why are more companies joining the u.s. - eu safe harbor ...ing shadows of ever-tightening security...
TRANSCRIPT
Establishing an annual privacy risk assessment process toidentify new or changed risks to personal information isa key enhancement to Generally Accepted Privacy
Principles (GAPP). GAPP is an internationally recognized priva-cy framework developed by the American Institute of CertifiedPublic Accountants (AICPA) and the Canadian Institute ofChartered Accountants (CICA).
“An annual risk assessment is critical to understanding the privacy risks within an organization,” said Everett C.Johnson, CPA, chair of the AICPA/CICA Privacy Task Force anda past international president of ISACA. “Once those risks areidentified and assessed, the organization can then take the
The U.S. Department of Commerce (U.S. DOC) recentlyheld its 2009 International Conference on Cross BorderData Flows & Privacy in Washington, DC. The U.S. DOC
announced at the conference that an increasing number ofcompanies are choosing to self-certify compliance with theU.S.-EU Safe Harbor Privacy Framework (Safe Harbor). Everymonth, approximately 50 companies file initial self-certificationsto the Safe Harbor, and approximately 150 companies submitannual re-certifications. More than 50 percent of the compa-nies in the Safe Harbor have joined during the past two years.At present, there are more than 2,100 companies included onthe U.S. DOC’s Safe Harbor list. Placed in context, this means
that more companies join Safe Harbor in a single month thanthe total number of companies that have obtained approval forbinding corporate rules to date (as discussed later, such bindingcorporate rules are another key approach to cross-border datatransfers).
AICPA and CICA update
Generally Accepted Privacy
Principles
By Nancy A. Cohen, CPA.CITP, CIPP, and Nicholas F. Cheung, CA, CIPP/C
See, U.S. - EU Safe Harbor, page 4
This Month
The year ahead: privacy predictions 2010............................. 3
Managing global data privacy ...............… 14
Privacy and pandemic planning.................. 15
The Lisbon Treaty and data protection....... 17
New international privacy principles for lawenforcement and security ........................... 18
FTC privacy roundtable signals policy shift ................................................... 20
Global Privacy Dispatches .......................... 26
Calendar of events ...................................... 29
Privacy news................................................ 29
Surveilled..................................................... 30
10 privacy resolutions................................. 34
Why are more companies joining the U.S. - EU Safe Harbor
privacy framework?
By Brian Hengesbaugh, Michael Mensik, and Amy de LaLama of Baker & McKenzie LLP
See, GAPP update, page 10
Brian Hengesbaugh Michael Mensik Amy de La Lama
Nancy A. Cohen
Nicholas F. Cheung
This story originated as a Baker & McKenzie LLP NorthAmerica Global Privacy Client Alert and is republished herewith permission
110561_Advisor_Document 3 2/17/10 2:54 PM Page 1
THE PRIVACY ADVISOREditorKirk J. Nahra, CIPP, Wiley Rein [email protected]+202.719.7335
Publications DirectorTracey [email protected]+207.351.1500
The Privacy Advisor (ISSN: 1532-1509) is published bythe International Association of Privacy Professionalsand distributed only to IAPP members.
ADVISORY BOARD
Miranda Alfonso-Williams, CIPP, CIPP/IT, Global PrivacyLeader, MDx GE Healthcare
Nathan Brooks, CIPP
Kim Bustin, CIPP/C, President, Bustin Consulting Limited
Debra Farber, CIPP, CIPP/G, Privacy Officer, The AdvisoryBoard Company
Benjamin Farrar, CIPP, Manager, Privacy Team, Quality &RM, Ethics & Compliance, Ernst & Young LLP
Steven B. Heymann, CIPP, VP, Compliance andInformation Practices, Experian
Michael Kearney, Student/Research Assistant, William& Mary School of Law
Jim Keese, CIPP, Global Privacy Officer, VP Records &Information Mgmt, The Western Union Company
Stephen Meltzer, CIPP, Privacy and Corporate Counsel,Meltzer Law Offices
David Morgan, CIPP, CIPP/C, Privacy Officer-SecondaryUses, Newfoundland and Labrador Centre for HealthInformation
Dan Ruch, Privacy and Data Protection Consultant, KPMG
Luis Salazar, CIPP, Partner, Infante, Zumpano, Hudson &Miloch, LLC
Heidi Salow, CIPP, Of Counsel, DLA Piper
Julie Sinor, CIPP, Information Management Consultant,PricewaterhouseCoopers, LLP
Eija Warma, Associate Attorney, Castren & SnellmanAttorneys Ltd
Frances Wiet, CIPP, Chief Privacy Officer, HewittAssociates LLC
To Join the IAPP, call:+800.266.6501
Advertising and Sales, call:+800.266.6501
PostmasterSend address changes to:IAPP170 Cider Hill RoadYork, Maine 03909
Subscription PriceThe Privacy Advisor is an IAPP member benefit.Nonmember subscriptions are available at $199 per year.
Requests to ReprintTracey [email protected]
Copyright 2010 by the International Association ofPrivacy Professionals. All rights reserved. Facsimilereproduction, including photocopy or xerographic reproduction, is strictly prohibited under copyright laws.
Looking forward and back
Rewind 10 years. Social networking involvedthe spoken word, smart phones were less intel-
ligent, and nobody “noticed” when there was asecurity breach. And a handful of people gatheredaround the idea that the emerging role of privacywithin organizations needed a bit more networkingand collaborative education. The IAPP was born.
In the months ahead we will look back over the 10 remarkableyears that have shaped our profession, so far. To kick off the yearlonganniversary celebration, we’ll come together in Washington, DC andat telecast locations around the world to share memories and to lookahead to future decades with the release of our report The RoadAhead: The Next-Generation Privacy Professional. We hope you willjoin us for what is bound to be a memorable milestone.
Not everything is worth remembering, but in today’s world ofhyper-connectivity, massive data flows, and cheap storage, we canrelive faded memories at the click of a mouse. The affect of this near-perfect memory on human processes such as forgiving and healing has been an area of study for Viktor Mayer-Schönberger, aninformation governance scholar who says the act of ‘forgetting’ has asocial value that could be in jeopardy. Mayer-Schönberger is theauthor of Delete: The Virtue of Forgetting in the Digital Age. He willjoin us at the upcoming Global Privacy Summit in April to discuss this and the concept of ‘data expiration dates.’
Also joining us at Summit will be Dan Ariely. Ariely is a behavioral economist and the author of Predictably Irrational: TheHidden Forces That Shape Our Decisions. Why consumers do whatthey do with their data is a question at the very heart of our work inthe privacy field. Ariely will shed light on this and other humanbehaviors that relate to privacy and data protection. We look forwardto seeing you there.
We also look forward in this issue of the Privacy Advisor, withexperts’ forecasts for the year ahead. We hope you enjoy the issue andhope to see you at upcoming events.
J. Trevor Hughes, CIPPExecutive Director, IAPP
Notes From the Executive Director
January-February • 2010
2 www.privacyassociation.org
110561_Advisor_Document 3 2/17/10 2:54 PM Page 2
170 Cider Hill RoadYork, ME 03909 Phone: +800.266.6501 or +207.351.1500Fax: +207.351.1501Email: [email protected]
The Privacy Advisor is the official newsletter of the InternationalAssociation of Privacy Professionals. All active associationmembers automatically receive a subscription to The PrivacyAdvisor as a membership benefit. For details about joining IAPP,please use the above contact information.
