Commercial Privacy Law Globalization, Fair Information Practice Principles (FIPPs) and Treaties: What US Companies Should Prepare and Wish For
Brian Hengesbaugh
Partner, Baker & McKenzie (Chicago)
Agenda
– Global privacy conflicts
– Business transformations
– Compliance activities
– Harmonization efforts
– US developments
– European Union developments
– Global and regional efforts
– Take Aways
Privacy conflicts in business transformations
Scope of data privacy laws
– Regulate the collection, use, storage, disclosure, and other processing of “personally identifiable information” or “PII”
– Name and other “identifiers,” and any other data that can be linked with the identified or identifiable person.
– Employees, consumers, contractors, patients, insureds, corporate customer contacts, supplier contacts, website visitors, business partner contacts, end users, and other individuals.
– Three approaches to regulation globally:
– United States: Sector-specific (HIPAA/HITECH, GLBA/FCRA, and the like) and data-specific (SSNs, bank account, credit/debit card numbers)
– European Union: Omnibus privacy laws applicable to all PII, regardless of sector, category of individual, or type of PII; EU tends to lead the rest of the non-US world.
– Rest of World: Mix of US and EU approaches.
Enterprise resource planning (ERP) systems
– Global centralization and control:
– Financials
– Human resources management
– Supply chain
– Distribution
– Customer relationship management
– Global PII data flows about:
– Employees, consumers, corporate customers, distributors, and suppliers.
ERP systems (cont.)
Two “big picture” privacy issues:
– Local compliance obligations
– Notice/consent
– Legitimacy/proportionality
– Information security
– Sensitive PII requirements
– Data protection filings/ consultations with data protection officers
– Cross-border data transfer restrictions
– Key example: “Adequacy” requirement for ex-EU data transfers
ERP systems (cont.)
– Cross-border data transfer solutions to the adequacy requirement:
– Model contracts
– Safe Harbor
– Consent
– Binding corporate rules
Outsourcing
– Information technology outsourcing (ITO) to business process outsourcing (BPO)
– Role of “processor” vs. “controller”
– SWIFT case
– “Upstream” privacy issues/ local compliance issues
– “Downstream” privacy issues
– Information security and breach notification
– Contract terms with service provider – “new” EC Model Processor Contract
– Permits subcontracting
– Key “formalities”
Cloud computing
– Key characteristics of “public” cloud:
– Multitenant, where resources are dynamically assigned according to user demand, and without user control or knowledge over the exact location of the provided resources,
– Notable cost savings with reduced capital expenditure on servers/hardware and electricity,
– Ubiquitous access anywhere with web access, and
– Steady traffic flow that manages spikes in demand or “cloudbursts”.
– Service delivery models:
– Software as a Service (e.g., salesforce.com),
– Platform as a Service (e.g., Google App Engine), and
– Infrastructure as a Service (e.g., Rackspace hosting).
Cloud computing (cont.)
– Substantive data security concerns, particularly for SSNs and other sensitive PII
– Multitenant (e.g. malware in other user applications?)
– Limited knowledge (e.g., location of processing?) and limited control (e.g., details in the event of a data compromise?), and
– Rich target for hackers.
– For non-US data, formalities may be a challenge:
– Privity with subcontractors
– “People” issues with data protection officers, data protection authorities, and works councils
– “Private” cloud may be the answer for sensitive PII and non-US data
Behavioral advertising and social networking
– Online and location-based data collections about consumers (or consumer devices) via:
– Third party cookies
– Mobile device and location-based tracking
– Social networking dialogues with consumers and users via Facebook, LinkedIn, MySpace, Blogs, company Internet sites, and other media
– Critical issues:
– Clear and unavoidable notice
– Consumer choice (opt-in for sensitive data)
– Information security
– Limited record retention
– Also, special employee issues with access to social networking sites.
Privacy conflicts in compliance activities
Whistleblower hotlines
– SOX and corporate compliance rules to establish “confidential and anonymous mechanism” to report violations
– Conflicts with privacy rights when “accused” is in the European Union and other non-US locations
– Cross-border transfers
– Solutions
E-Discovery, internal investigations, and e-monitoring
– Challenges:
– Business or compliance requirements at global (e.g., US) level for data or documents
– Local privacy rules and conflicting rights for employees or persons of interest in investigations, litigation, and compliance activities
– Solutions:
– IT policies, notices, and consents
– Proportionality, avoiding prohibited activities
– Filings with authorities and consultations with works councils
– Cross-border data transfer solutions
– Anonymizing data and “other” solutions
Harmonization
– Key developments:
– DOC Privacy “Green Paper”*
– FTC Reports*
– EC Directive Review*
– Asia-Pacific Economic Cooperation (APEC) Forum
– Organization for Economic Cooperation and Development (OECD)
– International Organization for Standardization (ISO)
– World Trade Organization (WTO)?
US Department of Commerce: Commercial Data Privacy and Innovation in the Internet Economy (Dec 2010)
– Dynamic Policy Framework:
– 21st Century Fair Information Practice Principles (“FIPPs”): Transparency, Purpose Specification, Use Limitation, and Auditing
– Voluntary but enforceable Codes of Conduct
– Encourage Global Interoperability
– Federal law on Data Security Breach Notification
– FIPPs should act in concert with existing sector-specific laws
– Balance desire for uniformity (pre-emption) with States’ rights to protect consumers
– Review of the Electronic Communications Privacy Act in light of cloud computing and location-based services
– Calls for creation of Privacy Policy Office (“Privacy Watchdog”) within the US Department of Commerce to facilitate development of the Framework
FTC Staff Report: Protecting Consumer Privacy in an Era of Rapid Change (Dec 2010)
– Scope: Data that can reasonably be linked to a specific consumer, computer or device (not just personally identifiable information)
– Proposed Privacy Framework (3 Components)
– Privacy By Design: reasonable security, data minimization, limited retention, secure disposal, data accuracy, procedural (assign privacy overseers, train employees, conduct privacy reviews of new products/services)
– Simplified Choice: No choice for commonly accepted practices (e.g., product fulfillment, first party marketing), just-in-time approach to consent, Do Not Track proposal
– Greater Transparency: clear, concise, and easy-to-read, reasonable access and correction (e.g., data brokers), robust notice and affirmative consent for retroactive and material changes, consumer education
Proposed Revisions to the 1995 EC Data Protection Directive
– Key elements of the European Commission (EC) Proposal
– New technologies
– Mandatory breach notification
– Consent
– Accountability
– Reducing administrative burden
– Clarifying and simplifying rules for international data transfers
Take aways
– Perfect privacy storm:
– more complex laws,
– more business activities, and
– more data sharing.
– Wish (and work) for:
– More private sector participation in privacy rulemaking
– Greater involvement of the US government (particularly DOC)
– Introduction of greater flexibility into privacy laws for compliance with non-local (and legitimate) legal demands.
– In the meantime: continue to set privacy compliance benchmarks as high as reasonably possible so the company is prepared for coming changes.
Thank you
Brian Hengesbaugh
Partner, Baker & McKenzie (Chicago)
(312)-861-3077
Baker & McKenzie International is a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “partner” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm.