<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
><channel><title>CIPP Guide &#187; EU</title> <atom:link href="http://www.cippguide.org/tag/eu/feed/" rel="self" type="application/rss+xml" /><link>https://www.cippguide.org</link> <description>Your Guide to the CIPP</description> <lastBuildDate>Tue, 07 Feb 2012 12:00:10 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <item><title>Privacy &amp; Intellectual Property</title><link>https://www.cippguide.org/2011/11/15/privacy-intellectual-property/</link> <comments>https://www.cippguide.org/2011/11/15/privacy-intellectual-property/#comments</comments> <pubDate>Tue, 15 Nov 2011 12:00:40 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[control]]></category> <category><![CDATA[copyright]]></category> <category><![CDATA[DCMA]]></category> <category><![CDATA[EU]]></category> <category><![CDATA[intellectual property]]></category> <category><![CDATA[property rights]]></category> <category><![CDATA[WIPO]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2663</guid> <description><![CDATA[This article takes a look at the relationship between privacy and intellectual property issues. Intellectual property concerns the control of data generated by an individual that constitutes a creative work, while privacy concerns the control of non-creative data generated by an individual. The article takes a look at regulations currently in effect, namely the US Digital Millennium Copyright Act (DMCA), and the EU’s Database Directive. [...]]]></description> <content:encoded><![CDATA[<p>In recent years, information privacy has come to be considered a scarce commodity, as it is relatively convenient and simple to collect large amounts of information that can be linked to specific individuals. Many commentators have pointed out the relationship between intellectual property and privacy issues. For instance, both are concerned with the control of sensitive information.</p><p>Intellectual property concerns the control of data generated by an individual that constitutes a creative work, while privacy concerns the control of non-creative data generated by an individual. This article will consider the links between the two concepts from a privacy professional’s perspective.</p><p><strong>Introduction to Intellectual Property</strong></p><p>Certain economists and privacy advocates advocate giving individuals property rights in their personal data, in order to promote information security. From this perspective, proponents argue that this would allow individuals to negotiate with firms regarding the uses they would agree to for their personal data. This would also force businesses and organizations to internalize a higher proportion of the societal costs of processing personal data.</p><p><strong>Regulations</strong></p><p>In October 1998, the US <a
href="https://www.cippguide.org/tag/DCMA/">Digital Millennium Copyright Act (</a>DMCA) was signed into law. This piece of legislation implemented two 1996 <a
href="http://www.wipo.int/portal/index.html.en">World Intellectual Property Organization</a> (WIPO) treaties, addressing a number of significant copyright-related issues. The Act effectively encouraged copyright owners to make their databases more available through digital distribution methods, by including technological protections in the form of penalties for copyright infringement, or piracy.</p><p>In January 1998, the EU’s Database Directive came into effect. This Directive provided two levels of protection:</p><ol><li>It offers copyright protection for original selection and arrangement of facts in a database</li><li>It offers <em><a
href="http://en.wikipedia.org/wiki/Sui_generis">sui generis</a></em> protection for non-original databases, thus prohibiting the unfair extraction of a substantial part of any database reflecting significant investment.</li></ol><p>Essentially, a database could receive both types of protection simultaneously. It could receive copyright protection for the selection and arrangement of data, as well as <em>sui generis</em> protection against the extraction of a substantial part of the data. <em>Sui generis</em> protection lasts for 15 years, while copyright protection lasts for the life of the author, plus 70 years.</p><p><strong>Critics Say… </strong></p><p>While the DMCA and EU Database Directive were substantial steps towards ensuring privacy, a study of over 750 e-commerce sites in the EU and the US showed that the websites were still selling products and services to consumers in a manner that fell short of international standards. For instance, most sites would collect personal information, but fail to tell consumers how their data would be used, how security is maintained and the rights that consumers would have over their own information.</p><p>In a March 2011 White House analysis of intellectual property legislation and enforcement, entitled <a
href="http://www.whitehouse.gov/sites/default/files/ip_white_paper.pdf"><em>Administration’s White Paper on Intellectual Property Enforcement Legislative Recommendations</em></a>, some trends were identified that may indicate that US governmental policy toward enforcement may be sacrificing privacy for copyright enforcement. In this analysis, the Administration recommended three legislative changes, which essentially give enforcement agencies the tools required to respond to infringement:</p><ol><li>Clarify that, in appropriate circumstances, infringement by streaming, or by means of other similar new technology, is a felony;</li><li>Authorize DHS, and its component US <a
href="http://www.cbp.gov/xp/cgov/home.xml">Customs and Border Protection</a> (CBP), to share pre-seizure information about, and samples of, products and devices with rightholders to help DHS to determine whether the products are infringing or the devices are circumvention devices; and</li><li>Give law enforcement authority to seek a wiretap for criminal copyright and trademark offenses.</li></ol><p>The document also pointed out a number of other legislative recommendations made by the office of IP Enforcement. However, networking technologies that are needed for the advancement of communication technologies and security make such legislation increasingly difficult to enforce. This results in more lobbyists and government officials pushing for even more stringent privacy-violating legislation.</p><p><strong>Summary </strong></p><p>This article takes a look at the relationship between privacy and intellectual property issues. Intellectual property concerns the control of data generated by an individual that constitutes a creative work, while privacy concerns the control of non-creative data generated by an individual. 
The article takes a look at regulations currently in effect, namely the US Digital Millennium Copyright Act (DMCA), and the EU’s Database Directive.</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Foundation Examination (Foundations), a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Information types – intellectual property (IP) (I.A.c.ii.4.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2011/11/15/privacy-intellectual-property/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>EU Data Protection Directive &amp; Binding Corporate Rules</title><link>https://www.cippguide.org/2011/10/25/eu-data-protection-directive-binding-corporate-rules/</link> <comments>https://www.cippguide.org/2011/10/25/eu-data-protection-directive-binding-corporate-rules/#comments</comments> <pubDate>Tue, 25 Oct 2011 12:00:43 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[adequacy]]></category> <category><![CDATA[BCR]]></category> <category><![CDATA[data transfer]]></category> <category><![CDATA[EU]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2661</guid> <description><![CDATA[This article takes a look at Binding Corporate Rules (BCRs), as outlined by the EU Directive 95/46/CE for all transfers of personal data protected under a European law. The article takes a look at official as well as unofficial definitions of BCRs, the elements that make up a BCR and US and EU perspectives on the implementation of [...]]]></description> <content:encoded><![CDATA[<p>Data protection laws at their essence outline certain basic privacy requirements involved in the processing of personal data. The main objective of data protection laws The <a
href="http://www.cippguide.org/tag/european-union-data-protection-directive/">EU Data Protection Directive</a> includes some of the strictest data protection limitations.</p><p><strong>Binding Corporate Rules</strong></p><p>Binding Corporate Rules (BCRs) is a loosely defined term and relates to a concept, rather than a distinct, clearly articulated vehicle. <a
href="http://ec.europa.eu/justice/policies/privacy/binding_rules/index_en.htm">According to the European Commission</a>, BCRs are,</p><p>“Internal rules (such as a Code of Conduct) adopted by multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection.”</p><p>In practice, BCRs must contain the following elements:</p><ol><li>Privacy principles (e.g. transparency, data quality, security, etc.)</li><li>Tools of effectiveness (e.g. audit, training, complaint handling systems, etc.)</li><li>An element that proves a BCR is binding</li></ol><p>Another way of describing <a
href="http://i-sight.com/uploads/Bender_Ponemon_Cross_Border_Data1.pdf">BCRs is as follows</a>:</p><p>“A code of conduct setting forth the privacy policy of the entire enterprise is drafted, to which each entity included in the enterprise subscribes, enabling data subjects and other entities to enforce that code against the entity/enterprise.”</p><p><strong>Who are they for?</strong></p><p>BCRs may offer a viable solution for various multinational companies involved in the export of personal data from the <a
href="http://www.cippguide.org/tag/eu/">European Economic Area</a> to other group entities located in third countries which do not ensure an adequate level of protection.</p><p>BCRs are to be used by multinational companies to develop <a
href="https://www.cippguide.org/2011/09/27/adequacy-in-the-eu-data-protection-directive/">adequate</a> safeguards for the protection of the privacy and fundamental rights and freedoms of individuals within the meaning of Article 26 of the Directive 95/46/CE for all transfers of personal data protected under a European law. BCRs ensure that transfers of personal data made within a group benefit from an adequate level of protection.</p><p>Global corporations have begun to take an interest in BCRs for two major reasons. First, they would like to reduce the paperwork and effort involved in legitimizing their transfers. Second, they intend to impose less stringent requirements on their transfer activities. A number of global enterprises believe that codes of conduct should be sufficient for the cross-border transfer of personal data.</p><p><strong>An American Perspective</strong></p><p>From the perspective of a US-based multinational corporation (MNC), BCRs offer a number of advantages, as well as disadvantages. 
They are outlined as follows.</p><p>Advantages of BCRs:</p><ul><li>Possibility of developing a more flexible privacy regime than other methods of cross-border data transfer</li><li>Ensure compliance with principles included in Articles 25 and 26 of the European Directive 95/46 for all flows of data within the scope of the BCR</li><li>Harmonize practices relating to the protection of personal data within a group</li><li>Prevent the risks resulting from data transfers to third countries</li><li>Avoid the need for a contract for each single transfer</li><li>External communication on the company’s data protection policy</li><li>Offer an internal guide for employees, with regard to personal data management practices</li><li>Ensure that data protection is integral to the way the company does business</li></ul><p>Disadvantages of BCRs:</p><ul><li>Uncertainty around the use of BCRs</li><li>Reduced efficiency as a result of substituting possibly hundreds of other documents for a single document</li></ul><p><strong>EU Perspective </strong></p><p>Since 2006, the EU has become more receptive to BCRs. Its official publications indicate that it favors legitimizing this vehicle of data protection. However, in practice, it remains difficult to use BCRs for transfer from more than a single EU member state. 
