Page 1: CONFERENCE ON CROSS BORDER DATA FLOWS & PRIVACY

Dra. Isabel Davara Fdez. de Marcos
U.S. Department of Commerce, Washington, D.C., October 2007
idavara@davara.com.mx

Mar 27, 2015


Page 2: STRIKE THE RIGHT BALANCE

PROTECTION OF PUBLIC SAFETY v. OTHER PUBLIC INTERESTS, SUCH AS THE PRIVACY RIGHTS OF INDIVIDUALS

Page 3: DIFFERENT APPROACHES

• Data Protection (European standard)

• USA: Public sector mainly (Federal and State laws); “self-regulation”

• Canada: recognized as a country with an adequate level of protection by the EU, but also similar to the USA

• European Union: Public and Private sector laws; “self-regulation” in some way

• Other countries:
  - countries with a European approach and an adequate level of protection
  - sectoral laws (without an adequate level of data protection)
  - without any law (without an adequate level of data protection)

Page 4: DIFFERENT “REGULATORY” APPROACHES

• APEC: APEC Privacy Framework (2004). Project: CBPR.

• Council of Europe: Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981)

• European Union: Charter of fundamental rights; Directive 95/46/EC; Directive 2002/58/EC, amendment by Directive 2006/34/EC; and Regulation (EC) No 45/2001.

• OECD: OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980)

• United States: Privacy Act of 1974, and GLB, HIPAA, COPPA, ECPA, FCRA, but also other Federal and State laws and “self-regulation”.

Page 5: CONSEQUENCES FOR THIRD COUNTRIES (OTHER THAN USA AND EU MEMBER STATES)

• The USA approach does not guarantee that the country fulfils the requirements that the EU demands.

• What is more, not opting for a European legal approach implies not being able to trade, in a wide sense, with the EU.

• For example, LatAm countries are used to “law based” regulations. The State rules. Self-regulation does not always work properly in these environments. Legal certainty is based on laws. As a result, trends in Latin America are following European standards, and specifically Spanish ones, for cultural, historical and linguistic reasons.

Page 6: TRANSBORDER FLOWS OF DATA

Definition and legal provisions

• OECD 1980 Guidelines
  - “Transborder flows of personal data” means movements of personal data across national borders (Annex).

• Directive 95/46/EC
  - Directive 95/46/EC does not define the expression “transborder flows of personal data” or “transfer of data to a third country”
  - Title of the Directive: “… free movement of such data”, not only in the internal market, but also to third countries
  - Provisions about transfer to third countries: adequate level of protection

Page 7: INTERNATIONAL TRANSFER OF DATA (ITD)

Key issues

• International transfer of passenger data to the immigration and customs authorities in different countries

• Use and implementation of Binding Corporate Rules as a means for multinational companies to ensure sufficient guarantees with regard to data protection for worldwide intra-group transfers, by means of a tool better adapted to the situation than contracts but guaranteeing a similar level of data protection for the persons whose data are being sent abroad.

• Need to foster the transatlantic dialogue and strengthen the links with bodies playing a role in connection with privacy in countries like Canada and the United States of America.

(WP 98)

Page 8: INTERNATIONAL TRANSFER OF DATA (ITD)

Talking about ITD implies studying European rules, as the US does not impose barriers. From the EU point of view (art. 25 EU Directive), ITD is defined by:

1. Country of destination
   - European or EEA country
   - Country with an adequate level of protection (Sweden, Hungary -now an EU country-, Canada, companies affiliated to Safe Harbor and PNR in USA, Argentina, Guernsey and the Isle of Man)
   - A third country

2. Purpose of the ITD
   - Transfer to processors established in third countries
   - Transfer intended for processing after transfer

Page 9: SO, WHAT ARE THE CHOICES?

• As a general solution, the country should obtain the European Commission's declaration of an adequate level of protection, as that means freedom in data exchange.

• As ad hoc solutions, countries could use other means, such as contractual clauses. Problems: they need to be agreed every time between the parties, they are not a general country-level solution, and they establish a lot of responsibilities and duties. New trend: BINDING CORPORATE RULES (BCR)

Page 10: ADEQUACY TEST (Art. 25 EU Directive)

• Nature of the data
• Purpose of transfer
• Duration of transfer
• Country of origin
• Professional rules
• Country of final destination
• Rules of law
• Security measures

Page 11: EXCEPTIONS (Art. 26 EU Directive)

• Data subject's consent
• Vital interests of data subject
• Contract/precontract (request of data subject)
• Contract in interest of data subject
• Public Registers
• Legal claims
• Public interest

Page 12: CONTRACTUAL SOLUTION

“26.2. Without prejudice to paragraph 1, a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.”

