29e confÉrence internationale des commissaires À la protection des donnÉes et de la vie privÉe...
TRANSCRIPT
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Data Flows and Data Mirroring
Martin Abrams
September [email protected]
972.781.6667
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
We Are In the Infancy Of An Information Revolution
• Volume of information is expanding geometrically.– We talk of exabytes of data today vs.
terabytes yesterday and gigabytes the day before.
• Data processes are expanding the data that we can understand using computers.– So usable data is expanding geometrically
as well.
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
We Are in the Infancy of an Information Revolution (Cont.)
• Analytics are also improving at geometric rates.
– Information yields more value.• Emerging economies generate growth via
knowledge based employment.• Communications improvements mean that
work will be done where it may most effectively be done.
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Data Flows Over a Ten Year Period
1997
• Data transferred via tape or disk
• Data located and processed in same location
• Access and location the same
• Small network of controllers and processors
• Fairly simple regulatory challenge
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Data Flows Over a Ten Year Period
2007
• Data flows electronically• Data processed remotely and in many locations at
the same time
• Access maybe anywhere• Long chain of controllers and subcontractors all
adding value
• Complex challenge
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
What Is A Transfer Today?
• 24/7/365 customer service• Processing a payment for a purchase in China
with a card issued in Germany from a phone in a Canadian hotel room
• Business process re-engineering in India• Global project teaming in Spain, Russia, China,
Australia, US and Canada
• Social networking in a global community
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
An Example of Global Teaming
• Team created to address a medical problem– Doctors and scientists in 10 countries with
various expertise working as a virtual team
– New members might be added
• All need to look at the same data sets
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
An Example of Global Teaming (Cont)
• Data sets comprised of– Clinical data– Epidemiological data– Data on compounds and materials
• Data located in servers in all ten countries, but mirrored on every screen
• What regulatory scheme covers this teaming?
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Nature of Privacy Compounds Our Issue
• Privacy is local– Personal information protection– Domain for autonomy– Security
• Data flows are global• Yet individuals demand and expect that their
local expectations be met in an increasingly networked world
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Emerging Model of Governance• Privacy is local• Data flows are global• Obligations are universal
– Accountability based systems of governance• Binding Corporate Rules• Cross Border Privacy Rules• Growth of accountability agents and
methods– Linkages based on common principles
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Conclusion
• Data transfers and mirroring are a simple reflection of information and communications revolution.
• Information will drive growth and change.• Individual expectations must be met no matter
where the data is seen.• That means governance structures that are
consistent with privacy being local, data flows being global, and obligations being universal.
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Data Flows and Data Mirroring
Benjamin S. HayesAmericas Data Privacy Compliance Lead
Accenture, LLP
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Data Flows and Data Mirroring
• What data is flowing across borders, and where is it going?
• Why is the data moving? What are the trends?
• Predictions for the future
• Outsourcing—myth and reality
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Example 1: Commercial websiteContent / functionality modules (not including web advertisements) supplied by various third parties:
• Dell• Careerbuilder.com• Google• People magazine• Yahoo• Accuweather.com• Time.com• AOL• Fortune• Etc., etc., etc.
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Commercial Website (cont.)
• Each module, in turn is likely powered by a service provider to Google, Time, AOL, etc.
• These service providers may outsource part or all of the functionality to a subcontractor.
• Data input through a module may be accessible to multiple parties in multiple geographies.
• Virtually all of the controls to protect data will be contractual (as opposed to compliance with laws)
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Example 2—HR Outsourcing
• Services typically involve providing the majority of personnel administration functions:– Payroll– Benefits enrollment– Change of status – Communications to employees – Helpline for employee inquiries
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
How a hypothetical HRO is staffed• Assume client is in US, UK, NL and Belgium.
– Deal may be signed in London between Client UK and Accenture UK
• Accenture Consultants in US, UK, Argentina and Manila
• Call centers in Buenos Aires, Warsaw, and Kuala Lampur to ensure 24 hr coverage.
• Data processing in Bangalore
• Printing / mailing performed by third party in US.
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Why are services provided this way?
• Primary reason – cost – The search for efficiency and savings drives
outsourcing– Strong pressure on public companies to produce
profits for shareholders.
• Secondary reasons – – ability to distribute work to expert teams in various
geographies, – 24 hour capabilities, – languages
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Added complexity—communications infrastructure
• Servers are located in service locations, but are backed up on different continents for disaster discovery purposes.
• Secondary backup servers (“fail-over capacity”) may be in yet another country.
• The widely distributed service delivery team may use a private group website (hosted in Chicago, serviced from India) to collaborate on projects, share drafts, etc.
• The advent of VOIP may mean re-examining assumptions about the privacy /security of voice communications—caching, routing, clear-text packets, etc.
• All of this means a complex web of Model Clauses and other data transfer agreements must be applied to follow the data—difficult to administer.
