why are more companies joining the u.s. - eu safe harbor ...ing shadows of ever-tightening security...

Establishing an annual privacy risk assessment process toidentify new or changed risks to personal information isa key enhancement to Generally Accepted Privacy

Principles (GAPP). GAPP is an internationally recognized priva-cy framework developed by the American Institute of CertifiedPublic Accountants (AICPA) and the Canadian Institute ofChartered Accountants (CICA).

“An annual risk assessment is critical to understanding the privacy risks within an organization,” said Everett C.Johnson, CPA, chair of the AICPA/CICA Privacy Task Force anda past international president of ISACA. “Once those risks areidentified and assessed, the organization can then take the

The U.S. Department of Commerce (U.S. DOC) recentlyheld its 2009 International Conference on Cross BorderData Flows & Privacy in Washington, DC. The U.S. DOC

announced at the conference that an increasing number ofcompanies are choosing to self-certify compliance with theU.S.-EU Safe Harbor Privacy Framework (Safe Harbor). Everymonth, approximately 50 companies file initial self-certificationsto the Safe Harbor, and approximately 150 companies submitannual re-certifications. More than 50 percent of the compa-nies in the Safe Harbor have joined during the past two years.At present, there are more than 2,100 companies included onthe U.S. DOC’s Safe Harbor list. Placed in context, this means

that more companies join Safe Harbor in a single month thanthe total number of companies that have obtained approval forbinding corporate rules to date (as discussed later, such bindingcorporate rules are another key approach to cross-border datatransfers).

AICPA and CICA update

Generally Accepted Privacy

Principles

By Nancy A. Cohen, CPA.CITP, CIPP, and Nicholas F. Cheung, CA, CIPP/C

See, U.S. - EU Safe Harbor, page 4

This Month

The year ahead: privacy predictions 2010............................. 3

Managing global data privacy ...............… 14

Privacy and pandemic planning.................. 15

The Lisbon Treaty and data protection....... 17

New international privacy principles for lawenforcement and security ........................... 18

FTC privacy roundtable signals policy shift ................................................... 20

Global Privacy Dispatches .......................... 26

Calendar of events ...................................... 29

Privacy news................................................ 29

Surveilled..................................................... 30

10 privacy resolutions................................. 34

Why are more companies joining the U.S. - EU Safe Harbor

privacy framework?

By Brian Hengesbaugh, Michael Mensik, and Amy de LaLama of Baker & McKenzie LLP

See, GAPP update, page 10

Brian Hengesbaugh Michael Mensik Amy de La Lama

Nancy A. Cohen

Nicholas F. Cheung

This story originated as a Baker & McKenzie LLP NorthAmerica Global Privacy Client Alert and is republished herewith permission

110561_Advisor_Document 3 2/17/10 2:54 PM

THE PRIVACY ADVISOREditorKirk J. Nahra, CIPP, Wiley Rein [email protected]+202.719.7335

Publications DirectorTracey [email protected]+207.351.1500

The Privacy Advisor (ISSN: 1532-1509) is published bythe International Association of Privacy Professionalsand distributed only to IAPP members.

ADVISORY BOARD

Miranda Alfonso-Williams, CIPP, CIPP/IT, Global PrivacyLeader, MDx GE Healthcare

Nathan Brooks, CIPP

Kim Bustin, CIPP/C, President, Bustin Consulting Limited

Debra Farber, CIPP, CIPP/G, Privacy Officer, The AdvisoryBoard Company

Benjamin Farrar, CIPP, Manager, Privacy Team, Quality &RM, Ethics & Compliance, Ernst & Young LLP

Steven B. Heymann, CIPP, VP, Compliance andInformation Practices, Experian

Michael Kearney, Student/Research Assistant, William& Mary School of Law

Jim Keese, CIPP, Global Privacy Officer, VP Records &Information Mgmt, The Western Union Company

Stephen Meltzer, CIPP, Privacy and Corporate Counsel,Meltzer Law Offices

David Morgan, CIPP, CIPP/C, Privacy Officer-SecondaryUses, Newfoundland and Labrador Centre for HealthInformation

Dan Ruch, Privacy and Data Protection Consultant, KPMG

Luis Salazar, CIPP, Partner, Infante, Zumpano, Hudson &Miloch, LLC

Heidi Salow, CIPP, Of Counsel, DLA Piper

Julie Sinor, CIPP, Information Management Consultant,PricewaterhouseCoopers, LLP

Eija Warma, Associate Attorney, Castren & SnellmanAttorneys Ltd

Frances Wiet, CIPP, Chief Privacy Officer, HewittAssociates LLC

To Join the IAPP, call:+800.266.6501

Advertising and Sales, call:+800.266.6501

PostmasterSend address changes to:IAPP170 Cider Hill RoadYork, Maine 03909

Subscription PriceThe Privacy Advisor is an IAPP member benefit.Nonmember subscriptions are available at $199 per year.

Requests to ReprintTracey [email protected]

Copyright 2010 by the International Association ofPrivacy Professionals. All rights reserved. Facsimilereproduction, including photocopy or xerographic reproduction, is strictly prohibited under copyright laws.

Looking forward and back

Rewind 10 years. Social networking involvedthe spoken word, smart phones were less intel-

ligent, and nobody “noticed” when there was asecurity breach. And a handful of people gatheredaround the idea that the emerging role of privacywithin organizations needed a bit more networkingand collaborative education. The IAPP was born.

In the months ahead we will look back over the 10 remarkableyears that have shaped our profession, so far. To kick off the yearlonganniversary celebration, we’ll come together in Washington, DC andat telecast locations around the world to share memories and to lookahead to future decades with the release of our report The RoadAhead: The Next-Generation Privacy Professional. We hope you willjoin us for what is bound to be a memorable milestone.

Not everything is worth remembering, but in today’s world ofhyper-connectivity, massive data flows, and cheap storage, we canrelive faded memories at the click of a mouse. The affect of this near-perfect memory on human processes such as forgiving and healing has been an area of study for Viktor Mayer-Schönberger, aninformation governance scholar who says the act of ‘forgetting’ has asocial value that could be in jeopardy. Mayer-Schönberger is theauthor of Delete: The Virtue of Forgetting in the Digital Age. He willjoin us at the upcoming Global Privacy Summit in April to discuss this and the concept of ‘data expiration dates.’

Also joining us at Summit will be Dan Ariely. Ariely is a behavioral economist and the author of Predictably Irrational: TheHidden Forces That Shape Our Decisions. Why consumers do whatthey do with their data is a question at the very heart of our work inthe privacy field. Ariely will shed light on this and other humanbehaviors that relate to privacy and data protection. We look forwardto seeing you there.

We also look forward in this issue of the Privacy Advisor, withexperts’ forecasts for the year ahead. We hope you enjoy the issue andhope to see you at upcoming events.

J. Trevor Hughes, CIPPExecutive Director, IAPP

Notes From the Executive Director

January-February • 2010

2 www.privacyassociation.org


170 Cider Hill RoadYork, ME 03909 Phone: +800.266.6501 or +207.351.1500Fax: +207.351.1501Email: [email protected]

The Privacy Advisor is the official newsletter of the InternationalAssociation of Privacy Professionals. All active associationmembers automatically receive a subscription to The PrivacyAdvisor as a membership benefit. For details about joining IAPP,please use the above contact information.

BOARD OF DIRECTORSPresidentNuala O'Connor Kelly, CIPP, CIPP/G, Chief Privacy Leader &Senior Counsel, Information Governance, General ElectricCompany, Washington, DC

Vice PresidentBojana Bellamy, LLM, Director of Data Privacy, Accenture,London, UK

TreasurerJeff Green, CIPP/C, VP Global Compliance & Chief PrivacyOfficer, RBC, Toronto, ON, Canada

SecretaryJane C. Horvath, CIPP, CIPP/G, Senior Global PrivacyCounsel, Google Inc., Washington, DC

Past PresidentJonathan D. Avila, CIPP, Vice President - Counsel, ChiefPrivacy Officer, The Walt Disney Company, Burbank, CA

Executive Director, IAPPJ. Trevor Hughes, CIPP, York, ME

Allen Brandt, CIPP, Corporate Counsel, Chief Privacy Official,Graduate Management, Admissions Council, McLean, VA

Agnes Bundy Scanlan, Esq., CIPP, Chief Regulatory Officer, TDBank, Boston, MA

Malcolm Crompton, CIPP, Managing Director, InformationIntegrity Solutions Pty/Ltd, Chippendale, Australia

Stan Crosley, Esq., CIPP, Partner, Co-Director, Indiana U. Centerfor Strategic Health Information Provisioning, Indianapolis, IN

Dean Forbes, Senior Director Global Privacy, Schering-PloughCorporation, Kenilworth, NJ

D. Reed Freeman, Jr., CIPP, Partner, Morrison & Foerster, LLP,Washington, DC

Sandra R. Hughes, CIPP, Global Ethics, Compliance and PrivacyExecutive, The Procter & Gamble Company, Cincinnati, OH

Alexander W. Joel, CIPP, CIPP/G, Civil Liberties ProtectionOfficer, Office of the Director of National Intelligence,Bethesda, MD

Brendon Lynch, CIPP, Senior Director, Privacy Strategy,Microsoft Corporation, Redmond, WA

Lisa Sotto, Esq., Partner, Hunton & Williams LLP, New York, NY

Scott Taylor, Chief Privacy Officer, Hewlett-Packard, Palo Alto, CA

Florian Thoma, Chief Data Protection Officer, Siemens,Munich, Germany

Richard Thomas CBE LLD, Centre for Information PolicyLeadership, Hunton & Williams LLP, Surrey, UK

Brian Tretick, CIPP, Executive Director, Advisory Services, Ernst& Young, McLean, VA

Ex Officio Board MemberKirk J. Nahra, CIPP, Partner, Wiley Rein LLP, Washington, DC

THE PRIVACY ADVISOR

International Association of Privacy Professionals 3

THE YEAR AHEAD:

At the end of each year, the Privacy Advisor polls professionals worldwide tofind out what they see in the year ahead for privacy and data protection. Inthis first issue of 2010, we present their forecasts. We begin with that ofCanadian Privacy Commissioner Jennifer Stoddart. Commissioner Stoddart isentering her seventh and final year as Privacy Commissioner of Canada. In2009 her office made worldwide waves with its unprecedented investigationinto the privacy policies and practices of social networking giant Facebook.Her office will continue to monitor the privacy practices of social networkingsites in the year ahead, in addition to other areas she anticipates will com-mand attention.

Here is Commissioner Stoddart’s forecast. See more 2010 predictionsthroughout the newsletter.

PREDICTIONs for privacy and data protection in Canada, 2010

In 2010, Canada’s privacy landscape will be painted in

many of the same hues and textures familiar to

Americans and others around the globe—the disquiet-

ing shadows of ever-tightening security measures, the

striking, often puzzling, palette of bold new consumer

technologies. And, dawning over the horizon, are unset-

tling new ways to extract even the most personal of

information from the genetic material of human beings.

Focused as we are on helping Canadians protect

the integrity of their identities, my office will continue to advance our long-

standing efforts to hold social networking sites accountable for the personal

information entrusted to them by Canadians. While British Columbia hosts

the world at the 21st Winter Olympics, we will be monitoring the privacy

implications arising from a mounting array of national security initiatives.

Biometrics and genetic technologies pose other privacy challenges of con-

cern to us. And emerging information technologies, such as cloud computing

and the tracking, profiling, and targeting of consumers by business, will

become major focuses of interest as the year unfolds.

The need for consistent and enforceable global privacy standards has

never been more important. We will continue to participate in the interna-

tional dialogue, which will continue to intensify.—Jennifer Stoddart

Privacy Commissioner of Canada

PRIVACY

-2010-2010PREDICTIONS


Why are increasing numbers ofcompanies joining the Safe Harbor?What factors cause companies tochoose Safe Harbor over other approach-es to addressing cross-border data trans-fer restrictions? This article exploressome of the drivers for an increasingnumber of “Safe Harborites,” and identi-fies key differences between SafeHarbor and the alternative approaches. Italso discusses special issues related tooutsourcing service providers, recentenforcement actions, and trends relatedto global privacy compliance.

1. What is the Safe Harbor and how

does it work?

The Safe Harbor is one approach U.S.companies can adopt to address thecross-border data transfer restrictionsunder the European Commission’s 1995Data Protection Directive (95/46/EC)(Directive). Specifically, the Directiveprohibits the transfer of personally iden-tifiable information about individualslocated in the European Union (EUPersonal Data) to the United States orother locations outside the EuropeanEconomic Area, unless the data recipi-ent is subject to a law or other bindingscheme that provides “adequate protec-tion” for such EU Personal Data (DataTransfer Restriction), or otherwise quali-fies for an exception to this require-ment.

Examples of where the DataTransfer Restriction might apply includesituations where a U.S.-based multina-tional needs to receive EU Personal Datarelating to:

i) Employees or contractors of its subsidiaries in the EU (e.g., talent man-agement and performance data, benefitsand payroll information, data related tocodes of conduct or whistleblower hot-lines, or other information);

ii) Consumers or corporate customercontacts in the EU (e.g., customer relationship management or CRM data,or the like);

iii) Customers’ customers or other end users in the EU (e.g., where themultinational is an outsourcing serviceprovider); and

iv) Other categories of individuals(e.g., job candidates, clinical trial subjects, business partners, or others).

As mentioned above, the EuropeanCommission has issued a decision that, if a U.S. organization self-certifiescompliance to the Safe Harbor, it will bedeemed to provide “adequate protec-tion” and satisfy the Data TransferRestriction for the duration of its partici-pation in the Safe Harbor. In practice, aneligible organization in the U.S. can jointhe Safe Harbor by (i) conducting duediligence and taking the necessarysteps to conform its data handling prac-tices to the Safe Harbor rules (e.g., pro-viding data subjects in the EU with asufficient privacy notice, maintainingreasonable security for covered EUPersonal Data, providing individuals inthe EU with access to their own EUPersonal Data, and taking other steps);and (ii) completing the self-certificationform with the U.S. DOC. Once theorganization completes the self-certifica-tion, its name and Safe Harbor registra-tion will be published on the U.S. DOC’slist of Safe Harbor companies, and willbe deemed to provide “adequate pro-tection” for categories of EU PersonalData covered by its self-certification.After that point, any violation of the SafeHarbor rules can be subject to anenforcement action by the U.S. FederalTrade Commission.

2. What alternative approaches could

U.S. companies use to address the

data transfer restriction?