BOARD OF DIRECTORSPresidentNuala O'Connor Kelly, CIPP, CIPP/G, Chief Privacy Leader &Senior Counsel, Information Governance, General ElectricCompany, Washington, DC
Vice PresidentBojana Bellamy, LLM, Director of Data Privacy, Accenture,London, UK
TreasurerJeff Green, CIPP/C, VP Global Compliance & Chief PrivacyOfficer, RBC, Toronto, ON, Canada
SecretaryJane C. Horvath, CIPP, CIPP/G, Senior Global PrivacyCounsel, Google Inc., Washington, DC
Past PresidentJonathan D. Avila, CIPP, Vice President - Counsel, ChiefPrivacy Officer, The Walt Disney Company, Burbank, CA
Executive Director, IAPPJ. Trevor Hughes, CIPP, York, ME
Allen Brandt, CIPP, Corporate Counsel, Chief Privacy Official,Graduate Management, Admissions Council, McLean, VA
Agnes Bundy Scanlan, Esq., CIPP, Chief Regulatory Officer, TDBank, Boston, MA
Malcolm Crompton, CIPP, Managing Director, InformationIntegrity Solutions Pty/Ltd, Chippendale, Australia
Stan Crosley, Esq., CIPP, Partner, Co-Director, Indiana U. Centerfor Strategic Health Information Provisioning, Indianapolis, IN
Dean Forbes, Senior Director Global Privacy, Schering-PloughCorporation, Kenilworth, NJ
D. Reed Freeman, Jr., CIPP, Partner, Morrison & Foerster, LLP,Washington, DC
Sandra R. Hughes, CIPP, Global Ethics, Compliance and PrivacyExecutive, The Procter & Gamble Company, Cincinnati, OH
Alexander W. Joel, CIPP, CIPP/G, Civil Liberties ProtectionOfficer, Office of the Director of National Intelligence,Bethesda, MD
Brendon Lynch, CIPP, Senior Director, Privacy Strategy,Microsoft Corporation, Redmond, WA
Lisa Sotto, Esq., Partner, Hunton & Williams LLP, New York, NY
Scott Taylor, Chief Privacy Officer, Hewlett-Packard, Palo Alto, CA
Florian Thoma, Chief Data Protection Officer, Siemens,Munich, Germany
Richard Thomas CBE LLD, Centre for Information PolicyLeadership, Hunton & Williams LLP, Surrey, UK
Brian Tretick, CIPP, Executive Director, Advisory Services, Ernst& Young, McLean, VA
Ex Officio Board MemberKirk J. Nahra, CIPP, Partner, Wiley Rein LLP, Washington, DC
THE PRIVACY ADVISOR
International Association of Privacy Professionals 3
THE YEAR AHEAD:
At the end of each year, the Privacy Advisor polls professionals worldwide tofind out what they see in the year ahead for privacy and data protection. Inthis first issue of 2010, we present their forecasts. We begin with that ofCanadian Privacy Commissioner Jennifer Stoddart. Commissioner Stoddart isentering her seventh and final year as Privacy Commissioner of Canada. In2009 her office made worldwide waves with its unprecedented investigationinto the privacy policies and practices of social networking giant Facebook.Her office will continue to monitor the privacy practices of social networkingsites in the year ahead, in addition to other areas she anticipates will com-mand attention.
Here is Commissioner Stoddart’s forecast. See more 2010 predictionsthroughout the newsletter.
PREDICTIONs for privacy and data protection in Canada, 2010
In 2010, Canada’s privacy landscape will be painted in
many of the same hues and textures familiar to
Americans and others around the globe—the disquiet-
ing shadows of ever-tightening security measures, the
striking, often puzzling, palette of bold new consumer
technologies. And, dawning over the horizon, are unset-
tling new ways to extract even the most personal of
information from the genetic material of human beings.
Focused as we are on helping Canadians protect
the integrity of their identities, my office will continue to advance our long-
standing efforts to hold social networking sites accountable for the personal
information entrusted to them by Canadians. While British Columbia hosts
the world at the 21st Winter Olympics, we will be monitoring the privacy
implications arising from a mounting array of national security initiatives.
Biometrics and genetic technologies pose other privacy challenges of con-
cern to us. And emerging information technologies, such as cloud computing
and the tracking, profiling, and targeting of consumers by business, will
become major focuses of interest as the year unfolds.
The need for consistent and enforceable global privacy standards has
never been more important. We will continue to participate in the interna-
tional dialogue, which will continue to intensify.—Jennifer Stoddart
Privacy Commissioner of Canada
PRIVACY
-2010-2010PREDICTIONS
110561_Advisor_Document 3 2/17/10 2:54 PM Page 3
Why are increasing numbers ofcompanies joining the Safe Harbor?What factors cause companies tochoose Safe Harbor over other approach-es to addressing cross-border data trans-fer restrictions? This article exploressome of the drivers for an increasingnumber of “Safe Harborites,” and identi-fies key differences between SafeHarbor and the alternative approaches. Italso discusses special issues related tooutsourcing service providers, recentenforcement actions, and trends relatedto global privacy compliance.
1. What is the Safe Harbor and how
does it work?
The Safe Harbor is one approach U.S.companies can adopt to address thecross-border data transfer restrictionsunder the European Commission’s 1995Data Protection Directive (95/46/EC)(Directive). Specifically, the Directiveprohibits the transfer of personally iden-tifiable information about individualslocated in the European Union (EUPersonal Data) to the United States orother locations outside the EuropeanEconomic Area, unless the data recipi-ent is subject to a law or other bindingscheme that provides “adequate protec-tion” for such EU Personal Data (DataTransfer Restriction), or otherwise quali-fies for an exception to this require-ment.
Examples of where the DataTransfer Restriction might apply includesituations where a U.S.-based multina-tional needs to receive EU Personal Datarelating to:
i) Employees or contractors of its subsidiaries in the EU (e.g., talent man-agement and performance data, benefitsand payroll information, data related tocodes of conduct or whistleblower hot-lines, or other information);
ii) Consumers or corporate customercontacts in the EU (e.g., customer relationship management or CRM data,or the like);
iii) Customers’ customers or other end users in the EU (e.g., where themultinational is an outsourcing serviceprovider); and
iv) Other categories of individuals(e.g., job candidates, clinical trial subjects, business partners, or others).
As mentioned above, the EuropeanCommission has issued a decision that, if a U.S. organization self-certifiescompliance to the Safe Harbor, it will bedeemed to provide “adequate protec-tion” and satisfy the Data TransferRestriction for the duration of its partici-pation in the Safe Harbor. In practice, aneligible organization in the U.S. can jointhe Safe Harbor by (i) conducting duediligence and taking the necessarysteps to conform its data handling prac-tices to the Safe Harbor rules (e.g., pro-viding data subjects in the EU with asufficient privacy notice, maintainingreasonable security for covered EUPersonal Data, providing individuals inthe EU with access to their own EUPersonal Data, and taking other steps);and (ii) completing the self-certificationform with the U.S. DOC. Once theorganization completes the self-certifica-tion, its name and Safe Harbor registra-tion will be published on the U.S. DOC’slist of Safe Harbor companies, and willbe deemed to provide “adequate pro-tection” for categories of EU PersonalData covered by its self-certification.After that point, any violation of the SafeHarbor rules can be subject to anenforcement action by the U.S. FederalTrade Commission.
2. What alternative approaches could
U.S. companies use to address the
data transfer restriction?
