perform a task in the public interest/official authority;  Satisfy a legitimate interest of greater weight than the subject’s personal integrity interest;  Public information. P A G E 23
  • Denmark  Hague Convention not applicable  Denmark (and Austria) has extended the protection to cover “legal persons” as well as individuals P A G E 24
  • Canada  Federal  Personal Information Protection and Electronic Documents Act  Foreign Extraterritorial Measures Act  Provincial  Quebec Business Concerns Records Act  Ontario Business Records Protection Act  Privacy is similar to EU  Quebec Privacy Acts  Provincial Privacy Acts  Blocking statutes  Reaction to the application of US laws to Canada — Cuban Policy — Asbestos P A G E 25
  • Asia-Pacific Data Protection and Privacy Australia Privacy Act 1988 •2001 Amendments National Privacy Principle 9 •Substantially similar privacy laws •Actual (or likely) consent •Contractual necessity •Intra-organization transfer is permitted where reasonable •NEW! ALRC Report 108 •Authority: Privacy Commissioner P A G E 26
  • Asia-Pacific Data Protection and Privacy China (PRC) •Very limited constitutional right to privacy •Widespread communications surveillance P A G E 27
  • Asia-Pacific Data Protection and Privacy Hong Kong SAR Personal Data (Privacy) Ordinance Section 33 •Actual (or likely) consent •Substantially similar privacy laws (~by Commissioner Notice) •Authority: Privacy Commissioner P A G E 28
  • Asia-Pacific Data Protection and Privacy Taiwan Computer-Processed Personal Data Protection Act 1995 Article 24 •Written consent •Adequate privacy laws P A G E 29
  • Asia-Pacific Data Protection and Privacy India Information Technology (Amendment) Act 2008 Sections 43A – 72A •Focused on data loss and leakage •Provides (some) reassurance for LPO and associated industries managing personal data under contractual agreements P A G E 30
  • Asia-Pacific Data Protection and Privacy Japan Act on the Protection of Personal Information Act 2003 Article 23 •Prior consent of data subject; or •To data processor where supervised by data controller and liability remains P A G E 31
  • Asia-Pacific Data Protection and Privacy Malaysia Intentionally blank P A G E 32
  • Asia-Pacific Data Protection and Privacy Singapore Intentionally blank P A G E 33
  • Asia-Pacific Data Protection and Privacy South Korea Promotion of Information and Com Article 54 •Technically, applies to ISPs only •Same or higher level of privacy laws Authority: Korea Information Security Agency (K P A G E 34
  • Thank You Patrick Burke Guidance Software, Inc. Seamus E. Byrne Lawyer (Australia) Chris Dale eDisclosure Information Project (UK) Dominic Jaar Ledjit Consulting (Canada) P A G E 35