U.S. companies could also address theData Transfer Restriction through othermeans, such as: obtaining express con-sent from the individuals at issue(Express Consent); adopting and obtain-ing approvals from data protectionauthorities for a set of binding corporaterules (BCRs); or establishing privacyagreements that conform to standardcontractual clauses issued by the

European Commission (ModelContracts). A brief summary of each ofthese options is set out here:

i) Express Consent. Five or 10 yearsago, many companies adopted theExpress Consent approach to interna-tional data transfers, particularly withrespect to EU Personal Data aboutemployees. Today, relatively few compa-nies are selecting Express Consent as acomprehensive solution to addressingData Transfer Restrictions. This is due toseveral factors, including concerns about“drop out” rates where some individu-als may not consent, and recent opin-ions of data protection authorities thatsuch consents, particularly by employ-ees, may not be “freely given” andtherefore may be invalid. It is worth-while to note that Express Consent isstill a useful solution for limited or spe-cific situations (e.g., e-commerce offer-ings with “accept” clicks, employeestock options, and the like).

ii) Binding Corporate Rules (BCRs).BCRs have received significant tradepress attention lately. The concept ofBCRs is attractive because a group ofaffiliated companies will have the flexibility to develop its own articulationof privacy rules for intra-group dataflows. This allows the group to tailor therules to its actual data flows and busi-ness culture. However, the group is notfree to develop whatever rules it likes—itmust still comply with guidance issuedby European data protection authoritiesregarding the data privacy principleswhen developing such rules. The groupmust also seek substantive approvals forthe BCRs from the data protectionauthorities in the relevant EU countries.Also, BCRs only cover intra-group datatransfers, and do not cover transfers toor from unaffiliated parties (e.g., serviceproviders, business partners, M&A par-ties), and in practice many companieshave applied BCRs to human resourcesdata only, due in part to the complexityof obtaining approvals for customer orother categories of data. Despite recentefforts by the European data protectionauthorities to streamline the approval

U.S. - EU Safe Harborcontinued from page 1




process, the negotiations with data pro-tection authorities for the approval forBCRs still require time and resourcesand tend to discourage companies frompursuing this approach unless they havesignificant resources to devote to theprocess. There are no published statis-tics available as to how many companieshave obtained approvals for BCRs,although latest estimates indicate thatthe number is less than 30.

iii) Model Contracts. Model Contractshave advantages in that, unlike BCRs,the terms are pre-approved by theEuropean Commission (no substantivedata protection authority approvalsrequired). Also, unlike Express Consent,there is no need to obtain approval fromaffected individuals. Although SafeHarbor shares both of these advan-tages, Model Contracts do have certainadvantages relative to Safe Harbor,including that they facilitate cross-borderdata transfers from the EU to jurisdic-tions outside the U.S. (e.g., data trans-fers from Europe to Asia, Latin America,and other regions and jurisdictions).Model Contracts also are not subject toenforcement by the U.S. Federal TradeCommission, and rely exclusively onlocal enforcement by data protectionauthorities and courts in the EuropeanUnion. Model Contracts have certaindisadvantages relative to Safe Harbor,including that a proper implementationrequires the execution and maintenanceof a network of intercompany privacyagreements between and among affili-ates worldwide. Acquisitions or othercorporate changes will trigger require-ments to execute new agreements, andchanges in business processes or datatransfers can also require adjustmentsto the existing intercompany framework.In addition, the specific terms in theModel Contracts (which sometimes canbe difficult to understand and follow)cannot be changed in any way withouttriggering a data protection consultationor approval requirement and subse-quently creating a risk that the agree-ments will not be recognized by suchauthority as a valid implementation ofthe “model” agreement. Finally, among

the other terms, the Model Contractscontain express third-party beneficiaryrights for the data subjects to sue theEU affiliate (as “data exporter”) and, incertain circumstances, the U.S. parent(as “data importer”) for violations of theterms of the contract. There are no pre-cise numbers of companies that utilizeModel Contracts to protect internationaldata transfers, although the “pre-approved” nature of the agreementsand their longstanding availability, com-bined with experience, suggests thatthey have been used at least as fre-quently as Safe Harbor to protect datatransfers to the U.S.

3. Why would a U.S. company select

the Safe Harbor?

U.S. companies may choose to join theSafe Harbor for a variety of reasons.Several of the key driving factors mayinclude:

i) Increased demands for cross-borderdata transfers. U.S. companies areexperiencing increased demands forcross-border data transfers, such as: (a) greater integration of global businessoperations, (b) consolidation of informa-tion technology infrastructure and support services, (c) implementation of company codes of conduct andwhistleblower hotlines, (d) increasedrequirements to conduct global internalinvestigations, and to respond to govern-ment inquiries and e-discovery and litiga-tion demands on a worldwide basis.

ii) Increased scrutiny of data transferpractices. U.S. companies are also find-ing that relevant stakeholders are engag-ing in increased scrutiny of company pri-vacy practices, including works councilsand other employee-representative bod-ies, individual employees, data protec-tion authorities, consumers, competi-tors, and others. This requires the com-panies to select and implement reliablesolutions for international data transfers.

iii) More flexibility for onward transferswhere required by U.S. law, ordered

THE PRIVACY ADVISOR



PRIVACY


In between the FTC Roundtables,

federal legislation, and HIPAA

regulations, I believe privacy will

be at the forefront of concerns

for many companies. It will be

important to follow privacy events

in the EU, as well, since those

may affect FTC thinking. With

respect to data security, with the

data breaches that occurred in

2009, unless there is clear federal

preemption, I would envision

more states considering specific

and prescriptive data security

requirements.

—Benita Kahn, CIPP, Partner, Vorys, Sater, Seymour and Pease LLP

Widespread adoption of the

icon for online behavioral

advertising will occur and be visi-

ble across the Internet. Progress

on important legal and policy

issues will occur if all interests

continue to work constructively

together. The public will call for

more aggressive use of personal

information to protect citizens

against terrorism. Technology and

the Information Age will reach

new heights with wireless and

television innovation and benefits

that rely on consumer information.

Public love for the Internet

continues to reach new peaks.

—Stu Ingis, Partner, Venable LLP


by a court, or necessary to perform acontract. Safe Harbor has more flexiblerules than Model Contracts with respectto onward transfers to third parties.Specifically, Model Contracts prohibit therelevant company from disclosing data tothird parties unless it has obtained theagreement of the recipient to abide bythe Model Contract terms, or hasobtained consent from individuals. Suchrules may be difficult for a company tosatisfy fully in the context of U.S. govern-ment demands for data, court orders ine-discovery or litigation, or data transfersthat are necessary to perform a contractwith the individual data subject. Similarly,the specific rules on such onward trans-fers in BCRs need to be negotiated on acase-by-case basis with the Europeandata protection authorities, and may like-wise be difficult to satisfy depending onthe outcome of such negotiations. Incontrast, the Safe Harbor provides impor-tant exceptions to onward transferrestrictions, such as for situations wherethe data sharing is required by a legalrequirement in the U.S. (e.g., in the con-text of government demands for data), acourt order in the U.S. (e.g., the contextof e-discovery), and data sharing that isnecessary to perform a contract with thedata subject, or otherwise qualifies forexceptions in the Directive or nationaldata protection laws.

iv) Greater control for the U.S. company. Safe Harbor provides the U.S.company (versus local affiliates) withgreater control over the cross-borderdata transfer solution than ModelContracts and BCRs. The Safe Harbor pri-marily requires the U.S. company toundertake relevant compliance steps,and does not generally require significantlocal affiliate involvement. In contrast,Model Contracts require the participationof local affiliates in Europe to executethe intercompany agreements. On anongoing basis, Model Contracts by theirown terms provide local affiliates withaudit and other rights over the U.S. com-panies (a situation that often does not

represent the actual hierarchical struc-ture of a U.S.-based company and itslocal affiliates). BCRs require even moreextensive participation of local affiliatesto negotiate for substantive approvalsfrom data protection authorities for theterms in the BCRs.

v) Achievable and practical nature ofSafe Harbor. Safe Harbor is an achiev-able and practical solution because,unlike BCRs, self-certification to SafeHarbor does not require any substantivenegotiations with the European data pro-tection authorities—the U.S. DOCalready completed such negotiations forthe Safe Harbor rules several years ago.

vi) Enhanced brand reputation for out-sourcing providers and satisfaction ofEU customer requirements.Outsourcing service providers in the U.S. may find Safe Harbor participationadvantageous when doing business with corporate customers in the EU (EUCustomers). Among other benefits, SafeHarbor participation can help enhance theU.S. provider’s brand reputation, anddemonstrate to EU Customers that theprovider understands EU data protectionconcerns. Safe Harbor participation canalso help reduce the compliance burdenon the EU Customers by helping themavoid the need to maintain a network ofModel Contracts conforming to theEuropean Commission “data processor”clauses. In addition, Safe Harbor partici-pation can streamline the steps that theEU Customers need to take to complywith local data protection authority regis-tration requirements in some countries(discussed further below in paragraph ix).

vii) Coverage for Switzerland. TheSwiss Federal Data Protection andInformation Commission (Swiss DPA)has recently established the U.S.-SwissSafe Harbor Framework with the U.S.DOC. As a result, U.S. companies canaddress the cross-border data transferrestriction in the Swiss data protectionlaw by self-certifying compliance to theSafe Harbor rules, in the same way ascan be done for transfers from the EU.This development is particularly impor-



U.S. - EU Safe Harborcontinued from page 5

An arousing turn of the year in

the matter of privacy: At the

end of 2009 Eric Schmidt, CEO of

Google, told CNBC: “If you have

something you don‘t want anyone

to know, maybe you shouldn't be

doing it in the first place.” At the

beginning of 2010, Mark

Zuckerberg, founder of Facebook,

told a live audience that if he

were to create Facebook again

today, user information would be

public by default, not private as it

was for years until the end of

December.

It seems that privacy has

become a disused concept. The

new decade is about openness

and total disclosure. Individuals

and organizations will have to

engage even more in protecting

privacy as a rare but necessary

concept for human life in the

digitally networked world.

Remember? Privacy has always

been interpreted as a precondi-

tion for human self-determination

and a free and democratic socie-

ty. I don't remember any convinc-

ing argument that has made this

assumption obsolete. So let's

take care.

—Miriam Meckel, ManagingDirector, MCM-Institute,University of St. Gallen

Switzerland, and 2009-2010Berkman Center for Internet and

Society fellow

PRIVACY



tant for Switzerland, as the definition of“personal data” under Swiss law coversidentifiable information regarding individ-uals and legal entities, making personaldata protections provided under Swisslaw broader than those of many EUmember states, which generally onlyprotect identifiable information regardingnatural persons.

viii) Better fit for “online” data collections. The Safe Harbor is bettersuited to protect online transfers of databecause the U.S. company would notneed to obtain an express consent fromWeb site visitors for the data transfers,and would not need to enter into con-tracts with entities in the EuropeanUnion (both of which may be cumber-some depending on the business modelor application). Instead, the Safe Harborwould require the U.S. company to con-firm that its privacy policy and privacypractices adhere to the Safe Harborrules—a step that may be easier forcompanies to administer in the onlinecontext than obtaining Express Consentor executing Model Contracts.

ix) Streamlining of local filing procedures. In a number of EU memberstates, cross-border transfers of EUPersonal Data may trigger registrationrequirements with the data protectionauthorities. In some of these countries,the Safe Harbor facilitates the local regis-tration process by avoiding “procedural”approvals that apply to use of ModelContracts and the “substantive”approvals for BCRs. For example, inSpain, the use of Model Contractsattracts certain requirements for specialnotary and other procedural approvalswhen the local company registers withthe data protection authority. This

requirement is not triggered when thedata recipient is a U.S. company thatself-certifies with the Safe Harbor.

x) Avoiding administrative burdens ofmaintaining Model Contracts. ModelContracts must be monitored to makesure that they reflect changes in the rel-evant company’s structure. By contrast,particularly in the context of mergers andacquisitions, as well as other businesschanges and developments, Safe Harboravoids the administrative burden ofnegotiating and executing new ModelContracts to cover new affiliates anddata flows.

4. Why would a U.S. company choose

a data transfer solution other than the

Safe Harbor?

Although there are many good reasonsto join Safe Harbor, or use Safe Harboras a baseline to authorize certain datatransfers, there are good reasons whySafe Harbor may not be sufficient for alldata transfers, and why a companymight choose alternative approaches.

i) FTC enforcement. The promise tocomply with Safe Harbor is ultimatelysubject to the enforcement authority ofthe FTC. The FTC has recently taken itsinitial enforcement actions pursuant tothe Safe Harbor. In the first case, theFTC obtained a Temporary RestrainingOrder (TRO) in the United States DistrictCourt for the Central District of Californiaenjoining a consumer electronics compa-ny (Consumer Electronics Company)from engaging in a broad range of unfairand deceptive practices related to onlineconsumer sales, including misrepresent-ing that the company participated in SafeHarbor. According to the FTC complaint,the Consumer Electronics Company had,at various times, advertised on its Websites that it had self-certified to the SafeHarbor, even though it had never doneso. The FTC complaint also alleges thatthe company had engaged in a wide vari-ety of other unfair and deceptive prac-tices relating to commercial practices,such as: (i) failing to notify consumers

THE PRIVACY ADVISOR



“The FTC has recentlytaken its initial enforce-ment actions pursuant tothe Safe Harbor.”


about applicable customs duties andother taxes; (ii) frequently shipping prod-ucts that did not comport to customerorders and that had power chargers thatwere incompatible with local power sys-tems where the consumer was located;(iii) delivering user manuals and electron-ics controls that were in Spanish orChinese entirely; (iv) charging consumercredit cards without providing the prod-ucts ordered; and (v) failing to disclosewarranties and other material terms. Inaddition to the TRO, the FTC seeks fur-ther relief in the form of a permanentinjunction, restitution, disgorgement ofprofits, and other equitable relief.

In a second set of enforcementactions, the FTC agreed to settle caseswith six U.S. businesses that allegedlyfalsely claimed that they participated inSafe Harbor. The FTC complaints chargedWorld Innovators, Inc.; ExpatEdgePartners LLC; Onyx Graphics, Inc.;Directors Desk LLC; Collectify LLC; andProgressive Gaitways LLC (the “SafeHarbor Six”) with representing that theyheld current certifications to the SafeHarbor program, even though the com-panies had allowed their certifications tolapse. Under the proposed settlementagreements, the Safe Harbor Six are pro-hibited from misrepresenting the extentto which they participate in any privacy,security, or other compliance programsponsored by a government or any thirdparty. The FTC did not assess any finesin connection with these settlements.

These cases are important becausethey represent the first enforcementactions the FTC has taken under SafeHarbor since the inception of the pro-gram in November 2000. It may signalthat the FTC will be more active in purs-ing Safe Harbor cases in the comingmonths, and that companies should beeven more diligent in confirming thatthey comply with the Safe Harbor rulesbefore completing a self-certification.

ii) Data transfers not eligible for cover-age by Safe Harbor. U.S. companiesare only eligible to join the Safe Harbor

to protect certain transfers of EUPersonal Data to the United States.Other transfers within a global enter-prise, such as transfers from the EU toAsia or Latin America, are not covered bySafe Harbor. Likewise, financial institu-tions and other organizations that falloutside the scope of FTC and DOTauthority are not eligible to join SafeHarbor, even if the organizations arelocated in the United States. This “cover-age” issue is perhaps one of the mostsignificant reasons why companies mayutilize other approaches.

iii) Development of tailored privacycompliance programs. U.S. companiesthat already have well-established globaldata protection programs may wish toconsider developing more tailored com-pany-wide data protection complianceprograms through BCRs. Such compa-nies can build on the controls that theyhave already established under SafeHarbor and/or Model Contracts, anddevelop rules and procedures thataddress the guidance issued by the dataprotection authorities on BCRs, while tai-loring such terms to the group’s actualdata flows and handling practices. In theinterim period while the group of compa-nies seeks approval for BCRs, they cancontinue to rely on their existing dataprotection framework.

5. What are the current trends in inter-

national data transfers?

Although there are still a wide variety ofpractices, certain trends are emergingwith respect to international data trans-fers. First, common industry practice hasmoved away from reliance on a broad“waiver” of privacy rights throughExpress Consents, particularly in theemployment context. Second, althoughBCRs are up and coming, the burdens ofnegotiating for substantive approval fromdata protection authorities and other fac-tors may place this solution out of reachfor many U.S. organizations, except forcompanies that already have well-devel-oped global privacy programs based onSafe Harbor or Model Contracts.

Third, the “work horses” for compli-ant international data transfers in the cur-



U.S. - EU Safe Harborcontinued from page 7PRIVACY


Privacy in the healthcaresector, 2010

The concept of de-identified data

as a privacy protection will be

challenged by multiple stakeholders;

the results of this discussion will be

critical to healthcare privacy and

related federal laws (e.g., HIPAA,

HITECH). There will be those who

are concerned about the risk of re-

identification, there will be those

espousing de-identification as being

more protective of patients than

handling protected health informa-

tion (PHI) directly and while accom-

plishing the same goals, and there

will be regulators involved in trying

to find common ground that satis-

fies conflicting interests. Ultimately,

I suspect that de-identified data will

prevail as a better alternative to

using PHI in the healthcare sector,

albeit with a more regulated securi-

ty network around it.

—Kim Gray, Chief Privacy Officer,Americas Region, IMS Health

In the field of advertising in 2010,

the mobile Internet will finally

become the new frontier for user

data collection and analysis, and the

use of Flash cookies on the Web will

likely re-ignite the debate on third-

party tracking devices.

—Fernando BermejoAssociate Professor of

Communication at Universidad ReyJuan Carlos in Madrid, Spain and

2009-2010 Berkman Center forInternet and Society fellow


THE PRIVACY ADVISOR


rent environment appear to be SafeHarbor and Model Contracts. Companiesentering the “global privacy compliance”market for the first time at the enterpriselevel often select between these twosolutions. Key considerations in favor ofSafe Harbor include more flexibility withrespect to onward transfers (e.g., to gov-ernment authorities in SEC or other gov-ernment investigations, as well as toother parties in e-discovery and litiga-tion), greater control for the U.S. parentcompany, the avoidance of the mainte-nance of a network of intercompany pri-vacy agreements, and the avoidance ofexpress third-party beneficiary rights fordata subjects. Key considerations infavor of Model Contracts are the avoid-ance of FTC enforcement authority, andthe ability to cover data transfers fromthe EU to non-U.S. jurisdictions (e.g. Asiaor Latin America).

Ultimately, there is no one-size-fits-all solution. Companies make strategicdecisions on cross-border privacy solu-tions based on their own particular situ-ation, including worldwide data flows,

compliance issues, business opera-tions, litigation experience, and otherfactors. One trend that is unmistakable,however, is that companies today oper-ate in an increasingly interconnectedworld and, for enterprise risk manage-ment purposes, are finding that, at aminimum, they benefit from a periodicreview to confirm that the global “priva-cy house” is in order and responsive tothe latest risks and privacy regulatorydevelopments.

Brian Hengesbaugh, CIPP, is a partnerin the Chicago office of Baker &McKenzie. He concentrates on domes-

tic and global data protection, privacy,and information security, and is a mem-ber of the firm’s Global Privacy SteeringCommittee. Mr. Hengesbaugh is a pastmember of the IAPP PublicationsAdvisory Board. Prior to joining Baker &McKenzie, Mr. Hengesbaugh served asthe lead attorney for the U.S.Department of Commerce GeneralCounsel’s Office in the negotiation ofthe U.S. - EU Safe Harbor PrivacyFramework.

Michael Mensik is a partner in theChicago office of Baker & McKenzie,concentrating on information technolo-gy, sourcing, and privacy. He wasrecently elected to the Outsourcing Hallof Fame by the InternationalAssociation of OutsourcingProfessionals.

Amy de La Lama is a senior associatein the Chicago office of Baker &McKenzie, concentrating on domesticand global data protection, privacy, andinformation security.

“…Companies are findingthey benefit from a period review to confirmthat the global ‘privacyhouse’ is in order…”




appropriate steps to address thoserisks. We’ve updated the criteria of ourprivacy principles to mitigate the risks topersonal information.”

Generally Accepted PrivacyPrinciples, last updated in 2006, aredesigned to help an organization’s management develop a program thataddresses their privacy obligations andrisks and to assist them with assessingtheir existing privacy program. It is alsothe basis for a privacy audit that can beperformed by a Certified PublicAccountant or Chartered Accountant.GAPP incorporates concepts from local,national, and international laws, regula-tions, guidelines, and other bodies ofknowledge on privacy into a single priva-cy objective. This objective is supportedby 10 privacy principles:

1. Management – The entity defines, documents, communicates, and assignsaccountability for its privacy policies andprocedures.

2. Notice – The entity provides noticeabout its privacy policies and proceduresand identifies the purposes for whichpersonal information is collected, used,retained, and disclosed.

3. Choice and consent – The entitydescribes the choices available to the indi-vidual and obtains implicit or explicit con-sent with respect to the collection, use,and disclosure of personal information.

4. Collection – The entity collects per-sonal information only for the purposesidentified in the notice.

5. Use, retention, and disposal – Theentity limits the use of personal informa-tion to the purposes identified in thenotice and for which the individual hasprovided implicit or explicit consent. Theentity retains personal information foronly as long as necessary to fulfill thestated purposes or as required by law orregulations, and thereafter appropriatelydisposes of such information.

6. Access – The entity provides individuals with access to their personalinformation for review and update.

7. Disclosure to third parties – Theentity discloses personal information tothird parties only for the purposes identi-fied in the notice and with the implicit orexplicit consent of the individual.

8. Security for privacy – The entity protects personal information againstunauthorized access (both physical and logical).

9. Quality – The entity maintains accurate, complete, and relevant personal information for the purposesidentified in the notice.

10. Monitoring and enforcement – Theentity monitors compliance with its privacy policies and procedures and hasprocedures to address privacy-relatedcomplaints and disputes.

Each principle is supported by objective,measurable criteria for handling personal information throughout anorganization. Together, this set of privacy principles and related criteria are useful to those who:

• oversee and monitor privacy and security programs;

• implement and manage privacy andsecurity;

• oversee and manage risks and compliance;

GAPP updatecontinued from page 1

See, GAPP update, page 12

“Each principle is supported by objective,measurable criteria forhandling personal information throughoutan organization.”

PRIVACY


Data protection in France2010

This year the odds are that the

French data protection environ-

ment will likely see a strengthening

of legal requirements by the intro-

duction of an obligation to provide

data breach notifications and anoth-

er obligation to appoint a data pro-

tection official. At the same time,

on the DPA side we will see more

and more onsite investigations.

One can also foresee the

growth of the privacy profession

and the growth of the AFCDP, the

French Association of Data

Protection Correspondents.

—Pascale Gelly, Partner, Cabinet Gelly;Member, Board of Directors of AFCDP

Privacy and data protection in Israel, 2010

ILITA will submit legislative reform

to Knesset, tightening enforce-

ment, increasing accountability,

and reducing bureaucratic burdens.

The Supreme Court will rule on

major constitutional challenge to

Communications Data Act,

asserting disproportionate effect

on privacy. Privacy professionals

will descend on Jerusalem October

27-28 to celebrate IAPP annual

soccer match (and the 32nd annual

Conference of Privacy and Data

Protection Commissioners).

—Omer Tene, Israeli Legal Consultant,Associate Professor, College of

Management School of Law, Israel


THE PRIVACY ADVISOR





• assess compliance and audit privacyand security programs; regulate privacy.

The changes, which include eight newcriteria (now more than 70 in total) andthe modification of two others, were theresult of deliberations and considerationgiven to comments received from thepublic in response to the exposure draftthat was released in March 2009.

“Safeguarding personal informationis one of the most challenging responsi-bilities an organization has, whether it’sinformation pertaining to employees orcustomers,” said Johnson. “We’veupdated the criteria of our privacy princi-ples to minimize the risks to personalinformation. We have enhanced theguidance on security, breach response,and employee-related matters, alongwith disposal and destruction of person-al information.”

The following is a summary of thenew criteria:

Personal Information Identificationand Classification (1.2.3) – The typesof personal information and sensitivepersonal information and the relatedprocesses, systems, and third partiesinvolved in the handling of such informa-tion are identified. Such information iscovered by the entity’s privacy and relat-ed security policies and procedures.

This may include having an informa-tion-classification process that identifiesand classifies information into categoriessuch as business confidential, personalinformation, business general, and public.

Risk Assessment (1.2.4) – A riskassessment process is used to establisha risk baseline and to, at least annually,identify new or changed risks to person-al information and develop and updateresponses to such risks.

Risks may be external (such as lossof information by vendors or failure tocomply with regulatory requirements) orinternal (such as e-mailing unprotectedsensitive information). Ideally, the

privacy risk assessment should be integrated with the security risk assess-ment and be a part of the entity’s overallenterprise risk management program.The AICPA and CICA have developed aPrivacy Risk Assessment Tool thatorganizations may find useful.

Privacy Incident and Breach (1.2.7) – A privacy incident and breach manage-ment program has been documentedand implemented. It includes, but is notlimited to, the following:

• procedures for the identification, management, and resolution of privacy incidents and breaches;

• defined responsibilities;

• a process to identify incident severityand determine required actions andescalation procedures;

• a process for complying with breachlaws and regulations, including stake-holders breach notification, if required;

• an accountability process for employ-ees or third parties responsible forincidents or breaches with remedia-tion, penalties, or discipline as appro-priate;

• a process for periodic review of actualincidents to identify necessary pro-gram updates;

• periodic testing or walkthroughprocess and associated programremediation as needed.

Privacy Awareness and Training(1.2.10) – A privacy awareness programabout the entity’s privacy policies andrelated matters, and specific training forselected personnel depending on theirroles and responsibilities, are provided.

“Ensuring that employees are edu-cated about privacy will help prevent pri-vacy breaches, improve customer serv-ice, and demonstrate the organization’scommitment to sound business prac-tices,” explains Donald Sheehy, CA·CISA,CIPP/C, associate partner with Deloitte

GAPP updatecontinued from page 10

The IAPP Welcomes our Newest

Corporate Members


THE PRIVACY ADVISOR


(Canada) and a Canadian member of theAICPA/CICA Privacy Task Force.

Information Developed aboutIndividuals (4.2.4) – Individuals areinformed if the entity develops oracquires additional information aboutthem for its use. Such information may be obtained or developed fromthird-party sources, browsing, and credit/purchasing history.

Disposal, Destruction and Redactionof Personal Information (5.2.3) –Personal information no longer retainedis made anonymous, disposed of, ordestroyed in a manner that preventsloss, theft, misuse, or unauthorizedaccess. This can include the removal orredaction of specified personal informa-tion about an individual, such as remov-ing credit card numbers after the trans-action is complete and using companiesthat provide secure destruction services.

Personal Information on PortableMedia (8.2.6) – Personal informationstored on portable media or devices isprotected from unauthorized access.

Policies and procedures prohibit thestorage of personal information onportable media or devices unless a busi-ness need exists and such storage isapproved by management. Such infor-mation is encrypted, password protect-ed, physically protected, and subject tothe entity’s access, retention, anddestruction policies. Upon termination of

employees or contractors, proceduresprovide for the return or destruction ofportable media and devices used toaccess and store personal information,and printed and other copies of suchinformation.

“Portable devices such as laptopsand memory sticks provide convenienceto employees, but appropriate measuresmust be put in place to properly securethem and the data they contain,” relatedSheehy. “We must stay abreast of tech-nological advances to ensure that propermeasures are put into place to defendagainst any new threats.”

Ongoing Monitoring (10.2.5) – Ongoingprocedures are performed for monitoringthe effectiveness of controls over per-sonal information based on a risk assess-ment and for taking timely correctiveactions where necessary. An example ofa control would be reviewing employeefiles to seek evidence of course trainingin compliance with policies that requireall employees take initial privacy trainingwithin 30 days of employment.

Other changes to GAPP includerestricting the use of personal informa-tion in process and systems testing, ref-erences to ISO 27002, and revised lan-guage for auditors to use when prepar-ing reports on a privacy audit.

Several organizations worked inconjunction with the AICPA and CICA onGAPP, including ISACA and the Instituteof Internal Auditors. Copies of GAPP,along with additional privacy resources,are available at www.aicpa.org/privacyand www.cica.ca/privacy.

Nancy A. Cohen, CPA.CITP, CIPP, ([email protected]) is Senior TechnicalManager - Quality Control, Research &Development for the American Instituteof Certified Public Accountants.

Nicholas F. Cheung, CA, CIPP/C,([email protected]) is a principalwith the Canadian Institute of CharteredAccountants.

Both Nancy and Nicholas are membersof the AICPA/CICA Privacy Task Force.

“Portable devices such as laptops and memorysticks provide conven-ience to employees, butappropriate measuresmust be put in place to properly secure themand the data they contain.

Privacy Classifieds

The Privacy Advisor is an excellentresource for privacy professionalsresearching career opportunities. For more information on a specificposition, or to view all the listings,visit the IAPP’s Web site, www.privacyassociation.org.

PRIVACY RESEARCH ALLIANCE COORDINATORNymityToronto, ON

PRIVACY RESEARCH SPECIALISTNymityToronto, ON

VULNERABILITY MANAGEMENT AND SECURITY COMPLIANCE RISK ASSESORConvergysCincinnati, OH

PRIVACY PROJECT MANAGERGenentechSouth San Francisco, CA

PRIVACY RESEARCH LAWYERNymityToronto, ON

MANAGER/SENIOR MANAGER U.S.CONSUMER AND SMALL BUSINESSPRIVACYAmerican ExpressNew York, NY

SENIOR MANAGER, INFORMATION SYSTEMS SECURITYConvergysDallas, TX

PRIVACY COMPLIANCE SPECIALISTU.S. Department of Homeland Security,Privacy OfficeRosslyn, VA

PRIVACY DIRECTORBlue Shield of CaliforniaSan Francisco, CA

PRIVACY ACT CONSULTANTRGS Associates, Washington Navy YardWashington, DC




Successive revolutions in informa-tion technology raise new chal-lenges, risks, and opportunities for

consumer privacy protection. Perhaps themost basic question is how these newtechnologies are changing the actual prac-tices of companies in processing personalinformation. After all, emerging technolo-gies can make legal regulations obsoleteor out-of-date. The consequences can beineffective regulation and a waste of cor-porate resources without meaningful pro-tections for consumer privacy.