U.S. companies could also address theData Transfer Restriction through othermeans, such as: obtaining express con-sent from the individuals at issue(Express Consent); adopting and obtain-ing approvals from data protectionauthorities for a set of binding corporaterules (BCRs); or establishing privacyagreements that conform to standardcontractual clauses issued by the
European Commission (ModelContracts). A brief summary of each ofthese options is set out here:
i) Express Consent. Five or 10 yearsago, many companies adopted theExpress Consent approach to interna-tional data transfers, particularly withrespect to EU Personal Data aboutemployees. Today, relatively few compa-nies are selecting Express Consent as acomprehensive solution to addressingData Transfer Restrictions. This is due toseveral factors, including concerns about“drop out” rates where some individu-als may not consent, and recent opin-ions of data protection authorities thatsuch consents, particularly by employ-ees, may not be “freely given” andtherefore may be invalid. It is worth-while to note that Express Consent isstill a useful solution for limited or spe-cific situations (e.g., e-commerce offer-ings with “accept” clicks, employeestock options, and the like).
ii) Binding Corporate Rules (BCRs).BCRs have received significant tradepress attention lately. The concept ofBCRs is attractive because a group ofaffiliated companies will have the flexibility to develop its own articulationof privacy rules for intra-group dataflows. This allows the group to tailor therules to its actual data flows and busi-ness culture. However, the group is notfree to develop whatever rules it likes—itmust still comply with guidance issuedby European data protection authoritiesregarding the data privacy principleswhen developing such rules. The groupmust also seek substantive approvals forthe BCRs from the data protectionauthorities in the relevant EU countries.Also, BCRs only cover intra-group datatransfers, and do not cover transfers toor from unaffiliated parties (e.g., serviceproviders, business partners, M&A par-ties), and in practice many companieshave applied BCRs to human resourcesdata only, due in part to the complexityof obtaining approvals for customer orother categories of data. Despite recentefforts by the European data protectionauthorities to streamline the approval
U.S. - EU Safe Harborcontinued from page 1
January-February • 2010
4 www.privacyassociation.org
110561_Advisor_Document 3 2/17/10 2:54 PM Page 4
process, the negotiations with data pro-tection authorities for the approval forBCRs still require time and resourcesand tend to discourage companies frompursuing this approach unless they havesignificant resources to devote to theprocess. There are no published statis-tics available as to how many companieshave obtained approvals for BCRs,although latest estimates indicate thatthe number is less than 30.
iii) Model Contracts. Model Contractshave advantages in that, unlike BCRs,the terms are pre-approved by theEuropean Commission (no substantivedata protection authority approvalsrequired). Also, unlike Express Consent,there is no need to obtain approval fromaffected individuals. Although SafeHarbor shares both of these advan-tages, Model Contracts do have certainadvantages relative to Safe Harbor,including that they facilitate cross-borderdata transfers from the EU to jurisdic-tions outside the U.S. (e.g., data trans-fers from Europe to Asia, Latin America,and other regions and jurisdictions).Model Contracts also are not subject toenforcement by the U.S. Federal TradeCommission, and rely exclusively onlocal enforcement by data protectionauthorities and courts in the EuropeanUnion. Model Contracts have certaindisadvantages relative to Safe Harbor,including that a proper implementationrequires the execution and maintenanceof a network of intercompany privacyagreements between and among affili-ates worldwide. Acquisitions or othercorporate changes will trigger require-ments to execute new agreements, andchanges in business processes or datatransfers can also require adjustmentsto the existing intercompany framework.In addition, the specific terms in theModel Contracts (which sometimes canbe difficult to understand and follow)cannot be changed in any way withouttriggering a data protection consultationor approval requirement and subse-quently creating a risk that the agree-ments will not be recognized by suchauthority as a valid implementation ofthe “model” agreement. Finally, among
the other terms, the Model Contractscontain express third-party beneficiaryrights for the data subjects to sue theEU affiliate (as “data exporter”) and, incertain circumstances, the U.S. parent(as “data importer”) for violations of theterms of the contract. There are no pre-cise numbers of companies that utilizeModel Contracts to protect internationaldata transfers, although the “pre-approved” nature of the agreementsand their longstanding availability, com-bined with experience, suggests thatthey have been used at least as fre-quently as Safe Harbor to protect datatransfers to the U.S.
3. Why would a U.S. company select
the Safe Harbor?
U.S. companies may choose to join theSafe Harbor for a variety of reasons.Several of the key driving factors mayinclude:
i) Increased demands for cross-borderdata transfers. U.S. companies areexperiencing increased demands forcross-border data transfers, such as: (a) greater integration of global businessoperations, (b) consolidation of informa-tion technology infrastructure and support services, (c) implementation of company codes of conduct andwhistleblower hotlines, (d) increasedrequirements to conduct global internalinvestigations, and to respond to govern-ment inquiries and e-discovery and litiga-tion demands on a worldwide basis.
ii) Increased scrutiny of data transferpractices. U.S. companies are also find-ing that relevant stakeholders are engag-ing in increased scrutiny of company pri-vacy practices, including works councilsand other employee-representative bod-ies, individual employees, data protec-tion authorities, consumers, competi-tors, and others. This requires the com-panies to select and implement reliablesolutions for international data transfers.
iii) More flexibility for onward transferswhere required by U.S. law, ordered
THE PRIVACY ADVISOR
International Association of Privacy Professionals 5
See, U.S. - EU Safe Harbor, page 6
PRIVACY
-2010-2010PREDICTIONS
In between the FTC Roundtables,
federal legislation, and HIPAA
regulations, I believe privacy will
be at the forefront of concerns
for many companies. It will be
important to follow privacy events
in the EU, as well, since those
may affect FTC thinking. With
respect to data security, with the
data breaches that occurred in
2009, unless there is clear federal
preemption, I would envision
more states considering specific
and prescriptive data security
requirements.
—Benita Kahn, CIPP, Partner, Vorys, Sater, Seymour and Pease LLP
Widespread adoption of the
icon for online behavioral
advertising will occur and be visi-
ble across the Internet. Progress
on important legal and policy
issues will occur if all interests
continue to work constructively
together. The public will call for
more aggressive use of personal
information to protect citizens
against terrorism. Technology and
the Information Age will reach
new heights with wireless and
television innovation and benefits
that rely on consumer information.
Public love for the Internet
continues to reach new peaks.
—Stu Ingis, Partner, Venable LLP
110561_Advisor_Document 3 2/17/10 2:54 PM Page 5
by a court, or necessary to perform acontract. Safe Harbor has more flexiblerules than Model Contracts with respectto onward transfers to third parties.Specifically, Model Contracts prohibit therelevant company from disclosing data tothird parties unless it has obtained theagreement of the recipient to abide bythe Model Contract terms, or hasobtained consent from individuals. Suchrules may be difficult for a company tosatisfy fully in the context of U.S. govern-ment demands for data, court orders ine-discovery or litigation, or data transfersthat are necessary to perform a contractwith the individual data subject. Similarly,the specific rules on such onward trans-fers in BCRs need to be negotiated on acase-by-case basis with the Europeandata protection authorities, and may like-wise be difficult to satisfy depending onthe outcome of such negotiations. Incontrast, the Safe Harbor provides impor-tant exceptions to onward transferrestrictions, such as for situations wherethe data sharing is required by a legalrequirement in the U.S. (e.g., in the con-text of government demands for data), acourt order in the U.S. (e.g., the contextof e-discovery), and data sharing that isnecessary to perform a contract with thedata subject, or otherwise qualifies forexceptions in the Directive or nationaldata protection laws.
iv) Greater control for the U.S. company. Safe Harbor provides the U.S.company (versus local affiliates) withgreater control over the cross-borderdata transfer solution than ModelContracts and BCRs. The Safe Harbor pri-marily requires the U.S. company toundertake relevant compliance steps,and does not generally require significantlocal affiliate involvement. In contrast,Model Contracts require the participationof local affiliates in Europe to executethe intercompany agreements. On anongoing basis, Model Contracts by theirown terms provide local affiliates withaudit and other rights over the U.S. com-panies (a situation that often does not
represent the actual hierarchical struc-ture of a U.S.-based company and itslocal affiliates). BCRs require even moreextensive participation of local affiliatesto negotiate for substantive approvalsfrom data protection authorities for theterms in the BCRs.
v) Achievable and practical nature ofSafe Harbor. Safe Harbor is an achiev-able and practical solution because,unlike BCRs, self-certification to SafeHarbor does not require any substantivenegotiations with the European data pro-tection authorities—the U.S. DOCalready completed such negotiations forthe Safe Harbor rules several years ago.
