Karl Larson, profile picture
Uploaded byKarl Larson
PPS, PPTX977 views

Cross Border Privacy : Intellectual Property Issues

The document discusses various topics related to cross-border privacy and intellectual property issues, including: 1) Models of privacy protection such as comprehensive laws, sectoral laws, self-regulation, and technologies of privacy. 2) The European Union Data Protection Directive and its requirements for personal data processing and transfers to non-European countries. 3) The U.S. Department of Commerce Safe Harbor framework and its seven privacy principles for companies to self-certify compliance. 4) Issues around the transfer of EU airline passenger data to the U.S. and ongoing discussions between the two regions.

Technology
Related topics:
Intellectual Property

Embed presentation

Download as PPS, PPTX
Cross-Border Privacy Intellectual Property Issues Karl Larson April 13, 2007 1
Presentation Overview • Privacy Limitation Justifications • Models of Privacy Protection • United States Protection of Information Privacy • European Union Data Protection Directive • US Department of Commerce-Safe Harbor • Model Contracts for the Transfer of Personal Data to Foreign Countries 2
Presentation Overview • Electronic Privacy Information Center (EPIC) • Privacy International • Data Protection Laws Around the World • Privacy Laws Around the World 3
Threats to Privacy • Increasing sophistication of information technology – Greater capacity to collect, analyze and disseminate information • New developments in medical research and care, telecommunications, advanced transportation systems and financial transfers – Increased level of information generated by each individual • Computers linked together by high speed networks – Increased capability of creating comprehensive dossiers on any person • New technologies in law enforcement, civilian agencies and private companies See Andrew T. Kenyon and Megan Richardson, New Dimensions in Privacy Law, International and Comparative Perspectives 3-10 (Cambridge University Press, 2006) 4
Privacy Limitation Justifications • Free speech • Market imperatives of commerce • Public security • Means to forge close relationships based on trust See Andrew T. Kenyon and Megan Richardson, New Dimensions in Privacy Law, International and Comparative Perspectives 3-10 (Cambridge University Press, 2006) 5
Models of Privacy Protection • Comprehensive laws – Europe, Australia, Hong Kong, New Zealand and Canada • Sectoral Laws – United States • Self-Regulation – United States • Technologies of Privacy 6
United States Protection of Information Privacy Targeted Approach • No precise constitutional guarantee of the right to privacy in the United States – Constitutional rights apply to government, not private sectors • Laws are typically targeted based on the type of data rather than all computerized personal data • The four basic types of privacy rights under common law do not offer protection for informational privacy: – Intrusion upon seclusion – Publication of embarrassing private facts – Placing a person in a false light – Appropriation of name, likeness and identity See, e.g., Anita L. Allen-Catellitto, Origins and Growth of U.S. Privacy Law, Second Annual Institute on Privacy Law: Strategies for Legal Compliance in a High-Tech & Changing Regulatory Environment 9, 24 (Practicing Law Institute 2001). 7
EU Data Protection Directive 95/46/EC (October 24, 1995) • Imposes an obligation on member States to ensure that personal information is protected when it is exported to, and processed in, countries outside Europe • A public official enforces the comprehensive data protection law See EU Directive, available at http://www.cdt.org/privacy/eudirective/EU_Directive_.html (last visited April 10, 2007) 8
EU Data Protection Directive Objective • protect fundamental rights and freedoms of natural persons, including – right to privacy with respect to the processing of personal data • the free flow of personal data between Member States is not to be restricted or prohibited 9
EU Data Protection Directive Intent Data-processing systems must respect fundamental rights and freedoms (whatever the nationality or residence of natural persons) including: • right to privacy • contributing to economic and social progress, trade expansion and the well-being of individuals 10
European Union Data Protection Directive Article 2 – Definitions • personal data – any information relating to an identified or identifiable natural person • processing of personal data – any operation performed on personal data (e.g., collection . . . ) • the data subject's consent – any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data 11
European Union Data Protection Directive Article 3 – Scope The Directive applies to processing of all personal data except: • Public security • Defense • State security • Criminal activities of the State • In the course of a purely personal or household activity 12
European Union Data Protection Directive Article 6 – Personal data must be: • processed fairly and lawfully • collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes • adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed • accurate and, where necessary, kept up to date • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed 13
EU Data Protection Directive Article 7 – Personal data may be processed only if: • the data subject has unambiguously given his consent; or • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or • processing is necessary for compliance with a legal obligation to which the controller is subject; or • processing is necessary in order to protect the vital interests of the data subject; or • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or • processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental 14
EU Data Protection Directive Articles 10, 11 and 12 Subject has right to know : • the identity of collector of information • purpose for the collection 15
EU Data Protection Directive Article 25 – transfers to non-European countries • Transfer of personal data to a non-European country may take place only if the country ensures an “adequate level of data protection” • EU and United States use different approaches: – United States – targeted privacy laws (typically targeting specific records) – EU – Omnibus approach (comprehensive privacy regulations) • Where no adequate protection – transfer is permitted only by one of the narrow exceptions in Article 26 16
