2. Presentation Overview
• Privacy Limitation Justifications
• Models of Privacy Protection
• United States Protection of Information
Privacy
• European Union Data Protection Directive
• US Department of Commerce-Safe Harbor
• Model Contracts for the Transfer of Personal
Data to Foreign Countries
2
3. Presentation Overview
• Electronic Privacy Information Center (EPIC)
• Privacy International
• Data Protection Laws Around the World
• Privacy Laws Around the World
3
4. Threats to Privacy
• Increasing sophistication of information technology
– Greater capacity to collect, analyze and disseminate information
• New developments in medical research and care,
telecommunications, advanced transportation systems and
financial transfers
– Increased level of information generated by each individual
• Computers linked together by high speed networks
– Increased capability of creating comprehensive dossiers on any
person
• New technologies in law enforcement, civilian agencies and
private companies
See Andrew T. Kenyon and Megan Richardson, New Dimensions in Privacy Law, International and Comparative Perspectives
3-10 (Cambridge University Press, 2006) 4
5. Privacy Limitation Justifications
• Free speech
• Market imperatives of commerce
• Public security
• Means to forge close relationships based on trust
See Andrew T. Kenyon and Megan Richardson, New Dimensions in Privacy Law, International and Comparative Perspectives
3-10 (Cambridge University Press, 2006) 5
6. Models of Privacy Protection
• Comprehensive laws
– Europe, Australia, Hong Kong, New Zealand and
Canada
• Sectoral Laws
– United States
• Self-Regulation
– United States
• Technologies of Privacy
6
7. United States Protection of Information Privacy
Targeted Approach
• No precise constitutional guarantee of the right to
privacy in the United States
– Constitutional rights apply to government, not private sectors
• Laws are typically targeted based on the type of data
rather than all computerized personal data
• The four basic types of privacy rights under common
law do not offer protection for informational privacy:
– Intrusion upon seclusion
– Publication of embarrassing private facts
– Placing a person in a false light
– Appropriation of name, likeness and identity
See, e.g., Anita L. Allen-Catellitto, Origins and Growth of U.S. Privacy Law, Second Annual Institute on Privacy Law: Strategies for
Legal Compliance in a High-Tech & Changing Regulatory Environment 9, 24 (Practicing Law Institute 2001).
7
8. EU Data Protection Directive
95/46/EC (October 24, 1995)
• Imposes an obligation on member
States to ensure that personal
information is protected when it is
exported to, and processed in,
countries outside Europe
• A public official enforces the
comprehensive data protection
law
See EU Directive, available at http://www.cdt.org/privacy/eudirective/EU_Directive_.html (last visited April 10, 2007)
8
9. EU Data Protection Directive
Objective
• protect fundamental rights and freedoms of natural
persons, including
– right to privacy with respect to the processing of
personal data
• the free flow of personal data between Member States
is not to be restricted or prohibited
9
10. EU Data Protection Directive
Intent
Data-processing systems must respect fundamental rights
and freedoms (whatever the nationality or residence of
natural persons) including:
• right to privacy
• contributing to economic and social progress, trade
expansion and the well-being of individuals
10
11. European Union Data Protection Directive
Article 2 – Definitions
• personal data – any information relating to an
identified or identifiable natural person
• processing of personal data – any operation
performed on personal data (e.g., collection . . . )
• the data subject's consent – any freely given specific
and informed indication of his wishes by which the
data subject signifies his agreement to personal data
11
12. European Union Data Protection Directive
Article 3 – Scope
The Directive applies to processing of all personal data except:
• Public security
• Defense
• State security
• Criminal activities of the State
• In the course of a purely personal or household activity
12
13. European Union Data Protection Directive
Article 6 – Personal data must be:
• processed fairly and lawfully
• collected for specified, explicit and legitimate purposes and
not further processed in a way incompatible with those
purposes
• adequate, relevant and not excessive in relation to the
purposes for which they are collected and/or further processed
• accurate and, where necessary, kept up to date
• kept in a form which permits identification of data subjects
for no longer than is necessary for the purposes for which the
data were collected or for which they are further processed
13
14. EU Data Protection Directive
Article 7 – Personal data may be processed only if:
• the data subject has unambiguously given his consent; or
• processing is necessary for the performance of a contract to which the data
