Privacy Law - PowerPoint PPT Presentation

1
Privacy Law
  • K778 Privacy, Security, and Trust
  • Michael Bliemel
  • March 15, 2002

2
Outline
  • US Privacy Laws
  • European Data Protection Directive
  • Safe Harbor
  • Canadian Laws
  • Personal Information Protection and Electronic
    Documents Act
  • Conclusions

3
US Privacy Law
  • Patchwork of sector-specific laws and regulations;
    no comprehensive national law
  • 1970 fair credit reporting act
  • 1974 code of fair practices and privacy act
  • 1978 right to financial privacy act
  • 1982 debt collection act
  • 1984 cable communications act
  • 1986 electronic communications privacy act
  • 1987 computer security act
  • 1988 computer matching and privacy protection act
  • 1994 communications assistance for law
    enforcement act
  • 1994 driver's privacy protection act
  • 1996 communications decency act
  • 1998 identity theft and assumption deterrence act
  • 1998 children's online privacy protection act

4
Lawsuits in USA
  • Need a degree in law to understand all the legal
    implications for privacy in USA
  • Litigation seems the preferred form of regulation
  • Litigation usually filed under deception
  • Misrepresentation of privacy promises
  • Failure to Disclose
  • Children (COPPA)
  • Identity Theft
  • Cookies and Web Bugs
  • For cases see Freeman, Nemiroff, Privacy Law in
    Q1 2002,
    www.privacylawplaybook.com/documents/PRIV_Privacy_Law_Primer_2002_Q1.PDF

5
European Law
  • EU Data Protection Directive (1998)
  • EU member states must adopt regulations that
    forbid the transfer of data to non-member
    countries, if those non-member countries fail to
    provide adequate protection
  • Exceptions: data transfer is permissible if
  • Data subject consents to transfer
  • Transfer is necessary to perform contract
  • Transfer serves the interests of the subject
  • Recipient provides sufficient guarantees to
    privacy

6
European Law
  • EU Data Protection Directive (1998)
  • Adequate level of protection: individuals must be
    able to
  • Withhold consent to process their data
  • Access the data collected about them
  • Correct inaccuracies in the data
  • Bring a complaint and seek redress for misuse of
    data
  • Data collector must provide individuals with:
  • Notice of the purposes for which the data is
    collected
  • The intended uses of the data
  • Any other recipients of the data

7
European Law
  • EU Data Protection Directive (1998)
  • Canada has been declared adequate as of Jan 14,
    2002
  • EU officials determined that US protections are
    not adequate
  • To prevent a trade war, Safe Harbor agreements
    were made between the US and EU
  • Companies comply individually with directive
    requirements
  • 170 have joined (www.export.gov/safeharbor)

8
EU US Safe Harbor
  • Benefits for companies joining Safe Harbor
    program
  • All 15 Member States of the European Union will
    be bound by the European Commission's finding of
    adequacy
  • Companies participating in the safe harbor will
    be deemed adequate and data flows to those
    companies will continue
  • Member State requirements for prior approval of
    data transfers either will be waived or approval
    will be automatically granted; and
  • Claims brought by European citizens against U.S.
    companies will be heard in the U.S. subject to
    limited exceptions.

9
EU US Safe Harbor
  • Requirements for companies joining Safe Harbor
    program
  • Notice
  • Choice
  • Onward Transfer
  • Access
  • Security
  • Data integrity
  • Enforcement
  • Self-regulated, but if commitments are broken the
    FTC can fine 12,000 per day

10
International Laws
  • OECD Privacy Principles
  • Governing transborder flows of personal data
  • Similar to EU directive
  • United Nations Guidelines Concerning Computerized
    Personal Data Files
  • Adopted by general assembly 1990
  • Lawfulness, Fairness, Accuracy, Purpose
    specification, Access, Non-Discrimination,
    Exceptions, Security, Supervision and Sanctions,
    Transborder Data flows, Field of Application

11
Canadian Privacy Law
  • Federal Laws
  • Privacy Act (1983)
  • Personal Information and Electronic Documents Act
    (2001-2004)
  • Provincial Legislation
  • Sector Specific Legislation
  • Personal Health Information Act
  • Federal Bank Act

12
Privacy Commissioner of Canada
  • Mandate
  • investigate complaints and conduct audits under
    two federal laws
  • publish information about personal
    information-handling practices in the public and
    private sector
  • take matters to the Federal Court of Canada
  • conduct research into privacy issues; and
  • promote awareness and understanding of privacy
    issues by the Canadian public

13
Personal Information and Electronic Documents Act
  • Stage 1 - January 1, 2001
  • Act applies to personal information excluding
    personal health information collected, used, or
    disclosed by federal works, undertakings and
    businesses
  • Banks, telephone companies, cable television,
    broadcasting, interprovincial transportation, and
    air carriers
  • Also applies to personal information that is
    shared or disclosed for profit across borders

14
Personal Information and Electronic Documents Act
  • Stage 2 - January 1, 2002
  • Act now covers all personal health information
    including mental and physical health, test
    results, examinations and services provided

