Commercial Privacy Law Globalization, Fair Information Practice Principles (FIPPs) and Treaties: What US Companies Should Prepare and Wish For

Brian Hengesbaugh

Partner, Baker & McKenzie (Chicago)

Jun 27, 2020

Page 1

Commercial Privacy Law Globalization, Fair Information Practice Principles (FIPPs) and Treaties: What US Companies Should Prepare and Wish For

Brian Hengesbaugh

Partner, Baker & McKenzie (Chicago)

Page 2

Agenda

– Global privacy conflicts

– Business transformations

– Compliance activities

– Harmonization efforts

– US developments

– European Union developments

– Global and regional efforts

– Takeaways


Page 3

Privacy conflicts in business transformations

Page 4

Scope of data privacy laws

– Regulate the collection, use, storage, disclosure, and other processing of “personally identifiable information” or “PII”

– Name and other “identifiers,” and any other data that can be linked with the identified or identifiable person.

– Employees, consumers, contractors, patients, insureds, corporate customer contacts, supplier contacts, website visitors, business partner contacts, end users, and other individuals.

– Three approaches to regulation globally:

– United States: Sector-specific (HIPAA/HITECH, GLBA/FCRA, and the like) and data-specific (SSNs, bank account, credit/debit card numbers)

– European Union: Omnibus privacy laws applicable to all PII, regardless of sector, category of individual, or type of PII; EU tends to lead the rest of the non-US world.

– Rest of World: Mix of US and EU approaches.

Page 5

Enterprise resource planning (ERP) systems

– Global centralization and control:

– Financials

– Human resources management

– Supply chain

– Distribution

– Customer relationship management

– Global PII data flows about:

– Employees, consumers, corporate customers, distributors, and suppliers.

Page 6

ERP systems (cont.)

Two “big picture” privacy issues:

– Local compliance obligations

– Notice/consent

– Legitimacy/proportionality

– Information security

– Sensitive PII requirements

– Data protection filings/ consultations with data protection officers

– Cross-border data transfer restrictions

– Key example: “Adequacy” requirement for ex-EU data transfers

Page 7

ERP systems (cont.)

– Cross-border data transfer solutions to the adequacy requirement:

– Model contracts

– Safe Harbor

– Consent

– Binding corporate rules

Page 8

Outsourcing

– Information technology outsourcing (ITO) to business process outsourcing (BPO)

– Role of “processor” vs. “controller”

– SWIFT case

– “Upstream” privacy issues/ local compliance issues

– “Downstream” privacy issues

– Information security and breach notification

– Contract terms with service provider – “new” EC Model Processor Contract

– Permits subcontracting

– Key “formalities”

Page 9

Cloud computing

– Key characteristics of “public” cloud:

– Multitenant, where resources are dynamically assigned according to user demand, without user control over or knowledge of the exact location of the provided resources,

– Notable cost savings with reduced capital expenditure on servers/hardware, electricity,

– Ubiquitous access anywhere with web access, and

– Steady traffic flow that manages spikes in demand or “cloudbursts”.

– Service delivery models:

– Software as a Service (e.g., salesforce.com),

– Platform as a Service (e.g., Google App Engine), and

– Infrastructure as a Service (e.g., Rackspace hosting).

Page 10

Cloud computing (cont.)

– Substantive data security concerns, particularly for SSNs and other sensitive PII

– Multitenant (e.g. malware in other user applications?)

– Limited knowledge (e.g., location of processing?) and limited control (e.g., details in the event of a data compromise?), and

– Rich target for hackers.

– For non-US data, formalities may be a challenge:

– Privity with subcontractors

– “People” issues with data protection officers, data protection authorities, and works councils

– “Private” cloud may be the answer for sensitive PII and non-US data

Page 11

Behavioral advertising and social networking

– Online and location-based data collections about consumers (or consumer devices) via:

– Third party cookies

– Mobile device and location-based tracking

– Social networking dialogues with consumers and users via Facebook, LinkedIn, MySpace, Blogs, company Internet sites, and other media

– Critical issues:

– Clear and unavoidable notice

– Consumer choice (opt-in for sensitive data)

– Information security

– Limited record retention

– Also, special employee issues with access to social networking sites.