subject is party or in order to take steps at the request of the data subject prior to
entering into a contract; or
• processing is necessary for compliance with a legal obligation to which the
controller is subject; or
• processing is necessary in order to protect the vital interests of the data subject;
or
• processing is necessary for the performance of a task carried out in the public
interest or in the exercise of official authority vested in the controller or in a
third party to whom the data are disclosed; or
• processing is necessary for the purposes of the legitimate interests pursued by
the controller or by the third party or parties to whom the data are disclosed,
except where such interests are overridden by the interests for fundamental
14
15. EU Data Protection Directive
Articles 10, 11 and 12
Subject has right to know :
• the identity of collector of information
• purpose for the collection
15
16. EU Data Protection Directive
Article 25 – transfers to non-European countries
• Transfer of personal data to a non-European country may
take place only if the country ensures an “adequate level of
data protection”
• EU and United States use different approaches:
– United States – targeted privacy laws (typically
targeting specific records)
– EU – Omnibus approach (comprehensive privacy
regulations)
• Where no adequate protection – transfer is permitted only
by one of the narrow exceptions in Article 26
16
17. EU Data Protection Directive
Article 26 – Exceptions where no adequate protection
• subject has given unambiguous consent; or
• transfer is necessary for the performance of a
contract
17
18. U.S. Department of Commerce
Commerce-Safe Harbor
• Created in response to the EU
Data Protection Directive
See Welcome to the Safe Harbor, available at http://www.export.gov/safeharbor/ (last visited April 10, 2007) 18
19. US Department of Commerce-Safe Harbor
Seven Safe Harbor Principles
• Notice – must provide conspicuous notice to individuals
about
– purposes for which it collects and uses the personal information
– types of third parties to which it discloses the personal
information
– contact information for complaints and inquires
• Choice – must allow individual to opt-out or opt-in
– opt-out of transferring personal information to a third party or
using personal information for non-stated purpose if not sensitive
– opt-in of transferring personal information to a third party or
using personal information for non-stated purpose if sensitive
(e.g., medical condition, political opinion, religious beliefs, sex
life)
19
20. US Department of Commerce-Safe Harbor
Seven Safe Harbor Principles
• Transfers to Third Parties – must ensure that third party:
– subscribes to the Safe Harbor
– is subject to the EU Directive
– other adequate finding
– agrees to provide at least the same level of privacy protection as is
required by the Safe Harbor
• Security – reasonable precautions to protect personal
information from “loss, misuse and unauthorized access,
disclosure, alteration and destruction”
20
21. US Department of Commerce-Safe Harbor
Seven Safe Harbor Principles
• Relevance – personal information must be relevant for
the purposes for which it is to be used
• Access - individuals must have access to personal
information about them and be able to “correct, amend,
or delete” inaccurate information
• Enforcement – must include
– mechanism for assuring compliance
– recourse for individuals to whom the data relate affected by non-
compliance
– consequences when organization fails to comply
21
22. US Department of Commerce-Safe Harbor
Safe Harbor List
See Safe Harbor List, available at http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list (last visited April 10, 2007)
22
23. Model Contracts for the Transfer of
Personal Data to Foreign Countries
Member States are not
under and obligation to
notify the Commission if
standard contractual
clauses are used
See Article 26(3)
See Model Contracts for the transfer of personal data to third countries, available at 23
http://ec.europa.eu/justice_home/fsj/privacy/modelcontracts/index_en.htm (last visited April 10, 2007)
24. EU-US Data Disclosure
Ongoing Issues Concerning European Airline Passenger Data
• On May 17, 2004, the European
Commission adopted a decision
recognizing adequate privacy
protections in EU-US passenger
data disclosure (allowed the
transfer of personal information
on European airline travelers to
the U.S. government)
• On May 30, 2006, the European
Court of Justice struck down the
EU-US passenger data disclosure
deal
• On October 6, 2006, the United
States and the EU established a
temporary arrangement that will
expire in July of 2007
See EU-US Airline Passenger Data Disclosure, available at http://www.epic.org/privacy/intl/passenger_data.html (last visited April 11, 2007)
24
25. Electronic Privacy Information Center
(EPIC)
• A public interest research center
in Washington, D.C.