To understand the impact of newtechnologies on company practices andlegal regulations, I researched how sixleading North American companies man-age their global use of personal informa-tion. This work was sponsored by thePrivacy Projects, a new nonprofit organi-zation devoted to empirical research intoprivacy issues.

My whitepaper, Managing GlobalData Privacy, looks at companies that aredeveloping pharmaceuticals, providingmarketing, selling financial services, andoffering a range of Internet-based soft-ware, technology, and online services.These companies collect and process per-sonal information about clinical healthresearch, customer services, consumersurveys, mortgage renewals, e-mailaccounts, and global job applicants.

The resulting case studies identifythree dramatic changes from the world ofyesterday. The first change shown is thatthe scale of global data flows in the pri-vate sector has increased massively. Inthe recent past, an international exchangeof personal information was a rare eventthat the law tended to regulate on a case-by-case basis. But personal informationnow flows around the world 24/7. The vol-ume is staggering—one company in thestudy created more than five million datapoints in 2008. This figure represents 72new data points every minute.

Second, the nature of this constantflow of global data is dynamic and occursacross borders. In the past, companies

finalized international data transfers inadvance. Personal data were sent at a sin-gle moment from one central location toanother. Today, companies draw on "thecloud" to put computer resources andservices on the Internet. As a result, theprocessing of personal data increasinglytakes place simultaneously throughout aglobal network.

Third, the oversight of data flows atthese leading companies has been pro-fessionalized with a significant investmentof business resources. This developmentis highly promising. In the past, many cor-porations avoided privacy and securityissues and devoted a low level ofresources to them. Companies now arecreating collaborative processes for priva-cy and security, which involve chief secu-rity officers, chief privacy officers, legalcounsel, and internal managementboards.

One regulatory lesson to be drawnfrom these studies is to question thevalue of the approach in certain Europeancountries that require registrations for anydata processing operation involving thepersonal information of citizens. Even aminor change in the location of a singleserver, or an alteration of a single processwill require costly modifications to exist-ing registrations in different Europeancountries. Yet, in the age of dynamic andmassive data flows carried out on “thecloud,” such changes can frequentlyoccur. Moreover, it is far from clear thatthe benefit for individual privacy, if any, isequal to the cost of making companiesfile detailed, national-specific reports oneach database that contains personalinformation.

Paul M. Schwartz, CIPP/C, is professorof law, Berkeley Law School, U.C.-Berkeley, and a director of the BerkeleyCenter for Law & Technology. Hiswhitepaper, Managing Global DataPrivacy, is available at: http://theprivacyprojects.org/privacy-projects.

Managing global data privacy

By Paul M. SchwartzPRIVACY


Privacy protection will remain avery important subject of the

lobbying efforts by the marketingindustry in 2010. The media will con-tinue to be extremely alert to sus-pected violations of data protectionand it is a fact that even after enact-ment of the Data Protection Lawreform in Germany on September 1,2009, consumer data will still bemisused—contrary to what the gov-ernment and the consumer protec-tion agencies promised. This corrob-orates our statement which wehave ever since repeated, like amantra: the so-called “privacy scan-dals” are not a matter of loopholesin the law but of poor enforcementof the existing laws.

Since the new German govern-ment is in place, employee privacyand online privacy have becomeimportant matters, also. InNovember 2009, a draft for anEmployee Privacy Act was submit-ted to the German Bundestag.

Moreover, a considerable levelof uncertainty remains that mar-keters’ use of personal data couldbe placed on the agenda of lawmak-ers again in 2010.

How will these developmentsaffect the core activities of ourmembers—the reputable business-es with “address data”? TheGerman Federation of DirectMarketing will continue campaigningfor a cautious and balancedapproach to further data protectionlaw reforms.

—Dieter Weng, President of the German

Federation of Direct Marketing (DDV e.V.)


As the international communityreadies itself for a second waveof the H1N1 flu pandemic, wise

organizations are brushing off their busi-ness continuity plans (BCPs) and review-ing their applicability to a different kind ofthreat. Unlike traditional business conti-nuity or disaster recovery planning, pan-demic planning requires managementfor a prolonged but unidentified period oftime rather than for the single risk eventthat traditional business continuity plan-ning tends to focus on. The focus of pan-demic planning is on the people withinan organization rather than buildings,structures, or environmental. Shifting thefocus of your BCP to incorporate theorganization’s employees requires a gen-tle reminder that the privacy of employ-ees must remain paramount, even dur-ing business continuity management.

Privacy professionals must remainvigilant in the wake of the H1N1 flu pandemic to ensure the privacy rights of employees remain intact during pan-demic response activities. An all-hazardsapproach to business continuity planningin combination with taking a few common-sense approaches to privacy,will assist in easing the stress of the flu pandemic on organizations.

Privacy professionals need to workwith the business continuity plannersand human resource departments toclarify any questions regarding the col-lection, use, and disclosure of personalemployee information during the devel-opment of organizational BCP plans thatinclude considerations for pandemicplanning. The challenge is to balancethese needs with the needs of theorganization to plan for the potential ofprolonged staff shortages caused byemployee illness, and, potentially,employees staying home from work tocare for loved ones. Due to the way inwhich the illness spreads, a singledepartment within an organization may

be severely affected whileother areas are less affected,or not affected at all.

During times of crisis,management organizationsmay be tempted to collect avariety of information fromstaff, such as their diagnosesand whether they havereceived the H1N1 vaccine.Jurisdictional privacy legislationmay, however, prevent this collection. InCanada, for example, this is likely not areasonable collection of information underprovincial or federal privacy legislation.

Organizations may be tempted touse personal information contained inHR files, such as the number of depend-ents within staff members’ householdsor personal contact information for pan-demic planning or response purposes.This may pose a privacy threat to staffand a legislative or policy breach toorganizations. Finally, organizations maybe tempted to disclose informationabout staff that they would not normallyconsider disclosing in non-pandemic situ-ations, such as an employee diagnosis orreason for an emplyee’s absence atwork. Privacy professionals can, instead,urge their organizations to consider atwofold approach that focuses on infor-mation dissemination and careful pre-planning to manage the flu pandemic.

An informed employeehas the information he needsto care for himself and hisfamily members. Organiza-tions can provide their staffwith information regardingsafe hand washing and otherbasic flu prevention tech-niques, as well as local gov-ernment hotlines or otherresources to help them

understand the best flu preventionmethods. If the flu vaccine is available inyour area, consider posters in commonareas with contact information on howand where they can receive the vaccine.A thorough communication plan willempower employees to manage theirown risks, as well as those in their fami-ly, and in turn keep everyone healthyand at work.

Empowering employees with criticalinformation regarding the H1N1 flu viruscan be combined with the implementa-tion of some basic policies and tech-niques to be used within the office.Offering hand sanitizer in break andmeeting rooms and asking employees to stay home when they are sick are twosimple methods that can be used to further reduce the infection rates in theworkplace. Clear communication withemployees is a key element in pandemicpreparedness.

Perhaps the most important privacyprotection during a pandemic is a proper-ly tailored all-hazard business continuityplan that requires little or no additionalcollection, use, or disclosure of employ-ee information. A holistic approach thatidentifies potential risks and theirimpacts to business operations, includ-ing the risk of a pandemic, will providean organization with the tools it needs torespond to such a crisis. Specifically, theplan should consider prolonged staff

THE PRIVACY ADVISOR

15

Privacy and pandemic planning: a few prudent considerations

for organizations

By Rachel Hayward, CIPP/C

See, Pandemic planning, page 16

Rachel Hayward

“Perhaps the most important

privacy protection during

a pandemic is a properly

tailored all-hazard business

continuity plan that requires

little or no additional

collection, use, or disclosure

of employee information.”

International Association of Privacy Professionals


10January-February • 2010


The IAPP celebrates its tenthanniversary this year. To com-memorate, the Privacy Advisor

will look back at some of the decade’smost memorable moments, achieve-ments, and milestones. We start with alook inward.

The Privacy Advisor is valuablebecause of you, the experts in the fieldwho so willingly share your knowledgewith IAPP members. Of course, someof you are more prolific than others.

We dusted off the archives todetermine just who has been most

profuse. One byline came up time andtime again. Philip L. Gordon, Esq., con-tributed his first story back in 2003when the newsletter bore a differentname. It was about options for employers facing the HIPAATransaction Rule compliance deadline.Hopefully you’re all compliant by now.If not, call Phil. He is a shareholder andchair of the Privacy Task Force at LittlerMendelson, P.C. in the Mile High City.

Thank you, Phil, for sharing somuch valuable information for the goodof the privacy profession.

shortages rather than the traditional dis-aster planning approaches that tend tofocus only on the infrastructure of anorganization and its ability to detail aspecific timeline for the full resumptionof business. Critical process and posi-tion identification, properly aligned withwell-rounded policies and proceduresand an appropriate plan for full or partialplan implementation will best serve anorganization during a flu pandemic.Careful pre-planning that is flexible andadaptive will reward employers whenfaced with a flu pandemic or other unex-pected disruption to their business.

Prior to deciding to collect, use, ordisclose personal employee informationin an attempt to manage a pandemic sit-uation, organizations need to understandthe requirements of the privacy legisla-tion by which they are bound. It is advisable to seek the assistance of privacy professionals. Organizationsneed to carefully plan their response to a pandemic and consider the careful balance between the protection ofemployee privacy and the continuation of business. Privacy professionals mustremain vigilant in their quest to protectpersonal information and must be pre-pared to advise their organizations whenplans may infringe on the privacy rightsof employees.

The federal privacy commissioner ofCanada and the information and privacycommissioners of the provinces ofAlberta and British Columbia recentlyreleased a publication titled “Privacy inthe Time of a Pandemic,” to assist organ-izations in working through some ofthese issues. The article can be found atwww.oipc.ab.ca/Downloads/document-loader.ashx?id=2492

Rachel Hayward is a privacy and information management specialist andthe information risk management leadfor the Edmonton, Alberta DeloitteOffice. She holds a masters degree inpublic administration and became aCIPP/C in 2007.

Pandemic planningcontinued from page 15Turning 10 in 2010


THE PRIVACY ADVISOR


This article originated as aCovington & Burling LLPPrivacy & Data ProtectionAdvisory and is reprinted herewith permission.

The Lisbon Treatyentered into force onDecember 1, 2009. This

agreement substantially over-hauls the EU’s legal bases,the Treaty on European Union (TEU), andthe Treaty Establishing the EuropeanCommunity (EC Treaty), the latter ofwhich is renamed the Treaty on theFunctioning of the European Union(TFEU). While much attention has beengiven to the Lisbon Treaty’s reform ofthe EU’s institutional arrangements, italso alters the legal grounds for legisla-tion in the data protection area in waysthat could impact privacy regulation.Below, we describe the key changesand consider the potential effect onEurope’s data protection framework.

Data protection under the current

treaties

To date, EU data protection laws havebeen primarily based on provisions inthe EC Treaty empowering the EU tolegislate in furtherance of the internalmarket. Both the landmark DataProtection Directive (95/46/EC) and thee-Privacy Directive (2002/58/EC) werepromulgated on this basis, and, conse-quently, they concern both protection ofprivacy and the free movement of per-sonal data. Two other provisions alsoplay a role. Article 30(1)(b) TEU requiresthat transfers of law enforcement infor-mation be subject to appropriate dataprotection measures, and this was theprincipal basis for Framework Decision2008/977/JHA. In addition, Article 286EC Treaty provides for the application ofdata protection rules to the EUInstitutions and for the establishment of

an independent body to oversee dataprotection in this context (this led to thecreation of the European DataProtection Supervisor).

The new provision on data protection:

individual rights and expanded EU

authority

The most striking change for data pro-tection under the Lisbon Treaty is a new,prominent provision on the subject—Article 16 TFEU—which replaces andexpands on the old Article 286. Article16 states as follows:

1. Everyone has the right to the protec-tion of personal data concerning them.

2. The European Parliament and theCouncil, acting in accordance with theordinary legislative procedure, shalllay down the rules relating to the pro-tection of individuals with regard tothe processing of personal data byUnion institutions, bodies, offices andagencies, and by the Member Stateswhen carrying out activities which fallwithin the scope of Union law, andthe rules relating to the free move-ment of such data. Compliance withthese rules shall be subject to thecontrol of independent authorities.

The rules adopted on the basis of thisArticle shall be without prejudice to thespecific rules laid down in Article 39 ofthe Treaty on European Union.

What does this mean fordata privacy? First, the provi-sion establishes an explicitright to data protection. Itappears that this right wouldbe directly applicable to per-sons, and that they could con-sequently invoke it in court.The right to data protection isreinforced by the revisedArticle 6 TEU, which provides

that the EU Charter of FundamentalRights “shall have the same legal value”as the TEU and the TFEU. This wouldseem to have the effect of incorporatingdirectly into EU law all of the rights inthe Charter, including Article 8 on theProtection of Personal Data. Article 8contains language essentially identical toclause 1 of Article 16 TFEU, and addition-ally establishes rights to fair processingof personal data, access to such data,and rectification. The Data ProtectionDirective already provides that MemberStates should ensure similar protections.

Second, clause 2 of Article 16establishes a clear basis for the Counciland Parliament to regulate the process-ing of personal data by Member Stateauthorities when carrying out activitiesthat fall within EU law, in addition to theEU Institutions previously covered byArticle 286. But the full scope of thisclause is not entirely clear. One couldinterpret the phrase “and the rules relat-ing to the free movement of such data”as granting the Council and Parliament ageneral right to legislate data protectionrules, including for the private sector.This is not, however, the most obviousreading of the text, which insteadseems to refer to regulation of the freemovement of personal data among pub-lic authorities in Europe. Furthermore,there does not appear to be any reasonwhy the EU could not continue to regu-

The Lisbon Treaty and data protection: What’s next for

Europe’s privacy rules?

See, Lisbon Treaty, page 18

Daniel Cooper Henriette Tielemans David Fink

By Daniel Cooper, Henriette Tielemans, and David Fink of Covington & Burling LLP’s Privacy and Data Protection Practice Group




late data protection in the privatesector on the basis of internal marketprovisions.

