Cross Border Privacy: Intellectual Property Issues


Upload: karl-larson

Post on 16-Apr-2017


Page 1: Cross Border Privacy : Intellectual Property Issues

Cross-Border Privacy
Intellectual Property Issues

Karl Larson
April 13, 2007

Page 2: Cross Border Privacy : Intellectual Property Issues

Presentation Overview

• Privacy Limitation Justifications
• Models of Privacy Protection
• United States Protection of Information Privacy
• European Union Data Protection Directive
• US Department of Commerce-Safe Harbor
• Model Contracts for the Transfer of Personal Data to Foreign Countries

Page 3: Cross Border Privacy : Intellectual Property Issues

Presentation Overview

• Electronic Privacy Information Center (EPIC)
• Privacy International
• Data Protection Laws Around the World
• Privacy Laws Around the World

Page 4: Cross Border Privacy : Intellectual Property Issues

Threats to Privacy

• Increasing sophistication of information technology
  – Greater capacity to collect, analyze and disseminate information
• New developments in medical research and care, telecommunications, advanced transportation systems and financial transfers
  – Increased level of information generated by each individual
• Computers linked together by high speed networks
  – Increased capability of creating comprehensive dossiers on any person
• New technologies in law enforcement, civilian agencies and private companies

See Andrew T. Kenyon and Megan Richardson, New Dimensions in Privacy Law, International and Comparative Perspectives 3-10 (Cambridge University Press, 2006)

Page 5: Cross Border Privacy : Intellectual Property Issues

Privacy Limitation Justifications

• Free speech
• Market imperatives of commerce
• Public security
• Means to forge close relationships based on trust

See Andrew T. Kenyon and Megan Richardson, New Dimensions in Privacy Law, International and Comparative Perspectives 3-10 (Cambridge University Press, 2006)

Page 6: Cross Border Privacy : Intellectual Property Issues

Models of Privacy Protection

• Comprehensive laws
  – Europe, Australia, Hong Kong, New Zealand and Canada
• Sectoral Laws
  – United States
• Self-Regulation
  – United States
• Technologies of Privacy

Page 7: Cross Border Privacy : Intellectual Property Issues

United States Protection of Information Privacy
Targeted Approach

• No precise constitutional guarantee of the right to privacy in the United States
  – Constitutional rights apply to government, not private sectors
• Laws are typically targeted based on the type of data rather than all computerized personal data
• The four basic types of privacy rights under common law do not offer protection for informational privacy:
  – Intrusion upon seclusion
  – Publication of embarrassing private facts
  – Placing a person in a false light
  – Appropriation of name, likeness and identity

See, e.g., Anita L. Allen-Catellitto, Origins and Growth of U.S. Privacy Law, Second Annual Institute on Privacy Law: Strategies for Legal Compliance in a High-Tech & Changing Regulatory Environment 9, 24 (Practicing Law Institute 2001).

Page 8: Cross Border Privacy : Intellectual Property Issues

EU Data Protection Directive
95/46/EC (October 24, 1995)

See EU Directive, available at http://www.cdt.org/privacy/eudirective/EU_Directive_.html (last visited April 10, 2007)

• Imposes an obligation on member States to ensure that personal information is protected when it is exported to, and processed in, countries outside Europe

• A public official enforces the comprehensive data protection law

Page 9: Cross Border Privacy : Intellectual Property Issues

EU Data Protection Directive
Objective

• protect fundamental rights and freedoms of natural persons, including
  – right to privacy with respect to the processing of personal data
• the free flow of personal data between Member States is not to be restricted or prohibited

Page 10: Cross Border Privacy : Intellectual Property Issues

EU Data Protection Directive
Intent

Data-processing systems must respect fundamental rights and freedoms (whatever the nationality or residence of natural persons) including:

• right to privacy
• contributing to economic and social progress, trade expansion and the well-being of individuals

Page 11: Cross Border Privacy : Intellectual Property Issues

European Union Data Protection Directive
Article 2 – Definitions

• personal data – any information relating to an identified or identifiable natural person
• processing of personal data – any operation performed on personal data (e.g., collection . . . )
• the data subject's consent – any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data

Page 12: Cross Border Privacy : Intellectual Property Issues

European Union Data Protection Directive
Article 3 – Scope

The Directive applies to processing of all personal data except:

• Public security
• Defense
• State security
• Criminal activities of the State
• In the course of a purely personal or household activity