• Established in 1994
• Focuses on emerging civil
liberties issues and protecting
privacy, the First Amendment, and
constitutional values
See Electronic Privacy Information Center, available at http://www.epic.org/ (last visited April 10, 2007)
25
26. Privacy International
• A human rights group formed in
1990 as a watchdog on privacy
issues
• Based in London (an office in
Washington, D.C.)
• Conducts campaigns and research
throughout the world
See Privacy International, available at http://www.privacyinternational.org/ (last visited April 10, 2007)
26
27. Google Gmail
Email Content Based Advertising
See About Gmail, available at http://mail.google.com/mail/help/screen2.html (last visited April 12, 2007)
27
28. Google Gmail
Privacy International Complaint
Arguments include:
• Violates Article 17 for not accepting liability for
security of personal information
Google disclaims all responsibility and liability for the
availability, timeliness, security or reliability of the
Service.
• Violates Article 29 for a third party reading the
contents of email between two parties
Google also reserves the right to access, read,
preserve, and disclose any information as it reasonably
believes is necessary to (a) satisfy any applicable law,
regulation, legal process or governmental request, (b)
enforce this Agreement, including investigation of
potential violations hereof, (c) detect, prevent, or
otherwise address fraud, security or technical issues
(including, without limitation, the filtering of spam), (d)
respond to user support requests, or (e) protect the
rights, property or safety of Google, its users and the
public.
• Violates Article 7 for processing personal data
without unambiguous consent
See Complaint: Google Inc – Gmail email service, available at
http://www.privacyinternational.org/issues/internet/gmail-complaint.pdf (last visited April 11, 2007)
28
29. Google Gmail
Groups Call for Investigation of Gmail
• On May 3, 2004, EPIC, Privacy
Rights Clearinghouse, and the
World Privacy Forum urged the
Attorney General of California to
investigate Google’s Gmail
service
– Argued that the scanning of e-
mails for targeted marketing
violates California’s wiretapping
laws (California Penal Code §
631)
• The groups also called upon
Google to suspend the service
again, as Gmail users could be
liable for violations of the law.
See Groups Call for Investigation of Gmail, available at http://www.epic.org/news/2004.html (last visited April 12, 2007)
29
30. Data Protection Laws Around the World
• Blue – Comprehensive
Data Protection Law
Enacted
• Red – Pending Effort to
Enact Law
• White – No Law
See Data Protection Laws Around the World, available at http://www.privacyinternational.org/survey/dpmap.jpg (last visited April 12, 2007)
30
31. Privacy Laws Around the World
Canada – The Personal Information Protection and Electronic Documents Act
• Passed on April 13, 2000
• Applies to organizations that collect, use or disclose personal information
in the course of commercial activities
– Excludes certain government institutions to which the Privacy Act applies
– Excludes certain individuals collecting, using or disclosing public information
solely for person or domestic purposes
– Excludes certain organizations collecting, using or disclosing public
information solely for journalistic, artistic or literary purposes
• Personal Information – “information about an identifiable individual, but
does not include the name, title or business address or telephone number
of an employee of an organization.”
• Appropriate purposes - an organization may collect, use or disclose
personal information only for purposes that a reasonable person would
consider are appropriate in the circumstances
See The Personal Information Protection and Electronic Documents Act, available at 31
http://www.privcom.gc.ca/legislation/02_06_01_e.asp (last visited April 12, 2007)
32. Privacy Laws Around the World
Canada – The Personal Information Protection and Electronic Documents Act
• Notice – must provide notice to individuals about
– purposes for which it collects and uses the personal information
– procedures to gain access to personal information held by the
organization
– contact information of the person who is accountable for the
organization’s policies and to whom complaints or inquires can be
sent
• Limited Collection – collection of personal information
shall be limited to that which is necessary for the purposes
identified by the organization
See The Personal Information Protection and Electronic Documents Act, available at 32
http://www.privcom.gc.ca/legislation/02_06_01_e.asp (last visited April 12, 2007)
33. Privacy Laws Around the World
Canada – The Personal Information Protection and Electronic Documents Act
• Security – must implement security safeguards against
loss or theft, unauthorized access, disclosure, copying, use,
or modification
• Choice – Very limited exceptions where personal
information may be used, disclosed or collected without
prior consent
• Accurate – must be accurate, complete and up-to-date as
is necessary for the purpose for which it is to be used
• Purpose – must not be used or disclosed for purposes
other than those for which it was collected, except with the
consent of the individual or as required by law
See The Personal Information Protection and Electronic Documents Act, available at 33
http://www.privcom.gc.ca/legislation/02_06_01_e.asp (last visited April 12, 2007)
34. Privacy Laws Around the World
Japan – Personal Information Protection Law
• Passed on May 23, 2003
• Protects information of individuals
– does not cover information of corporations
• Applies to the National government, public organizations, and Personal
Information Handling Enterprises
• Establishes penalties for data collectors who violate the law
• Personal Information – “information that may make a living individual
distinguishable from others.”