vi) Enhanced brand reputation for out-sourcing providers and satisfaction ofEU customer requirements.Outsourcing service providers in the U.S. may find Safe Harbor participationadvantageous when doing business with corporate customers in the EU (EUCustomers). Among other benefits, SafeHarbor participation can help enhance theU.S. provider’s brand reputation, anddemonstrate to EU Customers that theprovider understands EU data protectionconcerns. Safe Harbor participation canalso help reduce the compliance burdenon the EU Customers by helping themavoid the need to maintain a network ofModel Contracts conforming to theEuropean Commission “data processor”clauses. In addition, Safe Harbor partici-pation can streamline the steps that theEU Customers need to take to complywith local data protection authority regis-tration requirements in some countries(discussed further below in paragraph ix).
vii) Coverage for Switzerland. TheSwiss Federal Data Protection andInformation Commission (Swiss DPA)has recently established the U.S.-SwissSafe Harbor Framework with the U.S.DOC. As a result, U.S. companies canaddress the cross-border data transferrestriction in the Swiss data protectionlaw by self-certifying compliance to theSafe Harbor rules, in the same way ascan be done for transfers from the EU.This development is particularly impor-
January-February • 2010
6 www.privacyassociation.org
U.S. - EU Safe Harborcontinued from page 5
An arousing turn of the year in
the matter of privacy: At the
end of 2009 Eric Schmidt, CEO of
Google, told CNBC: “If you have
something you don‘t want anyone
to know, maybe you shouldn't be
doing it in the first place.” At the
beginning of 2010, Mark
Zuckerberg, founder of Facebook,
told a live audience that if he
were to create Facebook again
today, user information would be
public by default, not private as it
was for years until the end of
December.
It seems that privacy has
become a disused concept. The
new decade is about openness
and total disclosure. Individuals
and organizations will have to
engage even more in protecting
privacy as a rare but necessary
concept for human life in the
digitally networked world.
Remember? Privacy has always
been interpreted as a precondi-
tion for human self-determination
and a free and democratic socie-
ty. I don't remember any convinc-
ing argument that has made this
assumption obsolete. So let's
take care.
—Miriam Meckel, ManagingDirector, MCM-Institute,University of St. Gallen
Switzerland, and 2009-2010Berkman Center for Internet and
Society fellow
PRIVACY
-2010-2010PREDICTIONS
110561_Advisor_Document 3 2/17/10 2:54 PM Page 6
tant for Switzerland, as the definition of“personal data” under Swiss law coversidentifiable information regarding individ-uals and legal entities, making personaldata protections provided under Swisslaw broader than those of many EUmember states, which generally onlyprotect identifiable information regardingnatural persons.
viii) Better fit for “online” data collections. The Safe Harbor is bettersuited to protect online transfers of databecause the U.S. company would notneed to obtain an express consent fromWeb site visitors for the data transfers,and would not need to enter into con-tracts with entities in the EuropeanUnion (both of which may be cumber-some depending on the business modelor application). Instead, the Safe Harborwould require the U.S. company to con-firm that its privacy policy and privacypractices adhere to the Safe Harborrules—a step that may be easier forcompanies to administer in the onlinecontext than obtaining Express Consentor executing Model Contracts.
ix) Streamlining of local filing procedures. In a number of EU memberstates, cross-border transfers of EUPersonal Data may trigger registrationrequirements with the data protectionauthorities. In some of these countries,the Safe Harbor facilitates the local regis-tration process by avoiding “procedural”approvals that apply to use of ModelContracts and the “substantive”approvals for BCRs. For example, inSpain, the use of Model Contractsattracts certain requirements for specialnotary and other procedural approvalswhen the local company registers withthe data protection authority. This
requirement is not triggered when thedata recipient is a U.S. company thatself-certifies with the Safe Harbor.
x) Avoiding administrative burdens ofmaintaining Model Contracts. ModelContracts must be monitored to makesure that they reflect changes in the rel-evant company’s structure. By contrast,particularly in the context of mergers andacquisitions, as well as other businesschanges and developments, Safe Harboravoids the administrative burden ofnegotiating and executing new ModelContracts to cover new affiliates anddata flows.
4. Why would a U.S. company choose
a data transfer solution other than the
Safe Harbor?
Although there are many good reasonsto join Safe Harbor, or use Safe Harboras a baseline to authorize certain datatransfers, there are good reasons whySafe Harbor may not be sufficient for alldata transfers, and why a companymight choose alternative approaches.
i) FTC enforcement. The promise tocomply with Safe Harbor is ultimatelysubject to the enforcement authority ofthe FTC. The FTC has recently taken itsinitial enforcement actions pursuant tothe Safe Harbor. In the first case, theFTC obtained a Temporary RestrainingOrder (TRO) in the United States DistrictCourt for the Central District of Californiaenjoining a consumer electronics compa-ny (Consumer Electronics Company)from engaging in a broad range of unfairand deceptive practices related to onlineconsumer sales, including misrepresent-ing that the company participated in SafeHarbor. According to the FTC complaint,the Consumer Electronics Company had,at various times, advertised on its Websites that it had self-certified to the SafeHarbor, even though it had never doneso. The FTC complaint also alleges thatthe company had engaged in a wide vari-ety of other unfair and deceptive prac-tices relating to commercial practices,such as: (i) failing to notify consumers
THE PRIVACY ADVISOR
International Association of Privacy Professionals 7
See, U.S. - EU Safe Harbor, page 8
“The FTC has recentlytaken its initial enforce-ment actions pursuant tothe Safe Harbor.”
110561_Advisor_Document 3 2/17/10 2:54 PM Page 7
about applicable customs duties andother taxes; (ii) frequently shipping prod-ucts that did not comport to customerorders and that had power chargers thatwere incompatible with local power sys-tems where the consumer was located;(iii) delivering user manuals and electron-ics controls that were in Spanish orChinese entirely; (iv) charging consumercredit cards without providing the prod-ucts ordered; and (v) failing to disclosewarranties and other material terms. Inaddition to the TRO, the FTC seeks fur-ther relief in the form of a permanentinjunction, restitution, disgorgement ofprofits, and other equitable relief.
In a second set of enforcementactions, the FTC agreed to settle caseswith six U.S. businesses that allegedlyfalsely claimed that they participated inSafe Harbor. The FTC complaints chargedWorld Innovators, Inc.; ExpatEdgePartners LLC; Onyx Graphics, Inc.;Directors Desk LLC; Collectify LLC; andProgressive Gaitways LLC (the “SafeHarbor Six”) with representing that theyheld current certifications to the SafeHarbor program, even though the com-panies had allowed their certifications tolapse. Under the proposed settlementagreements, the Safe Harbor Six are pro-hibited from misrepresenting the extentto which they participate in any privacy,security, or other compliance programsponsored by a government or any thirdparty. The FTC did not assess any finesin connection with these settlements.
These cases are important becausethey represent the first enforcementactions the FTC has taken under SafeHarbor since the inception of the pro-gram in November 2000. It may signalthat the FTC will be more active in purs-ing Safe Harbor cases in the comingmonths, and that companies should beeven more diligent in confirming thatthey comply with the Safe Harbor rulesbefore completing a self-certification.
ii) Data transfers not eligible for cover-age by Safe Harbor. U.S. companiesare only eligible to join the Safe Harbor
to protect certain transfers of EUPersonal Data to the United States.Other transfers within a global enter-prise, such as transfers from the EU toAsia or Latin America, are not covered bySafe Harbor. Likewise, financial institu-tions and other organizations that falloutside the scope of FTC and DOTauthority are not eligible to join SafeHarbor, even if the organizations arelocated in the United States. This “cover-age” issue is perhaps one of the mostsignificant reasons why companies mayutilize other approaches.
iii) Development of tailored privacycompliance programs. U.S. companiesthat already have well-established globaldata protection programs may wish toconsider developing more tailored com-pany-wide data protection complianceprograms through BCRs. Such compa-nies can build on the controls that theyhave already established under SafeHarbor and/or Model Contracts, anddevelop rules and procedures thataddress the guidance issued by the dataprotection authorities on BCRs, while tai-loring such terms to the group’s actualdata flows and handling practices. In theinterim period while the group of compa-nies seeks approval for BCRs, they cancontinue to rely on their existing dataprotection framework.
5. What are the current trends in inter-
national data transfers?