BCRs are outlined in three documents, released by the Article 29 Working Party:</p><ol><li>WP 74 – This document states that BCRs offer a viable alternative for cross-border transfer, but suggests a regime that many multinational corporations would view as so burdensome that their main incentive would not be met.</li><li>WP 107 – This document sets out a general procedure, under which a corporate enterprise interested in using BCRs for export from more than one EU Member State may seek to do so.</li><li>WP 108 – Likewise, this document clarifies what was set out in WP 74.</li></ol><p><strong>Summary </strong></p><p>This article takes a look at Binding Corporate Rules (BCRs), as outlined by the EU Directive 95/46/CE for all transfers of personal data protected under a European law. The article takes a look at official as well as unofficial definitions of BCRs, the elements that make up a BCR and US and EU perspectives on the implementation of BCRs.</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Foundation Examination (Foundations), a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>EU Data Protection Directive – Binding Corporate Rules (BCRs) (I.D.c.i.4.b.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2011/10/25/eu-data-protection-directive-binding-corporate-rules/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Roles &amp; Responsibilities in Processing Personal Data</title><link>https://www.cippguide.org/2011/10/11/roles-responsibilities-in-processing-personal-data/</link> <comments>https://www.cippguide.org/2011/10/11/roles-responsibilities-in-processing-personal-data/#comments</comments> <pubDate>Tue, 11 Oct 2011 12:00:42 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[data controller]]></category> <category><![CDATA[data processor]]></category> 
<category><![CDATA[data subject]]></category> <category><![CDATA[DPO]]></category> <category><![CDATA[EDPS]]></category> <category><![CDATA[EU]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2659</guid> <description><![CDATA[This article takes a look at the legal roles of various parties, according to the Regulation (EC) 45/2010, namely: data subjects, data processors, data controllers, data protection officers and the European Data Protection Supervisor (EDPS). [...]]]></description> <content:encoded><![CDATA[<p>Personal data that is processed in accordance with <a
href="https://www.cippguide.org/tag/eu/">EU Data Protection Regulation</a> (EC) 45/2001 on the protection of individuals, regarding the processing of personal data must respect data protection roles. It is necessary to identify the Controller, Processor and their interaction, in order to determine “who is responsible for compliance with data protection rules, how data subjects can exercise their rights, which is the applicable national law and how effective Data Protection Authorities can operate.”</p><p><strong>European Data Protection Supervisor (EDPS)</strong></p><p>The <a
href="http://www.edps.europa.eu/EDPSWEB/">EDPS</a> is an independent supervisory authority whose primary objective is to ensure European bodies and institutions respect the right to privacy and data protection when they process personal data and develop new policies. The EDPS is also responsible for advising EC institutions and bodies on all matters that have an impact on the protection of personal data. This may apply to proposals for new EU legislation, as well as other instruments, such as communications of the European Commission. Finally, the EDPS is also responsible for intervening in cases before the Court of Justice, as well as cooperating with national supervisory authorities and supervisory bodies in the “<a
href="http://en.wikipedia.org/wiki/Three_pillars_of_the_European_Union">third pillar</a>” of the EU, in order to improve consistency in the protection of personal data.</p><p>The main duties of the EDPS are:</p><p><strong>I. Supervision</strong></p><ul><li>Monitoring the processing of personal data by EC institutions and bodies. This is typically done in cooperation with the Data Protection Officer (see below).</li><li>Hearing and investigating complaints, and conducting inquiries (either initiated by the EDPS, or on the basis of a complaint).</li><li>Prior checking of DPOs’ notifications of processing operations that could present risks to the data subjects.</li><li>Providing consulting services to EC institutions and bodies on administrative measures having to do with the processing of personal data.</li></ul><p><strong>II. Consultation</strong></p><ul><li>Advising all EC institutions and bodies on matters that relate to the processing of personal data.</li><li>Intervening in cases related to data protection before the Court of Justice.</li></ul><p><strong>III. Cooperation</strong></p><ul><li>Cooperating with national data protection authorities.</li><li>Cooperating with the supervisory data protection bodies.</li><li>Participating in regular international conferences on data protection (e.g. the European and the International Data Protection Conferences).</li></ul><p><strong>Data Protection Officer (DPO)</strong></p><p>Under Regulation (EC) 45/2001, each Community institution and body must have a <a
href="http://www.edps.europa.eu/EDPSWEB/edps/site/mySite/pid/74#data_protection_officer">data protection officer</a> (DPO). The DPO is responsible for ensuring the internal application of the Regulation, and that the rights and freedoms of the data subjects are not likely to be adversely affected by any processing operations. The DPO must also keep a register of processing operations notified by the controllers of the institution or body where he/she works.</p><p>Other DPO functions include:</p><ul><li>Ensuring controllers and data subjects are informed of their rights and obligations</li><li>Carrying out inquiries, when necessary</li><li>Notifying the EDPS of processing operations that may present specific risks</li><li>Responding to any requests from the EDPS and cooperating with the EDPS</li></ul><p>A full list of data protection officers is available <a
href="http://www.edps.europa.eu/EDPSWEB/edps/site/mySite/DPOnetwork">here</a>.</p><p><strong>Data Controllers</strong></p><p>The term “<a
href="http://www.edps.europa.eu/EDPSWEB/edps/site/mySite/pid/74#data_controller">data controller</a>” refers to an individual or legal person who controls and is responsible for the keeping and use of personal information on a computer, or in structured manual files. In essence, data controllers keep or process any information about living people. Any organizations that control or are responsible for personal data are also considered data controllers.</p><p>Examples of data controllers include:</p><ul><li>Companies</li><li>Government departments</li><li>Voluntary organizations</li><li>Individuals (e.g. general practitioners, pharmacists, politicians and sole traders)</li></ul><p><strong>Data Processors</strong></p><p><a
href="http://www.mwe.com/index.cfm/fuseaction/publications.nldetail/object_id/58d56e95-471b-43d5-a242-5c7b965ce2ae.cfm">Data processors</a> refer to anyone who holds or processes personal data, without exercising responsibility for/control over the personal data. In certain cases, it is possible for a single company/person to be both a data controller and data processor at the same time, in respect of distinct sets of personal data.</p><p>Examples of data processors include:</p><ul><li>Payroll companies</li><li>Accountants</li><li>Market research companies</li></ul><p><strong>Data Subject</strong></p><p>The data subject refers to the person whose <a
href="http://www.edps.europa.eu/EDPSWEB/edps/site/mySite/pid/84#personal_data">personal data</a> are collected, held or processed by the data controller.</p><p><strong>Summary </strong></p><p>This article takes a look at the legal roles of various parties, according to the Regulation (EC) 45/2010, namely: data subjects, data processors, data controllers, data protection officers and the European Data Protection Supervisor (EDPS).</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Foundation Examination (Foundations), a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Processing of personal data – roles (I.A.e.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2011/10/11/roles-responsibilities-in-processing-personal-data/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Adequacy in the EU Data Protection Directive</title><link>https://www.cippguide.org/2011/09/27/adequacy-in-the-eu-data-protection-directive/</link> <comments>https://www.cippguide.org/2011/09/27/adequacy-in-the-eu-data-protection-directive/#comments</comments> <pubDate>Tue, 27 Sep 2011 12:00:33 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[adequacy]]></category> <category><![CDATA[COE Convention]]></category> <category><![CDATA[EU]]></category> <category><![CDATA[OECD]]></category> <category><![CDATA[Safe Harbor]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2657</guid> <description><![CDATA[This article takes a look at the European Commission’s Directive on Data Protection (95/46/EC), and the establishment of the adequacy requirement, which prevents Member States from transferring data to a third country, unless the third country ensures an adequate level of protection. The article also explores certain related concepts, including the Working Party and data/information embargoes. Finally, the article takes a look at the US data protection approach and its ability to meet the EC’s adequacy standard. [...]]]></description> <content:encoded><![CDATA[<p>The <a
href="http://www.cippguide.org/tag/european-union-data-protection-directive/">EU Data Protection Directive (95/46/EC)</a> regulates the processing of personal data within the European Union. The Directive was developed in response to increased threats to informational privacy, as a way of regulating the collection, storage, usage and dissemination of personal data.</p><p><strong>The Adequacy Standard</strong></p><p>The key purpose of the Directive was to harmonize EU Member States’ laws, so that each Member State could transfer data to other Member States, while still safeguarding the fundamental rights and freedoms of their citizens. If data controllers in one State transferred data to a third country that failed to protect personal data, the State’s protection of personal data would be lost once the data reached the third country.</p><p>Article 25 of the Directive prohibits Member States from transferring data to a third country, unless the third country ensures an adequate level of protection. Article 26 of the Directive outlines exceptions to the requirement that third countries have adequate protection.</p><p>For example, if the laws of a third country (e.g. Canada) fail to provide adequate protection of personal data, then a data controller located in a Member State would be prohibited from transferring personal data to Canada, unless an exception happened to apply. Without such an exception, the prohibition could amount to a data or information embargo.</p><p><strong>Data Embargoes</strong></p><p>A data or information embargo would have serious consequences for both the Member State and the third country. The Member State government may be prohibited from sending information to the third country regarding individuals in that country.</p><p>For instance, a Member State might prevent a private bank in the Member State from transferring information about its customers to Canadian financial institutions. 