EU Data Protection Directive Article 26 – Exceptions where no adequate protection • subject has given unambiguous consent; or • transfer is necessary for the performance of a contract 17
U.S. Department of Commerce Commerce-Safe Harbor • Created in response to the EU Data Protection Directive See Welcome to the Safe Harbor, available at http://www.export.gov/safeharbor/ (last visited April 10, 2007) 18
US Department of Commerce-Safe Harbor Seven Safe Harbor Principles • Notice – must provide conspicuous notice to individuals about – purposes for which it collects and uses the personal information – types of third parties to which it discloses the personal information – contact information for complaints and inquires • Choice – must allow individual to opt-out or opt-in – opt-out of transferring personal information to a third party or using personal information for non-stated purpose if not sensitive – opt-in of transferring personal information to a third party or using personal information for non-stated purpose if sensitive (e.g., medical condition, political opinion, religious beliefs, sex life) 19
US Department of Commerce-Safe Harbor Seven Safe Harbor Principles • Transfers to Third Parties – must ensure that third party: – subscribes to the Safe Harbor – is subject to the EU Directive – other adequate finding – agrees to provide at least the same level of privacy protection as is required by the Safe Harbor • Security – reasonable precautions to protect personal information from “loss, misuse and unauthorized access, disclosure, alteration and destruction” 20
US Department of Commerce-Safe Harbor Seven Safe Harbor Principles • Relevance – personal information must be relevant for the purposes for which it is to be used • Access - individuals must have access to personal information about them and be able to “correct, amend, or delete” inaccurate information • Enforcement – must include – mechanism for assuring compliance – recourse for individuals to whom the data relate affected by non- compliance – consequences when organization fails to comply 21
US Department of Commerce-Safe Harbor Safe Harbor List See Safe Harbor List, available at http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list (last visited April 10, 2007) 22
Model Contracts for the Transfer of Personal Data to Foreign Countries Member States are not under and obligation to notify the Commission if standard contractual clauses are used See Article 26(3) See Model Contracts for the transfer of personal data to third countries, available at 23 http://ec.europa.eu/justice_home/fsj/privacy/modelcontracts/index_en.htm (last visited April 10, 2007)
EU-US Data Disclosure Ongoing Issues Concerning European Airline Passenger Data • On May 17, 2004, the European Commission adopted a decision recognizing adequate privacy protections in EU-US passenger data disclosure (allowed the transfer of personal information on European airline travelers to the U.S. government) • On May 30, 2006, the European Court of Justice struck down the EU-US passenger data disclosure deal • On October 6, 2006, the United States and the EU established a temporary arrangement that will expire in July of 2007 See EU-US Airline Passenger Data Disclosure, available at http://www.epic.org/privacy/intl/passenger_data.html (last visited April 11, 2007) 24
Electronic Privacy Information Center (EPIC) • A public interest research center in Washington, D.C. • Established in 1994 • Focuses on emerging civil liberties issues and protecting privacy, the First Amendment, and constitutional values See Electronic Privacy Information Center, available at http://www.epic.org/ (last visited April 10, 2007) 25
Privacy International • A human rights group formed in 1990 as a watchdog on privacy issues • Based in London (an office in Washington, D.C.) • Conducts campaigns and research throughout the world See Privacy International, available at http://www.privacyinternational.org/ (last visited April 10, 2007) 26
Google Gmail Email Content Based Advertising See About Gmail, available at http://mail.google.com/mail/help/screen2.html (last visited April 12, 2007) 27
Google Gmail Privacy International Complaint Arguments include: • Violates Article 17 for not accepting liability for security of personal information Google disclaims all responsibility and liability for the availability, timeliness, security or reliability of the Service. • Violates Article 29 for a third party reading the contents of email between two parties Google also reserves the right to access, read, preserve, and disclose any information as it reasonably believes is necessary to (a) satisfy any applicable law, regulation, legal process or governmental request, (b) enforce this Agreement, including investigation of potential violations hereof, (c) detect, prevent, or otherwise address fraud, security or technical issues (including, without limitation, the filtering of spam), (d) respond to user support requests, or (e) protect the rights, property or safety of Google, its users and the public. • Violates Article 7 for processing personal data without unambiguous consent See Complaint: Google Inc – Gmail email service, available at http://www.privacyinternational.org/issues/internet/gmail-complaint.pdf (last visited April 11, 2007) 28
Google Gmail Groups Call for Investigation of Gmail • On May 3, 2004, EPIC, Privacy Rights Clearinghouse, and the World Privacy Forum urged the Attorney General of California to investigate Google’s Gmail service – Argued that the scanning of e- mails for targeted marketing violates California’s wiretapping laws (California Penal Code § 631) • The groups also called upon Google to suspend the service again, as Gmail users could be liable for violations of the law. See Groups Call for Investigation of Gmail, available at http://www.epic.org/news/2004.html (last visited April 12, 2007) 29
Data Protection Laws Around the World • Blue – Comprehensive Data Protection Law Enacted • Red – Pending Effort to Enact Law • White – No Law See Data Protection Laws Around the World, available at http://www.privacyinternational.org/survey/dpmap.jpg (last visited April 12, 2007) 30