Although there are still a wide variety ofpractices, certain trends are emergingwith respect to international data trans-fers. First, common industry practice hasmoved away from reliance on a broad“waiver” of privacy rights throughExpress Consents, particularly in theemployment context. Second, althoughBCRs are up and coming, the burdens ofnegotiating for substantive approval fromdata protection authorities and other fac-tors may place this solution out of reachfor many U.S. organizations, except forcompanies that already have well-devel-oped global privacy programs based onSafe Harbor or Model Contracts.
Third, the “work horses” for compli-ant international data transfers in the cur-
January-February • 2010
8 www.privacyassociation.org
U.S. - EU Safe Harborcontinued from page 7PRIVACY
-2010-2010PREDICTIONS
Privacy in the healthcaresector, 2010
The concept of de-identified data
as a privacy protection will be
challenged by multiple stakeholders;
the results of this discussion will be
critical to healthcare privacy and
related federal laws (e.g., HIPAA,
HITECH). There will be those who
are concerned about the risk of re-
identification, there will be those
espousing de-identification as being
more protective of patients than
handling protected health informa-
tion (PHI) directly and while accom-
plishing the same goals, and there
will be regulators involved in trying
to find common ground that satis-
fies conflicting interests. Ultimately,
I suspect that de-identified data will
prevail as a better alternative to
using PHI in the healthcare sector,
albeit with a more regulated securi-
ty network around it.
—Kim Gray, Chief Privacy Officer,Americas Region, IMS Health
In the field of advertising in 2010,
the mobile Internet will finally
become the new frontier for user
data collection and analysis, and the
use of Flash cookies on the Web will
likely re-ignite the debate on third-
party tracking devices.
—Fernando BermejoAssociate Professor of
Communication at Universidad ReyJuan Carlos in Madrid, Spain and
2009-2010 Berkman Center forInternet and Society fellow
110561_Advisor_Document 3 2/17/10 2:54 PM Page 8
THE PRIVACY ADVISOR
International Association of Privacy Professionals 9
rent environment appear to be SafeHarbor and Model Contracts. Companiesentering the “global privacy compliance”market for the first time at the enterpriselevel often select between these twosolutions. Key considerations in favor ofSafe Harbor include more flexibility withrespect to onward transfers (e.g., to gov-ernment authorities in SEC or other gov-ernment investigations, as well as toother parties in e-discovery and litiga-tion), greater control for the U.S. parentcompany, the avoidance of the mainte-nance of a network of intercompany pri-vacy agreements, and the avoidance ofexpress third-party beneficiary rights fordata subjects. Key considerations infavor of Model Contracts are the avoid-ance of FTC enforcement authority, andthe ability to cover data transfers fromthe EU to non-U.S. jurisdictions (e.g. Asiaor Latin America).
Ultimately, there is no one-size-fits-all solution. Companies make strategicdecisions on cross-border privacy solu-tions based on their own particular situ-ation, including worldwide data flows,
compliance issues, business opera-tions, litigation experience, and otherfactors. One trend that is unmistakable,however, is that companies today oper-ate in an increasingly interconnectedworld and, for enterprise risk manage-ment purposes, are finding that, at aminimum, they benefit from a periodicreview to confirm that the global “priva-cy house” is in order and responsive tothe latest risks and privacy regulatorydevelopments.
Brian Hengesbaugh, CIPP, is a partnerin the Chicago office of Baker &McKenzie. He concentrates on domes-
tic and global data protection, privacy,and information security, and is a mem-ber of the firm’s Global Privacy SteeringCommittee. Mr. Hengesbaugh is a pastmember of the IAPP PublicationsAdvisory Board. Prior to joining Baker &McKenzie, Mr. Hengesbaugh served asthe lead attorney for the U.S.Department of Commerce GeneralCounsel’s Office in the negotiation ofthe U.S. - EU Safe Harbor PrivacyFramework.
Michael Mensik is a partner in theChicago office of Baker & McKenzie,concentrating on information technolo-gy, sourcing, and privacy. He wasrecently elected to the Outsourcing Hallof Fame by the InternationalAssociation of OutsourcingProfessionals.
Amy de La Lama is a senior associatein the Chicago office of Baker &McKenzie, concentrating on domesticand global data protection, privacy, andinformation security.
“…Companies are findingthey benefit from a period review to confirmthat the global ‘privacyhouse’ is in order…”
110561_Advisor_Document 3 2/17/10 2:54 PM Page 9
January-February • 2010
10 www.privacyassociation.org
appropriate steps to address thoserisks. We’ve updated the criteria of ourprivacy principles to mitigate the risks topersonal information.”
Generally Accepted PrivacyPrinciples, last updated in 2006, aredesigned to help an organization’s management develop a program thataddresses their privacy obligations andrisks and to assist them with assessingtheir existing privacy program. It is alsothe basis for a privacy audit that can beperformed by a Certified PublicAccountant or Chartered Accountant.GAPP incorporates concepts from local,national, and international laws, regula-tions, guidelines, and other bodies ofknowledge on privacy into a single priva-cy objective. This objective is supportedby 10 privacy principles:
1. Management – The entity defines, documents, communicates, and assignsaccountability for its privacy policies andprocedures.
2. Notice – The entity provides noticeabout its privacy policies and proceduresand identifies the purposes for whichpersonal information is collected, used,retained, and disclosed.
3. Choice and consent – The entitydescribes the choices available to the indi-vidual and obtains implicit or explicit con-sent with respect to the collection, use,and disclosure of personal information.
4. Collection – The entity collects per-sonal information only for the purposesidentified in the notice.
5. Use, retention, and disposal – Theentity limits the use of personal informa-tion to the purposes identified in thenotice and for which the individual hasprovided implicit or explicit consent. Theentity retains personal information foronly as long as necessary to fulfill thestated purposes or as required by law orregulations, and thereafter appropriatelydisposes of such information.
6. Access – The entity provides individuals with access to their personalinformation for review and update.
7. Disclosure to third parties – Theentity discloses personal information tothird parties only for the purposes identi-fied in the notice and with the implicit orexplicit consent of the individual.
8. Security for privacy – The entity protects personal information againstunauthorized access (both physical and logical).
9. Quality – The entity maintains accurate, complete, and relevant personal information for the purposesidentified in the notice.
10. Monitoring and enforcement – Theentity monitors compliance with its privacy policies and procedures and hasprocedures to address privacy-relatedcomplaints and disputes.
Each principle is supported by objective,measurable criteria for handling personal information throughout anorganization. Together, this set of privacy principles and related criteria are useful to those who:
• oversee and monitor privacy and security programs;
• implement and manage privacy andsecurity;
• oversee and manage risks and compliance;
GAPP updatecontinued from page 1
See, GAPP update, page 12
“Each principle is supported by objective,measurable criteria forhandling personal information throughoutan organization.”
PRIVACY
-2010-2010PREDICTIONS
Data protection in France2010
This year the odds are that the
French data protection environ-
ment will likely see a strengthening
of legal requirements by the intro-
duction of an obligation to provide
data breach notifications and anoth-
er obligation to appoint a data pro-
tection official. At the same time,
on the DPA side we will see more
and more onsite investigations.
One can also foresee the
growth of the privacy profession
and the growth of the AFCDP, the
French Association of Data
Protection Correspondents.
—Pascale Gelly, Partner, Cabinet Gelly;Member, Board of Directors of AFCDP
Privacy and data protection in Israel, 2010
ILITA will submit legislative reform
to Knesset, tightening enforce-
ment, increasing accountability,
and reducing bureaucratic burdens.
The Supreme Court will rule on
major constitutional challenge to
Communications Data Act,
asserting disproportionate effect
on privacy. Privacy professionals
will descend on Jerusalem October
27-28 to celebrate IAPP annual
soccer match (and the 32nd annual
Conference of Privacy and Data
Protection Commissioners).