Finally, the last sentence ofclause 2 references a carve-out fordata protection rules in the context ofthe common foreign and security pol-icy. Under Article 39 TEU, the council,alone, is empowered to adopt ruleson the processing of personal data byMember States in this area.

The abolition of the pillar structure

and its impact on data protection

in law enforcement activities

One of the key structural reforms ofthe Lisbon Treaty—the abolition ofthe pillar system—could also affectprivacy rules. Pre-Lisbon, the EUcomprised three legal pillars withseparate legal bases for legislativeaction: (i) “Community” matters; (ii)Common Foreign and Security Policy;and (iii) Police and JudicialCooperation in Criminal Matters.Crucially, only the council wasempowered to adopt legislation in thethird pillar on data protection, pur-suant to Article 30(1)(b) TEU.

With the elimination of the pillarstructure, it appears that any futurelaws on data protection in the policeand judicial context would be basedon Article 16 TFEU, where both thecouncil and the Parliament are co-leg-islators. But some privacy advocatesargue that Framework Decision2008/977/JHA must also be revised—with input from the Parliament—toreflect the co-legislation requirement,or, alternatively, that the DataProtection Directive must be amend-ed to encompass the use of personaldata by police and judicial authorities(this would also involve co-legislationby the council and Parliament).Others, however, might argue that achange in the procedure for adoptinglegislation does not require the re-opening of laws validly adopted underan old procedure. It remains to beseen how this will play out.

Lisbon Treatycontinued from page 17

Cross-border data flowshave long been a sub-ject of global dialogue.

In the late 1970s, theOrganization for EconomicCooperation andDevelopment (OECD) and theCouncil of Europe began toexplore cross-border transac-tions, with OECD issuing theGuidelines on the Protectionof Privacy and Transborder Flows ofPersonal Data in 1980, and the Councilof Europe issuing the Convention for theProtection of Individuals with regard toAutomatic Processing of Personal Datain 1981. In 1990, the United Nationsadopted the Guidelines for theRegulation of Computerized PersonalFiles. In 2004, the Asia Pacific EconomicCooperation issued its PrivacyFramework. All four guidelines apply tothe public sector, although they alsoinclude exemptions for law enforcementand security, which remain prevalent innational and European law.

Exemptions for law enforcementand security did not occur because of adearth in sharing in this area, nor for thedesire to limit law enforcement coopera-tion, but were necessary to protectlegitimate individual cases. Almost everycountry with the capability of doing soexchanges information on at least acase-by-case, if not routine basis. Noneof these guidelines explicitly addressexchanges between police workingtogether on an investigation, which areguided by individual officers’ applicationsof domestic law. As a result, sharingbetween countries traditionally occurredon the basis of trust and mutual recogni-tion, built on long-standing relationshipsbetween allies, or has been governed bybroad cooperation agreements that givescant detail to privacy protections.

With the extensive increase in bothinternational travel and security risks,

there has been proportionalgrowth in the need to sharelarger amounts of personaldata for law enforcement andnational security purposes.Data protection laws havealso grown in complexity andsophistication. As a result,countries need to follow thelead of the private sector andprovide greater transparency

on privacy protections for data flows inthe law enforcement and security con-text. Last month saw a landmarkachievement in this area: U.S. and EUrecognition of a set of core privacy prin-ciples for law enforcement and security.

The U.S.-EU High Level Contact Group

On October 28, officials representing theU.S. Departments of Homeland Security,Justice and State, together with the EUPresidency (represented by the SwedishJustice Minister) and the Vice Presidentof the EU Commission, culminatedalmost three years of work by acknowl-edging the completion of the so-calledHigh Level Contact Group (HLCG) princi-ples. While the HLCG principles are notby themselves a binding agreement, thispublic acknowledgement reflects U.S.-EU shared values of democracy, rule oflaw, and respect for human rights andfundamental freedoms and the conse-quent commitment to effective data protection. These core principles will notonly be the basis of future information-sharing agreements between the EUand the U.S., but will hopefully raise thestandard for information sharing in thelaw enforcement and security contextfor the rest of the world.

There has long been an exchange ofinformation between the EU memberstates and the U.S. for law enforcementand security purposes, resulting innumerous prosecutions. Most informa-tion sharing has occurred without contro-

New international privacy principles for

law enforcement and security

By Mary Ellen Callahan, CIPP

Mary Ellen Callahan


THE PRIVACY ADVISOR


versy and without a single complaint ofviolation of the previously mentionedstandards. However, the EU’s growingauthority in border and security mattersvis-à-vis the member states changed thecontext of cooperation. The information-sharing relationship with the U.S.appears to have become part of theevolving political dynamic between theEU and its member states. For example,the EU’s Data Protection FrameworkDecision, adopted to protect privacywhen European authorities share dataamong themselves, is prejudiced againstthe cooperation with non-EU partners.Likewise, the laws governing EU datasystems for asylum seekers and bordercontrol (Eurodac and the SchengenInformation System, respectively) restrictthe transfer of data to third countries forlegitimate law enforcement purposes.Unfortunately, in the name of protectingprivacy, these restrictions negativelyimpact the equally legitimate activities oflaw enforcement to investigate and fightcrime and terrorism.

The HLCG was formed in late 2006to start discussions about privacy in theexchange of information for lawenforcement purposes as part of awider reflection between the EU andthe U.S. on how best to prevent andfight terrorism and serious transnationalcrime. Composed of senior officialsfrom the European Commission, theEuropean Council Presidency, and theU.S. Departments of HomelandSecurity, Justice, and State, the goal ofthe HLCG was to explore ways toenable the EU and the U.S. to workmore closely and efficiently together inthe exchange of law enforcement infor-mation while ensuring that the protec-tion of personal data and privacy areguaranteed. In October 2009, the groupconcluded the first step of that goal,producing a text that identifies the fun-damentals or “common principles” ofan effective regime for privacy. The nextstep will be for both sides to seek abinding international agreement.

The HLCG principles on privacy andpersonal data protection for law enforce-ment purposes apply in the EU for theprevention, detection, investigation, or

prosecution of any criminal offense, andin the U.S. for the prevention, detection,suppression, investigation, or prosecu-tion of any criminal offense or violationof law related to border enforcement,public security, and national security, aswell as for non-criminal judicial or admin-istrative proceedings related directly tosuch offenses or violations.

The HLCG data privacy principlesinclude:

1. Purpose specification/purpose limitation

2. Integrity/data quality

3. Relevant and necessary/proportionality

4. Information security

5. Special categories of personal information

6. Accountability

7. Independent and effective oversight

8. Individual access and rectification

9. Transparency and notice

10. Redress

11. Automated individual decisions

12.Restrictions on onward transfers tothird countries

Other HLCG principles addressed issues pertinent to the transatlantic relationship, including:

1. Private entities’ obligations

2. Preventing undue impact on relationswith third countries

3. Specific agreements relating to infor-mation exchanges

4. Issues related to the institutionalframework of the EU and the U.S.

5. Equivalent and reciprocal applicationof data privacy law

The full text of the HLCG principles isavailable at http://useu.usmission.gov/Dossiers/Data_Privacy/Oct2809_SLCG_principles.asp.

Implementation

Of course, identification of commonprinciples and incorporation into a bind-ing agreement does not end the obliga-tions of the parties in providing privacyprotection. As these principles areapplied, the role of privacy authoritieson both sides of the Atlantic will be toensure that the relevant organizationsare held accountable to them. Beyond abinding agreement, we may expectjoint projects to include identification ofbest practices for ensuring accountabili-ty, such as assessments of decision-making frameworks for the collectionand use of personal information, “priva-cy by design” tools, and privacy enhanc-ing technologies (PETs). A practical, out-comes-driven focus would be a wel-come contribution to law enforcementand security agencies throughout theworld who adopt the HLCG principles.

Mary Ellen Callahan is the chief privacyofficer of the U.S. Department ofHomeland Security. Together with hercolleagues from the Departments ofJustice and State, she participated inthe discussions related to the finalHLCG principles. She wants to thankher International Privacy PolicyDirectors, Shannon Ballard and Lauren Saadat, for their assistance inthe HLCG generally, and with this article, in particular.

“As these principles are

applied, the role of privacy

authorities on both sides

of the Atlantic will be to

ensure that the relevant

organizations are held

accountable to them.”




This article originated as a December 15Morrison & Foerster Client Alert and isreprinted here with permission.

First FTC roundtable on privacy:

December 7, 2009, in Washington, DC

BackgroundThe Federal Trade Commission (FTC) heldthe first in a three-part series of one-dayroundtable meetings focused on privacyon December 7, 2009, in Washington,DC. These events are designed to bringtogether a variety of participants fromindustry, consumer advocacy organiza-tions, trade associations, think tanks, aca-demia and elsewhere, each with a stronginterest in helping to shape the commis-sion’s approach to privacy regulation andenforcement.

The panel discussions during thisfirst event featured vigorous debate andlittle consensus among industry, aca-demic, and advocacy representatives. Insum, as explained in greater detailbelow, industry members urged contin-ued self-regulation based on principles ofnotice and choice. They tended to con-solidate around the Self-RegulatoryPrinciples for Online BehavioralAdvertising backed by the DirectMarketing Association (DMA), InteractiveAdvertising Bureau, Association ofNational Advertisers, the AmericanAssociation of Advertising Agencies, andthe Council of Better Business Bureaus(The DMA Program), which includeenhanced notice coupled with increasedconsumer education, as well as princi-ples addressing consumer control, datasecurity, material changes, sensitivedata, and accountability.

Consumer advocates, on the otherhand, largely argued that both self regu-lation and the notice-and-choiceapproach had failed, and most called fornew laws or rules, either alone, as abaseline for those who do not adhere to

strong self-regulation, or in addition tothe DMA Program.

Commission Chairman Jon Leibowitzopened the meeting by declaring that thisis “a watershed moment in privacy”because companies continue to developmore and more sophisticated technolo-gies to collect information from con-sumers and use it in new ways, withoutconsumers necessarily understanding anyof this. Accordingly, he said, it is an appro-priate time for the commission to take abroad look at the subject. He went on toremark that the commission’s two priorapproaches to privacy—the notice andchoice regime and a harm-basedapproach—had not been as successful asthe currently-constituted commissionwould like, and, accordingly, that the com-mission is searching for a new paradigmfor privacy regulation and enforcement.The director of the Bureau of ConsumerProtection (BCP), David Vladeck, echoedChairman Leibowitz, but, at the sametime, seemed to be more openly recep-tive to legislation or regulation.

Take-AwayAlthough it’s not yet clear how the com-mission will proceed, it was possible toglean some hints of where the commis-sion could be heading. Based on this firstroundtable event, it appears unlikely thatthe FTC will make any radical policy deci-sions at this point. The likely immediateresult of the three events will be a staff

report outlining a new framework,although it is possible that, as in 2000,the commission or its staff will prepare areport to Congress with certain recom-mendations, including, potentially, a callfor new legislation. Were it to make aradical change in policy now, such asrequiring opt-in for behavioral advertisingor applying principles of the Fair CreditReporting Act (FCRA) to databases notnow subject to FCRA (as the WorldPrivacy Forum and other advocates havecalled for), the commission may finditself not just ahead of the business com-munity, but also Congress.

As the commission learned nearlytwo decades ago, getting ahead ofCongress is dangerous business. The lasttime the commission did so, in connec-tion with a proposed trade regulation rulethat would have curtailed televisionadvertising to children, Congressreversed the FTC and ultimately reducedthe commission’s authority and funding.For this reason, we think the commissionwill continue to build a record on privacy,especially where there appear to be gapsbetween consumer expectations andbusiness practices, so that it is well-poised at the conclusion of the three-partseries to adopt a new interpretation ofthe requirements of the FTC Act and anaccompanying enforcement position or torecommend new legislation it thinksappropriate based on the record.

In the meantime, we expect that thecommission is likely to keep an eye onthe roll-out of the DMA Program, includ-ing the extent to which it is adopted byindustry, and to pursue enforcementactions against those that do not join,those that join and do not comply, andthose that engage in fringe activity, suchas collecting sensitive information likehealth, financial, or children’s data for usein behavioral advertising.

U. S. FTC holds first of three privacy roundtable events

and signals policy shift

By D. Reed Freeman, Jr., CIPP, and Julie O'Neill of Morrison & Foerster

Julie O'NeillD. Reed Freeman, Jr

See, FTC roundtable, page 22


Our focus is Privacy...but our blog is open for discussion

Proskauer’s Privacy and Data Security Practice is an outgrowth of our Internet, intellectual property, labor andemployment, health care, First Amendment, international law and litigation practices. Indicative of our Chambers USAranked experience and reputation in this relatively new field of law, is the fact that the venerable Practising Law Institute(PLI) asked our firm to create its first-ever treatise on the subject of privacy and data security law, called “Proskauer onPrivacy,” published in 2006. For more information about this practice area, please visit www.proskauer.com.

Subscribe to our Privacy Law Blog at

http://privacylaw.proskauer.com/index.xml

1585 Broadway, New York, NY 10036-8299 | 212.969.3000 | Attorney Advertising




We also expect the FTC to continueits program using its authority underSection 5 of the FTC Act to enforceagainst those who fail to disclose materi-al information about (1) the collection,uses, and disclosure of data outside theprivacy policy in a clear and conspicuousway, especially in the case of sensitiveinformation, and (2) disclosures and usesof data for purposes other than that forwhich the consumer provides the infor-mation in the first instance.

Roundtable debateWe have structured our summary of theroundtable discussions around the twoprimary themes of the debate aboutwhere the commission’s approach to privacy should head: (1) whether thenotice-and-choice regime remains viable;and (2) how to evaluate and respond tothe harms associated with informationpractices.

Is the notice-and-choice regime dead?Chairman Leibowitz stated that, in thecommission’s view, the notice-and-choiceapproach to privacy has not succeeded.He explained that he has long been aproponent of opt-in (versus opt-out)choice to the collection of personal infor-mation, but he pointed out that even thatcan fail if notice is inadequate. He furtherexplained the inadequacy of notice andchoice with his statement that “we allagree” that consumers don’t read privacypolicies or EULAs.

Advocates’ positionsMany consumer advocates agreed withthe chairman, taking the position thatchoice is illusory when consumers—evenwhen given notice—have no way to fullyunderstand the complicated technologyused to collect information from them,the extent of the data collected, and thevariety of uses and disclosures made ofit, including, sometimes, undisclosedsecondary uses. In their view, no noticecan be sufficient in this context. They alsoargued that regulators and industry havefocused on notice and choice when they

should instead focus on the substance ofinformation practices, i.e., ensuring thatpersonal data is collected and processedfairly. For these reasons, consumer advo-cates largely encouraged reliance on afull set of Fair Information Practices prin-ciples (FIPs) (not just notice and choice)to craft legislation, regulation, or, at least,a regulatory policy framework. In theirview, the FIPs require, among otherthings, opt-in consent to information col-lection and the consumer’s ongoing abili-ty to control how his or her information isused and shared.