• Personal Information Handling Enterprises – entities that use Personal
Information Databases in their businesses
– Excludes the National government, local public organizations, independent
administrative agencies and local independent administrative agencies
– Excludes enterprises that process less than 5,000 personal information records
per day
34
35. Privacy Laws Around the World
Japan – Personal Information Protection Law
• Notice – must provide notice to individuals about
– name of the data collector
– purposes for which it collects and uses the Personal Information
• personal information may not be used in a manner that exceeds the
scope without prior consent from the individual
– procedures to access, modify and terminate the use of personal
information
– contact information for complaints and inquires (complaints
must be responded to adequately and promptly)
• Relevance – personal information must be relevant for the
purposes for which it is to be used
35
36. Privacy Laws Around the World
Japan – Personal Information Protection Law
• Security – must implement security safeguards and
provide proper supervision of employees and other entities
to which personal information may be may be entrusted
• Choice – Generally, personal information may not be
disclosed or made available to third parties without prior
consent (“opt in”); exceptions, when disclosure is:
– made in accordance with the law
– necessary to protect life, body or property
– necessary to protect public health
– necessary for governmental purposes
36
37. Privacy Laws Around the World
Australia – Federal Privacy Act
See The Office of the Privacy Commissioner, Federal Privacy Law, available at http://www.privacy.gov.au/act/index.html (last visited April 12, 2007)
37
38. Privacy Laws Around the World
Other Countries
• Mexico
– Article 214 of the Penal Code protects the disclosure of personal
information held by government agencies
– The General Population Act regulates the National Registry of
Population and Personal Information
• Russia
– Article 24 of the Russian Federation forbids gathering, storing,
using and disseminating information on the private life of any
person without consent
• France
– The Data Protection Act covers personal information held by
government agencies and private entities
38
39. Cross-Border Privacy Tips
• There is a global trend toward comprehensive protection which must be
taken into consideration; may require personal information to be:
– obtained fairly and lawfully
– used only for the original specified purpose
– adequate, relevant and not excessive to purpose
– accurate and up to date
– destroyed after its purpose is complete
• Current international laws should be reviewed prior to any cross-border
transfers of personal information and periodically reevaluated
– Confirm compliance with Safe Harbor provisions for transfers between US
and EU
• You are likely to be required to provide additional privacy protections
for any cross-border transfers
39
40. Useful Resources
• www.privacy.org
– Joint project of the Electronic Privacy Information Center (EPIC) and Privacy
International
• www.privacyinternational.org
– Privacy International
• www.epic.org
– Electronic Privacy Information Center
• www.coe.int
– Council of Europe
• www.oecd.org
– Organization for Economic Co-operation and Development
• www.export.gov/safeharbor
– U.S. Department of Commerce Safe Harbor
• www.privacy.gov.au
– The Office of the Privacy Commissioner of Australia
40
41. Gardere Wynne Sewell LLP
Karl Larson
3000 Thanksgiving Tower
1601 Elm Street
Dallas, TX 75201-4761
Phone: 214.999.4582 Fax: 214.999.3582
klarson@gardere.com
41
Editor's Notes
Protection in the United States is a fractured, eposodic, recorded targeted patchwork of laws. No precise constitutional guarantee of the right to privacy in the United States