Privacy Laws Around the World Canada – The Personal Information Protection and Electronic Documents Act • Passed on April 13, 2000 • Applies to organizations that collect, use or disclose personal information in the course of commercial activities – Excludes certain government institutions to which the Privacy Act applies – Excludes certain individuals collecting, using or disclosing public information solely for person or domestic purposes – Excludes certain organizations collecting, using or disclosing public information solely for journalistic, artistic or literary purposes • Personal Information – “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.” • Appropriate purposes - an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances See The Personal Information Protection and Electronic Documents Act, available at 31 http://www.privcom.gc.ca/legislation/02_06_01_e.asp (last visited April 12, 2007)
Privacy Laws Around the World Canada – The Personal Information Protection and Electronic Documents Act • Notice – must provide notice to individuals about – purposes for which it collects and uses the personal information – procedures to gain access to personal information held by the organization – contact information of the person who is accountable for the organization’s policies and to whom complaints or inquires can be sent • Limited Collection – collection of personal information shall be limited to that which is necessary for the purposes identified by the organization See The Personal Information Protection and Electronic Documents Act, available at 32 http://www.privcom.gc.ca/legislation/02_06_01_e.asp (last visited April 12, 2007)
Privacy Laws Around the World Canada – The Personal Information Protection and Electronic Documents Act • Security – must implement security safeguards against loss or theft, unauthorized access, disclosure, copying, use, or modification • Choice – Very limited exceptions where personal information may be used, disclosed or collected without prior consent • Accurate – must be accurate, complete and up-to-date as is necessary for the purpose for which it is to be used • Purpose – must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law See The Personal Information Protection and Electronic Documents Act, available at 33 http://www.privcom.gc.ca/legislation/02_06_01_e.asp (last visited April 12, 2007)
Privacy Laws Around the World Japan – Personal Information Protection Law • Passed on May 23, 2003 • Protects information of individuals – does not cover information of corporations • Applies to the National government, public organizations, and Personal Information Handling Enterprises • Establishes penalties for data collectors who violate the law • Personal Information – “information that may make a living individual distinguishable from others.” • Personal Information Handling Enterprises – entities that use Personal Information Databases in their businesses – Excludes the National government, local public organizations, independent administrative agencies and local independent administrative agencies – Excludes enterprises that process less than 5,000 personal information records per day 34
Privacy Laws Around the World Japan – Personal Information Protection Law • Notice – must provide notice to individuals about – name of the data collector – purposes for which it collects and uses the Personal Information • personal information may not be used in a manner that exceeds the scope without prior consent from the individual – procedures to access, modify and terminate the use of personal information – contact information for complaints and inquires (complaints must be responded to adequately and promptly) • Relevance – personal information must be relevant for the purposes for which it is to be used 35
Privacy Laws Around the World Japan – Personal Information Protection Law • Security – must implement security safeguards and provide proper supervision of employees and other entities to which personal information may be may be entrusted • Choice – Generally, personal information may not be disclosed or made available to third parties without prior consent (“opt in”); exceptions, when disclosure is: – made in accordance with the law – necessary to protect life, body or property – necessary to protect public health – necessary for governmental purposes 36
Privacy Laws Around the World Australia – Federal Privacy Act See The Office of the Privacy Commissioner, Federal Privacy Law, available at http://www.privacy.gov.au/act/index.html (last visited April 12, 2007) 37
Privacy Laws Around the World Other Countries • Mexico – Article 214 of the Penal Code protects the disclosure of personal information held by government agencies – The General Population Act regulates the National Registry of Population and Personal Information • Russia – Article 24 of the Russian Federation forbids gathering, storing, using and disseminating information on the private life of any person without consent • France – The Data Protection Act covers personal information held by government agencies and private entities 38
Cross-Border Privacy Tips • There is a global trend toward comprehensive protection which must be taken into consideration; may require personal information to be: – obtained fairly and lawfully – used only for the original specified purpose – adequate, relevant and not excessive to purpose – accurate and up to date – destroyed after its purpose is complete • Current international laws should be reviewed prior to any cross-border transfers of personal information and periodically reevaluated – Confirm compliance with Safe Harbor provisions for transfers between US and EU • You are likely to be required to provide additional privacy protections for any cross-border transfers 39
Useful Resources • www.privacy.org – Joint project of the Electronic Privacy Information Center (EPIC) and Privacy International • www.privacyinternational.org – Privacy International • www.epic.org – Electronic Privacy Information Center • www.coe.int – Council of Europe • www.oecd.org – Organization for Economic Co-operation and Development • www.export.gov/safeharbor – U.S. Department of Commerce Safe Harbor • www.privacy.gov.au – The Office of the Privacy Commissioner of Australia 40
Gardere Wynne Sewell LLP Karl Larson 3000 Thanksgiving Tower 1601 Elm Street Dallas, TX 75201-4761 Phone: 214.999.4582 Fax: 214.999.3582 klarson@gardere.com 41

More Related Content

PPT
The Data Retention Directive: recent developments
byblogzilla
 
PPTX
Wsgr eu data protection briefing march 20 2013 - final
byValentin Korobkov
 
PDF
Personal data: Legal Issues in Research Data Collection and Sharing by EUDAT ...
byEUDAT
 
PDF
Privacy shield: What You Need To Know About Storing EU Data
bySchellman & Company
 
PPT
Gary Davis
bydri_ireland
 
PPTX
The EU Data Protection Reform's Impact on Cross Border e-Discovery: new Devel...
byAltheimPrivacy
 
PPTX
The EU Data Protection Reform's Impact on Cross Border E-discovery; updated h...
byAltheimPrivacy
 
PPT
Worldwide Laws Privacy Presentation 2006
byKimberly Verska
 
The Data Retention Directive: recent developments
byblogzilla
 
Wsgr eu data protection briefing march 20 2013 - final
byValentin Korobkov
 
Personal data: Legal Issues in Research Data Collection and Sharing by EUDAT ...
byEUDAT
 
Privacy shield: What You Need To Know About Storing EU Data
bySchellman & Company
 
Gary Davis
bydri_ireland
 
The EU Data Protection Reform's Impact on Cross Border e-Discovery: new Devel...
byAltheimPrivacy
 
The EU Data Protection Reform's Impact on Cross Border E-discovery; updated h...
byAltheimPrivacy
 
Worldwide Laws Privacy Presentation 2006
byKimberly Verska
 

What's hot

PPTX
1º Palestra sobre Proteção de Dados Pessoais
byIBE_USP
 
PPTX
Introduction to Information Policy
byNiamh Headon
 
PPTX
Privacy and Data Protection in Research
byMarlon Domingus
 
PPTX
Critical regulations governing data privacy and data protection 20 dec2018
bySurabhi Jain
 
PPTX
Hacking Health Camp Strasbourg health data & data protection in the Netherlands
byAxon Lawyers
 
PDF
Right to be forgotten final paper
byreporter1120
 
PPTX
Overview of privacy and data protection considerations for DEVELOP
byTrilateral Research
 
PDF
Introduction privacy and drones130902.pptx (alleen lezen)
byschermerbw
 
PPT
E governance dushanbe 2012 katrin-nymanmetkalf
byE-Journal ICT4D
 
PDF
"Legal tips and compliance requirements" - Anastasia Botsi, ICT Legal
byCyber Watching
 
PDF
Keeping Information Safe: Privacy and Security Issues
byipspat
 
PPT
Overview of the_data_protection-act
byRodamaeLBaccay
 
PPT
Right to be forgotten presentation
byreporter1120
 
PDF
IV Congresso de Crimes Eletrônicos e Formas de Proteção, 23/09/2012 - Apresen...
byFecomercioSP
 
PDF
Hannes astok data protection agency
byE-Government Center Moldova
 
PDF
Legal update
byRachel Aldighieri
 
PPT
The Right to be Forgotten - It's About Time, or is it? (CPDP2014)
byJausloos
 
1º Palestra sobre Proteção de Dados Pessoais
byIBE_USP
 
Introduction to Information Policy
byNiamh Headon
 
Privacy and Data Protection in Research
byMarlon Domingus
 
Critical regulations governing data privacy and data protection 20 dec2018
bySurabhi Jain
 
Hacking Health Camp Strasbourg health data & data protection in the Netherlands
byAxon Lawyers
 
Right to be forgotten final paper
byreporter1120
 
Overview of privacy and data protection considerations for DEVELOP
byTrilateral Research
 
Introduction privacy and drones130902.pptx (alleen lezen)
byschermerbw
 
E governance dushanbe 2012 katrin-nymanmetkalf
byE-Journal ICT4D
 
"Legal tips and compliance requirements" - Anastasia Botsi, ICT Legal
byCyber Watching
 
Keeping Information Safe: Privacy and Security Issues
byipspat
 
Overview of the_data_protection-act
byRodamaeLBaccay
 
Right to be forgotten presentation
byreporter1120
 
IV Congresso de Crimes Eletrônicos e Formas de Proteção, 23/09/2012 - Apresen...
byFecomercioSP
 
Hannes astok data protection agency
byE-Government Center Moldova
 
Legal update
byRachel Aldighieri
 
The Right to be Forgotten - It's About Time, or is it? (CPDP2014)
byJausloos
 

Similar to Cross Border Privacy : Intellectual Property Issues

PDF
Transatlantic Data Privacy - From Safe Harbor to Privacy Sheidl
byDaniel Parziale, CIPP/US
 
PPT
Istanbul conference 2011_roberto_lattanzi
byAtıf ÜNALDI
 
PDF
Francoise Gilbert Proposed EU Data Protection Regulation-20120214
byFrancoise Gilbert
 
PDF
Data Protection Guide – What are your rights as a citizen?
byEdouard Nguyen
 
PDF
Introduction to EU General Data Protection Regulation: Planning, Implementati...
byFinancial Poise
 
PPTX
Safe Harbor: A framework for US – EU data privacy
byRaymond Cunningham
 
PPT
Guernsey Data Protection Legislation
byjonbarclay
 
PDF
GDPR and Copyright Law
byGiovanni Maria Riccio
 
PPT
Challenges to Achieve Privacy for Online Consumers in Mexico
byJoel A. Gómez Treviño
 
PPT
Auditing your EU entities for data protection compliance 5661651 1
byrtjbond
 
PPTX
GDPR: Key Article Overview
byCraig Clark ITIL, CIS LI,EU GDPR P
 
PPT
3e - Data Protection
byMISY
 
PDF
Introduction to EU General Data Protection Regulation: Planning, Implementat...
byFinancial Poise
 
PPT
Safety And Security Of Data 4
byWynthorpe
 
PDF
Federal Data Protection Act (FDPA)
byAMIPCI
 
PPTX
GDPR Introduction and overview
byJane Lambert
 
PPTX
Introduction to GDPR
byPriyab Satoshi
 
PPTX
Safeguarding Information: An Overview of Data Protection
bytudokimberlyann
 
PPTX
3A – DATA PROTECTION: ADVICE
byCFG
 
PPTX
Ley protección de datos personales
byJuan Carlos Carrillo
 
Transatlantic Data Privacy - From Safe Harbor to Privacy Sheidl
byDaniel Parziale, CIPP/US
 
Istanbul conference 2011_roberto_lattanzi
byAtıf ÜNALDI
 
Francoise Gilbert Proposed EU Data Protection Regulation-20120214
byFrancoise Gilbert
 
Data Protection Guide – What are your rights as a citizen?
byEdouard Nguyen
 
Introduction to EU General Data Protection Regulation: Planning, Implementati...
byFinancial Poise
 
Safe Harbor: A framework for US – EU data privacy
byRaymond Cunningham
 
Guernsey Data Protection Legislation
byjonbarclay
 
GDPR and Copyright Law
byGiovanni Maria Riccio
 
Challenges to Achieve Privacy for Online Consumers in Mexico
byJoel A. Gómez Treviño
 
Auditing your EU entities for data protection compliance 5661651 1
byrtjbond
 
GDPR: Key Article Overview
byCraig Clark ITIL, CIS LI,EU GDPR P
 
3e - Data Protection
byMISY
 
Introduction to EU General Data Protection Regulation: Planning, Implementat...
byFinancial Poise
 
Safety And Security Of Data 4
byWynthorpe
 
Federal Data Protection Act (FDPA)
byAMIPCI
 
GDPR Introduction and overview
byJane Lambert
 
Introduction to GDPR
byPriyab Satoshi
 
Safeguarding Information: An Overview of Data Protection
bytudokimberlyann
 
3A – DATA PROTECTION: ADVICE
byCFG
 
Ley protección de datos personales
byJuan Carlos Carrillo
 

Recently uploaded

PDF
Best 10 Dedicated Servers in Amsterdam, Netherlands (2026 Enterprise Edition)...
byAtal Networks
 
PDF
6 Insights from the Patron Saint of AI Failure
byScott M. Graffius
 
PPT
connectives-linking words in English.ppt
byAmrMohammed82
 
PDF
Implementing A Data Lakehouse Using Iceberg & Spark
byAnass Nabil
 
PPTX
Fortify Your Digital Defenses with ServiceNow Security Operations by Suma Soft
byGavin Ellis
 
PDF
Why Are Cloud Migration Services Essential for Modern Business Growth?
byGeoPITS Global Pvt Ltd
 
PPTX
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
PPTX
Microsoft Azure News - January 2026 - BAUG
byDaniel Toomey
 
PDF
Presentation of Cybersecurity and data protection
bytarikaityahya2
 
PPTX
Migrating-Hadoop-to-Databricks-Ebook-FINAL.pptx
byssuserf37fc8
 
PPTX
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
PDF
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
PPTX
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
PDF
Français Patch Tuesday - Janvier
byIvanti
 
PDF
Lightweight, Travel-Ready Freedom for Adults and Seniors
byTopmate
 
PPTX
Robot Vacuums are Cleaning Up. The global robot vacuum segment has high marke...
byRobert March
 
PDF
AI Data Analyst: Smarter Insights for Modern Real Estate Decisions
byLeni Analyst
 
PDF
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
PPTX
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
PDF
Profiting from Technological Innovation: Managing Intellectual Property to Bu...
byDavid Teece
 
Best 10 Dedicated Servers in Amsterdam, Netherlands (2026 Enterprise Edition)...
byAtal Networks
 
6 Insights from the Patron Saint of AI Failure
byScott M. Graffius
 
connectives-linking words in English.ppt
byAmrMohammed82
 
Implementing A Data Lakehouse Using Iceberg & Spark
byAnass Nabil
 
Fortify Your Digital Defenses with ServiceNow Security Operations by Suma Soft
byGavin Ellis
 
Why Are Cloud Migration Services Essential for Modern Business Growth?
byGeoPITS Global Pvt Ltd
 
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
Microsoft Azure News - January 2026 - BAUG
byDaniel Toomey
 
Presentation of Cybersecurity and data protection
bytarikaityahya2
 
Migrating-Hadoop-to-Databricks-Ebook-FINAL.pptx
byssuserf37fc8
 
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
Français Patch Tuesday - Janvier
byIvanti
 
Lightweight, Travel-Ready Freedom for Adults and Seniors
byTopmate
 
Robot Vacuums are Cleaning Up. The global robot vacuum segment has high marke...
byRobert March
 
AI Data Analyst: Smarter Insights for Modern Real Estate Decisions
byLeni Analyst
 
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
Profiting from Technological Innovation: Managing Intellectual Property to Bu...
byDavid Teece
 