Or perhaps a Member State might prohibit a European employer from sending information about its employees to its Canadian subsidiaries.</p><p>Article 26 outlines a number of exceptions to any such data embargo. Specifically, even if a sector or activity is found to lack adequate privacy protection, the Directive would still permit the transfer of personal data out of the EU if:</p><ul><li>The party desiring to send the data has entered into a contract approved by the privacy office in the EU member country (thus committing the party to providing certain protections)</li><li>The individual has unambiguously consented to the data transfer</li><li>The transfer is necessary to complete a transaction</li><li>The data are otherwise public</li></ul><p>It’s worth mentioning that the American credit reporting industry’s privacy protections should certainly satisfy the EU Data Protection Directive. The US <a
href="http://www.cippguide.org/tag/FCRA/">Federal Credit Reporting Act</a> (FCRA) includes the types of protections that EU Member States have incorporated into their laws, namely notice to consumers and the opportunity for them to correct any incorrect or inaccurate information in their files.</p><p><strong>Working Party</strong></p><p>Article 29 of the Directive establishes that a Working Party will advise the Commission on data protection matters, as well as contribute to the uniform application of the national data protection measures. Essentially, the Working Party is an independent advisory group, composed of a representative from each Member State’s supervisory authority, a representative of the Community and a representative of the Commission.</p><p>The responsibilities of the Working Party include examination of Member States’ data protection laws, as well as consulting with the Commission on the level of protection available in Member States and third countries.</p><p><strong>Adequacy and US Data Protection</strong></p><p>The United States’ <a
href="http://www.cippguide.org/2010/06/01/comparing-the-co-regulatory-model-comprehensive-laws-and-the-sectoral-approach/">sectoral approach</a> to data protection is derived from the American philosophy that laws should ensure citizens’ access to government, while still protecting them from government. While this enables the US to extensively regulate its public sector, it generally prevents the federal government from limiting interactions between private citizens. As a result, the US commitment to the free flow of information also favors a narrow regulatory approach to data protection.</p><p>Essentially, whether the Directive prohibits certain data transfers to the US largely depends upon what constitutes an adequate level of protection. The Directive requires a standard of adequacy that should be assessed in light of all the circumstances surrounding the transfer, yet fails to elaborate about this standard. Earlier data protection measures require a standard of equivalency, rather than adequacy.</p><p>For instance, the <a
href="http://www.cippguide.org/tag/OECD/">OECD</a> Guidelines, as well as the <a
href="http://conventions.coe.int/">COE Convention</a> do not define or use an adequacy standard for data transfers to third countries. In the same vein, the traditional legislation of most European countries establishes a standard of equivalency, rather than adequacy.</p><p>However, since the October 2008 enactment of the European Commission’s Directive on Data Protection, the Safe Harbor framework has been developed, which bridges the gap between some US privacy laws and the EC’s adequacy requirements.</p><p><strong>Summary </strong></p><p>This article takes a look at the European Commission’s Directive on Data Protection (95/46/EC), and the establishment of the adequacy requirement, which prevents Member States from transferring data to a third country, unless the third country ensures an adequate level of protection. The article also explores certain related concepts, including the Working Party and data/information embargoes. Finally, the article takes a look at the US data protection approach and its ability to meet the EC’s adequacy standard.</p><p><strong>CIPP Exam Preparation </strong></p><p>In preparation for the Certified Foundation Examination (Foundations), a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>EU Data Protection Directive – Adequacy (I.C.c.i.4.a.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2011/09/27/adequacy-in-the-eu-data-protection-directive/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Implementing the EU e-Privacy Directive: The Cookie Problem</title><link>https://www.cippguide.org/2011/04/12/implementing-the-eu-e-privacy-directive-the-cookie-problem/</link> <comments>https://www.cippguide.org/2011/04/12/implementing-the-eu-e-privacy-directive-the-cookie-problem/#comments</comments> <pubDate>Tue, 12 Apr 2011 12:00:44 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> 
<category><![CDATA[cookies]]></category> <category><![CDATA[EU]]></category> <category><![CDATA[EU e-Privacy Directive]]></category> <category><![CDATA[legislation]]></category> <category><![CDATA[online privacy]]></category> <category><![CDATA[Surveillance]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2400</guid> <description><![CDATA[<p>This article explores the EU e-Privacy Directive, with a focus on the “Cookie Law,” which was passed in late 2009. The Directive has yet to be fully implemented in all EU member states, and the amendment of the “Cookie Law” has created additional roadblocks to the harmonization of legislation across Europe.</p><p>Background: e-Privacy Directive
The European Commission’s Directive of Privacy and Electronic Communications 2002/58/EC (also referred to as the e-Privacy Directive) required that public communications providers (i.e. internet service providers and telecommunications companies) inform national regulatory authorities of any data security breach. Subscribers should also be notified if the personal data breach is likely [...]]]></description> <content:encoded><![CDATA[<p>This article explores the EU e-Privacy Directive, with a focus on the “Cookie Law,” which was passed in late 2009. The Directive has yet to be fully implemented in all EU member states, and the amendment of the “Cookie Law” has created additional roadblocks to the harmonization of legislation across Europe.</p><p>Background: e-Privacy Directive<br
/> The European Commission’s <a
href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2002:201:0037:0047:EN:PDF">Directive of Privacy and Electronic Communications 2002/58/EC</a> (also referred to as the e-Privacy Directive) required that public communications providers (i.e. internet service providers and telecommunications companies) inform national regulatory authorities of any data security breach. Subscribers should also be notified if the personal data breach is likely to adversely affect the personal data or the privacy of the subscriber. The deadline for member states to implement this Directive is May 25, 2011.</p><p>The Cookie Law<br
/> On November 9, 2009, the European Parliament made additions to the e-Privacy Directive, which included an effort to regulate <a
href="https://www.cippguide.org/tag/cookies/">online cookies</a>. According to the previous law, web sites were required to allow consumers to opt-out of cookies, typically by selecting a setting on their web browsers. A Parliament committee determined that the practice be reversed; users should be presented with the opportunity to opt in before cookies are placed on their computers.</p><p>Under the new addition, companies are required to secure consent from users before tracking files, such as online cookies, are placed on the users’ computers. This addition is commonly referred to as the “cookie law:”</p><p>“The new e-Privacy Directive will include a provision requiring the EU Member States to ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing.”</p><p>Although it does not directly mention cookies, commenters point out that the wording includes cookies as well as any other technologies which may be used to track users’ behavior through their internet browsers.</p><p>Cookie Law Controversy<br
/> The Cookie Law applies to cookies that collect personal data. Some experts have pointed out that certain cookies are not covered by this consent requirement. According to data protection authorities, persistent cookies that contain a unique user ID would qualify as personal data, thus subject to applicable data protection regulations. However, there are other types of cookies that do not meet such criteria.</p><p>Another uncertainty regarding the Cookie Law is the process by which <a
href="https://www.cippguide.org/tag/consent/">consent</a> should be obtained. The statement does not mention prior consent; rather, it suggests that users be presented with an opportunity to refuse cookies before they are delivered to their computers. The means by which consent should be obtained has given rise to a series of discussions between internet service providers, privacy advocates, advertisers, law makers and EU member states.</p><p>It is unclear if “consent” means that users need to agree to cookies when setting up their web browsers, or if they must give unambiguous consent for each and every cookie. Others have interpreted “consent” to mean a standardized plan that allows users to view and opt-out of data collected about them through cookies.</p><p>Advertising Outcry<br
/> Europe’s online advertising industry currently generates US$20.12 billion in advertising spending annually. The initial idea that cookie placement needed the user’s prior consent concerned industry executives, who argued it would be a costly and disruptive practice. As a result, the requirement of “prior consent” was moved to an addendum.</p><p>Rather than recurring pop-up windows requesting consent, advertising executives suggested placing icons on internet ads that rely on tracking tools. Users can click on the icon to view what data is being collected about them, or to block any cookies.</p><p>Dutch Telecommunications Act<br
/> On November 3, 2010, an <a
href="https://zoek.officielebekendmakingen.nl/kst-32549-2.pdf">amendment </a>to the Dutch Telecommunications Act was submitted to the Dutch Parliament. This was an effort to implement the EU e-Privacy Directive.</p><p>The proposed Bill requires telecommunications and internet service providers to give notification of data security breaches involving personal data to the Dutch Telecom Authority. If individuals’ privacy is likely to be compromised in a breach, service providers would also be obliged to notify the appropriate individuals.<br
/> The proposed Bill also requires that consent be secured before the use of cookies, in particular, prior to the use of third party cookies that are designed to track individuals’ web browsing activities for behavioral advertising purposes. In response to confusion regarding unambiguous consent (i.e. whether or not consent was required for placing individual cookies), the Bill indicates that browser consent would be sufficient. However, browser consent may not be enough in all situations.</p><p>Summary<br
/> This article discusses the European Union’s e-Privacy Directive, also referred to as the Directive of Privacy and Electronic Communications 2002/58/EC. The Directive is a continuation of the EU Data Protection Directive and deals with data protection and privacy issues relating to digital technologies. The article takes a look at the “Cookie Law,” an amendment to the Directive that requires user consent before cookies are placed on users’ computers. This amendment has given rise to controversial discussions between internet service providers, privacy advocates, advertisers, law makers and EU member states. Finally, the article takes a look at how the elements of the e-Privacy Directive are being implemented in the legislation of member states.</p><p>CIPP Exam Preparation<br
/> In preparation for the Certification Foundation exam (Foundations) and the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:<br
/> •	Online Privacy – Online Identification Mechanisms – Cookies (Foundations; III.B.g.i.)<br
/> •	Privacy-Enhancing Technologies – Web Cookies (CIPP/IT; III.B.c.i.)<br
/> •	Privacy &amp; Data Protection Regulation – Europe (Foundations; I.F.b.ii.)</p>]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2011/04/12/implementing-the-eu-e-privacy-directive-the-cookie-problem/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> <item><title>EU Data Retention Directive: A Request for Repeal</title><link>https://www.cippguide.org/2011/01/04/eu-data-retention-directive-a-request-for-repeal/</link> <comments>https://www.cippguide.org/2011/01/04/eu-data-retention-directive-a-request-for-repeal/#comments</comments> <pubDate>Tue, 04 Jan 2011 17:00:11 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[EU]]></category> <category><![CDATA[EU Data Retention Directive]]></category> <category><![CDATA[legislation]]></category> <category><![CDATA[online privacy]]></category> <category><![CDATA[Surveillance]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2398</guid> <description><![CDATA[<p>Data retention has been an important issue for law enforcement agencies and privacy rights organizations alike. Governments have made efforts to require telecommunications service providers to record and retain information, such as telephone calls, emails, or other communications. This article examines the European Union Directive on Mandatory Retention of Communications Traffic Data, which was enacted in March 2006. The article goes on to look at criticisms of the Directive as well as recent efforts calling for the repeal of this Directive.</p><p>Background: The 2006 EU Data Retention Directive