Some advocates, such as the WorldPrivacy Forum, also called for the protec-tions of the Fair Credit Reporting Act tobe applied to marketing databases thatare not now subject to FCRA. BCPDirector Vladeck noted that the data bro-ker industry is largely unknown and maywarrant attention; if the commission fol-lows the recommendation of the WorldPrivacy Forum, it would mark a dramaticdeparture from current industry practices.

Industry responseNot surprisingly, industry representativestook an opposing view. They believe thatindustry has provided, and continues towork on ways to improve appropriatenotice, as well as tools that consumerscan use to exercise control over theirdata. They acknowledged the need tocontinue with consumer educationefforts and noted the steps they arealready taking in this direction, particularlythe self-regulatory principles issued bythe DMA and other trade associations inJuly and the development of an icon-based notice regime being developed bythe Future of Privacy Forum.

Moreover, industry representativesstressed that the provision of notice andchoice is more effective than legislation orregulation in meeting consumer needsbecause privacy is a subjective value;some consumers may be willing to relin-quish data in exchange for certain things,such as targeted offers, while others arenot. Because it is extremely difficult todetermine what choices consumers willactually make in any particular context,the industry representatives argued thatthe government should not attempt to

dictate a one-size-fits-all choice on behalfof them. Moreover, the government’sattempt to “protect” privacy in such away would impose significant costs in theform of stifled innovation and the reduc-tion of funding for online content that isnow offered to consumers for free.

What’s the harm?As mentioned above, the commission hasalso relied on a harm-based approach toprivacy, bringing enforcement actionswhen consumers have suffered tangibleharm. Apart from saying that thisapproach has not been as successful asthe commission would like, ChairmanLeibowitz did not directly address thequestion of what harms arise in the priva-cy context and whether they should beactionable.

Comments from BCP DirectorVladeck suggest, however, that the com-mission may be moving away from onlyexercising its authority against tangibleharms. In earlier interviews, he hastaken the position that privacy-relatedharm can occur without tangible injury.Specifically, he has said that “harm”includes not just tangible injury, such asmonetary loss, but also intangible harmssuch as “dignity violations.” Former BCPDirector Howard Beales noted that thereis nothing in the commission’s harm-based approach that says that harmmust be tangible to be actionable, but hecautioned that the harms must be realand articulated. He also stressed that thegovernment must find the most effectiveand least costly way to avoid the harmsit identifies.

Consumer advocates expressedtheir agreement with Director Vladeck’sthinking, saying, for example, thatanonymity is an important social valueand that consumers have the right toknow what data is collected about themand how they are categorized based onthe data. In its written comments to theroundtable, the Center for Democracyand Technology took this a step further byurging the commission to affirm that aviolation of any one of the FIPs results inindividual harm and to use the FTC’sunfairness authority under Section 5 ofthe FTC Act to pursue such violations. If

FTC roundtablecontinued from page 20


Reprinted with permission from Slane Cartoons Limited.

In the Privacy Tracker this month…

Looking back, looking ahead

This month on the Privacy Tracker Web site subscribershave exclusive access to a collaborative article that

forecasts the privacy landscape for the year ahead.Experts provide sector-specific privacy forecasts for 2010.

In addition, the audio archive of the January PrivacyTracker call is now available. The call features a dynamicconversation that looks back at 2009 privacy legislationin 2009 and looks ahead to 2010.

Privacy Tracker keeps you up-to-date on all federal and state privacy legislationwith monthly interactive audio conferences where you can request specificcoverage, weekly e-mails, and a Web dashboard of timely articles and reports.Privacy is the hot bipartisan issue for 2010—subscribe today to keep upwith the latest developments affecting your business.

Try it before you buy it! E-mail us to get a free week-long demo subscription to the Privacy Tracker. [email protected].

www.privacytracker.org


the CDT’s recommendation were tobecome a reality, a company could faceliability for, for instance, “harming” con-sumers by collecting even one elementof data that is more than that “relevant”or “necessary to accomplish a specifiedpurpose” (i.e., violation of the “data mini-mization” principle).

What’s next?As discussed above, Chairman Leibowitzacknowledged the limitations of thecommission’s notice-and-choice andharm-based approaches to privacy. Hesaid that the commission is open to newapproaches and that, over the next sixmonths, it will be working to figure outthe best approach. He did not expressan inclination toward one approach oranother.

In his remarks closing the round-table, BCP Director Vladeck echoed thechairman but also gave a hint that hisviews may be leaning toward regulation.He stated that consumers do not reallyunderstand privacy and that consumerdisclosure as we currently know it doesnot work. He gave a nod to companiesthat are giving consumers better toolsto learn about tracking. At the sametime, he noted that few consumers usethem and wondered whether con-sumers are making bad decisions evenwhen they understand the harms. If thecommission’s approach is shaped by thistheory—e.g., in the form of a trade reg-ulation rule—it will signify a drastic shiftaway from giving consumers the infor-mation they need to make their ownchoices to the government’s makingchoices for them.

Related news

The Federal Trade CommissionImprovements ActIn related news, the FTC ImprovementsAct passed the House of Representativeson December 11, 2009, on a vote of223–202. If it passes the Senate in itscurrent form, the bill will give the commission substantially more power.Specifically, the bill would:

See, FTC roundtable, page 24

THE PRIVACY ADVISOR




• permit the commission to impose civilpenalties for violations of Section 5 ofthe FTC Act, which prohibits unfair anddeceptive acts and practices (currently,it can seek only equitable relief);

• give the commission AdministrativeProcedures Act rulemaking authority,which is far more flexible than its cur-rent rulemaking authority under theMagnuson-Moss Act; and

• expressly permit the commission to pursue cases of secondary liability (i.e.,where a person has provided substantialassistance to another who has violated alaw enforced by the commission).

It is not yet clear how the Senate willreact. The bill has to move through theBanking Committee (the FTC provisionsare just part the Wall Street Reform andConsumer Protection Act), but Senators

on the Commerce Committee may alsobe trying for a seat at the table before thebill goes to the Senate floor—somethingBanking Committee members may resist.Democrats on the Senate CommerceCommittee may be more inclined to sup-port the extension of FTC authority thanthose on the Banking Committee, whichdoes not have jurisdiction over the FTC.

The bill faces substantive hurdles inaddition to the jurisdictional onesdescribed above. Some Democrats areuncomfortable with the underlying billitself, and, of course, many Republicansare uncomfortable with not only the cre-ation of an entirely new agency—theCFPA, which would be created by theWall Street Reform and ConsumerProtection Act—but also such sweepingnew powers being granted to an existingagency (the FTC). There are so manymoving pieces that it’s difficult to predictthe provisions’ chances. In addition, withhealthcare reform consuming so much ofthe Senate’s energy, few expect resolu-tion soon. Nevertheless, this is a very

important bill to watch, given the powersit would confer on the FTC.

D. Reed Freeman, Jr., CIPP, is a partner in Morrison & Foerster’s Privacyand Data Security Group. He focuses onall aspects of consumer protection law,including privacy, data security, andbreach notification, online and offlineadvertising, and direct marketing.

Julie O'Neill, of counsel in theWashington DC office of Morrison &Foerster, counsels clients in all areas ofstate and federal consumer protectionlaw. Ms. O’Neill previously served as astaff attorney in the FTC’s New Yorkregional office, where she investigatedviolations of federal antitrust and con-sumer protection law.

The final roundtable takes place on March 17 in

Washington, DC.

FTC roundtablecontinued from page 23


THE PRIVACY ADVISOR

YOU CANENHANCE YOURRESPONSIVENESS

IBM

and

the I

BM lo

go ar

e reg

ister

ed tr

adem

arks

of I

nter

natio

nal B

usin

ess M

achi

nes C

orpo

ratio

n in

the U

nited

Sta

tes an

d/or

oth

er co

untri

es. O

ther

com

pany

, pro

duct

and

serv

ice n

ames

may

be

trade

mar

ks o

r ser

vice m

arks

of o

ther

s. ©

2008

IBM

Cor

pora

tion.

All r

ight

s res

erve

d. P

2199

5

Governments at all levels face difficult challenges. Economic slowdown. High expectations from key constituents – citizens, businesses,suppliers, employees and other agencies. Escalating costs and budget shortfalls. Security issues. How do you respond? How do youtransform the way you work?

Enter IBM. With a unique combination of privacy and data protection experience, business insight and end-to-end solutions, IBM canhelp your business succeed. Innovate. Grow. Respond in real time. Prepare for tomorrow. You’re ready to differentiate your business.

IBM holds more security and privacy copyrights and patents than any other company. We know what we are doing...now you know too.Why go anywhere else? To learn more about IBM Global Business Services Public Sector’s Security, Privacy, Wireless, & IT Governanceofferings, email us at [email protected].


CANADA

By John Jager, CIPP/C

A look at Bill 54

During the pastyears, a number ofCanadian privacylaws have beenundergoing statuto-ry review. A reviewof the federalPersonal InformationProtection andElectronicDocuments Act(PIPEDA) commenced in the fall of 2006,a review of the Alberta PersonalInformation Protection Act (AB PIPA)commenced in 2007 and a review of theBritish Columbia Personal InformationProtection Act (BC PIPA) began in 2008.

While all of these reviews haveresulted in committee reports to therespective legislatures, only the govern-ment of Alberta has tabled a bill toamend its private-sector privacy legisla-tion. On October 27, 2009, the govern-ment of Alberta introduced Bill 54—Personal Information ProtectionAmendment Act, 2009.

The bill contains an extensive numberof amendments. This dispatch focuses onsome key issues that will impact private-sector organizations going forward.

Breach notification:Bill 54 creates a statutory requirementfor notification when personal informa-tion (PI) is lost or has been subject tounauthorized access or disclosure. Ratherthan creating a mandatory requirementfor organizations to notify affected par-ties, Bill 54 requires that organizationshaving PI under their control must, with-out unreasonable delay, provide notice tothe privacy commissioner of any incidentinvolving the loss of or unauthorizedaccess to or disclosure of the PI, where a

reasonable person would consider thatthere exists a real risk of significant harmto an individual as a result of the loss orunauthorized access or disclosure.

If an organization suffers a loss of orunauthorized access to or disclosure ofPI where the organization would berequired to provide notice to the privacycommissioner, the commissioner mayrequire the organization to notify individ-uals to whom there is a real risk of sig-nificant harm as a result of the loss orunauthorized access or disclosure. Thenotification to affected individuals wouldhave to be in a form and manner as pre-scribed by the regulations, and within atime period determined by the commis-sioner. Under the bill, the commissionermust establish an expedited process fordetermining whether to require anorganization to notify individuals in cir-cumstances where the real risk of signif-icant harm to an individual as a result ofthe loss or unauthorized access or dis-closure is obvious and immediate.

Access requests:Bill 54 includes a number of amend-ments to the sections relating to accessand correction, and includes a numberof clarifications and the reorganization ofsome sections. On the matter of fees,Bill 54 proposes that organizations maynot charge a fee in respect of a requestfor personal employee information.Section 33, which requires organizationsto make reasonable efforts to ensurethat PI is accurate and complete, isamended by adding the words “to theextent that is reasonable for the organi-zation’s purposes in collecting, using, ordisclosing the information.”

Employee personal information:Currently PIPA permits the collection,use, and disclosure of personal informa-tion of employees and prospectiveemployees if the information is to beused for a purpose that is reasonableand related to an employment relation-ship. Bill 54 amends these relevant sec-tions to extend the collection, use, anddisclosure of employee personal infor-mation to the management of the post-employment relationship.

Privacy notice:Bill 54 adds a new section which dealswith notification requirements respectingservice providers outside Canada.Organizations using foreign serviceproviders to collect PI with the consentof an individual must notify the individualof that collection. If the organizationtransfers PI, directly or indirectly, to aservice provider outside Canada, individu-als must be so notified. The notificationsmust be made at or before the collectionor transfer, in writing or orally, and mustinclude how individuals can obtain accessto written information about the organiza-tion’s policies and practices with respectto service providers outside Canada. Thenotification must also include the nameor title of a person who is able to answer,on behalf of the organization, an individ-ual’s questions.

A copy of Bill 54 is available at theAlberta government Web site, or at thefollowing URL: www.assembly.ab.ca/ISYS/LADDAR_files/docs/bills/bill/legislature_27/session_2/20090210_bill-054.pdf.

John Jager, CIPP/C, is vice president ofresearch services at Nymity, Inc., whichoffers Web-based privacy support to help organizations control their privacyrisk. He can be reached at [email protected].

Global Privacy Dispatches

John Jager



“The notifications must be made at or before thecollection or transfer, inwriting or orally…”


FRANCE

By Pascale Gelly

CNIL sanction procedure overruled

by the Court of Appeal

In late 2006, theFrench data protec-tion authority issueda 30,000 euro sanc-tion against InterConfort for improperhandling of objec-tion requests todirect marketing viatelephone. Thesanction followedthe CNIL’s onsite investigation of InterConfort. Inter Confort challenged thissanction decision before the Court ofAppeal (Conseil d’Etat) on proceduralgrounds. The onsite investigation procedural rules set forth by the DataProtection Act and its implementationdecree provide extensive powers to theauthority to access private premises,even outside of business hours, withoutprior warning and without the data controller being present. These powersbeing almost limitless, the court considered that it was essential “forproportionality purposes” to counterbal-ance them by putting them under thecontrol of a judge of the judiciary sys-tem. The court considers this to beachieved by the DP Act insofar as itgives the right to the data controller toobject to the investigation, in whichcase the investigation can occur onlywith the prior authorization of a judge.As defendants must be made aware oftheir rights, the Appeal Court cancelledthe CNIL decision because the authorityfailed to inform the data controller of itsright to object to the investigation.

French senators pursue their goal for

an “enhanced” Data Protection Act

Following their report, Privacy in the Era of Digital Memory: For anIncreased Trust Between Citizens andThe Information Society, two senatorsfiled a bill on November 10 to modifythe French Data Protection Act.

The bill intends to introduce sever-al changes to the law, including require-ments such as:

• mandatory installation of a data protection officer for organizations withmore than 50 employees;

• an obligation to notify the CNIL of datasecurity breaches;

• an obligation for organizations‘ Websites to enable individuals to exercisetheir data protection rights online;

• changing the existing right of objectionto a right of deletion;

• changing the content of privacy noticesto specify the data retention limit;

• publicizing the hearings of the CNIL litigation committee;

• increasing CNIL sanction powers toinclude fines of up to 300,000 eurosand the option to publicize the sanc-tions, even against a “good faith”infringer, so that the CNIL enforce-ment powers will be more efficient.

The senators are also joining the effortsof the French Secretary of State for thedigital economy to work on a “droit àl’oubli”—a sort of right “to oblivion” or,some would say right “to deletion,” aFrench cousin to the right “to be leftalone.” At a November conference atSciencesPo, CNIL President Alex Türkdisclosed very personal informationabout his youth and recruiters present-ed a code of conduct.

www.senat.fr/dossierleg/ppl09-093.html

Calling on call centres

The CNIL announced in mid-Novemberthat it had conducted onsite investiga-tions at two major customer call centres.

The main check was on the security

and confidentiality of customer data col-lected and processed by the call cen-tres. An area of improvement was iden-tified: the need for action logs e.g., whoaccessed what, who modified what andwhen, etc...

Employee-monitoring tools werealso investigated. More onsite “calls”are expected.

www.cnil.fr/la-cnil/actu-cnil/article/arti-cle/2/les-centres-dappel-sous-controle/#

Pascale Gelly of the French law firmCabinet Gelly can be reached at [email protected].

GERMANY

By Flemming Moos

The privacy work programme of

the new German Federal

Government

The newly electedGerman governmenthas set out in acoalition agreementhow it intends togovern during thenext four years.Remarkably, the 124-page documentcontains a specificchapter on privacy issues. The privacywork programme of the new govern-ment focuses on the following issues:

• The law that would allow Germanintelligence agencies to engage inonline surveillance of private comput-ers will remain. However, the “pro-tection of the core area of privatelifestyles,” shall be improved. Thecoalition will await a ruling by theConstitutional Court on the retentionof data before allowing intelligenceagencies to access telecommunica-tions companies‘ data on their cus-tomers’ call details.

See, Global Privacy Dispatches, page 28

Pascale Gelly

THE PRIVACY ADVISOR


“The CNIL announced that it had conductedonsite investigations attwo major customer call centres.”

Flemming Moos


• The government wants to better protect employees from theiremployers spying on them.Employers will be allowed to useonly data that affects the employer-employee relationship. The govern-ment intends to add to the federalGerman Data Protection Act (BDSG)a new chapter on employee privacy.

• Even more, the government strives atan overall modernization of the BDSG.It is intended to make the law morereadable and technology-neutral; alsothe framework for clear and unam-biguous declarations of consent byindividuals shall be improved andexisting information obligations shallbe expanded. In performing this task,the government also wants to exam-ine whether changes can be madewith a view to eliminating superfluousred tape.

• Also, the issue of sharing financial datawith the U.S. seems to be under fur-ther scrutiny. The coalition agreementsays any SWIFT agreement shouldhave a "high level of data protection"and should only be used for the pur-pose for which it was requested.

• The government wants to makegreater use of biometric procedures(passports, identity cards, visas, resi-dence permits) and amend the ActGoverning Passports and Identity

Cards to this end while maintainingdata protection.

• The creation a "foundation on data pri-vacy" is planned. The foundation willtest and certify services and productswith respect to data protection lawcompliance and adherence to the prin-ciples of data avoidance and dataeconomy.

Decision of the Federal Court of

Justice: opt-out consent to postal

advertising

On November 11, 2009, the GermanFederal Court of Justice handed down ajudgment on the privacy aspects of the”HappyDigits” bonus programme. Thecourt held that an opt-out consent byparticipants relating to postal advertis-ing that was included in the registrationform for the programme is compliantwith applicable German data protectionlaw provisions. In this respect, the courtapplied Sec. 4 of the BDSG, accordingto which consent also can be givensimultaneously with other declarations(here, the participation in the bonus programme) in case special prominenceis given to the declaration of consent(e.g. by printing in bold). Interestingly,the court also stated clearly that, in thisrespect, the September 1, 2009 amend-ment of the BDSG has not broughtabout any changes to the law. Rather,also the recently introduced Sec. 28paragraph 3a BDSG shall provide for arespective opt-out solution. It must beborne in mind however, that this is onlytrue for postal advertising. With respectto advertising via telephone, telefax, e-mail, or other electronic means, anopt-in consent is generally requiredunder German law, as the Federal Courtof Justice had earlier declared in its ruling dated July 16, 2008 on the“Payback” bonus programme.

DPA of Berlin: strict approach to

denied person screenings

As already reported in the OctoberIssue of the Privacy Advisor, theDüsseldorfer Kreis adopted a resolutionon privacy aspects of employee screen-ings in April 2009, following a moderate

approach what concerns the overall per-missibility of such screenings. The DPAof Berlin apparently applies a muchstricter approach; according to aninformative letter to other GermanDPAs dated August 31, 2009, he is ofthe opinion that even a usage of thedenied persons lists included in the EURegulations 2580/2001 and 881/2002(which are per se binding in Germany)cannot be justified under German dataprotection law provisions. In particular,the Data Privacy Officer of Berlin criti-cizes that the provisions of these EURegulations are too broad to qualify fora statutory provision that would allowthe usage of the data for screening pur-poses. Moreover, he takes the viewthat the balancing of interest test is infavour of the affected individualsbecause the lists seem to be outdatedand erroneous and in fact the compa-nies would not face any relevant sanc-tions for non-compliance with the appli-cable EU Regulations. It seems doubt-ful whether this approach is in fact inline with the findings and the resolutionof the Düsseldorfer Kreis. Anyhow, it isrecommendable for German businessesto consult with the competent DPAbefore introducing a denied personscreening system in Germany.

Flemming Moos is an attorney at DLA Piper and the chair of the IAPPKnowledgeNet in Hamburg, Germany.He is a certified specialist for informa-tion technology law and a former member of the IAPP PublicationsAdvisory Board. He can be reached [email protected].

Global Privacy Dispatchescontinued from page 27



“The creation of a founda-tion on data privacy isplanned. The foundationwill test and certify servic-es and products withrespect to data protectionlaw compliance…”

“It seems doubtfulwhether this approach is in fact in line with the findings and the resolution of theDusseldorfer Kreis.”


THE PRIVACY ADVISOR


FEBRUARY

4 Université AFCDP des

Correspondants Informatique

& Libertés

Paris, Francewww.afcdp.net

11 IAPP KnowledgeNet – Paris

16 IAPP KnowledgeNet –

Hamburg

24 IAPP Certification Testing –

Columbus, OH


New York, NY


Victoria, BC


St. Paul, MN

MARCH

16 IAPP Tenth Anniversary

Celebration

Washington, DC/Various other

locations via telecastwww.privacyassociation.org

17 FTC Privacy Roundtable

FTC Conference CenterWashington, DC

APRIL

19-21 IAPP Global Privacy Summit

Washington, DCwww.privacysummit.org


Washington, DC

MAY

2-8 APPA Privacy Awareness Weekwww.privacyawarenessweek.org

26-28 IAPP Canada Privacy

Symposium 2010

Toronto, ON

JUNE

14-15 IAPP Practical Privacy Series

Santa Clara, California

SEPTEMBER

29-1 IAPP Privacy Academy

Baltimore, MDwww.privacyacademy.org

30 Privacy Dinner

Baltimore, MDwww.privacyassociation.org

OCTOBER

27-29 32nd International Conference

of Data Protection and Privacy

Commissioners

Jerusalem, Israel

DECEMBER

7-8 IAPP Practical Privacy Series

Washington, DCwww.privacyassociation.org

Calendar of Events

To list your privacy event in the PrivacyAdvisor, e-mail Tracey Bentley [email protected]

Privacy News

European legislative update

Linklaters has released its 2009/2010 edition ofLinklaters’ Data Protected , a summary of

European data protection legislation. The updatedreport includes reviews of data protection legisla-tion in all Member States, European EconomicArea States (Iceland, Liechtenstein, and Norway),and Switzerland and Russia.

The update reflects major changes to dataprotection laws in Germany, and new contentincluding questions on the formal requirementsfor consent and Linklaters' proposals for thereform of the Data Protection Directive.

www.linklaters.com/pdfs/extranet/DataProtected/2009_2010.pdf

ONC names privacy, security

workgroup members

The Office of the National Coordinator for Health IT named 17 to the Health IT Policy Committee privacy and security

workgroup in December.

The members are as follows:

• Deven McGraw, Chair, Center for Democracy & Technology

• Rachel Block, Co-Chair, NYS Department ofHealth

• Paul Tang, Palo Alto Medical Foundation

• Latanya Sweeney, Carnegie Mellon University

• Gayle Harrell, Consumer Representative/Florida

• Mike Klag, Johns Hopkins University, Public Health

• Judy Faulkner, Epic, Inc.

• Paul Egerman, Consultant

• Dixie Baker, SAIC

• Paul Uhrig, SureScripts

• Terri Shaw, Children’s Partnership

• John Houston, University of PittsburghMedical Center

• Joyce DuBow, AARP

• A. John Blair, MD, Provider

• Peter Basch, MD, Provider

• Justine Handelman, Blue Cross Blue Shield

• Dave Wanser, National Data InfrastructureImprovement Consortium

• Kathleen Connor, Microsoft


Privacy pros gathered at the WillardInterContinental Hotel for the two-day Practical Privacy Series event inearly December. Day one exploredthe role of the Federal TradeCommission in consumer privacyprotection. Day two focused on newdimensions in government privacy:cookies, clouds, and collaborativecomputing.

Scenes from the IAPP Practical Privacy Series in Washington, DC.

Left: FTC Bureau ofConsumer ProtectionDirector David Vladeck (left)opened the day-one event“The Role of the FTC inConsumer PrivacyProtection.” Bob Belair ofOldaker Belair & Wittie LLPlistens.




Top: On day two, attendees explorednew dimensions in government privacy. Greg Dupier of Booz AllenHamilton, Lewis Oleinick of theDefense Logistics Agency, PeterFleischer of Google, and consultantRobert Gellman lead the session“Perspectives on Cloud Computing.”

Right: Robert Clark (standing), theoversight and compliance officer forthe Office of DHS AssistantSecretary for Cybersecurity andCommunications elicits a laugh fromRick Aldrich, a Booz Allen Hamiltoncontractor, during the session“Banners, Notices and MOAs: Whatthe National Cybersecurity StrategyMeans for Your Agency.”

THE PRIVACY ADVISOR


Despite wet weather and trying travel conditions, the room was full.

Privacy News

• Bojana Bellamy, Director of Data Privacy,Accenture

• Ruth Boardman, Partner, Bird & Bird

• Gary Davis, Deputy Commissioner, Office of theData Protection Commissioner, Ireland

• Rafael Garcia Gozalo, Head of the InternationalDepartment, Spanish Data Protection Authority

• Pascale Gelly, Cabinet Gelly, AFCDP BoardMember

• Sue Gold, Executive Counsel, The Walt DisneyCompany Limited

• Christoph Klug, Managing Director, GermanAssociation for Data Protection and Data Security(GDD)

• Gabriela Krader, Data Protection Officer, Deutsche Post

• Christopher Kuner, Partner, Hunton & Williams

• Denise Lebeau-Marianna, Partner - Avocat à lacour, ITC Department, Baker & McKenzie SCP

• Xavier Leclerc, Vice President AFCDP, ManagingDirector Axil-Consultants

• Neil Matthews, UK Privacy Officer, Acxiom Limited

• Rocco Panetta, Partner, Panetta & Associati –Studio Legale

• Florence Raynal, Head of International andEuropean Affairs of the CNIL

• David Smith, Deputy Commissioner, InformationCommissioner’s Office, United Kingdom

• Toby Stevens, Director, Enterprise Privacy Group

• Florian Thoma, Chief Data Protection Officer,Siemens

• Richard Thomas CBE LLD, Centre for InformationPolicy Leadership, Hunton & Williams LLP

• Henriette (“Jetty”) Tielemans, Partner, Co-Chair ofthe Global Privacy and Data Security Group,Covington & Burling LLP

• Bridget Treacy, Partner, Hunton & Williams

• Eduardo Ustaran, Partner and Head of the Privacyand Information Law Group, Field FisherWaterhouse LLP

New IAPP Europe

Board members

The IAPP has announced newmembers for its European

Advisory Board. Privacy experts froma variety of government and industrysectors will help inform the expan-sion of IAPP Europe, which waslaunched in November to provide tai-lored education, networking, and cer-tification opportunities for Europeandata protection professionals.

New IAPP Europe board members


Congratulations, Certified Professionals!

Periodically, the IAPP publishes the names of graduates from our various privacy credentialing programs. Whilewe make every effort to ensure the currency and accuracy of such lists, we cannot guarantee that your name willappear in an issue the very same month (or month after) you officially became certified.

If you are a recent CIPP, CIPP/G or CIPP/C graduate but do not see your name listed above then you can expect tobe listed in a future issue of the Advisor. Thank you for participating in IAPP privacy certification!

John Patrick Ahern, CIPP/GLalit Kumar Ahluwalia, CIPP

Ann Allinson, CIPP Joan Susan Antokol, CIPP

Julian Appel, CIPP/ITJennifer Carroll Archie, CIPP

Asif Arman, CIPPBrian W. Arney, CIPP/IT

Wayne Joeseph Bate, CIPP/CEssie Louise Bell, CIPP/GKevin Charles Boyle, CIPP

Margaret Kathleen Bramwell, CIPPJane L. Braun, CIPP/IT

William B. Brinkley, CIPP/GMark A. Brown, CIPP/GPamela S. Bruce, CIPP

James Lesley Bryant, CIPPGerald Burton, CIPP/G

Edward Allen Byrd, CIPPSang Kyung Byun, CIPP

Colin Alexander Campbell, CIPP/ITKerey L. Carter, CIPP/G

Debra Marie Castanon, CIPP/ITRuben D. Chacon, CIPP

Darren Curtis Chin, CIPP/C

Mithin Jay Chintaram, CIPPChristopher Joel Clancy, CIPPPatrick Michael Clary, CIPP

Maureen Ann Clements, CIPPKelly Hugh Cook, CIPP/GBrett Joseph Croker, CIPPLaquawn M. Curry, CIPP/G

Ania Magdalena Czyznielewska, CIPP Lina D'Aversa, CIPP/C

Lashaunne Graves David, CIPP/GDaryl Edward Davis, CIPP/GHelene Demoulin, CIPP/IT

Sophie Dessalle, CIPP Marsha L. Devine, CIPP/G

Roderick Wayne Duff, CIPP/GJacquelyn Louise Dutcher, CIPP

Joanne Easdow , CIPP/CKristen Marie Ellis, CIPP/G

James Vincent Episcopio, CIPPAnthony C. Escobedo, CIPP/G

Brian DuPerre, Esq., CIPPTraci Lynne Ewers, CIPP/GKelly Frances Farmer, CIPP

Meghan Kathleen Farmer, CIPP/GMichael Joseph Ferguson, CIPP/C

LeRoy Elliot Foster, CIPP/ITStephen Todd Fraley, CIPP

Marc Gagne, CIPP/C Ronald Paul Gandy, CIPP

Cheri Gatland-Lightner, CIPP/GKathryn Gillia, CIPP

Scott Matthew Giordano, CIPP/ITMark Henry Goldstein, CIPP John G. Goodson, CIPP/GConnie Ann Graham, CIPP