Commission Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC (Text with EEA relevance) (notified under document number C(2001) 1539) (OJ L 181, 7/4/2001)

Corrigendum to Commission Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC (OJ L 181 of 4.7.2001) (OJ L 253, 9/21/2001)

Commission Decision 2004/915/EC of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries (notified under document number C(2004) 5271) (Text with EEA relevance) (OJ L 385, 12/29/2004)

Commission Decision 2002/16/EC of 27 December 2001 on standard contractual clauses for the transfer of personal data to processors established in third countries, under Directive 95/46/EC (Text with EEA relevance) (notified under document number C(2001) 4540) (OJ L 6, 1/10/2002)

Page 13: BINDING CORPORATE RULES

As we have already seen, the Data Protection Directive 95/46/EC allows personal data to be transferred outside the EEA only when the third country provides an "adequate level of protection" for the data (Art. 25) or when the controller adduces adequate safeguards with respect to the protection of privacy (Art. 26). Binding Corporate Rules (BCRs) are one of the ways in which such adequate safeguards (Art. 26) may be demonstrated "by a group of companies in respect of intra group transfers", although BCRs are not a tool expressly listed and set forth in the Data Protection Directive 95/46/EC.

The use of BCRs to provide a legal basis for international data transfers from the EEA requires the approval of each of the EEA data protection authorities (DPAs) from whose country the data are to be transferred. The following form is for use by companies seeking approval of BCRs. The form is based on two key papers issued by the Article 29 Working Party of European data protection authorities. One sets out a co-operation procedure among national supervisory authorities to issue common opinions on adequate safeguards resulting from the Binding Corporate Rules. The other establishes a model checklist to be used by data controllers to apply for approval of those rules as providing adequate safeguards. (WP 74 and WP 108 respectively)

(WP 133)

Page 14: GOOGLE PRIVACY PRACTICES

• Subpoena from the U.S. Department of Justice demanding disclosure of two full months’ worth of search queries that Google received from its users, August 2005

• Google opposed the Government’s motion to compel, February 17, 2006
  http://googleblog.blogspot.com/pdf/Google_Oppo_to_Motion.pdf

• Google announced a new policy to anonymize its server logs after 18-24 months
  http://googleblog.blogspot.com/2007/03/taking-steps-to-further-improve-our.html

• Letter from Article 29 Working Party to Google regarding their new privacy practices, May 16, 2007
  http://ec.europa.eu/justice_home/fsj/privacy/news/docs/pr_google_16_05_07_en.pdf

• Letter from Google responding to Data Protection Working Party, June 10, 2007
  http://64.233.179.110/blog_resources/Google_response_Working_Party_06_2007.pdf

• Peter Fleischer, Google’s Global Privacy Counsel, calls for Global Privacy Standards
  http://peterfleischer.blogspot.com/2007/09/need-for-global-privacy-standards.html

Page 15: RESOLUTION ON PRIVACY PROTECTION AND SEARCH ENGINES

28th International Data Protection and Privacy Commissioners’ Conference, London, United Kingdom, 2 and 3 November 2006

“Data Protection and Privacy Commissioners have been especially concerned about the possibility to draw up profiles of citizens in the past. Now the technology available on the Internet makes this practice, to a certain extent, technically possible on a global basis.”

Recommendations

1. Among other things, providers of search engines should inform users upfront in a transparent way about the processing of data in the course of using their services.
2. In view of the sensitivity of the traces users leave when using a search engine, providers of search engines should offer their services in a privacy-friendly manner.
3. In any case, data minimization is key.

http://ec.europa.eu/justice_home/fsj/privacy/news/docs/pr_google_annex_16_05_07_en.pdf

Page 16: SWIFT CASE

SWIFT (Society for Worldwide Interbank Financial Telecommunication) is an industry-owned cooperative based in Brussels that operates an electronic money service used by more than 7800 financial institutions to communicate with their counterparts around the world.

• Violation of EU privacy regulations by SWIFT.

• Existence of a secret international financial monitoring programme put in place by US law enforcement agencies after the events of 9/11.

• Constitutional right of all clients of financial institutions, regardless of their nationality or country of residence, to know what happened to their confidential data.