The EU Data Retention Directive 2006/24/EC required that operators of public electronic communication networks [...]]]></description> <content:encoded><![CDATA[<p>Data retention has been an important issue for law enforcement agencies and privacy rights organizations alike. Governments have made efforts to require telecommunications service providers to record and retain information, such as telephone calls, emails, or other communications. This article examines the European Union Directive on Mandatory Retention of Communications Traffic Data, which was enacted in March 2006. The article goes on to look at criticisms of the Directive as well as recent efforts calling for the repeal of this Directive.</p><p>Background: The 2006 EU Data Retention Directive<br
/> The <a
href="http://register.consilium.eu.int/pdf/en/05/st03/st03677.en05.pdf">EU Data Retention Directive 2006/24/EC</a> required that operators of public electronic communication networks store specific data for the investigation, detection and prosecution of serious crime. The Directive requires that Internet service providers operating in Europe retain telecom and Internet traffic data about all their clients’ communications for at least six months, to a maximum of two years from the date of the communication. This is for the potential use of law enforcement authorities. Retained data includes the traffic and location data, but not the contents of the communications.</p><p>Of specific concern to privacy professionals was that the retained data included the following:<br
/> •	Fixed network telephony<br
/> •	Mobile telephony<br
/> •	Internet access<br
/> •	Internet email<br
/> •	Internet telephony</p><p>The data retention regulations listed four data security principles, applicable to the retained data. These regulations are outlined below:<br
/> 1.	Retained data must be kept to the same quality and at the same level of security as the original data.<br
/> 2.	Security measures (both technical and organizational) must be enacted to protect against accidental or unlawful disclosure, access, alteration or loss of the data.<br
/> 3.	The retained data should only be accessible by authorized persons.<br
/> 4.	All retained data must be appropriately destroyed at the end of the retention period.</p><p>As part of the terms of the Directive, the data could only be made available to competent national authorities in particular cases, in line with national law. EU member states are responsible for ensuring that any intentional access or transfer of this data is punishable by administrative or criminal penalties. Member states were also required to have a public authority responsible for implementing and monitoring the Directive within 18 months after it was introduced. Each state developed its own version of the Directive, which was integrated into its national law.</p><p>Controversy Surrounding the Directive<br
/> For public communications providers throughout the EU, the Directive presented a number of different challenges. Service providers were mandated to retain communications data to allow requested access for investigations. This meant that they were faced with integrating hundreds of storage devices and petabytes of data into their data centers, which significantly increased the size of their IT infrastructure. Many critics argued that the mandated retention practices made organizations more vulnerable to privacy risks.</p><p>Observers also argued that the requirements of the Directive amounted to a type of surveillance. The Directive requires member states to collect personal data about citizens, without the consent of the citizens. It also allows states to use the data to monitor and control citizens, backed by criminal penalties.<br
/> For these and other reasons, many European privacy activists have strongly <a
href="http://www.edri.org/campaigns/dataretention">opposed </a>the Directive.</p><p>One example was the <a
href="http://www.vorratsdatenspeicherung.de/content/view/46/42/lang,en/">Freedom Not Fear</a> movement, which organized protests in major cities across Europe. These demonstrations aimed to raise public awareness of increased surveillance and data retention practices. The Freedom Not Fear movement also demanded the following:<br
/> •	Cutbacks on surveillance measures<br
/> •	Evaluation of existing surveillance powers<br
/> •	Moratorium on new surveillance powers<br
/> •	Ensure the freedom of expression, dialogue and information on the Internet</p><p>During 2007, the <a
href="http://www.vorratsdatenspeicherung.de/index.php?lang=en">German Working Group on Data Retention</a> represented 35 000 people and filed a class-action lawsuit against data retention laws. The court found the laws unconstitutional, which led to requirements for the immediate deletion of all data retained under the law.</p><p>During 2009, the Romanian Constitutional Court ruled that the Directive was in direct violation of <a
href="http://www.hri.org/docs/ECHR50.html#C.Art8">Article 8</a> of the European Convention on Human Rights, guaranteeing the right to respect for private life and correspondence. The Court held that data retention turns all those who use public communication networks into potential criminals.</p><p>Also during 2009, the European Commission initiated a lawsuit with the Swedish government, which had refused to implement the Data Retention Directive within the required time frame. Political leaders argued that the Directive was inconsistent with the European Convention on Human Rights, as well as being an expensive and ineffective means of protecting citizens’ rights and freedoms. In addition to Sweden’s non-cooperation with the Directive, Austria, Greece, Ireland, the Netherlands and Poland also did not implement data retention laws within the April 2009 deadline stipulated by the Directive.</p><p>Calls to repeal the Directive<br
/> During the <a
href="http://www.privacyconference2010.org/">32nd Annual Conference of Data Protection and Privacy Commissioners</a>, which was held during October 27-29, 2010, privacy authorities called for the repeal of the Data Retention Directive.</p><p>A vocal participant in this discussion was the <a
href="http://www.eff.org/work">Electronic Frontier Foundation</a> (EFF), which has protested the indiscriminate collection of traffic data. According to the EFF, there is no clear link between data retention and effective law enforcement. Rather, such retention leads to abuse of authorities, including excessive tracking and over-collection. Furthermore, many of the retention practices pose a serious violation of individuals’ rights and freedoms.</p><p>Summary<br
/> This article explores the 2006 European Union Data Retention Directive, which required member states to implement laws requiring communications service providers to retain data from anywhere between six months to two years. This was supposedly to facilitate law enforcement efforts, particularly anti-terrorist programs. The Directive was met with widespread public outcry, given the potential for surveillance, monitoring and abuse, in addition to arguments that it was a violation of rights and freedoms. The article explores a number of different responses to the Directive, including citizens’ movements throughout Europe, national court rulings against the Directive and non-compliance issues.</p><p>CIPP Exam Preparation<br
/> In preparation for the Certification Foundation (Foundations) exam and the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:<br
/> •	Data Retention &amp; Destruction – Period of Retention (CIPP/IT; I.E.a.)<br
/> •	Privacy Concerns – Government Surveillance (CIPP/IT; II.A.k.)<br
/> •	Modern Principles of Privacy – Europe (Foundations; I.D.a.ii.)<br
/> •	Privacy &amp; Data Protection Regulation – Europe (Foundations; I.F.b.ii.)</p>]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2011/01/04/eu-data-retention-directive-a-request-for-repeal/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Safe Harbor in Action: CARU Example</title><link>https://www.cippguide.org/2010/12/21/safe-harbor-in-action-caru-example/</link> <comments>https://www.cippguide.org/2010/12/21/safe-harbor-in-action-caru-example/#comments</comments> <pubDate>Tue, 21 Dec 2010 12:00:24 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[CARU]]></category> <category><![CDATA[Consent]]></category> <category><![CDATA[COPPA]]></category> <category><![CDATA[EU]]></category> <category><![CDATA[European Union Data Protection Directive]]></category> <category><![CDATA[Safe Harbor]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2377</guid> <description><![CDATA[The EU-US Safe Harbor framework was developed to facilitate the cross-border transmission of information, as well as ensure high standards of privacy protection. This article explores the implementation of these principles in context of the Children’s Advertising Review Unit (CARU) Safe Harbor [...]]]></description> <content:encoded><![CDATA[<p>The <a
href="https://www.cippguide.org/tag/safe-harbor/">EU-US Safe Harbor framework</a> was developed to facilitate the cross-border transmission of information, as well as ensure high standards of privacy protection. This article explores the implementation of these principles in context of the <a
href="http://www.caru.org/">Children’s Advertising Review Unit </a>(CARU) Safe Harbor Program.</p><p>Safe Harbor in a nutshell<br
/> During October 1998, the European Commission’s Directive on Data Protection was enacted, prohibiting the transfer of personal data from <a
href="https://www.cippguide.org/tag/EU/">European Union</a> (EU) member states to non-EU nations that did not meet the privacy protection standard. In order to facilitate the transfer of information between EU-based organizations and US-based organizations, the Safe Harbor framework was developed.</p><p>US-based organizations may qualify for Safe Harbor status in two different ways. They may join self-regulatory privacy programs following the requirements of Safe Harbor. Alternatively, they may choose to develop organization-specific self-regulatory privacy policies, in line with the requirements of Safe Harbor.</p><p>What is CARU?<br
/> In 1974, the Children’s Advertising Review Unit (CARU) was created in order to promote responsible advertising to children. CARU was developed as a component of a strategic alliance amongst the major US advertising trade associations, including the <a
href="http://www.aaaa.org/">American Association of Advertising Agencies</a> (AAAA), <a
href="http://www.aaf.org/">American Advertising Federation</a> (AAF), <a
href="http://www.ana.net/">Association of National Advertisers</a> (ANA) and the <a
href="http://www.bbb.org/">Council of Better Business Bureaus</a> (CBBB).</p><p>CARU is in charge of children’s advertising issues within the advertising industry’s self-regulation program. It assesses the truthfulness, accuracy and consistency of child-directed advertising and assists advertisers in dealing with child audiences responsibly. CARU does so by advancing compliance with its Self-Regulatory Guidelines for Children’s Advertising, the Children’s Online Privacy Protection Act of 2000 (COPPA) and other relevant laws.</p><p>The CARU Safe Harbor Program<br
/> As of January 2001, the CARU self-regulatory program was approved as Safe Harbor-compliant, under the <a
href="https://www.cippguide.org/tag/coppa/">Children’s Online Privacy Protection Act</a> (COPPA). It was also the first such program to be FTC-approved. Organizations that comply with the CARU Guidelines are also in compliance with COPPA and are thus insulated from FTC enforcement action.</p><p>Compliance with CARU’s Safe Harbor Program is dependent on the following elements:<br
/> •	Adhering to the requirements in the CARU Safe Harbor Compliance Checklist<br
/> •	Compliance with the CARU Self-Regulatory Guidelines for Children’s Advertising<br
/> •	Review by CARU staff of the web site’s information practices; completion of Initial Website Review &amp; Seeding form<br
/> •	Continuous monitoring of web site by CARU staff to ensure compliance with the Safe Harbor framework<br
/> •	Completion of CARU Self-Assessment Form and Attestation by Safe Harbor participant</p><p>CARU Safe Harbor Compliance Checklist<br