—Omer Tene, Israeli Legal Consultant,Associate Professor, College of
Management School of Law, Israel
110561_Advisor_Document 3 2/17/10 2:54 PM Page 10
THE PRIVACY ADVISOR
International Association of Privacy Professionals 11
110561_Advisor_Document 3 2/17/10 2:54 PM Page 11
January-February • 2010
12 www.privacyassociation.org
• assess compliance and audit privacyand security programs; regulate privacy.
The changes, which include eight newcriteria (now more than 70 in total) andthe modification of two others, were theresult of deliberations and considerationgiven to comments received from thepublic in response to the exposure draftthat was released in March 2009.
“Safeguarding personal informationis one of the most challenging responsi-bilities an organization has, whether it’sinformation pertaining to employees orcustomers,” said Johnson. “We’veupdated the criteria of our privacy princi-ples to minimize the risks to personalinformation. We have enhanced theguidance on security, breach response,and employee-related matters, alongwith disposal and destruction of person-al information.”
The following is a summary of thenew criteria:
Personal Information Identificationand Classification (1.2.3) – The typesof personal information and sensitivepersonal information and the relatedprocesses, systems, and third partiesinvolved in the handling of such informa-tion are identified. Such information iscovered by the entity’s privacy and relat-ed security policies and procedures.
This may include having an informa-tion-classification process that identifiesand classifies information into categoriessuch as business confidential, personalinformation, business general, and public.
Risk Assessment (1.2.4) – A riskassessment process is used to establisha risk baseline and to, at least annually,identify new or changed risks to person-al information and develop and updateresponses to such risks.
Risks may be external (such as lossof information by vendors or failure tocomply with regulatory requirements) orinternal (such as e-mailing unprotectedsensitive information). Ideally, the
privacy risk assessment should be integrated with the security risk assess-ment and be a part of the entity’s overallenterprise risk management program.The AICPA and CICA have developed aPrivacy Risk Assessment Tool thatorganizations may find useful.
Privacy Incident and Breach (1.2.7) – A privacy incident and breach manage-ment program has been documentedand implemented. It includes, but is notlimited to, the following:
• procedures for the identification, management, and resolution of privacy incidents and breaches;
• defined responsibilities;
• a process to identify incident severityand determine required actions andescalation procedures;
• a process for complying with breachlaws and regulations, including stake-holders breach notification, if required;
• an accountability process for employ-ees or third parties responsible forincidents or breaches with remedia-tion, penalties, or discipline as appro-priate;
• a process for periodic review of actualincidents to identify necessary pro-gram updates;
• periodic testing or walkthroughprocess and associated programremediation as needed.
Privacy Awareness and Training(1.2.10) – A privacy awareness programabout the entity’s privacy policies andrelated matters, and specific training forselected personnel depending on theirroles and responsibilities, are provided.
“Ensuring that employees are edu-cated about privacy will help prevent pri-vacy breaches, improve customer serv-ice, and demonstrate the organization’scommitment to sound business prac-tices,” explains Donald Sheehy, CA·CISA,CIPP/C, associate partner with Deloitte
GAPP updatecontinued from page 10
The IAPP Welcomes our Newest
Corporate Members
110561_Advisor_Document 3 2/17/10 2:54 PM Page 12
THE PRIVACY ADVISOR
International Association of Privacy Professionals 13
(Canada) and a Canadian member of theAICPA/CICA Privacy Task Force.
Information Developed aboutIndividuals (4.2.4) – Individuals areinformed if the entity develops oracquires additional information aboutthem for its use. Such information may be obtained or developed fromthird-party sources, browsing, and credit/purchasing history.
Disposal, Destruction and Redactionof Personal Information (5.2.3) –Personal information no longer retainedis made anonymous, disposed of, ordestroyed in a manner that preventsloss, theft, misuse, or unauthorizedaccess. This can include the removal orredaction of specified personal informa-tion about an individual, such as remov-ing credit card numbers after the trans-action is complete and using companiesthat provide secure destruction services.
Personal Information on PortableMedia (8.2.6) – Personal informationstored on portable media or devices isprotected from unauthorized access.
Policies and procedures prohibit thestorage of personal information onportable media or devices unless a busi-ness need exists and such storage isapproved by management. Such infor-mation is encrypted, password protect-ed, physically protected, and subject tothe entity’s access, retention, anddestruction policies. Upon termination of
employees or contractors, proceduresprovide for the return or destruction ofportable media and devices used toaccess and store personal information,and printed and other copies of suchinformation.
“Portable devices such as laptopsand memory sticks provide convenienceto employees, but appropriate measuresmust be put in place to properly securethem and the data they contain,” relatedSheehy. “We must stay abreast of tech-nological advances to ensure that propermeasures are put into place to defendagainst any new threats.”
Ongoing Monitoring (10.2.5) – Ongoingprocedures are performed for monitoringthe effectiveness of controls over per-sonal information based on a risk assess-ment and for taking timely correctiveactions where necessary. An example ofa control would be reviewing employeefiles to seek evidence of course trainingin compliance with policies that requireall employees take initial privacy trainingwithin 30 days of employment.
Other changes to GAPP includerestricting the use of personal informa-tion in process and systems testing, ref-erences to ISO 27002, and revised lan-guage for auditors to use when prepar-ing reports on a privacy audit.
Several organizations worked inconjunction with the AICPA and CICA onGAPP, including ISACA and the Instituteof Internal Auditors. Copies of GAPP,along with additional privacy resources,are available at www.aicpa.org/privacyand www.cica.ca/privacy.
Nancy A. Cohen, CPA.CITP, CIPP, ([email protected]) is Senior TechnicalManager - Quality Control, Research &Development for the American Instituteof Certified Public Accountants.
Nicholas F. Cheung, CA, CIPP/C,([email protected]) is a principalwith the Canadian Institute of CharteredAccountants.
Both Nancy and Nicholas are membersof the AICPA/CICA Privacy Task Force.
“Portable devices such as laptops and memorysticks provide conven-ience to employees, butappropriate measuresmust be put in place to properly secure themand the data they contain.
Privacy Classifieds
The Privacy Advisor is an excellentresource for privacy professionalsresearching career opportunities. For more information on a specificposition, or to view all the listings,visit the IAPP’s Web site, www.privacyassociation.org.
PRIVACY RESEARCH ALLIANCE COORDINATORNymityToronto, ON
PRIVACY RESEARCH SPECIALISTNymityToronto, ON
VULNERABILITY MANAGEMENT AND SECURITY COMPLIANCE RISK ASSESORConvergysCincinnati, OH
PRIVACY PROJECT MANAGERGenentechSouth San Francisco, CA
PRIVACY RESEARCH LAWYERNymityToronto, ON
MANAGER/SENIOR MANAGER U.S.CONSUMER AND SMALL BUSINESSPRIVACYAmerican ExpressNew York, NY
SENIOR MANAGER, INFORMATION SYSTEMS SECURITYConvergysDallas, TX
PRIVACY COMPLIANCE SPECIALISTU.S. Department of Homeland Security,Privacy OfficeRosslyn, VA
PRIVACY DIRECTORBlue Shield of CaliforniaSan Francisco, CA
PRIVACY ACT CONSULTANTRGS Associates, Washington Navy YardWashington, DC
110561_Advisor_Document 3 2/17/10 2:54 PM Page 13
January-February • 2010
14 www.privacyassociation.org
Successive revolutions in informa-tion technology raise new chal-lenges, risks, and opportunities for
consumer privacy protection. Perhaps themost basic question is how these newtechnologies are changing the actual prac-tices of companies in processing personalinformation. After all, emerging technolo-gies can make legal regulations obsoleteor out-of-date. The consequences can beineffective regulation and a waste of cor-porate resources without meaningful pro-tections for consumer privacy.
To understand the impact of newtechnologies on company practices andlegal regulations, I researched how sixleading North American companies man-age their global use of personal informa-tion. This work was sponsored by thePrivacy Projects, a new nonprofit organi-zation devoted to empirical research intoprivacy issues.
