Challenges to Achieve Privacy for Online Consumers in Mexico

Keynote lecture for the Asia-Pacific Economic Cooperation Forum, ECSG 5 at SOM I. February 2002.


    Challenges to Achieve Privacy for Online Consumers in Mexico: Presentation Transcript

    • Global Framework for Privacy Challenges to Achieve “Privacy” for Online Consumers in Mexico
      • Joel Gómez-Treviño, LL.B., LL.M.
      • Founder Chairman of AMDI
      • Vice Chairman of the National Association of Corporate Lawyers, Nuevo Leon Chapter
      • Professor of Law, ITESM. E-commerce Masters, LL.M. & LL.B. Programs
      Asia-Pacific Economic Cooperation, Privacy Forum, Electronic Commerce Steering Group, Senior Officials Meeting I, Mexico City, February 22, 2002. http://www.apec2002.org.mx
    • Mexican Statutes related to “Privacy”
      • Political Constitution of Mexican United States
        • Private communications shall not be violated. The law will impose criminal sanctions on any action that infringes the freedom and privacy of communications.
        • Only the Federal Judicial Authority can authorize the eavesdropping of communications (§ 14, 9th paragraph)
    • Mexican Statutes related to “Privacy”
      • Copyright Law
        • Title IV, Chapter IV.- Software & Databases
          • Access to private information about persons contained in databases, as well as the publication, reproduction, disclosure, public communication and broadcast of such information, shall require the prior consent of the persons in the database. (§ 109)
    • Mexican Statutes related to “Privacy”
      • Federal Law for the Protection of Consumers
        • The supplier (seller) shall keep confidential the information provided by consumers, except by express consent of the consumer. § 76 bis, I.
        • The supplier shall use an available technical mechanism to provide security and confidentiality for the information submitted by the consumer, and shall inform the consumer, prior to any transaction, of the general characteristics of such mechanism. § 76 bis, II.
    • Mexican Statutes related to “Privacy”
      • Federal Law for the Protection of Consumers...
        • If the consumer decides not to receive slogans (avisos comerciales), the supplier shall respect such decision. § 76 bis, II.
          • The intention of the legislator was to ban spamming practices. However, section II was improperly drafted.
          • The phrase “avisos comerciales” does not mean (legally speaking) spam, UCE or advertising of any nature.
          • According to the Industrial Property Law, “avisos comerciales” means the slogans that merchants use to sell their products. IPL § 99 – 104.
    • Mexican Statutes related to “Privacy”
      • Federal Law for the Protection of Consumers...
        • Any infringement of the previous sections shall be sanctioned with a fine from USD $4.00 to USD $10,000.00 ($40.35 to $100,875 pesos)
    • Bills pending in the Congress
      • Senators Chamber
        • Federal Law for the Protection of Personal Data Feb. 14, 2001. PRI Political Party.
          • Data collected must be adequate, accurate and proportional for the purpose they are collected.
          • Data collection must be done by legal mechanisms that guarantee respect for constitutional guarantees, especially those related to honor and intimacy.
          • Purpose.
          • Accurate and up to date information.
          • Access and cancellation when the purpose.
    • Bills pending in the Congress
      • Representatives Chamber
        • Federal Law for the Protection of Personal Data Sept. 6, 2001. PRD Political Party.
          • Consent.
          • Treatment of sensitive data.
          • Conditions to collect personal data:
            • Data must be true, adequate and not excessive.
            • Purpose.
            • Accurate and up to date data.
            • Access and cancellation/destruction.
    • OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (Organization for Economic Co-operation and Development)
    • OECD Guidelines
      • Collection Limitation Principle
      • Data Quality Principle
      • Purpose Specification Principle
      • Use Limitation Principle
      • Security Safeguards Principle
      • Openness Principle
      • Individual Participation Principle
      • Accountability Principle
    • OECD Guidelines
      • Notice: individuals should be notified when personal data is collected from them;
      • Purpose: data collected for one purpose should not be used later for another;
      • Consent: personal data should not be disclosed without the consent of the individual it is collected from;
      • Security: any compilation of personal data from individuals should be kept secure from potential abuses by other parties;
    • OECD Guidelines...
      • Disclosure: individuals should be able to learn who is collecting data about them;
      • Access: individuals should be allowed to access data that has been collected and have corrections made if the data is not accurate;