/> This checklist makes up a critical component of Safe Harbor compliance, as discussed above. The checklist includes the Safe Harbor principles and is specific to web sites advertising to child audiences. The following elements are on the CARU Safe Harbor Compliance Checklist:<br
/> 1.	Provide notice<br
/> 2.	Obtain verifiable parental <a
href="https://www.cippguide.org/tag/consent/">consent</a><br
/> 3.	Limit collection, use and disclosure of personal information collected from children<br
/> 4.	Provide access upon verification of parental identity<br
/> 5.	Maintain reasonable security</p><p>The elements of the checklist are explored in greater detail below:<br
/> 1. <strong>Provide Notice</strong><br
/> In accordance with the Safe Harbor principles, privacy notices should be clearly written and easily understandable. They should not contain irrelevant, confusing or contradictory statements. There are two different types of notices that are required of CARU Safe Harbor participants: a Notice of Information Practices and a Direct Notice to Parents.</p><p>The Notice of Information Practices is also referred to as the “Web Site Notice,” or “Children’s Privacy Policy.” Such a notice requires a prominent link on the site’s home page and in each area where personal information is collected from children. This notice must state all of the following information:<br
/> •	Name, address, phone number and email of the operators responsible for the collection and maintenance of personal information collected from children through the site.<br
/> •	Types of personal information that is collected from children.<br
/> •	Identification of the means of collection of the information (i.e. directly or passively).<br
/> •	How the personal information is being used, or will be used.<br
/> •	If the personal information will be disclosed to third parties. If this is being done, then the notice must state the types of businesses in which third parties are engaged; the purpose of such personal information; and if the third parties are committed to maintaining the security and confidentiality of the information collected.<br
/> •	An option for the parent to agree to the collection and use of the child’s information, that is not dependent on consent for disclosing information to third parties.<br
/> •	The child cannot be required to disclose more information than reasonably necessary to participate in the web site activities.<br
/> •	The parent has the right to review the child’s personal information, request that it be deleted, and prevent any further collection or use of the personal information.<br
/> •	Procedures for the parent to review or delete their child’s personal information and prevent ongoing use or disclosure.</p><p>The Direct Notice to Parents must include the following information:<br
/> •	The same information stated in the Notice of Information Practices (as listed above).<br
/> •	A statement that the web site operator wishes to collect personal information from the child.<br
/> •	Request for the parent’s consent to collect this personal information. This consent is required for the collection, use and disclosure of personal information.<br
/> •	Methods for providing parental consent.</p><p>2. <strong>Obtain Verifiable Parental Consent</strong><br
/> Web site operators are obliged to obtain verifiable parental consent before the collection, use or disclosure of children’s personal information. Such consent may be obtained in the following ways:<br
/> •	When personal information is being collected for internal use only. In this case, email may be used to obtain parental consent. This also requires the additional steps of a follow-up email, letter or phone call to verify the consent. This method was used prior to April 21, 2002.<br
/> •	When personal information is being made publicly available, such as in a chat room, message board, personal home page, profile, or email account. OR, when personal information is being disclosed to third parties.</p><p>In such cases, website operators are obliged to employ a more reliable means of securing parental consent. This may include: (a) A form with a parent’s signature through postal mail or fax; (b) A credit card number in connection with a transaction; (c) A toll-free phone number managed by trained personnel; (d) Email consent in conjunction with a digital signature from a parent; (e) Email consent in conjunction with a PIN or password; (f) Consent through a CARU-approved method. After April 21, 2002, only these methods were acceptable for securing parental consent.</p><p>3. <strong>Limit Collection, Use and Disclosure of Personal Information Collected from Children</strong><br
/> Web site operators are prohibited from conditioning a child’s participation on the disclosure of more personal information than is reasonably necessary to participate. The collection of personal information from a child ought to be limited to that which is reasonable for participation. For instance, a web site operator cannot offer a prize for greater disclosure of personal information. Parents should also be given the option to consent to the collection and use of their children’s personal information. They should also be permitted to prevent disclosure of such information to third party affiliates.</p><p>4. <strong>Provide Access upon Verification of Parental Identity</strong><br
/> Upon parental request, web site operators are obliged to disclose both the type of information collected from children and the specific information that has been collected. Parents are permitted, at any time, to refuse further use or future collection of personal information from their child. They can also ensure the deletion of their child’s personal information. However, before this happens, operators must verify the identity of the parent using the same methods used for securing parental consent (i.e. those listed in “2. Obtain Verifiable Parental Consent”).</p><p>5. <strong>Maintain Reasonable Security</strong><br
/> Web site operators are obliged to create and implement reasonable mechanisms for protecting the confidentiality, security and integrity of children’s personal information. Examples of such mechanisms include:<br
/> •	Appropriately destroying unnecessary personal information.<br
/> •	Limiting employee access to personal information.<br
/> •	Ensuring physical security of servers.<br
/> • <a
href="https://www.cippguide.org/tag/cryptography/">Encrypting </a>data during transmission.<br
/> •	Using firewalls.</p><p>Summary<br
/> This article looks at the EU-US Safe Harbor framework in light of the CARU Safe Harbor Program, which aims to protect children’s online privacy and meet the requirements of the COPPA (Children’s Online Privacy Protection Act). The CARU program is partially based on the Safe Harbor Compliance Checklist. This checklist is made of the following five elements: (1) Provide Notice; (2) Obtain Verifiable Parental Consent; (3) Limit Collection, Use and Disclosure of Personal Information Collected from Children; (4) Provide Access upon Verification of Parental Identity; and (5) Maintain Reasonable Security.</p><p>CIPP Exam Preparation<br
/> In preparation for the Certified Information Privacy Professional (CIPP) exam; the Certified Information Privacy Professional/Canada (CIPP/C) exam; the Certification Foundation (Foundations) exam; and the Certified Information Privacy Professional/Government (CIPP/G) exam, a privacy professional should be comfortable with topics related to this post, including:<br
/> •	E.U. Data Protection Directive (95/46/EC) (Foundations: I.D.a.ii.2.)<br
/> •	E.U. Data Protection Directive – Safe Harbor Status (CIPP/C; II.A.b.iii.)<br
/> •	International Data Transfers (CIPP; II.C.e.)<br
/> •	Multinational Compliance – E.U. Data Protection (CIPP; II.C.f.)<br
/> •	Regulatory Authorities – U.S. Department of Commerce (CIPP; I.A.c.iii.)<br
/> •	Children’s Online Privacy Protection Act of 2000; COPPA (CIPP/G; I.B.a.ii.)</p> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/12/21/safe-harbor-in-action-caru-example/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Is Safe Harbor necessary?</title><link>https://www.cippguide.org/2010/12/14/do-i-need-to-apply-for-safe-harbor/</link> <comments>https://www.cippguide.org/2010/12/14/do-i-need-to-apply-for-safe-harbor/#comments</comments> <pubDate>Tue, 14 Dec 2010 12:00:28 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[EU]]></category> <category><![CDATA[European Union Data Protection Directive]]></category> <category><![CDATA[Federal Trade Commission]]></category> <category><![CDATA[FTC]]></category> <category><![CDATA[PII]]></category> <category><![CDATA[Safe Harbor]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2375</guid> <description><![CDATA[<p>The Safe Harbor framework deals with privacy protection around the transfer of personal data between organizations in European Union (EU) member states to organizations located in the United States. This article explores the purposes and requirements of the Safe Harbor framework. It also provides information for US-based organizations who may participate in the Safe Harbor framework.</p><p>What is Safe Harbor?
In October 1998, the European Commission Directive on Data Protection went into effect. The Directive prohibited the transfer of personal data from EU member states to non-EU nations that did not meet the adequacy standard of privacy protection. There are significant differences [...]]]></description> <content:encoded><![CDATA[<p>The Safe Harbor framework deals with privacy protection around the transfer of personal data between organizations in <a
href="https://www.cippguide.org/tag/eu/">European Union</a> (EU) member states to organizations located in the United States. This article explores the purposes and requirements of the <a
href="https://www.cippguide.org/tag/safe-harbor/">Safe Harbor</a> framework. It also provides information for US-based organizations who may participate in the Safe Harbor framework.</p><p>What is Safe Harbor?<br
/> In October 1998, the European Commission <a
href="https://www.cippguide.org/tag/european-union-data-protection-directive/">Directive on Data Protection</a> went into effect. The Directive prohibited the transfer of personal data from EU member states to non-EU nations that did not meet the adequacy standard of privacy protection. There are significant differences between the US and EU approaches to privacy protection. The US takes a sectoral approach to privacy protection that involves legislation, regulation and self-regulation. In contrast, the EU has enacted comprehensive privacy legislation that involves government data protection agencies, registration of databases with these agencies and pre-approval before the processing of personal data.</p><p>As the EU Directive is significantly more rigorous than the privacy protection system currently found in the United States, it was necessary to develop a streamlined and cost-effective means for organizations and businesses in the US to achieve compliance with the EU adequacy standard.</p><p>Seven Principles of Safe Harbor<br
/> The Safe Harbor Framework was thus developed as a joint effort between the <a
href="http://www.commerce.gov/">US Department of Commerce</a> and the <a
href="http://ec.europa.eu/index_en.htm">European Commission</a>. The Safe Harbor Principles were established in order to prevent accidental or unauthorized information disclosure or loss. US organizations can meet Safe Harbor requirements by adhering to the following seven principles:</p><p>1. <strong>Notice </strong>– Organizations are required to notify individuals of the purposes for collecting and using personal information. Individuals should also be provided with the organizations’ contact information, should they have inquiries or complaints. Individuals should be aware of third parties and methods for limiting use/disclosure of personal information.</p><p>2. <strong>Choice </strong>– Individuals should have the right to opt-out (to choose) whether they want their personal information to be disclosed to a third party or used for other purposes. Opt-in choice is required for sensitive information.</p><p>3. <strong>Onward Transfer </strong>– This principle refers to transfers of personal information to third parties. Notice and choice principles apply to third parties handling personal information. Organizations should ensure that the third party adheres to Safe Harbor principles, is subject to the EU Directive, or provides an adequate level of privacy protection.</p><p>4. <strong>Access </strong>– Individuals should have access to any personal information about them held by an organization, for the purposes of correction, amendment or deletion.</p><p>5. <strong>Security </strong>– Organizations are obliged to take reasonable precautions in order to protect personal information from loss; misuse; and unauthorized access, disclosure, alteration and destruction.</p><p>6. <strong>Data Integrity</strong> – Organizations are obliged to take reasonable steps in order to ensure that the personal information is reliable and relevant for its intended use. This means that the data should be accurate, complete and current.</p><p>7. 