Page 13: Cross Border Privacy : Intellectual Property Issues

European Union Data Protection Directive
Article 6 – Personal data must be:

• processed fairly and lawfully
• collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes
• adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed
• accurate and, where necessary, kept up to date
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed

Page 14: Cross Border Privacy : Intellectual Property Issues

EU Data Protection Directive
Article 7 – Personal data may be processed only if:

• the data subject has unambiguously given his consent; or
• processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
• processing is necessary for compliance with a legal obligation to which the controller is subject; or
• processing is necessary in order to protect the vital interests of the data subject; or
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
• processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental

Page 15: Cross Border Privacy : Intellectual Property Issues

EU Data Protection Directive
Articles 10, 11 and 12

Subject has right to know:

• the identity of collector of information
• purpose for the collection

Page 16: Cross Border Privacy : Intellectual Property Issues

EU Data Protection Directive
Article 25 – transfers to non-European countries

• Transfer of personal data to a non-European country may take place only if the country ensures an “adequate level of data protection”
• EU and United States use different approaches:
  – United States – targeted privacy laws (typically targeting specific records)
  – EU – Omnibus approach (comprehensive privacy regulations)
• Where no adequate protection – transfer is permitted only by one of the narrow exceptions in Article 26

Page 17: Cross Border Privacy : Intellectual Property Issues

EU Data Protection Directive
Article 26 – Exceptions where no adequate protection

• subject has given unambiguous consent; or
• transfer is necessary for the performance of a contract

Page 18: Cross Border Privacy : Intellectual Property Issues

U.S. Department of Commerce
Commerce-Safe Harbor

See Welcome to the Safe Harbor, available at http://www.export.gov/safeharbor/ (last visited April 10, 2007)

• Created in response to the EU Data Protection Directive

Page 19: Cross Border Privacy : Intellectual Property Issues

US Department of Commerce-Safe Harbor
Seven Safe Harbor Principles

• Notice – must provide conspicuous notice to individuals about
  – purposes for which it collects and uses the personal information
  – types of third parties to which it discloses the personal information
  – contact information for complaints and inquiries
• Choice – must allow individual to opt-out or opt-in
  – opt-out of transferring personal information to a third party or using personal information for non-stated purpose if not sensitive
  – opt-in of transferring personal information to a third party or using personal information for non-stated purpose if sensitive (e.g., medical condition, political opinion, religious beliefs, sex life)

Page 20: Cross Border Privacy : Intellectual Property Issues

US Department of Commerce-Safe Harbor
Seven Safe Harbor Principles

• Transfers to Third Parties – must ensure that third party:
  – subscribes to the Safe Harbor
  – is subject to the EU Directive
  – other adequate finding
  – agrees to provide at least the same level of privacy protection as is required by the Safe Harbor
• Security – reasonable precautions to protect personal information from “loss, misuse and unauthorized access, disclosure, alteration and destruction”

Page 21: Cross Border Privacy : Intellectual Property Issues

US Department of Commerce-Safe Harbor
Seven Safe Harbor Principles

• Relevance – personal information must be relevant for the purposes for which it is to be used
• Access – individuals must have access to personal information about them and be able to “correct, amend, or delete” inaccurate information
• Enforcement – must include
  – mechanism for assuring compliance
  – recourse for individuals to whom the data relate affected by non-compliance
  – consequences when organization fails to comply

Page 22: Cross Border Privacy : Intellectual Property Issues

US Department of Commerce-Safe Harbor
Safe Harbor List

See Safe Harbor List, available at http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list (last visited April 10, 2007)

Page 23: Cross Border Privacy : Intellectual Property Issues

Model Contracts for the Transfer of Personal Data to Foreign Countries

See Model Contracts for the transfer of personal data to third countries, available at http://ec.europa.eu/justice_home/fsj/privacy/modelcontracts/index_en.htm (last visited April 10, 2007)

Member States are not under an obligation to notify the Commission if standard contractual clauses are used

See Article 26(3)

Page 24: Cross Border Privacy : Intellectual Property Issues

EU-US Data Disclosure
Ongoing Issues Concerning European Airline Passenger Data

• On May 17, 2004, the European Commission adopted a decision recognizing adequate privacy protections in EU-US passenger data disclosure (allowed the transfer of personal information on European airline travelers to the U.S. government)
• On May 30, 2006, the European Court of Justice struck down the EU-US passenger data disclosure deal
• On October 6, 2006, the United States and the EU established a temporary arrangement that will expire in July of 2007

See EU-US Airline Passenger Data Disclosure, available at http://www.epic.org/privacy/intl/passenger_data.html (last visited April 11, 2007)

Page 25: Cross Border Privacy : Intellectual Property Issues


Electronic Privacy Information Center (EPIC)

See Electronic Privacy Information Center, available at http://www.epic.org/ (last visited April 10, 2007)

• A public interest research center in Washington, D.C.