My whitepaper, Managing GlobalData Privacy, looks at companies that aredeveloping pharmaceuticals, providingmarketing, selling financial services, andoffering a range of Internet-based soft-ware, technology, and online services.These companies collect and process per-sonal information about clinical healthresearch, customer services, consumersurveys, mortgage renewals, e-mailaccounts, and global job applicants.
The resulting case studies identifythree dramatic changes from the world ofyesterday. The first change shown is thatthe scale of global data flows in the pri-vate sector has increased massively. Inthe recent past, an international exchangeof personal information was a rare eventthat the law tended to regulate on a case-by-case basis. But personal informationnow flows around the world 24/7. The vol-ume is staggering—one company in thestudy created more than five million datapoints in 2008. This figure represents 72new data points every minute.
Second, the nature of this constantflow of global data is dynamic and occursacross borders. In the past, companies
finalized international data transfers inadvance. Personal data were sent at a sin-gle moment from one central location toanother. Today, companies draw on "thecloud" to put computer resources andservices on the Internet. As a result, theprocessing of personal data increasinglytakes place simultaneously throughout aglobal network.
Third, the oversight of data flows atthese leading companies has been pro-fessionalized with a significant investmentof business resources. This developmentis highly promising. In the past, many cor-porations avoided privacy and securityissues and devoted a low level ofresources to them. Companies now arecreating collaborative processes for priva-cy and security, which involve chief secu-rity officers, chief privacy officers, legalcounsel, and internal managementboards.
One regulatory lesson to be drawnfrom these studies is to question thevalue of the approach in certain Europeancountries that require registrations for anydata processing operation involving thepersonal information of citizens. Even aminor change in the location of a singleserver, or an alteration of a single processwill require costly modifications to exist-ing registrations in different Europeancountries. Yet, in the age of dynamic andmassive data flows carried out on “thecloud,” such changes can frequentlyoccur. Moreover, it is far from clear thatthe benefit for individual privacy, if any, isequal to the cost of making companiesfile detailed, national-specific reports oneach database that contains personalinformation.
Paul M. Schwartz, CIPP/C, is professorof law, Berkeley Law School, U.C.-Berkeley, and a director of the BerkeleyCenter for Law & Technology. Hiswhitepaper, Managing Global DataPrivacy, is available at: http://theprivacyprojects.org/privacy-projects.
Managing global data privacy
By Paul M. SchwartzPRIVACY
-2010-2010PREDICTIONS
Privacy protection will remain avery important subject of the
lobbying efforts by the marketingindustry in 2010. The media will con-tinue to be extremely alert to sus-pected violations of data protectionand it is a fact that even after enact-ment of the Data Protection Lawreform in Germany on September 1,2009, consumer data will still bemisused—contrary to what the gov-ernment and the consumer protec-tion agencies promised. This corrob-orates our statement which wehave ever since repeated, like amantra: the so-called “privacy scan-dals” are not a matter of loopholesin the law but of poor enforcementof the existing laws.
Since the new German govern-ment is in place, employee privacyand online privacy have becomeimportant matters, also. InNovember 2009, a draft for anEmployee Privacy Act was submit-ted to the German Bundestag.
Moreover, a considerable levelof uncertainty remains that mar-keters’ use of personal data couldbe placed on the agenda of lawmak-ers again in 2010.
How will these developmentsaffect the core activities of ourmembers—the reputable business-es with “address data”? TheGerman Federation of DirectMarketing will continue campaigningfor a cautious and balancedapproach to further data protectionlaw reforms.
—Dieter Weng, President of the German
Federation of Direct Marketing (DDV e.V.)
110561_Advisor_Document 3 2/17/10 2:54 PM Page 14
As the international communityreadies itself for a second waveof the H1N1 flu pandemic, wise
organizations are brushing off their busi-ness continuity plans (BCPs) and review-ing their applicability to a different kind ofthreat. Unlike traditional business conti-nuity or disaster recovery planning, pan-demic planning requires managementfor a prolonged but unidentified period oftime rather than for the single risk eventthat traditional business continuity plan-ning tends to focus on. The focus of pan-demic planning is on the people withinan organization rather than buildings,structures, or environmental. Shifting thefocus of your BCP to incorporate theorganization’s employees requires a gen-tle reminder that the privacy of employ-ees must remain paramount, even dur-ing business continuity management.
Privacy professionals must remainvigilant in the wake of the H1N1 flu pandemic to ensure the privacy rights of employees remain intact during pan-demic response activities. An all-hazardsapproach to business continuity planningin combination with taking a few common-sense approaches to privacy,will assist in easing the stress of the flu pandemic on organizations.
Privacy professionals need to workwith the business continuity plannersand human resource departments toclarify any questions regarding the col-lection, use, and disclosure of personalemployee information during the devel-opment of organizational BCP plans thatinclude considerations for pandemicplanning. The challenge is to balancethese needs with the needs of theorganization to plan for the potential ofprolonged staff shortages caused byemployee illness, and, potentially,employees staying home from work tocare for loved ones. Due to the way inwhich the illness spreads, a singledepartment within an organization may
be severely affected whileother areas are less affected,or not affected at all.
During times of crisis,management organizationsmay be tempted to collect avariety of information fromstaff, such as their diagnosesand whether they havereceived the H1N1 vaccine.Jurisdictional privacy legislationmay, however, prevent this collection. InCanada, for example, this is likely not areasonable collection of information underprovincial or federal privacy legislation.
Organizations may be tempted touse personal information contained inHR files, such as the number of depend-ents within staff members’ householdsor personal contact information for pan-demic planning or response purposes.This may pose a privacy threat to staffand a legislative or policy breach toorganizations. Finally, organizations maybe tempted to disclose informationabout staff that they would not normallyconsider disclosing in non-pandemic situ-ations, such as an employee diagnosis orreason for an emplyee’s absence atwork. Privacy professionals can, instead,urge their organizations to consider atwofold approach that focuses on infor-mation dissemination and careful pre-planning to manage the flu pandemic.
An informed employeehas the information he needsto care for himself and hisfamily members. Organiza-tions can provide their staffwith information regardingsafe hand washing and otherbasic flu prevention tech-niques, as well as local gov-ernment hotlines or otherresources to help them
understand the best flu preventionmethods. If the flu vaccine is available inyour area, consider posters in commonareas with contact information on howand where they can receive the vaccine.A thorough communication plan willempower employees to manage theirown risks, as well as those in their fami-ly, and in turn keep everyone healthyand at work.
Empowering employees with criticalinformation regarding the H1N1 flu viruscan be combined with the implementa-tion of some basic policies and tech-niques to be used within the office.Offering hand sanitizer in break andmeeting rooms and asking employees to stay home when they are sick are twosimple methods that can be used to further reduce the infection rates in theworkplace. Clear communication withemployees is a key element in pandemicpreparedness.
Perhaps the most important privacyprotection during a pandemic is a proper-ly tailored all-hazard business continuityplan that requires little or no additionalcollection, use, or disclosure of employ-ee information. A holistic approach thatidentifies potential risks and theirimpacts to business operations, includ-ing the risk of a pandemic, will providean organization with the tools it needs torespond to such a crisis. Specifically, theplan should consider prolonged staff
THE PRIVACY ADVISOR
15
Privacy and pandemic planning: a few prudent considerations
for organizations
By Rachel Hayward, CIPP/C
See, Pandemic planning, page 16
Rachel Hayward
“Perhaps the most important
privacy protection during
a pandemic is a properly
tailored all-hazard business
continuity plan that requires
little or no additional
collection, use, or disclosure
of employee information.”
International Association of Privacy Professionals
110561_Advisor_Document 3 2/17/10 2:54 PM Page 15
10January-February • 2010
16 www.privacyassociation.org
The IAPP celebrates its tenthanniversary this year. To com-memorate, the Privacy Advisor
will look back at some of the decade’smost memorable moments, achieve-ments, and milestones. We start with alook inward.