<strong>Enforcement </strong>– This includes independent recourse mechanisms; procedures for verifying the organization’s commitments to the above principles; and obligations to remedy compliance failures.</p><p>Why Safe Harbor?<br
/> Safe Harbor participation offers several benefits to US-based organizations:<br
/> •	EU member states are bound by the European Commission’s adequacy finding<br
/> •	Organizations under Safe Harbor meet the adequacy standard, allowing data flows to continue<br
/> •	EU member state requirements for approval of data transfers will be waived, or automatically approved<br
/> •	Claims by EU citizens against US organizations will be heard in the US</p><p>The Safe Harbor framework also offers several benefits to EU-based organizations, as they can confirm a US partner’s privacy protection standards by checking the list of Safe Harbor-compliant organizations in the US.</p><p>Participating in Safe Harbor?<br
/> The first step in participating in the Safe Harbor framework is determining if your organization is covered by the United States-European Union Safe Harbor framework. Businesses that are covered by the Safe Harbor framework must meet the following criteria:</p><p>1.	Its business practices fall under the jurisdiction of the <a
href="https://www.cippguide.org/tag/ftc/">Federal Trade Commission</a> (FTC) or the Department of Transportation (DoT). Such organizations may include US air carriers and ticket agents.</p><p>Organizations that are usually not under the jurisdiction of the FTC include financial institutions (e.g. banks, investment houses, credit unions, savings and loan institutions, etc.); telecommunication common carriers; labor associations; non-profit organizations; agricultural cooperatives; and meat processing facilities.</p><p>2.	It receives or processes <a
href="https://www.cippguide.org/tag/pii/">personally identifiable information</a> (PII) directly or indirectly from EU member states. This also includes subsidiaries and affiliates that process PII in the US.</p><p>These organizations may collect, store or process PII for a wide variety of reasons, including: determining, evaluating, or implementing employment-related actions or obligations; designing, evaluating or administering compensation, benefits, or other human resources programs; evaluating employee performance; maintaining business records that relate to past, present or potential employees; supporting relationships with clients and vendors; and facilitating business communications and compliance with contractual or legal obligations.</p><p>Organizations have two options for qualifying for Safe Harbor. They may choose to join a self-regulatory privacy program which follows the requirements of Safe Harbor. Or, they may choose to develop an organization-specific self-regulatory privacy policy which conforms to Safe Harbor.</p><p>Developing &amp; Establishing Safe Harbor Mechanisms<br
/> Prior to certifying to the Safe Harbor framework, organizations should also develop and implement supporting mechanisms. These are discussed below:</p><p>• <strong>Safe Harbor-Compliant Privacy Statement</strong> – Developing a Safe Harbor-Compliant Privacy Statement is a necessary step before submitting a self-certification form to the Department of Commerce. The organization’s privacy policy statement must be compliant with Safe Harbor, meaning that it needs to conform to the seven privacy principles listed above. The statement should also reference the organization’s compliance with Safe Harbor. The statement should be available to the public.</p><p>• <strong>Independent Recourse Mechanism</strong> – This step ensures compliance with the seventh Safe Harbor principle (enforcement). The organization’s independent recourse mechanism is responsible for investigating unresolved privacy complaints. This mechanism may be a private sector dispute resolution program, such as BBB OnLine, TRUSTe, Direct Marketing Association, AICPA WebTrust, etc. As an alternative, the organization may also cooperate with the European Data Protection Authorities (DPAs) for dispute resolution.</p><p>• <strong>Verification Mechanism</strong> – This mechanism verifies the organization’s compliance with the Safe Harbor framework. This may involve a self-assessment program, or a third-party assessment program.</p><p>• <strong>Contact Point</strong> – Organizations are obliged to provide an internal contact point responsible for questions, complaints, access requests, or other issues encompassed by Safe Harbor. For instance, this may be the corporate officer responsible for Safe Harbor, or the organization’s Chief Privacy Officer.</p><p>Safe Harbor Fees<br
/> As of March 1, 2009, the US Department of Commerce introduced fees meant to support the operation of the US-EU Safe Harbor framework. New registrants to the Safe Harbor framework must pay a fee of $200.00. Self-certified organizations are required to pay a $100.00 annual fee to recertify their compliance with the Safe Harbor framework.</p><p>Summary<br
/> This article explores the purposes of the US-EU Safe Harbor framework, which allows data transfers between organizations based in EU member states and organizations based in the US. It looks at some of the benefits of certifying under Safe Harbor as well as the requirements an organization must meet for certification. According to the US Department of Commerce, organizations may choose to join a self-regulatory privacy program which follows the requirements of Safe Harbor. Or, organizations may develop a self-regulatory privacy policy which conforms to Safe Harbor.</p><p>CIPP Exam Preparation<br
/> In preparation for the Certified Information Privacy Professional (CIPP) exam; the Certification Foundation (Foundations) exam; and the Certified Information Privacy Professional/Canada (CIPP/C) exam, a privacy professional should be comfortable with topics related to this post, including:<br
/> •	E.U. Data Protection Directive (95/46/EC) (Foundations: I.D.a.ii.2.)<br
/> •	E.U. Data Protection Directive – Safe Harbor Status (CIPP/C; II.A.b.iii.)<br
/> •	International Data Transfers (CIPP; II.C.e.)<br
/> •	Multinational Compliance – E.U. Data Protection (CIPP; II.C.f.)<br
/> •	Regulatory Authorities – U.S. Department of Commerce (I.A.c.iii.)</p>]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/12/14/do-i-need-to-apply-for-safe-harbor/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Data Protection Laws Around the Globe</title><link>https://www.cippguide.org/2009/12/06/data-protection-laws-around-the-globe/</link> <comments>https://www.cippguide.org/2009/12/06/data-protection-laws-around-the-globe/#comments</comments> <pubDate>Sun, 06 Dec 2009 12:00:18 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[APEC]]></category> <category><![CDATA[Argentina]]></category> <category><![CDATA[Asia]]></category> <category><![CDATA[Brazil]]></category> <category><![CDATA[Canada]]></category> <category><![CDATA[Chile]]></category> <category><![CDATA[EU]]></category> <category><![CDATA[European Union Data Protection Directive]]></category> <category><![CDATA[Habeas Data]]></category> <category><![CDATA[Japan]]></category> <category><![CDATA[Latin America]]></category> <category><![CDATA[Paraguay]]></category> <category><![CDATA[PIPEDA]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=1145</guid> <description><![CDATA[Information privacy is an international concern. Today, most countries have laws protecting personal data from misuse and destruction. Regulation and enforcement of data protection varies from country to country. However, despite such differences, almost every country uses the same basic privacy concepts and principles– notice, access, consent, data integrity, disclosure and accountability– to develop data protection [...]]]></description> <content:encoded><![CDATA[<p>Information privacy is an international concern. Today, most countries have laws protecting personal data from misuse and destruction. Regulation and enforcement of data protection varies from country to country. However, despite such differences, almost every country uses the same basic privacy concepts and principles– notice, access, consent, data integrity, disclosure and accountability– to develop data protection laws.</p><h2>Data Protection in Europe</h2><p>The European Union has the most extensive and comprehensive data protection laws in the world. In 1995, the European Commission instituted its most significant body of law, known as the Data Protection Directive (95/46/EC). The directive applies to all entities that process personal data in all member states of the European Union.</p><h3>E.U. Data Protection Directive Privacy Principles</h3><p>The Data Protection Directive outlines privacy principles for the processing of data which include:</p><p>1)  Notice– <a
href="http://aspe.hhs.gov/DATACNCL/eudirect.htm%23ART10">(Article 10) </a>The data subject must be provided with the identity of the data controller, the purposes for which data is collected and third party recipients</p><p>2)  Choice– <a
href="http://aspe.hhs.gov/DATACNCL/eudirect.htm%23ART14">(Article 14)</a> The data subject may object to the processing of their personal data for the purpose of direct marketing and the disclosure of data for third parties or uses.</p><p>3)  Access and Correction– <a
href="http://aspe.hhs.gov/DATACNCL/eudirect.htm%23ART12">(Article 12) </a>The data subject may request to view data an entity has on record about them and rectify, erase or block the processing of data if incorrect or incomplete.</p><p>4)  Data Quality–<a
href="http://aspe.hhs.gov/DATACNCL/eudirect.htm%23ART6">(Article 6</a>) Data should be processed lawfully. It should be collected and processed for specific and legitimate purposes. Data should be timely, accurate and complete. Data that is no longer necessary should be kept in a format that is not personally identifiable.</p><p>5)  Data Security– <a
href="http://aspe.hhs.gov/DATACNCL/eudirect.htm%23ART17">(Article 17)</a> Appropriate steps must be taken to protect against accidental loss, and unauthorized access, use or destruction.</p><h3>Enforcement</h3><p>The E.U. data directive requires the creation of a <a
href="http://aspe.hhs.gov/DATACNCL/eudirect.htm%23ART28">National Data Protection Authority f</a>or all member states. This supervisory authority must regulate and implement data protection laws within its country as well as investigate privacy violations.<a
href="http://aspe.hhs.gov/DATACNCL/eudirect.htm%23ART18"> Every data controller must register with a supervisory authority before processing personal data. </a></p><h3><a
href="http://en.wikipedia.org/wiki/Data_Protection_Directive%23Transfer_of_personal_data_to_third_countries">Onward Transfer</a></h3><p>In order to protect personal data when transferred to countries outside the European Union, <a
href="http://aspe.hhs.gov/DATACNCL/eudirect.htm%23ART25">the Data Protection Directive prohibits onward transfer to entities in non-member states</a> unless they meet an equivalent level of protection. Agreements like <a
href="http://www.export.gov/safeharbor/">Safe Harbor between the United States and the E.U.</a> allow businesses to participate in a program that allows unrestricted international data flow as long as a businesses institutes similar privacy principles to those of the E.U.</p><p>The Data Protection Directive also has special regulations for the transfer of <a
href="http://ec.europa.eu/youreurope/nav/en/citizens/services/eu-guide/data-protection/index_en.html%2311464_8">sensitive data</a> such as racial or ethnic origins, political or religious beliefs, sexual orientation, trade union membership and other similar characteristics. <a
href="http://aspe.hhs.gov/DATACNCL/eudirect.htm%23ART8">The E.U. requires explicit, affirmative consent from a data subject</a> in order to disclose sensitive information to third parties, no matter whether the third party is within or outside the European Union.</p><h3>Privacy and Electronic Communications Directive</h3><p>In 2003, the <a
href="http://en.wikipedia.org/wiki/Directive_on_Privacy_and_Electronic_Communications">Directive on Privacy and Electronic Communications</a> (<a
href="http://www.opsi.gov.uk/si/si2003/20032426.htm">2002/58</a>) was developed to complement the Data Protection Directive. It deals specifically with data protection with regard to marketing messages and the growing use of digital technology and electronic communications. <a