      • Accountability: some means of holding those who collected personal data accountable for compliance with these principles.
    • EU Data Protection Directive (95/46/EC)
      • Consent obtained from individuals before personal identifiable information is transferred from the entity collecting the information to a third party.
      • Disclose the purpose for which the data is collected.
      • Privacy. Adequate laws ensuring privacy must exist in third party countries outside EU before individual's personal identifiable data is transferred to that country.
        • Personal identifiable data is defined as any information that can be linked “directly or indirectly to a specific person, and can include names, unique physical characteristics, or even internet cookies”.
    • Regulation of the Collection of PII in US
      • Self-Regulatory Schemes
        • Notice: TRUSTe
        • Choice: Opt-out v. Opt-in
        • Access: USA v. EU
    • Regulation of the Collection of PII in US
      • Dramatic Change in the FTC's Approach to Online Privacy (1999).
        • Only 20% of web sites that were collecting information from site visitors implemented all four of the fair information practice principles -- notice, choice, access, and security.
        • The FTC categorized existing self-regulatory measures as ineffective and recommended Congress enact legislation to “ensure adequate protection of consumer privacy online”.
        • Instead of federal legislation, the Department of Commerce created a national safe harbor complying with the Data Protection Directive.
    • The Safe Harbor Agreement
      • United States approach to privacy:
        • Industry self-regulation
        • Sectoral approach that relies on a mix of legislation, regulation and self-regulation.
      • European Union approach to privacy:
        • Comprehensive legislation
    • The Safe Harbor Agreement (SHA)
      • Compliance with the Data Protection Directive in other (non EU) countries is being achieved through legislative regulations and national model standards.
        • Canadian Model Code for the Protection of Personal Information:
          • Accountability
          • Identifying purpose
          • Consent
          • Limiting collection
          • Limiting use, disclosure and retention
          • Accuracy
          • Safeguards
          • Openness
          • Individual access
          • Challenging compliance
    • The Requirements of the SHA
      • To receive the benefits of the SHA organizations must comply with the Principles and publicly declare that they do so.
      • Organizations can self-certify that they are eligible for the SHA after joining a self-regulatory privacy program adhering to the safe harbor's requirements.
      • Annual self-certification to the Department of Commerce is necessary for continued participation in the safe harbor.
    • The Requirements of the SHA
      • Seven primary principles of the SHA are:
        • Notice
        • Choice
        • Onward transfer
        • Security
        • Data integrity
        • Access
        • Enforcement
    • Habeas Data in Latin America
      • Argentina
      • Brasil
      • Chile
      • Colombia
      • Costa Rica
      • Ecuador
      • Paraguay
      • Perú
    • Challenges to achieve Privacy for On-line Consumers in México
      • México has not formally recognized the figure of Habeas Data.
      • Current “privacy” legislation in México is not adequate to protect consumers and their personal data:
        • The law does not include the main and common principles of privacy adopted in several countries.
      • Consumers do not know their rights and how to enforce them.
    • Next steps...
      • Adopt the Habeas Data
        • Enact a Federal Law for the Protection of Personal Data that shall include at least OECD Guidelines principles or SHA principles.
        • Promote self-regulatory schemes for the industry with higher standards than those imposed by law.
        • Establish a Federal Agency that will be responsible for the surveillance and enforcement of the law.
        • Create a website and promotional campaigns that provide comprehensive information for consumers.
    • Key learning points...
      • Learn from the experiences from other countries:
        • Hong Kong: Self regulation did not seem to offer an adequate level of privacy for consumers. – Mr. Tang.
        • United States:
          • A random sampling discovered that only 20% of web sites that were collecting information from site visitors in 1999 implemented all four of the fair information practice principles -- notice, choice, access, and security.
          • The FTC categorized existing self-regulatory measures as ineffective and recommended Congress enact legislation to “ensure adequate protection of consumer privacy online”.
          • FTC, Privacy Online: Fair Information Practice in the Electronic Marketplace 2 (2000),
          • http://www.ftc.gov/reports/privacy2000/privacy2000.pdf