Page 17: SWIFT CASE (EUROPEAN PARLIAMENT)

European Parliament resolution on SWIFT, the PNR agreement and the transatlantic dialogue on these issues (P6_TA(2007)0039). Regarding the access to SWIFT data:

“… [f]or four years SWIFT, upon receipt of subpoenas, has been transferring to the US administration a subset of data treated in its US system, including data that did not concern US citizens and data not generated on US territory, based on commercial and systemic reasons …”

“Considers it very worrying that this situation, in breach of the Convention for the Protection of Human Rights and Fundamental Freedoms and the Charter of Fundamental Rights of the European Union, as well as of the Treaties and secondary legislation (Data Protection Directive and Regulation (EC) No 45/2001) …”

“Reiterates its belief that, under clearly defined conditions, data generated in financial transactions can be used exclusively for judicial investigative purposes in connection with suspicion of terrorism financing and recalls that both the EC and the US in their respective legislation …”

Page 18: SWIFT CASE (EUROPEAN PARLIAMENT)

“Believes that the EU and the US are fundamental and loyal allies in the fight against terrorism and that this legislative framework should therefore be the basis for the negotiation of a possible international agreement, based on the assumption that SWIFT as a Belgian company is subject to Belgian law and is consequently responsible for the treatment of data in accordance with Article 4(1) of Directive 95/46/EC …the natural consequence would be for SWIFT to be obliged to stop its current practice of mirroring all data concerning EU citizens and enterprises in its US site or to move its alternative database site outside US jurisdiction …”

Page 19: SWIFT (WP 29)

• Conclusion no 128 dated November 22, 2006 on the processing of personal data by SWIFT

• Among others:
  1. The EU Data Protection Directive 95/46/EC is applicable to the exchange of personal data via the SWIFTNet FIN service.
  2. SWIFT and the financial institutions in the EU have failed to respect the provisions of the Directive.

• Immediate actions to be taken to improve the current situation:
  1. Cessation of infringements
  2. Return to lawful data processing
  3. Actions as regards SWIFT: it must take the necessary measures to comply with Belgian data protection law
  4. Actions as regards Central Banks: clarification of the oversight on SWIFT
  5. Actions as regards financial institutions: give information to their clients about how their personal data are processed and their rights

Page 20: PNR AGREEMENTS

• November 19, 2001: The U.S. Aviation and Transportation Security Act introduced the requirement that airlines operating passenger flights to, from or through the United States provide US authorities, upon request, with electronic access to PNR data contained in their reservation and departure control systems.

• May 28, 2004: The European Community and the USA signed an Agreement that was denounced by the European Union.

• May 20, 2006: Judgment of the European Court of Justice. Joined Cases C-317/04 and C-318/04. The Court annulled Council Decision 2004/496/EC of 17 May 2004.

• October 16, 2006: Council Decision 2006/729/CFSP/JHA on the signing, on behalf of the European Union, of an Agreement between the European Union and the United States of America on the processing and transfer of passenger name record (PNR) data by air carriers to the United States Department of Homeland Security

• July 23, 2007: Council Decision 2007/551/CFSP/JHA. New long-term Agreement between the EU and the USA on PNR (2007 PNR Agreement)

• August 17, 2007: WP 29 Opinion. “… the new PNR agreement signed by the EU and the US in July 2007 does not even preserve the level of data protection of the previous agreement, which was already considered weak …”

Page 21: 2007 PNR AGREEMENT

WP 29, Opinion 5/2007

• “The safeguards provided for under the previous agreement have been markedly weakened”

• The number of transferable data elements has been increased and includes information on third parties other than the data subject

• The retention period has been extended to at least fifteen years and might be even longer

• “The new agreement leaves open serious questions and shortcomings, and contains too many emergency exceptions”

• Transition from “pull” to “push” system

• The agreement does not foresee any mechanism aimed at resolving disputes, leaving it up to the contracting parties

Page 22: DATA RETENTION

• Grounds of Directive 2006/24/EC
  - Fight against terrorism and “serious crimes”
  - Limitation of the fundamental rights and freedoms of individuals

• Some considerations about the provisions of the ePrivacy Directive
  - Definitions: services and providers subject to the Directive
  - Period of retention within the range of 6 months to 2 years
  - Security measures
  - Transposition: September 15, 2007, although each Member State may postpone application of the Directive until March 15, 2009 for the retention of communications data relating to Internet access, Internet telephony and Internet e-mail
  - Cost of data retention for ISPs
  - Other issues: companies operating in several countries; technical and technological differences between countries

• Global privacy concerns
  - Countries with an adequate level; data retention practices; standards
  - Global privacy standards? APEC, OECD, European Directives, etc.

Page 23: ICANN AND WHOIS DATABASE

WHOIS Database

• Does it violate the First Amendment of the US Constitution?
  - Anonymous free speech

• Does it violate the European data protection legislation?
  - Principles of Directive 95/46/EC (consent, purpose, accuracy…?)

Page 24: SOME COORDINATES

US                                    EU
Public safety         Democracy       Privacy
Civil rights                          Fundamental rights
                      BALANCE
Some legislation                      Constitutions
and auto-regulation                   and Laws