href="http://www.ico.gov.uk/what_we_cover/privacy_and_electronic_communications/the_basics.aspx">The Privacy and Electronic Communications Directive requires explicit consent from a data subject to send marketing messages unless all of the following criteria are met:</a></p><p>1)  The provider already has information on the data subject on file from a previous service or transaction</p><p>2)  The marketing message is in relation to similar services or products</p><p>3)  The data subject is given the opportunity to opt-out of further marketing messages.</p><p>The E-Privacy Directive also places restrictions on the use of marketing messages through telemarketing, automated telephone calls and faxes. The directive also requires a mechanism to <a
href="http://en.wikipedia.org/wiki/Directive_on_Privacy_and_Electronic_Communications%23Cookies">opt-out of the use and receipt of cookies</a>.</p><h2>Data Protection in Canada</h2><p>Canada is one of the countries closest to the European Union in terms of comprehensive information privacy law. It uses a co-regulatory framework between the government and the private sector to enforce data protection.</p><h3><a
href="http://en.wikipedia.org/wiki/Privacy_Act_%2528Canada%2529">The Privacy Act of 1983</a></h3><p><a
href="http://laws.justice.gc.ca/en/P-21/index.html">The Privacy Act of 1983 regulates the use of personal information by the Canadian Federal Government.</a> The Privacy Act requires:</p><ul><li> Notice– the data subject must be notified of the information collected and its uses</li><li>Access– a data subject has the right to view what personal information is held by a government institution and rectify erroneous information</li><li>Consent–  data subject must provide explicit consent before information is disclosed to parties outside the control of a government institution (with a few exceptions)</li><li>Limited Use– collected information must directly relate to the activities of a government program and may only be used for the purposes it was originally collected (with a few exceptions)</li><li>Enforcement– <a
href="http://en.wikipedia.org/wiki/Privacy_Commissioner_of_Canada">the Privacy Commissioner of Canada</a> must investigate any complaints it receives regarding privacy violations against data subjects.</li></ul><h3><a
href="http://en.wikipedia.org/wiki/PIPEDA">The Personal Information Protection and Electronic Documents Act</a></h3><p><a
href="http://laws.justice.gc.ca/en/P-8.6/FullText.html">PIPEDA</a> deals with information privacy in the private sector of Canada which includes financial and health institutions. It protects all information that may identify an individual used in the course of rendering commercial services including those of nonprofit organizations.</p><p><a
href="http://www.media-awareness.ca/english/resources/educational/handouts/privacy/csa_privacy_code_guide.cfm">PIPEDA incorporates the ten privacy principles outlined by the Canadian Standards Association</a>, which include: Accountability; Identifying Purposes; Consent; Limiting Collection; Limiting Use, Disclosure and Retention; Accuracy; Safeguards; Openness; Individual Access; and Challenging Compliance. PIPEDA requires explicit consent from individuals in order to use, process or disclose their personal information (with a few exceptions).</p><p>PIPEDA is enforced through the <a
href="http://www.priv.gc.ca/aboutUs/mm_e.cfm%23contenttop">Office of the Privacy Commissioner of Canada</a> or similar territorial privacy commissioners. The Commissioner is required, by PIPEDA, to investigate any privacy complaints lodged against a commercial institution and create a report of their findings. The report is sent, with recommendations, to the organization against whom the complaint was filed. The report is also returned to the complainant, who can then pursue the matter further in the Federal Courts.</p><h2>Data Protection in Asia</h2><p>Data protection across Asia varies depending on the development and political beliefs of each country; however, even countries that grant the least amount of protection have shown a concern for data protection and the way it affects the free flow of information.</p><p><a
href="http://www.jonesday.com/pubs/pubs_detail.aspx?pubID=S2920">Japan and the Law Concerning the Protection of Personal Information</a></p><p>Data Protection in Japan is covered under the <a
href="http://www5.cao.go.jp/seikatsu/kojin/foreign/act.pdf">Law Concerning the Protection of Personal Information</a>. It was put into effect in 2005. Enforcement is regulated by the ministries of each industry sector (e.g., the Ministry of Health enforces the Law in the health industry). Each industry may place additional restrictions on the use of personal information.</p><p>Like many data protection laws, Japan’s Law requires specific and limited use of information, adequate data security and integrity, data subject notice of the purpose of use, as well as access to and correction of information held by an institution. One major difference in Japan’s Law is in its policies regarding disclosure. Explicit consent is required for all disclosure of information to third parties, even if the third party is affiliated with the data controlling entity.</p><h3>The Asia-Pacific Economic Cooperation</h3><p>APEC is a non-binding cooperative agreement between countries along the coast of the Pacific to facilitate regional trade. In 2004, APEC developed a Privacy Framework, recognizing the need for strong data protection laws to allow multinational and international business and trade to continue. <a
href="http://www.apec.org/apec/member_economies.html">Members of APEC</a> include: Australia, Canada, Chile, China, Japan, Peru, Russia, the United States, as well as others.</p><p><a
href="http://epic.org/redirect/apf12407.html">APEC’s Privacy Framework outlines 9 privacy principles:</a></p><p>1)  Preventing Harm– Above all, privacy regulations should prevent harm to data subjects from the unauthorized collection, use or disclosure of personal information, or from its misuse.</p><p>2)  Notice– An individual should be notified regarding their personal information, including what is collected, used or disclosed, why, how and to whom. They must also be given the choice and means to limit the use and disclosure of their information.</p><p>3)  Collection Limitation– Collected information should be used for specific and limited purposes.</p><p>4)  Uses of Personal Information– Personal information should be collected with the consent of the data subject and when necessary to render a service or transaction.</p><p>5)  Choice– Individuals must be provided with unambiguous mechanisms to control the collection, use and disclosure of their personal information.</p><p>6)  Integrity of Personal Information– Personal information should be complete, timely and accurate.</p><p>7)  Security Safeguards– Safeguards should be created to protect against data loss as well as unauthorized access, use, disclosure, destruction and other misuses.</p><p>8)  Access and Correction– Individuals must be able to obtain the personal information a data controller may hold about them in a timely and reasonable manner and be allowed to challenge the accuracy of the information.</p><p>9)  Accountability– Entities controlling personal information must be accountable for complying with privacy principles.</p><p>APEC is non-binding, which means that there is no single supervisory authority for enforcing compliance in member states. Each member state is responsible for creating and enforcing its own information privacy regulations that adhere to the APEC Privacy Framework.</p><h2>Data Protection in Latin America</h2><p>Like Asia, data protection in Latin America is inconsistent. 
However, many Latin American countries along the Pacific are members of APEC and comply with the APEC Privacy Framework. Furthermore, many countries have included some forms of data protection in their constitutions under the writ of Habeas Data.</p><h3><a
href="http://en.wikipedia.org/wiki/Habeas_Data">Habeas Data</a></h3><p>Habeas Data literally translates to “[we command] you have the data.” It protects the right of an individual to file complaints with a constitutional court regarding violations of their image, honor, privacy, and freedom of information. Legally this has translated into information privacy regulations for the government. Often similar regulations have been extended to the private sector. Habeas Data requires that an individual be able to view information on record about their person and correct any false information. Furthermore, it holds a data controlling entity accountable for the integrity of data. <a
href="http://en.wikipedia.org/wiki/Habeas_Data%23Implementation">The 1988 Brazilian Constitution was the first to include the writ of Habeas Data.</a></p><h3>Argentina</h3><p>Argentina is the only Latin American country considered <a
href="http://ec.europa.eu/justice_home/fsj/privacy/thridcountries/index_en.htm">adequate under the E.U. Data Protection Directive. </a> The Argentine Constitution contains the writ of Habeas Data. In 2000, a comprehensive data protection law called the <a
href="http://www.habeasdata.org/Data-Protection-Act-Argentina-Law-25326">Personal Data Protection Act</a> was implemented to protect personal data in both the public and private sector.</p><p>Under the Act, data must be collected for “certain, appropriate, pertinent and not excessive” purposes and must be collected lawfully. Data must be accurate, complete, secure and destroyed once it is no longer necessary for the purposes it was originally collected. Furthermore any activities surrounding personal data must receive explicit consent from the individual with a few specific exceptions <a
href="http://www.habeasdata.org/Data-Protection-Act-Argentina-Law-25326">(section 5)</a>.</p><p>The Act also prohibits the creation of files linking sensitive data with identifiable individuals and requires that no person may be compelled to share sensitive data. Much like the E.U. Data Protection Directive, the Act requires other countries to have adequate levels of protection before data is transferred to them.</p><h3>Chile</h3><p>In 1999, Chile was the first Latin American country to implement a data protection law. Chile uses a comprehensive law called <a
href="http://www.ibls.com/internet_law_news_portal_view.aspx?s=latestnews&amp;id=2140">The Law for the Protection of Private Life</a> to govern the public and private sectors. While the Law guarantees a data subject’s rights to access, correction, notice, and judicial control, <a
href="http://www.privacyinternational.org/survey/phr2003/countries/chile.htm">there is no supervisory authority and compliance is largely self-enforced.</a> Furthermore, the Law provides no protection for international transfers.</p><h3>Paraguay</h3><p>Paraguay includes Habeas Data in <a
href="http://servat.unibe.ch/icl/pa00000_.html%23A135_">Article 135</a> of its constitution, which states:</p><p>“Everyone may have access to information and data available on himself or assets in official or private registries of a public nature. He is also entitled to know how the information is being used and for what purpose. He may request a competent judge to order the updating, rectification, or destruction of these entries if they are wrong or if they are illegitimately affecting his rights.” Paraguay also has its own privacy law to govern information privacy during the course of commercial business. Additionally, it <a
href="http://www.madrid.org/cs/Satellite?c=CM_Revista_FP&amp;cid=1142318581808&amp;esArticulo=true&amp;idRevistaElegida=1142317009940&amp;language=en&amp;pag=1&amp;pagename=RevistaDatosPersonalesIngles%252FPage%252FRDPI_home_RDP&amp;siteName=RevistaDatosPersonalesIngles">protects sensitive data and economic status information</a> by requiring explicit, written consent of the data subject unless it is required by law.</p><h2>In Conclusion</h2><p>As technology progresses and the unrestricted flow of information across borders becomes increasingly important, countries will no longer have the luxury of avoiding data protection. In order to protect the data of their citizens, governments like the E.U. and Argentina require similar levels of protection when they transfer their information to other countries. To allow such trade to continue, countries around the globe must implement privacy policies of their own and consider how they will protect the information of their citizens as well as the personal information they receive through onward transfer. With the growth of electronic technology, information privacy has become an international issue that cannot be ignored.</p><h1>CIPP Candidate Preparation</h1><p>In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:</p><ul><li>Privacy and Data Protection Regulation (Foundations: I.F.b.ii-v.) 