Cross Border Privacy : Intellectual Property Issues

  • 1.
    Cross-Border Privacy Intellectual PropertyIssues Karl Larson April 13, 2007 1
  • 2.
    Presentation Overview • PrivacyLimitation Justifications • Models of Privacy Protection • United States Protection of Information Privacy • European Union Data Protection Directive • US Department of Commerce-Safe Harbor • Model Contracts for the Transfer of Personal Data to Foreign Countries 2
  • 3.
    Presentation Overview • ElectronicPrivacy Information Center (EPIC) • Privacy International • Data Protection Laws Around the World • Privacy Laws Around the World 3
  • 4.
    Threats to Privacy • Increasing sophistication of information technology – Greater capacity to collect, analyze and disseminate information • New developments in medical research and care, telecommunications, advanced transportation systems and financial transfers – Increased level of information generated by each individual • Computers linked together by high speed networks – Increased capability of creating comprehensive dossiers on any person • New technologies in law enforcement, civilian agencies and private companies See Andrew T. Kenyon and Megan Richardson, New Dimensions in Privacy Law, International and Comparative Perspectives 3-10 (Cambridge University Press, 2006) 4
  • 5.
    Privacy Limitation Justifications • Free speech • Market imperatives of commerce • Public security • Means to forge close relationships based on trust See Andrew T. Kenyon and Megan Richardson, New Dimensions in Privacy Law, International and Comparative Perspectives 3-10 (Cambridge University Press, 2006) 5
  • 6.
    Models of PrivacyProtection • Comprehensive laws – Europe, Australia, Hong Kong, New Zealand and Canada • Sectoral Laws – United States • Self-Regulation – United States • Technologies of Privacy 6
  • 7.
    United States Protectionof Information Privacy Targeted Approach • No precise constitutional guarantee of the right to privacy in the United States – Constitutional rights apply to government, not private sectors • Laws are typically targeted based on the type of data rather than all computerized personal data • The four basic types of privacy rights under common law do not offer protection for informational privacy: – Intrusion upon seclusion – Publication of embarrassing private facts – Placing a person in a false light – Appropriation of name, likeness and identity See, e.g., Anita L. Allen-Catellitto, Origins and Growth of U.S. Privacy Law, Second Annual Institute on Privacy Law: Strategies for Legal Compliance in a High-Tech & Changing Regulatory Environment 9, 24 (Practicing Law Institute 2001). 7
  • 8.
    EU Data ProtectionDirective 95/46/EC (October 24, 1995) • Imposes an obligation on member States to ensure that personal information is protected when it is exported to, and processed in, countries outside Europe • A public official enforces the comprehensive data protection law See EU Directive, available at http://www.cdt.org/privacy/eudirective/EU_Directive_.html (last visited April 10, 2007) 8
  • 9.
    EU Data ProtectionDirective Objective • protect fundamental rights and freedoms of natural persons, including – right to privacy with respect to the processing of personal data • the free flow of personal data between Member States is not to be restricted or prohibited 9
  • 10.
    EU Data ProtectionDirective Intent Data-processing systems must respect fundamental rights and freedoms (whatever the nationality or residence of natural persons) including: • right to privacy • contributing to economic and social progress, trade expansion and the well-being of individuals 10
  • 11.
    European Union DataProtection Directive Article 2 – Definitions • personal data – any information relating to an identified or identifiable natural person • processing of personal data – any operation performed on personal data (e.g., collection . . . ) • the data subject's consent – any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data 11
  • 12.
    European Union DataProtection Directive Article 3 – Scope The Directive applies to processing of all personal data except: • Public security • Defense • State security • Criminal activities of the State • In the course of a purely personal or household activity 12
  • 13.
    European Union DataProtection Directive Article 6 – Personal data must be: • processed fairly and lawfully • collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes • adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed • accurate and, where necessary, kept up to date • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed 13
  • 14.
    EU Data ProtectionDirective Article 7 – Personal data may be processed only if: • the data subject has unambiguously given his consent; or • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or • processing is necessary for compliance with a legal obligation to which the controller is subject; or • processing is necessary in order to protect the vital interests of the data subject; or • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or • processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental 14
  • 15.
    EU Data ProtectionDirective Articles 10, 11 and 12 Subject has right to know : • the identity of collector of information • purpose for the collection 15
  • 16.
    EU Data ProtectionDirective Article 25 – transfers to non-European countries • Transfer of personal data to a non-European country may take place only if the country ensures an “adequate level of data protection” • EU and United States use different approaches: – United States – targeted privacy laws (typically targeting specific records) – EU – Omnibus approach (comprehensive privacy regulations) • Where no adequate protection – transfer is permitted only by one of the narrow exceptions in Article 26 16
  • 17.
    EU Data ProtectionDirective Article 26 – Exceptions where no adequate protection • subject has given unambiguous consent; or • transfer is necessary for the performance of a contract 17
  • 18.
    U.S. Department ofCommerce Commerce-Safe Harbor • Created in response to the EU Data Protection Directive See Welcome to the Safe Harbor, available at http://www.export.gov/safeharbor/ (last visited April 10, 2007) 18
  • 19.
