High Technology Cooperation Group: Data Privacy

1
High Technology Cooperation Group Data Privacy
Privacy and Cyber Security legal and policy
issues
Joseph Alhadeff Chair, USIBC Information
Technology Committee
The Indo-U.S. High Technology Cooperation Group
November 18, 2004
www.usibc.com
2
High Technology Cooperation Group Data Privacy
The Legal Landscape

• Governmental Sources
• EU Guidelines
• FTC Fair Information Practices
• Regional Law
• National Law
• Local Law

• Quasi Governmental
• OECD Guidelines
• APEC Guidelines
• APT Guidelines
• Self Regulatory Bodies
• Business/Sectoral Associations

The Indo-U.S. High Technology Cooperation Group
November 18, 2004
www.usibc.com
3
High Technology Cooperation Group Data Privacy
OECD Guideline Principles

• The collection and use of data should be
  disclosed and users be given an opportunity to
  decline collection
• Data should be collected, stored, processed, and
  communicated only for legitimate purposes
• Data should be current, accurate, and relevant to
  the intended use and
• Data subjects should be entitled to examine,
  where appropriate, data relating to them, and to
  obtain correction or deletion of such data, if
  justified.

The Indo-U.S. High Technology Cooperation Group
November 18, 2004
www.usibc.com
4
High Technology Cooperation Group Data Privacy
APEC Guidelines

• Like OECD Guidelines recognize the benefits of
  the information flows as well as responsibilities
• Based on OECD, but more flexible and adaptable to
  Global Information Flows
• Focus is more on use of personal information and
  preventing harm through appropriate protection
  obligations that flow with the information
• This includes work on using corporate rules with
  regional recognition
• Principles should be ratified this year, work on
  implementation continues.

The Indo-U.S. High Technology Cooperation Group
November 18, 2004
www.usibc.com
5
High Technology Cooperation Group Data Privacy
Common Privacy Elements

• Disclosure/Notice of what, how, why and with who
• Choice opt in / opt-out
• Access for review correction
• Security
• Fair, relevant, timely, for business need
• Compliance/enforcement (company)
• Redress/oversight (government/third party)

The Indo-U.S. High Technology Cooperation Group
November 18, 2004
www.usibc.com
6
High Technology Cooperation Group Data Privacy
Setting the Stage EU/US Basics
The Indo-U.S. High Technology Cooperation Group
November 18, 2004
www.usibc.com
7
High Technology Cooperation Group Data Privacy
EU/US Privacy Paradigms

• EU
• Privacy rights mainly applied to protect
  individuals from corporate/commercial use of
  information
• The role of government in protecting privacy
• The human right of privacy and moral rights of
  authors
• Regulation in advance of issue
• Wrongful collection of information

• US
• The Constitutional right to privacy secures
  citizens from unreasonable governmental intrusion
• The role of the government in assuring fairness
  and preventing deception
• Free speech, individual choice and the fair use
  doctrine
• Legislation in response to issue
• Harmful use of information

The Indo-U.S. High Technology Cooperation Group
November 18, 2004
www.usibc.com
8
High Technology Cooperation Group Data Privacy
The Nature of a Directive

• EU wide application
• National country implementation
• May vary in implementation as long as not
  contrary
• Any Country / Citizen may bring action to claim
  that national is not in compliance
• Heard by EU court

The Indo-U.S. High Technology Cooperation Group
November 18, 2004
www.usibc.com
9
High Technology Cooperation Group Data Privacy
EU Directive

• October 24, 1998 implementation
• EU Personally identifiable information must have
  adequate protection
• Intranet/Web collection
• Extraterritorial effect - adequacy of other laws
• National implementation spectrum floor not
  ceiling
• Directive review

The Indo-U.S. High Technology Cooperation Group
November 18, 2004
www.usibc.com
10
High Technology Cooperation Group Data Privacy
EU Directive - Continued

• Extraterritorial effect precludes transfer to
  countries not providing for adequate protection
  of privacy
• Adequacy findings for Switzerland, Hungary,
  Canada, Argentina and the US Safe Harbor
  companies
• Derogations
• Contractual solutions
• EC Data Controller and Processor Model Contracts
• ICC Model Contract
• Binding Corporate Rules Work in progress

The Indo-U.S. High Technology Cooperation Group
November 18, 2004
www.usibc.com
11
High Technology Cooperation Group Data Privacy
Directive Historical Context

• Directive was drafted in a time of point-to-point
  EDI and overnight batch processing.
• Contractual solutions/adequacy were more
  appropriate for country-to-country transfers
• Directive review recognized need for greater
  harmonization across EU application and need for
  greater flexibility of application to global
  information flows.