including Europe, Canada, Asia and South America</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2009/12/06/data-protection-laws-around-the-globe/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Safe Harbor Compliance</title><link>https://www.cippguide.org/2009/11/30/safe-harbor-compliance/</link> <comments>https://www.cippguide.org/2009/11/30/safe-harbor-compliance/#comments</comments> <pubDate>Mon, 30 Nov 2009 12:00:21 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[Consumer Protection]]></category> <category><![CDATA[EU]]></category> <category><![CDATA[European Union Data Protection Directive]]></category> <category><![CDATA[Federal Trade Commission]]></category> <category><![CDATA[FTC]]></category> <category><![CDATA[Safe Harbor]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=1136</guid> <description><![CDATA[Safe Harbor is an advantageous agreement between the United States and the European Union that governs the protection of data during transfer from the E.U. to the U.S.  American companies wishing to do business with companies in the E.U. may receive certification, stating they have implemented data protection principles that are similar and equal to those of the E.U. Data Protection Directive, and are then allowed unrestricted data transfers with entities in the E.U. Recently, the FTC– the U.S. body governing enforcement of Safe Harbor– has begun to crack down on U.S. companies claiming Safe Harbor compliance, but failing to implement the required protection standards. Multi-national companies must now take a strong look at their privacy policies and notices to ensure they are Safe Harbor compliant and avoid Federal [...]]]></description> <content:encoded><![CDATA[<p>Safe Harbor is an advantageous agreement between the United States and the European Union that governs the protection of data during transfer from the E.U. to the U.S.  American companies wishing to do business with companies in the E.U. may receive certification, stating they have implemented data protection principles that are similar and equal to those of the <a
href="http://en.wikipedia.org/wiki/Data_Protection_Directive">E.U. Data Protection Directive</a>, and are then allowed unrestricted data transfers with entities in the E.U. Recently, the <a
href="http://www.ftc.gov/">FTC</a> – the U.S. body governing enforcement of Safe Harbor – has begun to crack down on U.S. companies claiming Safe Harbor compliance but failing to implement the required protection standards. Multinational companies must now take a hard look at their privacy policies and notices to ensure they are Safe Harbor compliant and avoid federal scrutiny.</p><p><strong>What is Safe Harbor?</strong></p><p>In 1995, the E.U. implemented a comprehensive law, the <a
href="http://www.cdt.org/privacy/eudirective/EU_Directive_.html">Data Protection Directive</a>, which created strong standards and principles governing the use and protection of data. Any data transferred within the E.U. or the European Economic Area would be protected under the law. However, personal data transferred to other countries would not be guaranteed the same protection. The Data Protection Directive restricts the transfer of data to other countries unless they meet a comparable level of data protection.</p><p>Data protection in the United States, which is more commonly known as information privacy, is governed by a number of sectoral laws that protect data within specific industries, e.g. <a
href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html">HIPAA</a> protects personal health information, <a
href="http://en.wikipedia.org/wiki/Fair_and_Accurate_Credit_Transactions_Act">FACTA</a> protects personal information in the financial sector. The U.S. has no central or comprehensive data protection regime, and therefore the E.U. finds data protection in the U.S. to be inadequate.</p><p>To facilitate unrestricted data transfer between the United States and the European Union, the Safe Harbor agreement was created to give U.S. companies the opportunity to raise their level of data protection and achieve “adequate” status, thus meeting the restriction rules for onward transfer to third parties under the E.U. Data Directive.</p><p><strong><a
href="http://www.export.gov/safeharbor/eu/eg_main_018476.asp">The Benefits of Safe Harbor Compliance</a></strong></p><p>In 2000, when the Safe Harbor agreement was developed between the E.U. and the U.S., data transfers accounted for over <a
href="http://www.export.gov/safeharbor/eu/eg_main_018474.asp">$300 billion in trade</a>. Safe Harbor allows such exportation and importation of data to continue while still protecting the personal data of European citizens. Though the Safe Harbor agreement requires stricter privacy standards of U.S. companies than U.S. law requires, it is really to the benefit of both sides that such an agreement exists.</p><p>Participating U.S. companies enjoy the privilege of the Safe Harbor Agreement, which requires all E.U. member states to allow unrestricted data transfers with any and all Safe Harbor certified participants. This means that certified companies may not be denied transfers by individual data controllers or Data Protection Authorities according to their own agendas.</p><p>Furthermore, complaints brought against a U.S. entity by European citizens regarding the protection of their personal data are heard in U.S. courts, and the Safe Harbor program is under U.S. enforcement.</p><p>Safe Harbor also eliminates the need for separate approval of data transfers, or grants such approval automatically, creating a more cost- and time-efficient system. Companies may choose not to join the Safe Harbor agreement and instead make individual agreements or model contracts with a Data Protection Authority, but this may increase the time and energy needed to allow for the unrestricted transfer of data.</p><p><strong><a
href="http://www.export.gov/safeharbor/eu/eg_main_018474.asp">How Does a Company Become Safe Harbor Compliant?</a></strong></p><p>The Safe Harbor program is voluntary. In order to participate, an entity must complete a self-certification process annually with the Department of Commerce. To do this, a company may join a self-regulatory privacy program such as the <a
href="http://www.bbb.org/us/european-union-dispute-resolution/">BBB Online</a>, which audits companies' privacy policies and business operations and provides certificates of compliance with Safe Harbor. Alternatively, an entity may create its own self-regulatory privacy policy that adheres to all Safe Harbor principles. Furthermore, the entity must publicly state in its privacy notice that it is Safe Harbor compliant.</p><p><strong><a
href="http://en.wikipedia.org/wiki/Safe_harbor">The Safe Harbor Principles</a></strong></p><p>The following principles must be included in a <strong><a
href="http://www.export.gov/safeharbor/eu/eg_main_018474.asp">Safe Harbor compliant privacy policy</a></strong>.</p><p><em>Notice</em></p><ul><li>The data subject must be notified about the purposes for which personal information is collected and used.</li><li>The data subject must be notified about contact methods to file inquiries and complaints.</li><li>The data subject must be notified about the types of third parties to whom personal information may be disclosed.</li><li>The data subject must be provided with their choices and means of limiting disclosure of their personal data.</li><li>Notice should be provided at the time when information is first collected or shortly thereafter, and must be provided before data is processed or disclosed.</li></ul><p><em>Choice</em></p><ul><li>The data subject must be able to opt out of third-party disclosures.</li><li>The data subject must be able to opt out of secondary use of information.</li><li>The data subject must give affirmative consent (opt-in) for the disclosure or use of <strong><a
href="http://ec.europa.eu/youreurope/nav/en/citizens/services/eu-guide/data-protection/index_en.html%2311464_8">sensitive information</a></strong>.</li></ul><p><em>Onward Transfer</em></p><ul><li>All third parties to whom data may be transferred must follow the Safe Harbor principles or be compliant with the Data Directive. The same level of protection must be guaranteed no matter how many times the data is transferred.</li></ul><p><em>Security</em></p><ul><li>Entities that process data at any stage of its life cycle (collection, use, analysis, storage) must take reasonable measures to protect against data loss, destruction, misuse and unauthorized access.</li></ul><p><em>Data Integrity</em></p><ul><li>Data may only be processed or used in ways that are related and proportional to the purposes for which it was originally collected.</li><li>An entity should take reasonable steps to ensure data is accurate, timely and complete.</li></ul><p><em>Access</em></p><ul><li>Data subjects must be able to view the information an organization holds about them.</li><li>Data subjects must be able to correct, add to, or delete inaccurate information.</li></ul><p><em>Enforcement</em></p><ul><li>A recourse mechanism must be in place for data subjects to file complaints and have disputes investigated and resolved.</li><li>An entity must have a mechanism to verify that its stated privacy policy and business operations are compliant with the Safe Harbor agreement. Audits should be completed annually.</li><li>It is the obligation and responsibility of the entity to remedy any compliance problems in a timely fashion.</li></ul><p><strong><em><a
href="http://www.export.gov/safeharbor/eu/eg_main_018481.asp">Enforcing Safe Harbor</a></em></strong></p><p>U.S. compliance with Safe Harbor is largely self-regulated. Entities may choose to complete self-verification of compliance and investigate complaints internally. Companies also have the option of using private, third-party dispute resolution mechanisms that have gained a reputation for trustworthiness to verify their compliance and investigate disputes.</p><p>Some well-known third-party dispute resolution service providers include:</p><ul><li><em><a
href="http://www.bbb.org/us/Dispute-Resolution-Services/">The Better Business Bureau Online</a></em></li><li><em><a
href="http://www.the-dma.org/services/MediationArbitrationService.shtml">The Direct Marketing Association</a></em></li><li><em><a
href="http://www.esrb.org/privacy/privacy_enforcement.jsp">The Entertainment Software Rating Board</a></em></li></ul><p>Third-party dispute resolution providers are self-regulated and not certified by the Department of Commerce or the FTC. Therefore, it is the legal responsibility of the entity to choose a program that is Safe Harbor compliant.</p><p>Though Safe Harbor has not been strictly enforced in the past, there are regulations within privacy and trade law to punish violators. <a
href="http://www.export.gov/safeharbor/eu/eg_main_018476.asp">Misuse of the Safe Harbor agreement can qualify as “unfair or deceptive trade practices” under Section 5 of the Federal Trade Commission Act</a>. The FTC may take action against offenders including conducting formal hearings, and issuing cease and desist or temporary restraining orders. Failing to comply with an FTC order may carry a penalty of up to $11,000 for every day of continued violation and any entity that knowingly violates an FTC rule may be subject to the same penalty.</p><p><strong>Safe Harbor in the News</strong></p><p>Historically, the FTC has done very little to enforce Safe Harbor compliance. However, that has begun to change. <strong><em><a
href="http://privacylaw.proskauer.com/2009/09/articles/european-union/ftc-enforces-useu-safe-harbor-program-for-first-time/">In August 2009, the FTC publicly announced a suit against a California-based company, Balls of Kryptonite,</a></em></strong> which purposely misled UK consumers into believing it was an E.U. company by using a .co.uk domain address. Furthermore, the company stated in its privacy policy that it was Safe Harbor compliant, though no certification had ever been filed.</p><p><strong><em><a
href="http://privacylaw.proskauer.com/2009/10/articles/european-union/ftc-continues-safe-harbor-enforcement-streak-with-six-new-proposed-settlements/">Then, in October 2009, the FTC filed settlement complaints against six multinational companies</a></em></strong> that had lapsed in their compliance but failed to alter their privacy policies to notify data subjects of the change. The recent enforcement has sent the message to business owners that the FTC may no longer rely on private self-regulation to provide adequate enforcement. Since Safe Harbor compliance requires a public statement in privacy notices stating participation in the program, the FTC needs only to compare its current list of Safe Harbor participants with the privacy notice of an entity to gain evidence of unfair or deceptive trade practices. <strong><em><a
href="http://privacyblog.littler.com/2009/10/articles/data-security/multinationals-certified-to-the-useu-safe-harbor-agreement-beware-the-federal-trade-commission-has-bared-its-enforcement-teeth/">There is also speculation that audits may be conducted in the future</a></em></strong> for companies with current certifications, to verify full compliance with all Safe Harbor regulations.</p><p>Data protection, especially with regard to onward transfer, continues to be a significant issue in international politics. <a
href="http://www.dhs.gov/journal/leadership/2009/11/us-and-eu-agree-on-data-protection.html">In the first week of November 2009, the United States and European Union</a>, recognizing the weaknesses in current regulation, joined together to create a common set of principles to govern the transfer of personal data. <a
href="http://www.google.com/hostednews/afp/article/ALeqM5gC_3suiQ5PQX2Quq6BtyeNYRpTpw">That same week, privacy representatives from around the world met in Madrid</a> for the International Data Protection and Privacy to create a universal standard of privacy and data protection, in the hope of eventually creating a universal data protection law.</p><p><strong>In Conclusion:</strong></p><p>Companies wishing to conduct legal and successful business on a multinational level must be concerned with the protection of data when it is transferred both to and from the United States. Agreements like Safe Harbor allow the United States and the European Union to continue a mutually beneficial trade relationship; however, the agreement alone does not guarantee data protection. Participating U.S. companies need to ensure Safe Harbor compliance to build trust in their organization, as well as in the program, to allow such agreements to continue in the future despite the differing approaches the U.S. and the E.U. take regarding data protection.</p><p><strong><em>CIPP Candidate Preparation</em></strong></p><p>In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>The Collective View of Privacy Principles (Foundations I.E), including Notice, Consent, Access, Security, and Quality</li><li>Privacy and Data Protection Regulation (Foundations I.F), including Onward Transfer, Safe Harbor, and the E.U. Data Protection Directive</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2009/11/30/safe-harbor-compliance/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> </channel> </rss>