Page 12

Privacy conflicts in compliance activities

Page 13

Whistleblower hotlines

– SOX and corporate compliance rules to establish “confidential and anonymous mechanism” to report violations

– Conflicts with privacy rights when “accused” is in the European Union and other non-US locations

– Cross-border transfers

– Solutions

Page 14

E-Discovery, internal investigations, and e-monitoring

– Challenges:

– Business or compliance requirements at global (e.g., US) level for data or documents

– Local privacy rules and conflicting rights for employees or persons of interest in investigations, litigation, and compliance activities

– Solutions:

– IT policies, notices, and consents

– Proportionality, avoiding prohibited activities

– Filings with authorities and consultations with works councils

– Cross-border data transfer solutions

– Anonymizing data and “other” solutions

Page 15

Harmonization

Page 16

Harmonization

– Key developments:

– DOC Privacy “Green Paper”*

– FTC Reports*

– EC Directive Review*

– Asia-Pacific Economic Cooperation (APEC) Forum

– Organization for Economic Cooperation and Development (OECD)

– International Organization for Standardization (ISO)

– World Trade Organization (WTO)?

Page 17

US Department of Commerce: Commercial Data Privacy and Innovation in the Internet Economy (Dec 2010)

– Dynamic Policy Framework:

– 21st Century Fair Information Practice Principles (“FIPPs”): Transparency, Purpose Specification, Use Limitation, and Auditing

– Voluntary but enforceable Codes of Conduct

– Encourage Global Interoperability

– Federal law on Data Security Breach Notification

– FIPPs should act in concert with existing sector-specific laws

– Balance desire for uniformity (pre-emption) with States’ rights to protect consumers

– Review of the Electronic Communications Privacy Act in light of cloud computing and location-based services

– Calls for creation of Privacy Policy Office (“Privacy Watchdog”) within the US Department of Commerce to facilitate development of the Framework

Page 18

FTC Staff Report: Protecting Consumer Privacy in an Era of Rapid Change (Dec 2010)

– Scope: Data that can reasonably be linked to a specific consumer, computer or device (not just personally identifiable information)

– Proposed Privacy Framework (3 Components)

– Privacy By Design: reasonable security, data minimization, limited retention, secure disposal, data accuracy, procedural (assign privacy overseers, train employees, conduct privacy reviews of new products/services)

– Simplified Choice: No choice for commonly accepted practices (e.g., product fulfillment, first party marketing), just-in-time approach to consent, Do Not Track proposal

– Greater Transparency: clear, concise, and easy-to-read, reasonable access and correction (e.g., data brokers), robust notice and affirmative consent for retroactive and material changes, consumer education

Page 19

Proposed Revisions to the 1995 EC Data Protection Directive

– Key elements of the European Commission (EC) Proposal

– New technologies

– Mandatory breach notification

– Consent

– Accountability

– Reducing administrative burden

– Clarifying and simplifying rules for international data transfers

Page 20

Takeaways

Page 21

Takeaways

– Perfect privacy storm:

– more complex laws,

– more business activities, and

– more data sharing.

– Wish (and work) for:

– More private sector participation in privacy rulemaking

– Greater involvement of the US government (particularly DOC)

– Introduction of greater flexibility into privacy laws for compliance with non-local (and legitimate) legal demands.

– In the meantime: continue to set privacy compliance benchmarks as high as reasonably possible for the company, to prepare for coming changes.

Page 22

Thank you

Brian Hengesbaugh

Partner, Baker & McKenzie (Chicago)

(312)-861-3077

[email protected]

Baker & McKenzie International is a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “partner” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm.