
www.internetsociety.org

HIGHLIGHTING THE CROSS-BORDER CHALLENGES – PRIVACY REGIMES

ABA Identity Management Legal Task Force Meeting

10-11 December 2012 London

The Internet Society

The gate-keeper criterion: personal data


Personal data: let’s compare… (regional)

any information relating to an identified or identifiable individual
• OECD Privacy Guidelines (1980)
• Council of Europe Convention 108 (1981)
• EU Data Protection Directive (1995) *with some additional clarification:
… an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity

any information about an identified or identifiable individual
• APEC Privacy Framework (2004) *personal information:
… It also includes information that would not meet this criteria alone, but when put together with other information would identify an individual.

Map slides (images omitted): the first definition (any information relating to an identified or identifiable individual) is the one shared by the EU, OECD and CoE instruments; the second (any information about an identified or identifiable individual) is the APEC one.

Personal data: let’s compare… (regional)

any information relating to an identified natural person or a person who may be identified by means reasonably likely to be used
• Madrid Resolution (2009)

any information relating to an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifiers or one or more factors specific to the physical, physiological, genetic, psychic, cultural, social or economic identity of that person
• Draft EU Directive and Draft EU Regulation (2012)

Personal data: let’s compare… (regional)

any information relating to “… an identified natural person or a natural person who can be identified, directly or indirectly, or singled out and treated differently, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person”
• Draft EU Directive and Draft EU Regulation (2012), with Article 29 Working Party Opinion 8/2012 regarding the definition of “data subject” in relation to the EU data protection reform discussions

Draft Convention on Cyber Legislation in Africa (2012)

any information relating to a physical person directly or indirectly identified or identifiable by reference to an identification number or to one or several elements relating to his/her physical, physiological, genetic, psychic, cultural, social or economic identity

Personal data: let’s compare… (national)

information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
• Privacy Act 1988 (Cth) – Australia *personal information

information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not.
• Privacy Amendment (Enhancing Privacy Protection) Act 2012 – due to come into effect in March 2014

Personal data: let’s compare… (national)

data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual
• Data Protection Act 1998 – UK

Personal data: let’s compare… (national)

information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization
• Personal Information Protection and Electronic Documents Act 2000 – Canada *personal information

Personal data: let’s compare… (national)

information about a living individual which can identify the specific individual by name, date of birth or other description contained in such information (including such information as will allow easy reference to other information and will thereby enable the identification of the specific individual)
• Act on the Protection of Personal Information 2003 – Japan

Personal data: let’s compare… (national)

"personal data" (個人資料) means any data –
(a) relating directly or indirectly to a living individual;
(b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
(c) in a form in which access to or processing of the data is practicable.
• Personal Data (Privacy) Ordinance – Hong Kong

Personal data: let’s compare… (national)

information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
• Data Privacy Act of 2011 – Philippines *personal information

Personal data: let’s compare… (national)

any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person
• Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules enacted under the provisions of the Information Technology Act 2000 – India *personal information

Personal data: let’s compare… (national)

any type of information related to identified or identifiable individuals or legal entities
• Personal Data Protection Law No. 25,326, as restated by the Regulatory Decree No. 1,558/2001 – Argentina

any information concerning an identified or identifiable individual
• Federal Law on Protection of Personal Data held by Private Parties – Mexico (2010)

any information on an individual which identifies or makes him identifiable through means that may be reasonably used
• Law for Personal Data Protection, Ley No. 29733 – Peru (2011)

Crossing boundaries …


Transfers across boundaries (some examples)

OECD Privacy Guidelines

A Member country should refrain from restricting transborder flows of personal data between itself and another Member country except where the latter does not yet substantially observe these Guidelines or where the re-export of such data would circumvent its domestic privacy legislation. A Member country may also impose restrictions in respect of certain categories of personal data for which its domestic privacy legislation includes specific regulations in view of the nature of those data and for which the other Member country provides no equivalent protection.

Transfers across boundaries (some examples)

OAS (preliminary principles)

International transfers of personal data should only be performed if the recipient of these offers the same level of protection, using the following factors:
1) the nature of data,
2) the country home,
3) the recipient country,
4) the purpose for data processing, and
5) the security measures established for the international processing and transfer.
Personal data can be transferred to a recipient that does not afford the same level of protection of personal data only when there is a contractual agreement that the transfer process and meet the level of protection required.

Transfers across boundaries (some examples)

EU: Binding Corporate Rules

“internal rules (such as a Code of Conduct) adopted by multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection”

US-EU: Safe Harbor Framework (2000)

voluntary; self-certifying; commitment; self-regulatory enforcement underpinned by regulatory enforcement (e.g. by the FTC)

Transfers across boundaries (some examples)

APEC Cross-Border Privacy Rules System

Four main components:
• Intake questionnaire for organisations
• Recognition criteria for Accountability Agents (AAs)
• Assessment criteria for AAs to use when reviewing an organisation’s answers to the intake questionnaire
• Regulatory cooperative arrangements to ensure enforceability

References:

• OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
• Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108)
• Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
• APEC Privacy Framework
• Madrid resolution – International Standards on the Protection of Personal Data and Privacy
• Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data
• Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)
• Article 29 Working Party Opinion 08/2012 providing further input on the data protection reform discussions
• Draft Convention on Cyber Legislation in Africa
• Privacy Act 1988 (Australia)
• Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Australia)
• Data Protection Act 1998 (UK)
• Personal Information Protection and Electronic Documents Act 2000 (Canada)
• Act on the Protection of Personal Data 2003 (Japan)
• Data Privacy Act of 2011 (Philippines)
• Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 enacted under the provisions of the Information Technology Act 2000 (India)
• Federal Law on Protection of Personal Data held by Private Parties 2010 (Mexico)
• Law for Personal Data Protection, Ley No. 29733 2011 (Peru)
• U.S.-EU & U.S.-Swiss Safe Harbor Frameworks
• APEC Cross Border Privacy Rules System


Contact: Christine Runnegar ([email protected])