The Indo-U.S. High Technology Cooperation Group
November 18, 2004
www.usibc.com
12
High Technology Cooperation Group Data Privacy
US/EU Agree on Safe Harbor

• Effective date 11/00 - Compliance By 7/01
• Self-certification
• Principles/FAQs
• Enforcement Mechanisms
• Third Party backed by FTC/DOT
• Panel of three registrars
• Benefit - Finding of adequacy is equivalent to
  transfer w/in EU for prior consent purposes, BUT
  still requires notice rationale

The Indo-U.S. High Technology Cooperation Group
November 18, 2004
www.usibc.com
13
High Technology Cooperation Group Data Privacy
Safe Harbor Principles

• 1.Notice
• 2.Choice
• 3.Onward Transfer
• 4.Security
• 5.Access
• 6. Enforcement
• Documents may be found at
• http//www.export.gov/safeharbor

The Indo-U.S. High Technology Cooperation Group
November 18, 2004
www.usibc.com
14
High Technology Cooperation Group Data Privacy
Safe Harbor Review

• Report was critical of certain practices but did
  not undermine the Safe Harbor
• Focused on need for clarification, education and
  review of oversight practices
• Financial Services still NOT covered
• Treasury negotiations
• Fractured alliance prospects
• Safe harbor predicated on Agency backstop FTC,
  DOT

The Indo-U.S. High Technology Cooperation Group
November 18, 2004
www.usibc.com
15
High Technology Cooperation Group Data Privacy
Outside EU and US Some Highlights

• All enlargement countries, Switzerland and EFTA
• Other active countries w/some legislation
• Hong Kong New Zealand Chile Argentina Canada,
  AustraliaTaiwanKoreaSouth Africa, Japan
• Proposed/Thinking Thailand India Brazil
  Mexico China

The Indo-U.S. High Technology Cooperation Group
November 18, 2004
www.usibc.com
16
High Technology Cooperation Group Data Privacy
Privacy and India

• Focus on rationale and objective
• Review existing laws and processes (including
  Contract Law and other related laws and
  processes)
• Review current state of the data processing and
  global sourcing industry re privacy and security
• Gap analysis to relevant international
  instruments and norms
• Selective amendment or revision of existing laws
  and processes as needed to achieve objectives
• The need for more, better and targeted
  information to address gaps in perception

The Indo-U.S. High Technology Cooperation Group
November 18, 2004
www.usibc.com
17
High Technology Cooperation Group Data Privacy
Innovative Privacy Architecture Elements
The Indo-U.S. High Technology Cooperation Group
November 18, 2004
www.usibc.com
18
High Technology Cooperation Group Data Privacy
Concepts for Privacy Approaches

• Consistent with need for and benefits of global
  information flows
• Protection as appropriate to type and use of
  information business directory, for instance
• Limitation of bureaucratic overhead
• Innovative policy instruments and mechanisms
• Recognition of registration/ certification/
  accreditation
• Mediation/dispute resolution
• Cooperation in cross-border transfer and
  responsibility

The Indo-U.S. High Technology Cooperation Group
November 18, 2004
www.usibc.com
19
High Technology Cooperation Group Data Privacy
Concepts contd

• Transparency for Business and Consumer
• Appropriate relationship to security
• Relevance to developed and developing countries
  as well as those with and without existing
  frameworks
• Considering appropriate incentives, motivating
  factors and redress frameworks

The Indo-U.S. High Technology Cooperation Group
November 18, 2004
www.usibc.com
20
High Technology Cooperation Group Data Privacy
To what end?

• Exploring the thought-leadership role that India
  could play as a result of long-established legal
  frameworks, cutting edge technology players,
  entrepreneurial expertise and increasingly
  important role in global data transfers

The Indo-U.S. High Technology Cooperation Group
November 18, 2004
www.usibc.com