What if my organization conducts business across borders?

Page 1: What if my organization conducts business across borders?

• Privacy and “Personal Information” have different meanings in different countries; however, you should be aware that privacy is regulated to one extent or another in most countries with which the U.S. does business. And regulation in this area is increasing and evolving rapidly.

• Privacy concerns come into play in any situation where uniquely identifiable information relating to a person is collected, processed and stored.

• These concerns apply regardless of whether an organization collects uniquely identifiable information in digital form or otherwise.

• Typical considerations for businesses and organizations that collect Personal Information may include:
  - how is Personal Information collected, stored, and associated?
  - who is given access to your customers’ Personal Information?
  - how is such information used?
  - does the individual have any ownership rights to such data, and/or the right to view, verify, and challenge that information?

Page 2: Different Notions of “Privacy”

EUROPEAN UNION

• Right to privacy as a “fundamental human right”

• Privacy as a “human dignity right”

• Art. 8 EU Convention of Human Rights: “…respect for…private and family life…home, and…correspondence”.

• Protection of people from having their lives exposed to public view, esp. mass media

UNITED STATES

• Right to privacy primarily enforced as “consumer protection right”

• Privacy “balanced” against Free Speech; latter often prevails

• Implied (not express) right in U.S. Constitution

• Protection of people against Government overreaching, esp. at home

Differences also stem from very different historical experiences

Page 3: Different Approaches to Privacy Regulation

EUROPEAN UNION

• Privacy protection is privileged over economic efficiency and speech, even if this creates trade barriers

• Transfers of personal data in commerce, at work, etc. presumed to not be legitimate unless there is a “legal basis” (express consent; fulfillment of contractual or legal obligations)

• Data Protection Principles

• Most countries not deemed to offer “adequate protection”

UNITED STATES

• Free speech and interstate commerce privileged over privacy; protections crafted primarily for consumers

• Transfers of personal data are presumed legitimate and necessary (protections limited to situations of egregious misuse or unauthorized access)

• Regulation fragmented by economic sector (e.g., HIPAA, FCRA, HITECH, GLBA) not uniformly

Page 4: PRIVACY REGULATION IN CANADA

• Canada often assumed to be similar to the U.S. with respect to business practices; but privacy regulation is another matter. Canadian approach to confidentiality and the transfer of Personal Information is much more in line with the European model than that of the U.S.

• Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) became effective in 2004 and provides a federal-level personal information protection regime

• Basic principles and obligations for organizations covered by PIPEDA:
  - obtain an individual's consent when they collect, use or disclose the individual's personal information.
  - the individual has a right to access personal information held by an organization and to challenge its accuracy, if need be.
  - personal information can only be used for the purposes for which it was collected. If purpose changes, consent must be obtained again.
  - individuals should also be assured that their information will be protected by specific safeguards, including measures such as locked cabinets, computer passwords or encryption.

Page 5: PRIVACY REGULATION IN MEXICO

• Mexico enacted comprehensive data protection law in 2010, the “Law on the Protection of Personal Data in the Possession of Private Entities” (“LFPD”)

• LFPD regulates the processing of personal information by private companies (other than credit bureaus, which are regulated separately) and seeks to protect citizens’ rights to “privacy and to personal information self-determination”.

• The LFPD provides a data subject the right to give his/her consent to the processing of personal data, subject to certain statutory exceptions.

• The data controller must disclose to the data subject, through a privacy notice, the information gathered about him/her and the use(s) to be given to said information.

• LFPD requires express written consent of the data subject for the disclosure of sensitive personal data (incl. ethnic origin, current or foreseeable health condition(s), genetic information, religious, philosophical or moral beliefs, labor union affiliation, political opinions and/or sexual orientation).

• The LFPD creates a right of civil action for data subjects for the data controllers’ breaches of the LFPD.

Page 6: How to Address Privacy Compliance Across National Borders with Different Constituencies

Diagram: Your Organization and its four constituencies, with the instrument that governs the use of personal information for each:

• Business Partners: B-2-B agreements regarding use of personal information

• Employees: Internal policies and procedures regulating access to and use of personal information

• Customers: Privacy Policy; Terms and Conditions; Representations made re: Use of Personal Information

• Service Providers: Agreements to use personal information only for your organization

Page 7: Other Country Regulation & Select Resources

• http://www.ey.com/Publication/vwLUAssets/Privacy_trends_2012/$FILE/Privacy-trends-2012_AU1064.pdf

• http://www.financierworldwide.com/AnnualReviews/AR_DataProtection_326jpm.pdf

• http://heatmap.forrestertools.com/