• Established in 1994

• Focuses on emerging civil liberties issues and protecting privacy, the First Amendment, and constitutional values

Page 26: Cross Border Privacy : Intellectual Property Issues

Privacy International

See Privacy International, available at http://www.privacyinternational.org/ (last visited April 10, 2007)

• A human rights group formed in 1990 as a watchdog on privacy issues

• Based in London (an office in Washington, D.C.)

• Conducts campaigns and research throughout the world

Page 27: Cross Border Privacy : Intellectual Property Issues

Google Gmail
Email Content Based Advertising

See About Gmail, available at http://mail.google.com/mail/help/screen2.html (last visited April 12, 2007)

Page 28: Cross Border Privacy : Intellectual Property Issues

Google Gmail
Privacy International Complaint

See Complaint: Google Inc – Gmail email service, available at http://www.privacyinternational.org/issues/internet/gmail-complaint.pdf (last visited April 11, 2007)

Arguments include:

• Violates Article 17 for not accepting liability for security of personal information
  Google disclaims all responsibility and liability for the availability, timeliness, security or reliability of the Service.
• Violates Article 29 for a third party reading the contents of email between two parties
  Google also reserves the right to access, read, preserve, and disclose any information as it reasonably believes is necessary to (a) satisfy any applicable law, regulation, legal process or governmental request, (b) enforce this Agreement, including investigation of potential violations hereof, (c) detect, prevent, or otherwise address fraud, security or technical issues (including, without limitation, the filtering of spam), (d) respond to user support requests, or (e) protect the rights, property or safety of Google, its users and the public.
• Violates Article 7 for processing personal data without unambiguous consent

Page 29: Cross Border Privacy : Intellectual Property Issues

Google Gmail
Groups Call for Investigation of Gmail

• On May 3, 2004, EPIC, Privacy Rights Clearinghouse, and the World Privacy Forum urged the Attorney General of California to investigate Google’s Gmail service
  – Argued that the scanning of e-mails for targeted marketing violates California’s wiretapping laws (California Penal Code § 631)
• The groups also called upon Google to suspend the service again, as Gmail users could be liable for violations of the law.

See Groups Call for Investigation of Gmail, available at http://www.epic.org/news/2004.html (last visited April 12, 2007)

Page 30: Cross Border Privacy : Intellectual Property Issues


Data Protection Laws Around the World

• Blue – Comprehensive Data Protection Law Enacted

• Red – Pending Effort to Enact Law

• White – No Law

See Data Protection Laws Around the World, available at http://www.privacyinternational.org/survey/dpmap.jpg (last visited April 12, 2007)

Page 31: Cross Border Privacy : Intellectual Property Issues

Privacy Laws Around the World
Canada – The Personal Information Protection and Electronic Documents Act

• Passed on April 13, 2000
• Applies to organizations that collect, use or disclose personal information in the course of commercial activities
  – Excludes certain government institutions to which the Privacy Act applies
  – Excludes certain individuals collecting, using or disclosing public information solely for personal or domestic purposes
  – Excludes certain organizations collecting, using or disclosing public information solely for journalistic, artistic or literary purposes
• Personal Information – “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.”
• Appropriate purposes – an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances

See The Personal Information Protection and Electronic Documents Act, available at http://www.privcom.gc.ca/legislation/02_06_01_e.asp (last visited April 12, 2007)

Page 32: Cross Border Privacy : Intellectual Property Issues

Privacy Laws Around the World
Canada – The Personal Information Protection and Electronic Documents Act

• Notice – must provide notice to individuals about
  – purposes for which it collects and uses the personal information
  – procedures to gain access to personal information held by the organization
  – contact information of the person who is accountable for the organization’s policies and to whom complaints or inquiries can be sent
• Limited Collection – collection of personal information shall be limited to that which is necessary for the purposes identified by the organization

See The Personal Information Protection and Electronic Documents Act, available at http://www.privcom.gc.ca/legislation/02_06_01_e.asp (last visited April 12, 2007)