Philip McKinley Greene, CIPP/ITWilliam Edward Growney, CIPP

Wayne Lee Gustafson, CIPPSheila A. Guthrie, CIPP/CCynthia Ann Gutz, CIPP

Brian Douglas Hall, CIPPMindy Ayn Harbeson, CIPPMary Louise Harter, CIPP/IT

Tammy A. Hastie, CIPP/CSari Lyn Heller Ratican, CIPP

Jacob J. Herstek, CIPPGregory Robert Hewes, CIPP/ITElizabeth Susan Hidaka, CIPP

Travis James Hildebrand, CIPP/GGeorges Houde, CIPP/IT

The IAPP is pleased to announce the latest graduates of our privacy certification programs. The followingindividuals successfully completed IAPP privacy certification examinations held in fall and winter 2009.


www.privacyassociation.org32


Gretchen Kreller Hiley, CIPPCarolyn Cunnold Holcomb, CIPP

Gail A. Horlick, CIPP/GAmy J. Howe, CIPP/G

Max Montgomery Howie, CIPP/GAlan Andrew Isham, CIPP/IT

Keith Alan Jantzen, CIPP Carol Anne Jaques, CIPP/C

Myrl B. Jowell, CIPP/GAlbert King, CIPP/G

Catherine Sansum Kirkman, CIPP/GFelicia P. Kittles, CIPP/G

David H. Knowles, CIPP/GVava Kolinski, CIPP/CLinda Komperda , CIPP

Andrew Brian Lachman, CIPP/GJames Lai, CIPP

James Michael Laskowski, CIPPGigi Waitsz Leung, CIPP/IT

Greg Levine, CIPP/GThomas P. Levis, CIPPRyan Kyle Liu, CIPP

Marc S. Loewenthal, CIPPKenneth W. Long, CIPP/G

Raymond Lopez, CIPPElena Antoinette Lovoy, CIPP/C

Victor A. Loy, CIPP/ITKevin Lyday, CIPP/G

John David Macias, CIPP/GThomas Patrick Madden, CIPP/G

Kelly Marie Matoney, CIPP/GLester Masao Mayeda, CIPP/ITMatthew David McAllister, CIPP

Brian McKay, CIPPSam D. Monasteri, CIPP/ITCarlos Mondesir, CIPP/C

Robert James Morgan, CIPPTimothy W. Morrison, CIPP

Mehmet Munur, CIPPPolly J. Nelson, CIPP

Julie Hua Ni, CIPPBrian Christopher Nicholson, CIPP/G

Jennifer Nikolaisen , CIPP/GVictoria Barbara Ocholla, CIPP

Charles R. Offer, CIPP/IT

Michael Robert Overly, CIPPSylvia Ortega , CIPPRay Pathak, CIPP/C

James David Pearson, CIPP/GCecil Francis Pineda, CIPP

Claudiu Popa, CIPPKaren C. Powell, CIPP

Marion A. Reeves, CIPP/GJeanne Marie Robinson, CIPP

Michele L. Robinson, CIPPSusan Loraine Rohland, CIPP/C

Nicole Marie Rosen, CIPP/ITGlenn Ross, CIPP/C

K Roal, CIPPAnita L. Sandmann-Hill, CIPP/G

Carla Scher , CIPP/ITVineet R. Shahani, CIPP

Ramachandra Kudgi Shenoy, CIPP Inamullah Siddiqui, CIPP

Ryan Thomas Smyth, CIPPDavid Michael Sutton, CIPP/C

Angela Swan, CIPP/ITGray E. Terry, CIPP

Elliott Caleb Tomes, CIPP/GKatharine Tomko, CIPP

Robert Thomas Traver, CIPP/ITSherri Trip , CIPP/IT

John Laurence Trotti, CIPPWilliam A. Turner, CIPP/CMary E. Vansickle, CIPP/CRalph S. Vaughn, CIPP/G

Danny Lamonte Wade, CIPP/GCarol Elaine Waller, CIPP/GJacquay D. Waller, CIPP/G

Terry Wang, CIPP/GDouglas Keith West, CIPP/G

Laurene West, CIPPJeff Wilson, CIPP

Alexander Windel, CIPP/ITJeffrey Yarges, CIPP

Clark Kiyoshi Yogi, CIPP/ITSabiha Gulshan Zafar, CIPP/G

Paola Zeni , CIPP


PRIVACY


Businesses will continue

to push for new tech-

nologies such as “cloud com-

puting” and increasing use of

mobile technologies, which

will put pressure on privacy

professionals to understand

the implications of these new

and rapidly evolving technolo-

gies. Business will continue

to grapple with the implica-

tions of social networking

applications as they relate

to privacy and by the end of

2010 there will be first-

generation products on the

marketplace focused on

helping business monitor

and control such products.

Regulation will continue to

become more complex and

prescriptive in an attempt to

address privacy breaches.

The accountability for privacy

in situations where a process

has been outsourced/off-

shored will come under

scrutiny in 2010 as the result

of a major breach some-

where in the world. The U.S.will move closer to a national

privacy/data security law,

but will fail to obtain a

federal DPA.

—Jeff Green, CIPP/C, Vice President, Global

Compliance & Chief PrivacyOfficer, RBC




By Luis Salazar, CIPP, and Jorge Rey

A group of South Florida IAPP membersbraved the winter elements—blue skies,sunshine, warm temperatures—toattend a KnowledgeNet meeting inMiami in December. Jorge Rey led theinteractive session on the apropos topic:Privacy Resolutions.

Although attendees represented awide range of industries—pharma, bank-ing, education, professional services,and more—all shared remarkably similarconcerns and goals. Here are their topresolutions (in reverse order).

10. Perform internal/external penetra-

tion and social engineering testing

No matter the industry, all participantsagreed that “knowing” is a critical partof the privacy battle. And while IT secu-rity weaknesses remain critical, good-ole fashioned social engineering is amajor concern, especially in these diffi-cult financial times. Rey, in particular,advised that simply testing employeesand testing their compliance with securi-ty measures is critical. Will the helpdesk release passwords? Will a recep-tionist divulge crit-ical employeenames?

“People canviolate privacyprotocols justbecause they areeager to help andbe service-orient-ed,” offered LindaClark, CIPP, anddirector and sen-ior corporatecounsel atLexisNexis. “Weteach employeesto be aware ofsocial engineeringand provide guid-ance on how torespond in certainsituations—something like ‘at

Lexis we value privacy, and I can’t dis-close the information that you are ask-ing for’—to help them comfortably andpolitely refuse such requests.”

9. Assess and update legal agreements

and vendor due-diligence procedures

Like losing weight or eating right, this isone of those resolutions that everyoneundertakes each year, but often findsnearly impossible to actually carry out tothe level they would like. OdelinFernandez, Jr. (Odie to his friends), whomanages the vendor program as opera-tions and technology risk supervisor atMercantil Commercebank, noted that“making sure vendors’ contracts are up-to-date on changing requirements, audit-ing vendor requirements, plus conduct-ing due diligence on potential vendors istime consuming and often frustrating,but it’s an absolutely essential compli-ance step. So often, vendors are theweak link.”

8. Assess and update marketing

programs to maintain privacy

compliance

Two concerns drove this resolution: theevolving nature of behavioral marketingand the need to limit data intake. CAN-SPAM, behavioral marketing, and eventhe revised product endorsement guide-lines concern South Florida privacy pro-fessionals. But for David Vance, seniordirector and compliance counsel forNoven Pharmaceuticals, avoidingunwanted data intake is critical.

“Noven does promote some pre-scription products direct to customers,”said Vance. “And even inadvertent intakeof information can potentially subjectthe company to healthcare privacy lawsand regulations. So, like other pharma-ceutical companies, we maintain safe-guards against consumers sending uspersonal medical information—evenwhen we don’t ask for it. We also makesure that vendors that must use somepersonal medical information to adminis-ter patient assistance programs or co-pay voucher programs, do not share that

10 New Year’s privacy resolutions

Jorge Rey

Luis Salazar

PRIVACY


Privacy and data protectionin Australia and NewZealand, 2010

Legislation to implement sub-

stantial proportions of the ALRC

report on privacy, as set out in the

Federal Government Response of

October 2009, will be introduced

into Parliament in the first half of

2010 but may not be passed before

the next federal election, delaying

its final enactment until 2011. The

federal government will announce

its response to the remainder of

the ALRC report after the federal

election, likely to be held in the

second half of 2010. Significant

progress will be made in introduc-

ing electronic health identifiers for

all Australians and providing them

with additional legal protection.

A number of initiatives to connect

electronic health information for

clinical purposes will emerge, con-

necting the significant repositories

already developing in individual

hospitals and medical practices.

The New Zealand Law Commission

will make significant progress with

its inquiry into privacy law in New

Zealand. Banking and other sectors

of the economy will make a signifi-

cant push into mobile transactions.

The iappANZ will hold another

highly successful annual confer-

ence later in the year.

Malcolm Crompton, CIPP,Managing Director, Information

Integrity Solutions P/L


THE PRIVACY ADVISOR


information with us. If a consumerwants to report an apparent adverseevent, however, we of course take thatvery seriously.”

7. Hire information security and/or

privacy professionals

It should come as no surprise given thecurrent economic climate that all of themeeting’s participants are running verylean privacy programs. Yet many aretasked with handling a wider variety ofresponsibilities than they have in thepast. “Everyone is happy to beemployed these days, but it is equallyimportant to have the right people in theright position,” noted one.

Thus this key resolution: Hire theright personnel to address critical prob-lems. Perhaps an unspoken resolution isneeded: Get more money and resourcesfor privacy.

6. Perform a privacy and/or

information security compliance due

diligence for current vendors

Sure, vendors sign contracts agreeing to comply with privacy laws and procedures, but are they really doing it?One attendee voiced a common con-cern: “Too often it seems as if vendorswill say and agree to anything to get the business, but actual execution isanother thing.”

Auditing and spot-checking are indispensible methods of making surethat vendors are in compliance. All attendees resolved to make this one of their top tasks for 2010.

5. Perform internal privacy and infor-

mation security compliance audits

Measuring performance is crucial tomanaging it, and privacy is no different.All participants agreed that living up tothis resolution requires covering someaudit basics, namely “what’s in scope,what’s not?”

But at perhaps the other extreme,simply creating some “self-checklists”to educate employees and raise privacyawareness is remarkably effective,”noted Todd Sussman, privacy officer forthe Broward County Florida PublicSchool System.4. Implement technologies to prevent

data leakage

If it weren’t for budget constraints, thisresolution would probably top the list.Be it e-mail encryption, electronic shred-ding, or data-leakage software, rollingout robust technology is somethingevery privacy professional wants to do.

3. Develop specialized privacy and/or

information security training

Like learning a new language or travel-ling abroad, this is another one of thoseresolutions that everyone makes butoften struggles to carry out. Attendeesnoted resource constraints, especially,as part of the challenge. But work forceresistance doesn’t help. “Training the C-Level is a big challenge,” noted onemember. “They often present the great-est risk, but are the shortest on timeand desire.”

Attendees resolved to focus ondeveloping the “right” training, alongwith creative means for capturing attention and attendance.

2. Create/update an accurate

inventory of information assets and

supporting technologies

All attendees resolved to undertake a step-by-step analysis to identify allinformation assets, along with existingand desired resources, to defend themand keep them private. Once again,given resource constraints brought onby the economic recession, it is more

See, 10 privacy resolutions, page 36

Password insecurity

Researchers found that the topfive most-popular passwords ofone million users of a social networking site are 1) 123456 2) 12345 3) 123456789 4) password, and 5) iloveyou, leading one CTO to comment that humans might have a geneticflaw that prevents them fromchoosing strong passwords.

Source: New York Times

Weaning off the Web

The South Korean government hasestablished Internet Rescuecamps to treat individuals whohave developed online addictions.Two-week intensives led byInternet addiction counselors havehelped youths wean themselvesoff the Web. Treatment includesactivities intended to recapturechildhood lost to virtual environ-ments, such as outdoor activities.

Source: Frontline

10 million addicts

In China, an estimated 10 to 14percent of adolescent Internetusers qualify as “addicted” to the Internet. That’s about 10 million teens.

Source: Frontline

“Auditing and spot-checking are indispensi-ble methods of makingsure that vendors are in compliance. All attendees resolved tomake this one of theirtop tasks for 2010.”


IAPP members:

Does your organization offerfree or discounted products orservices to other IAPP members?

If so, let them know!

Advertise at a DISCOUNTED RATEhere in our new member-to-memberbenefits section.

MEMBER to MEMBER Benefit

Contact Wills Catling [email protected] +1.207.351.1500, ext. 118

MEMBER to MEMBER Benefit enefit

IAPP members:

ganization ofDoes your oree or discounted prfr

vices to other IAPP members?ser


tise at a Advere in our new memberher

ferganization ofoducts oree or discounted pr

vices to other IAPP members?


DISCOUNTED RATE-to-membere in our new member

e in our new memberherbenefits section.

Contact wills@pror +1.207.351.1500,

-to-membere in our new memberbenefits section.

ills Catling atWContact gassociation.oracyviiwills@pr

118ext..+1.207.351.1500,,


36

important than ever to understandwhat’s at stake.

1. Implement and/or update the

privacy risk management program

Everyone agreed that a new year callsfor a fresh look at the “risk” programs.Having obtained a good inventory ofinformation assets and defenses, a goodrisk analysis is the natural next step. “A good risk-management program isparticularly essential in these lean economic times,” noted one participant.“Businesses need to get the biggestbang for their buck.”

Personal resolutions

On a personal level, each participatingmember resolved to take care of theirown identities, too. Topping the “person-al” resolutions were: shredding all mailand sensitive documents before they

end up in the trash; getting a lock forthe home mailbox; and signing up forfraud alerts.

Keeping resolutions

Only time will tell whether these resolu-tions fall by the wayside in the face oflimited resources, limited time, and com-

peting demands. But the old saying isthat “if you aren’t careful, you’ll end upexactly where you are headed.” So, ifanything, setting resolutions is as muchabout correcting course as fully meetingeach resolution.

Luis Salazar is a shareholder in theGreenberg Traurig Miami office and amember of the firm’s BusinessBankruptcy and ReorganizationDepartment and Data Privacy andSecurity Law Task Force. He is a mem-ber of the IAPP Publications AdvisoryBoard. He can be reached [email protected].

Jorge Rey is a manager at Florida-basedKaufman, Rossin & Co., one of the topaccounting firms in the Southeast regionin. He provides consulting services in ITSecurity, Information Management, ande-Discovery. He can be reached [email protected].

10 privacy resolutionscontinued from page 35

www.privacyassociation.org

“A good risk-manage-ment program is particularly essential inthese lean economictimes. Businesses needto get the biggest bangfor their buck.”