    US Department ofCommerce-Safe Harbor Seven Safe Harbor Principles • Notice – must provide conspicuous notice to individuals about – purposes for which it collects and uses the personal information – types of third parties to which it discloses the personal information – contact information for complaints and inquires • Choice – must allow individual to opt-out or opt-in – opt-out of transferring personal information to a third party or using personal information for non-stated purpose if not sensitive – opt-in of transferring personal information to a third party or using personal information for non-stated purpose if sensitive (e.g., medical condition, political opinion, religious beliefs, sex life) 19
  • 20.
    US Department ofCommerce-Safe Harbor Seven Safe Harbor Principles • Transfers to Third Parties – must ensure that third party: – subscribes to the Safe Harbor – is subject to the EU Directive – other adequate finding – agrees to provide at least the same level of privacy protection as is required by the Safe Harbor • Security – reasonable precautions to protect personal information from “loss, misuse and unauthorized access, disclosure, alteration and destruction” 20
  • 21.
    US Department ofCommerce-Safe Harbor Seven Safe Harbor Principles • Relevance – personal information must be relevant for the purposes for which it is to be used • Access - individuals must have access to personal information about them and be able to “correct, amend, or delete” inaccurate information • Enforcement – must include – mechanism for assuring compliance – recourse for individuals to whom the data relate affected by non- compliance – consequences when organization fails to comply 21
  • 22.
    US Department ofCommerce-Safe Harbor Safe Harbor List See Safe Harbor List, available at http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list (last visited April 10, 2007) 22
  • 23.
    Model Contracts forthe Transfer of Personal Data to Foreign Countries Member States are not under and obligation to notify the Commission if standard contractual clauses are used See Article 26(3) See Model Contracts for the transfer of personal data to third countries, available at 23 http://ec.europa.eu/justice_home/fsj/privacy/modelcontracts/index_en.htm (last visited April 10, 2007)
  • 24.
    EU-US Data Disclosure Ongoing Issues Concerning European Airline Passenger Data • On May 17, 2004, the European Commission adopted a decision recognizing adequate privacy protections in EU-US passenger data disclosure (allowed the transfer of personal information on European airline travelers to the U.S. government) • On May 30, 2006, the European Court of Justice struck down the EU-US passenger data disclosure deal • On October 6, 2006, the United States and the EU established a temporary arrangement that will expire in July of 2007 See EU-US Airline Passenger Data Disclosure, available at http://www.epic.org/privacy/intl/passenger_data.html (last visited April 11, 2007) 24
  • 25.
    Electronic Privacy InformationCenter (EPIC) • A public interest research center in Washington, D.C. • Established in 1994 • Focuses on emerging civil liberties issues and protecting privacy, the First Amendment, and constitutional values See Electronic Privacy Information Center, available at http://www.epic.org/ (last visited April 10, 2007) 25
  • 26.
    Privacy International • A human rights group formed in 1990 as a watchdog on privacy issues • Based in London (an office in Washington, D.C.) • Conducts campaigns and research throughout the world See Privacy International, available at http://www.privacyinternational.org/ (last visited April 10, 2007) 26
  • 27.
    Google Gmail Email Content Based Advertising See About Gmail, available at http://mail.google.com/mail/help/screen2.html (last visited April 12, 2007) 27
  • 28.
    Google Gmail Privacy International Complaint Arguments include: • Violates Article 17 for not accepting liability for security of personal information Google disclaims all responsibility and liability for the availability, timeliness, security or reliability of the Service. • Violates Article 29 for a third party reading the contents of email between two parties Google also reserves the right to access, read, preserve, and disclose any information as it reasonably believes is necessary to (a) satisfy any applicable law, regulation, legal process or governmental request, (b) enforce this Agreement, including investigation of potential violations hereof, (c) detect, prevent, or otherwise address fraud, security or technical issues (including, without limitation, the filtering of spam), (d) respond to user support requests, or (e) protect the rights, property or safety of Google, its users and the public. • Violates Article 7 for processing personal data without unambiguous consent See Complaint: Google Inc – Gmail email service, available at http://www.privacyinternational.org/issues/internet/gmail-complaint.pdf (last visited April 11, 2007) 28
  • 29.
    Google Gmail Groups Call for Investigation of Gmail • On May 3, 2004, EPIC, Privacy Rights Clearinghouse, and the World Privacy Forum urged the Attorney General of California to investigate Google’s Gmail service – Argued that the scanning of e- mails for targeted marketing violates California’s wiretapping laws (California Penal Code § 631) • The groups also called upon Google to suspend the service again, as Gmail users could be liable for violations of the law. See Groups Call for Investigation of Gmail, available at http://www.epic.org/news/2004.html (last visited April 12, 2007) 29
  • 30.
    Data Protection LawsAround the World • Blue – Comprehensive Data Protection Law Enacted • Red – Pending Effort to Enact Law • White – No Law See Data Protection Laws Around the World, available at http://www.privacyinternational.org/survey/dpmap.jpg (last visited April 12, 2007) 30
  • 31.