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Predictions for the future• The distribution of data and segmentation of business processes is driven by
economics and improvements in information technology. Bandwidth availability will continue to improve, which will drive further distribution of data and segmentation of business processes.
• More businesses will engage in transitory data processing instead of traditional controllership.
• Business realities require consistent administration of data from many sources—this means there is economic demand for harmonized international rules regarding data sharing,
• Increased or disharmonized regulation that interferes with transborder data flows will mean some economic efficiencies are unrealized.
• Territorial limits on transborder data flows may do little to address actual risks—a risk-focused (rather than territorial) regulatory regime would be more protective of consumer interests.
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Outsourcing Myths
• Work is performed in substandard conditions, employing uneducated, untrustworthy people.
• Information security standards are lax.
• Data is necessarily less safe than it would be in its home country.
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Outsourcing—Reality• Work is performed
in modern business conditions by educated, trained, screened personnel
• Information security standards are extremely strict
• Data is safer than it might be in many other places
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Accenture Delivery Centers are focused on security expectations and are audited• Bangalore has been certified at Level 3 of the eSourcing
Capability Model for Service Providers by Carnegie Mellon University—1st outsourcer in the world to receive this designation
• 17+ Accenture delivery locations to receive SAS 70 Level II audits in 2007
• 8 centers are currently compliant with ISO 27001; 3 more will be added in October, 2007 (represents most of Accenture’s outsourced service delivery locations); variety of other standards certifications in place.
• Global mandatory training on data privacy for all personnel
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
DATA FLOWS & DATA MIRRORING
David Loukidelis
Information and Privacy Commissioner for British Columbia
oipc.bc.ca
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Changing Nature of Trans-Border Data Flows (TBDF)
• As the other members of the panel have noted, the nature, complexity, scale and range of global data flows have dramatically changed in just 10 years
• The economics are such that bandwidth will continue to grow, storage will get ever cheaper and ICT will go on evolving
• As we navigate the New Spice Routes (Alhadeff), challenges to traditional models of data protection (DP) will grow more acute
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Challenges to Traditional Accountability Mechanisms
• Governments and DPAs have long struggled with implications for DP enforcement of territorial limits of jurisdiction
• In Canada, constitutional limits on government authority result in a patchwork of similar but somewhat varying privacy laws
• Canadian DPAs thus face TBDF challenges similar to those across international borders
• Canadian legislative harmonization is desirable (compare US Uniform Law Conference approach)
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Challenges to Accountability (cont’d)
• Canadian DPA co-operation is desirable and is a reality, in public and private sector DPA activities
• Challenges to governments and DPAs are even greater in international TBDF
• Territorial limits on jurisdiction aside, basic nature of legal systems will vary, regulatory approaches often differ and cultures may clash
• This has to some degree been true since simpler days of ‘A to B’ batch data transfers
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Responding to Challenges
• Export control approach reflected in EU laws can be seen as one attempt to address challenges of TBDF
• US Safe Harbor is a noteworthy example of the challenges raised by varying policy responses to privacy issues, where one response is the export control approach
• Another response has been the model contract clauses approach (EU and ICC)
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Meeting New Challenges
• Rapidly changing nature and extent of TBDF demand new solutions—export control and model contract approaches are increasingly ill-suited for TBDF challenges
• What can be done?• Not a new question—and there are many
possible answers
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Regulatory Co-operation
• Bilateral DPA co-operation can be useful for specific complaints or cases (this can ease though not eliminate territorial limits issue—e.g., Abika case and Canada-US co-operation)
• DPA information sharing can help those co-operating better allocate enforcement resources
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Regulatory Co-operation (cont’d)
• Multilateral co-operation can achieve this and more—e.g., through creation of harmonized resources that smooth edges of privacy framework disparities
• Asia-Pacific Privacy Authorities organization as an example of multilateral co-operation in a regional international context
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Co-operation & What Else?
• There are clearly some serious limits on how fruitful co-operation can be—it cannot overcome the challenges mentioned earlier, most prominent being differences in legislative/regulatory regimes
• These challenges continue to drive the search for new approaches, to complement or replace existing approaches such as model contracts and export controls
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Cross-Border Privacy Rules (CBPR) Systems
• Leaving international standards aside for now (they have considerable merit in principle), CBPRs involve a corporation adopting privacy rules to govern their global conduct
• CBPRs can be underpinned by an international ‘standard’ like the APEC Privacy Framework
• Next step is for APEC and other organizations to establish accountability systems
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
CBPRs Systems (cont’d)
• Challenge is to find alternative, complementary approaches for ensuring accountability for privacy practices in a complex TBDF world
• Accountability agents like trustmarks offer promise—free of territorial restraints they could offer ADR, audit and redress and complement DPA and government action
29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 2929e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29thth INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Conclusion
• CBPRs systems offer promise• Work on international standards should
continue (OECD meets APEC meets ISO?)• DPAs can and should increase the level of
co-operation on various fronts• There is no panacea, but an array of
approaches can serve stakeholders well in the brave new world of TBDF