Page 33: Cross Border Privacy : Intellectual Property Issues

Privacy Laws Around the World
Canada – The Personal Information Protection and Electronic Documents Act

• Security – must implement security safeguards against loss or theft, unauthorized access, disclosure, copying, use, or modification
• Choice – Very limited exceptions where personal information may be used, disclosed or collected without prior consent
• Accurate – must be accurate, complete and up-to-date as is necessary for the purpose for which it is to be used
• Purpose – must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law

See The Personal Information Protection and Electronic Documents Act, available at http://www.privcom.gc.ca/legislation/02_06_01_e.asp (last visited April 12, 2007)

Page 34: Cross Border Privacy : Intellectual Property Issues

Japan – Personal Information Protection Law
Privacy Laws Around the World

• Passed on May 23, 2003
• Protects information of individuals
  – does not cover information of corporations
• Applies to the National government, public organizations, and Personal Information Handling Enterprises
• Establishes penalties for data collectors who violate the law
• Personal Information – “information that may make a living individual distinguishable from others.”
• Personal Information Handling Enterprises – entities that use Personal Information Databases in their businesses
  – Excludes the National government, local public organizations, independent administrative agencies and local independent administrative agencies
  – Excludes enterprises that process less than 5,000 personal information records per day

Page 35: Cross Border Privacy : Intellectual Property Issues

Japan – Personal Information Protection Law
Privacy Laws Around the World

• Notice – must provide notice to individuals about
  – name of the data collector
  – purposes for which it collects and uses the Personal Information
    • personal information may not be used in a manner that exceeds the scope without prior consent from the individual
  – procedures to access, modify and terminate the use of personal information
  – contact information for complaints and inquiries (complaints must be responded to adequately and promptly)
• Relevance – personal information must be relevant for the purposes for which it is to be used

Page 36: Cross Border Privacy : Intellectual Property Issues

Japan – Personal Information Protection Law
Privacy Laws Around the World

• Security – must implement security safeguards and provide proper supervision of employees and other entities to which personal information may be entrusted
• Choice – Generally, personal information may not be disclosed or made available to third parties without prior consent (“opt in”); exceptions, when disclosure is:
  – made in accordance with the law
  – necessary to protect life, body or property
  – necessary to protect public health
  – necessary for governmental purposes

Page 37: Cross Border Privacy : Intellectual Property Issues


Australia – Federal Privacy Act

See The Office of the Privacy Commissioner, Federal Privacy Law, available at http://www.privacy.gov.au/act/index.html (last visited April 12, 2007)

Privacy Laws Around the World

Page 38: Cross Border Privacy : Intellectual Property Issues

Other Countries
Privacy Laws Around the World

• Mexico
  – Article 214 of the Penal Code protects the disclosure of personal information held by government agencies
  – The General Population Act regulates the National Registry of Population and Personal Information
• Russia
  – Article 24 of the Russian Federation forbids gathering, storing, using and disseminating information on the private life of any person without consent
• France
  – The Data Protection Act covers personal information held by government agencies and private entities

Page 39: Cross Border Privacy : Intellectual Property Issues

Cross-Border Privacy Tips

• There is a global trend toward comprehensive protection which must be taken into consideration; may require personal information to be:
  – obtained fairly and lawfully
  – used only for the original specified purpose
  – adequate, relevant and not excessive to purpose
  – accurate and up to date
  – destroyed after its purpose is complete
• Current international laws should be reviewed prior to any cross-border transfers of personal information and periodically reevaluated
  – Confirm compliance with Safe Harbor provisions for transfers between US and EU
• You are likely to be required to provide additional privacy protections for any cross-border transfers

Page 40: Cross Border Privacy : Intellectual Property Issues

Useful Resources

• www.privacy.org
  – Joint project of the Electronic Privacy Information Center (EPIC) and Privacy International
• www.privacyinternational.org
  – Privacy International
• www.epic.org
  – Electronic Privacy Information Center
• www.coe.int
  – Council of Europe
• www.oecd.org
  – Organization for Economic Co-operation and Development
• www.export.gov/safeharbor
  – U.S. Department of Commerce Safe Harbor
• www.privacy.gov.au
  – The Office of the Privacy Commissioner of Australia

Page 41: Cross Border Privacy : Intellectual Property Issues

Gardere Wynne Sewell LLP
Karl Larson
3000 Thanksgiving Tower
1601 Elm Street
Dallas, TX 75201-4761
Phone: 214.999.4582
Fax: 214.999.3582

[email protected]