    Privacy Laws Aroundthe World Canada – The Personal Information Protection and Electronic Documents Act • Passed on April 13, 2000 • Applies to organizations that collect, use or disclose personal information in the course of commercial activities – Excludes certain government institutions to which the Privacy Act applies – Excludes certain individuals collecting, using or disclosing public information solely for person or domestic purposes – Excludes certain organizations collecting, using or disclosing public information solely for journalistic, artistic or literary purposes • Personal Information – “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.” • Appropriate purposes - an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances See The Personal Information Protection and Electronic Documents Act, available at 31 http://www.privcom.gc.ca/legislation/02_06_01_e.asp (last visited April 12, 2007)
  • 32.
    Privacy Laws Aroundthe World Canada – The Personal Information Protection and Electronic Documents Act • Notice – must provide notice to individuals about – purposes for which it collects and uses the personal information – procedures to gain access to personal information held by the organization – contact information of the person who is accountable for the organization’s policies and to whom complaints or inquires can be sent • Limited Collection – collection of personal information shall be limited to that which is necessary for the purposes identified by the organization See The Personal Information Protection and Electronic Documents Act, available at 32 http://www.privcom.gc.ca/legislation/02_06_01_e.asp (last visited April 12, 2007)
  • 33.
    Privacy Laws Aroundthe World Canada – The Personal Information Protection and Electronic Documents Act • Security – must implement security safeguards against loss or theft, unauthorized access, disclosure, copying, use, or modification • Choice – Very limited exceptions where personal information may be used, disclosed or collected without prior consent • Accurate – must be accurate, complete and up-to-date as is necessary for the purpose for which it is to be used • Purpose – must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law See The Personal Information Protection and Electronic Documents Act, available at 33 http://www.privcom.gc.ca/legislation/02_06_01_e.asp (last visited April 12, 2007)
  • 34.
    Privacy Laws Aroundthe World Japan – Personal Information Protection Law • Passed on May 23, 2003 • Protects information of individuals – does not cover information of corporations • Applies to the National government, public organizations, and Personal Information Handling Enterprises • Establishes penalties for data collectors who violate the law • Personal Information – “information that may make a living individual distinguishable from others.” • Personal Information Handling Enterprises – entities that use Personal Information Databases in their businesses – Excludes the National government, local public organizations, independent administrative agencies and local independent administrative agencies – Excludes enterprises that process less than 5,000 personal information records per day 34
  • 35.
    Privacy Laws Aroundthe World Japan – Personal Information Protection Law • Notice – must provide notice to individuals about – name of the data collector – purposes for which it collects and uses the Personal Information • personal information may not be used in a manner that exceeds the scope without prior consent from the individual – procedures to access, modify and terminate the use of personal information – contact information for complaints and inquires (complaints must be responded to adequately and promptly) • Relevance – personal information must be relevant for the purposes for which it is to be used 35
  • 36.
    Privacy Laws Aroundthe World Japan – Personal Information Protection Law • Security – must implement security safeguards and provide proper supervision of employees and other entities to which personal information may be may be entrusted • Choice – Generally, personal information may not be disclosed or made available to third parties without prior consent (“opt in”); exceptions, when disclosure is: – made in accordance with the law – necessary to protect life, body or property – necessary to protect public health – necessary for governmental purposes 36
  • 37.
    Privacy Laws Aroundthe World Australia – Federal Privacy Act See The Office of the Privacy Commissioner, Federal Privacy Law, available at http://www.privacy.gov.au/act/index.html (last visited April 12, 2007) 37
  • 38.
    Privacy Laws Aroundthe World Other Countries • Mexico – Article 214 of the Penal Code protects the disclosure of personal information held by government agencies – The General Population Act regulates the National Registry of Population and Personal Information • Russia – Article 24 of the Russian Federation forbids gathering, storing, using and disseminating information on the private life of any person without consent • France – The Data Protection Act covers personal information held by government agencies and private entities 38
  • 39.
    Cross-Border Privacy Tips • There is a global trend toward comprehensive protection which must be taken into consideration; may require personal information to be: – obtained fairly and lawfully – used only for the original specified purpose – adequate, relevant and not excessive to purpose – accurate and up to date – destroyed after its purpose is complete • Current international laws should be reviewed prior to any cross-border transfers of personal information and periodically reevaluated – Confirm compliance with Safe Harbor provisions for transfers between US and EU • You are likely to be required to provide additional privacy protections for any cross-border transfers 39
  • 40.
    Useful Resources • www.privacy.org – Joint project of the Electronic Privacy Information Center (EPIC) and Privacy International • www.privacyinternational.org – Privacy International • www.epic.org – Electronic Privacy Information Center • www.coe.int – Council of Europe • www.oecd.org – Organization for Economic Co-operation and Development • www.export.gov/safeharbor – U.S. Department of Commerce Safe Harbor • www.privacy.gov.au – The Office of the Privacy Commissioner of Australia 40
  • 41.
    Gardere Wynne SewellLLP Karl Larson 3000 Thanksgiving Tower 1601 Elm Street Dallas, TX 75201-4761 Phone: 214.999.4582 Fax: 214.999.3582 klarson@gardere.com 41

Editor's Notes

  • #17 Protection in the United States is a fractured, eposodic, recorded targeted patchwork of laws. No precise constitutional guarantee of the right to privacy in the United States