15
Personal Information and Electronic Documents Act
  • Stage 3 - January 1, 2004
  • Act will apply to the collection, use, or
    disclosure of personal information in the course
    of any commercial activity within a province
  • All personal information in all international or
    interprovincial transactions by all organizations
  • The only exempt businesses may be provincial ones
    that are subject to substantially similar
    provincial laws (e.g. Quebec)

16
What is personal information?
  • Personal information is any factual or subjective
    information, recorded or not, about an
    identifiable individual. It includes:
  • age, name, weight, height
  • medical records
  • ID numbers, income, ethnic origin, or blood type
  • opinions, evaluations, comments, social status,
    or disciplinary action; and employee files,
    credit records, loan records, existence of a
    dispute between a consumer and a merchant,
    intentions (for example, to acquire goods or
    services, or change jobs).
  • Personal information does not include your job
    title, telephone number or address, anything that
    might appear on your business card, or can be
    found through publicly available information such
    as the telephone book.

17
PIPED 10 Principles of Fair Information Practices
  • Accountability
  • Identifying purposes
  • Consent
  • Limiting collection
  • Limiting use, disclosure, and retention
  • Accuracy
  • Safeguards
  • Openness
  • Individual access
  • Provide recourse

18
PIPED 10 Principles of Fair Information Practices
  • Accountability
  • Appoint individual(s) responsible for
    organizational compliance with the act
  • Training, documentation, analysis of data,
    policies on data and security
  • Contracts for third parties guaranteeing the same
    level of protection
  • Publish policies to customers and employees

19
PIPED 10 Principles of Fair Information Practices
  • Identifying Purposes
  • The organization must identify and document the
    purposes of personal information before or during
    collection
  • Purposes must be what a reasonable person would
    expect under the circumstances
  • Individuals must be informed of this
  • Grandfathering: if information is to be used for
    new purposes, consent must be obtained from
    individuals

20
PIPED 10 Principles of Fair Information Practices
  • Consent
  • Knowledge and consent must be obtained for
    the collection, use, or disclosure of information
  • Consent must be obtained fairly and can be
    withdrawn at any time
  • Exceptions
  • Collection: publicly available information,
    journalistic, literary, or artistic purposes
  • Use: emergencies, statistical or scholarly study
    with notification of PCC, clearly in individual's
    interest, public
  • Disclosure: can be criminal investigations, debt
    collection, court order, studies as above,
    emergencies, 20 years after the death of the
    individual or 100 years after the recording

21
PIPED 10 Principles of Fair Information Practices
  • Limiting collection
  • Only information specifically required for
    identified purposes may be collected
  • Purposes should not be stated too broadly
  • Employees must be able to explain why information
    is needed

22
PIPED 10 Principles of Fair Information Practices
  • Limiting use, disclosure and retention
  • Information may only be used or disclosed for
    purposes for which it was collected
  • Information may only be kept for as long as
    necessary to satisfy the purposes
  • Personal information used to make a decision must
    be kept for a reasonable amount of time after the
    decision
  • Policies must be put in place for destroying,
    erasing and rendering anonymous information that
    is no longer required

23
PIPED 10 Principles of Fair Information Practices
  • Accuracy
  • Information must be accurate when disclosing or
    making decisions
  • Updating information without a purpose is not
    allowed

24
PIPED 10 Principles of Fair Information Practices
  • Safeguards
  • Personal Information must be protected against
    loss or theft regardless of format
  • Security policy and auditing
  • Employees must be aware of confidentiality of
    personal information

25
PIPED 10 Principles of Fair Information Practices
  • Openness
  • Policies and practices must be easily
    understandable and available
  • What data is collected
  • How it is used
  • Who it is disclosed to
  • How to access it
  • How to make inquiries or complaints
  • Individuals responsible must be clearly
    identified and contactable

26
PIPED 10 Principles of Fair Information Practices
  • Individual access
  • Individuals can request copies of personal
    information, its past and present use, to whom it
    has been disclosed
  • Exceptions to access: law enforcement, other
    individuals, confidential commercial information,
    generated in formal dispute
  • Amend incorrect information, inform third parties
    of amendments

27
PIPED 10 Principles of Fair Information Practices
  • Provide recourse
  • Simple, accessible complaint procedures
  • Inform individuals of avenues of complaints
  • Organization
  • Regulatory bodies
  • Privacy Commissioner of Canada
  • Whistleblower Protection
  • Organizations cannot take recourse against an
    employee who makes a complaint to the
    Commissioner, refuses to do something that would
    be a violation, or acts in good faith to prevent
    a violation

28
Complying with the PIPED Act
  • Designate CPO and Privacy Team
  • Audit
  • Develop Privacy Policy
  • Develop Procedures
  • Educate Employees
  • Deal with Inquiries
  • Monitor Privacy

29
Conclusions
  • Privacy Law is
  • Immature
  • Complex
  • Mandatory
  • Main Facets of Privacy are
  • Ensuring Consent (Opt In)
  • Identifying and Making Clear Purposes
  • Protecting Data
  • Individuals' Rights to Access and Opt Out