The Privacy Advisor is valuablebecause of you, the experts in the fieldwho so willingly share your knowledgewith IAPP members. Of course, someof you are more prolific than others.
We dusted off the archives todetermine just who has been most
profuse. One byline came up time andtime again. Philip L. Gordon, Esq., con-tributed his first story back in 2003when the newsletter bore a differentname. It was about options for employers facing the HIPAATransaction Rule compliance deadline.Hopefully you’re all compliant by now.If not, call Phil. He is a shareholder andchair of the Privacy Task Force at LittlerMendelson, P.C. in the Mile High City.
Thank you, Phil, for sharing somuch valuable information for the goodof the privacy profession.
shortages rather than the traditional dis-aster planning approaches that tend tofocus only on the infrastructure of anorganization and its ability to detail aspecific timeline for the full resumptionof business. Critical process and posi-tion identification, properly aligned withwell-rounded policies and proceduresand an appropriate plan for full or partialplan implementation will best serve anorganization during a flu pandemic.Careful pre-planning that is flexible andadaptive will reward employers whenfaced with a flu pandemic or other unex-pected disruption to their business.
Prior to deciding to collect, use, ordisclose personal employee informationin an attempt to manage a pandemic sit-uation, organizations need to understandthe requirements of the privacy legisla-tion by which they are bound. It is advisable to seek the assistance of privacy professionals. Organizationsneed to carefully plan their response to a pandemic and consider the careful balance between the protection ofemployee privacy and the continuation of business. Privacy professionals mustremain vigilant in their quest to protectpersonal information and must be pre-pared to advise their organizations whenplans may infringe on the privacy rightsof employees.
The federal privacy commissioner ofCanada and the information and privacycommissioners of the provinces ofAlberta and British Columbia recentlyreleased a publication titled “Privacy inthe Time of a Pandemic,” to assist organ-izations in working through some ofthese issues. The article can be found atwww.oipc.ab.ca/Downloads/document-loader.ashx?id=2492
Rachel Hayward is a privacy and information management specialist andthe information risk management leadfor the Edmonton, Alberta DeloitteOffice. She holds a masters degree inpublic administration and became aCIPP/C in 2007.
Pandemic planningcontinued from page 15Turning 10 in 2010
110561_Advisor_Document 3 2/17/10 2:54 PM Page 16
THE PRIVACY ADVISOR
International Association of Privacy Professionals 17
This article originated as aCovington & Burling LLPPrivacy & Data ProtectionAdvisory and is reprinted herewith permission.
The Lisbon Treatyentered into force onDecember 1, 2009. This
agreement substantially over-hauls the EU’s legal bases,the Treaty on European Union (TEU), andthe Treaty Establishing the EuropeanCommunity (EC Treaty), the latter ofwhich is renamed the Treaty on theFunctioning of the European Union(TFEU). While much attention has beengiven to the Lisbon Treaty’s reform ofthe EU’s institutional arrangements, italso alters the legal grounds for legisla-tion in the data protection area in waysthat could impact privacy regulation.Below, we describe the key changesand consider the potential effect onEurope’s data protection framework.
Data protection under the current
treaties
To date, EU data protection laws havebeen primarily based on provisions inthe EC Treaty empowering the EU tolegislate in furtherance of the internalmarket. Both the landmark DataProtection Directive (95/46/EC) and thee-Privacy Directive (2002/58/EC) werepromulgated on this basis, and, conse-quently, they concern both protection ofprivacy and the free movement of per-sonal data. Two other provisions alsoplay a role. Article 30(1)(b) TEU requiresthat transfers of law enforcement infor-mation be subject to appropriate dataprotection measures, and this was theprincipal basis for Framework Decision2008/977/JHA. In addition, Article 286EC Treaty provides for the application ofdata protection rules to the EUInstitutions and for the establishment of
an independent body to oversee dataprotection in this context (this led to thecreation of the European DataProtection Supervisor).
The new provision on data protection:
individual rights and expanded EU
authority
The most striking change for data pro-tection under the Lisbon Treaty is a new,prominent provision on the subject—Article 16 TFEU—which replaces andexpands on the old Article 286. Article16 states as follows:
1. Everyone has the right to the protec-tion of personal data concerning them.
2. The European Parliament and theCouncil, acting in accordance with theordinary legislative procedure, shalllay down the rules relating to the pro-tection of individuals with regard tothe processing of personal data byUnion institutions, bodies, offices andagencies, and by the Member Stateswhen carrying out activities which fallwithin the scope of Union law, andthe rules relating to the free move-ment of such data. Compliance withthese rules shall be subject to thecontrol of independent authorities.
The rules adopted on the basis of thisArticle shall be without prejudice to thespecific rules laid down in Article 39 ofthe Treaty on European Union.
What does this mean fordata privacy? First, the provi-sion establishes an explicitright to data protection. Itappears that this right wouldbe directly applicable to per-sons, and that they could con-sequently invoke it in court.The right to data protection isreinforced by the revisedArticle 6 TEU, which provides
that the EU Charter of FundamentalRights “shall have the same legal value”as the TEU and the TFEU. This wouldseem to have the effect of incorporatingdirectly into EU law all of the rights inthe Charter, including Article 8 on theProtection of Personal Data. Article 8contains language essentially identical toclause 1 of Article 16 TFEU, and addition-ally establishes rights to fair processingof personal data, access to such data,and rectification. The Data ProtectionDirective already provides that MemberStates should ensure similar protections.
Second, clause 2 of Article 16establishes a clear basis for the Counciland Parliament to regulate the process-ing of personal data by Member Stateauthorities when carrying out activitiesthat fall within EU law, in addition to theEU Institutions previously covered byArticle 286. But the full scope of thisclause is not entirely clear. One couldinterpret the phrase “and the rules relat-ing to the free movement of such data”as granting the Council and Parliament ageneral right to legislate data protectionrules, including for the private sector.This is not, however, the most obviousreading of the text, which insteadseems to refer to regulation of the freemovement of personal data among pub-lic authorities in Europe. Furthermore,there does not appear to be any reasonwhy the EU could not continue to regu-
The Lisbon Treaty and data protection: What’s next for
Europe’s privacy rules?
See, Lisbon Treaty, page 18
Daniel Cooper Henriette Tielemans David Fink
By Daniel Cooper, Henriette Tielemans, and David Fink of Covington & Burling LLP’s Privacy and Data Protection Practice Group
110561_Advisor_Document 3 2/17/10 2:54 PM Page 17
January-February • 2010
18 www.privacyassociation.org
late data protection in the privatesector on the basis of internal marketprovisions.
Finally, the last sentence ofclause 2 references a carve-out fordata protection rules in the context ofthe common foreign and security pol-icy. Under Article 39 TEU, the council,alone, is empowered to adopt ruleson the processing of personal data byMember States in this area.
The abolition of the pillar structure
and its impact on data protection
in law enforcement activities
One of the key structural reforms ofthe Lisbon Treaty—the abolition ofthe pillar system—could also affectprivacy rules. Pre-Lisbon, the EUcomprised three legal pillars withseparate legal bases for legislativeaction: (i) “Community” matters; (ii)Common Foreign and Security Policy;and (iii) Police and JudicialCooperation in Criminal Matters.Crucially, only the council wasempowered to adopt legislation in thethird pillar on data protection, pur-suant to Article 30(1)(b) TEU.
With the elimination of the pillarstructure, it appears that any futurelaws on data protection in the policeand judicial context would be basedon Article 16 TFEU, where both thecouncil and the Parliament are co-leg-islators. But some privacy advocatesargue that Framework Decision2008/977/JHA must also be revised—with input from the Parliament—toreflect the co-legislation requirement,or, alternatively, that the DataProtection Directive must be amend-ed to encompass the use of personaldata by police and judicial authorities(this would also involve co-legislationby the council and Parliament).Others, however, might argue that achange in the procedure for adoptinglegislation does not require the re-opening of laws validly adopted underan old procedure. It remains to beseen how this will play out.
Lisbon Treatycontinued from page 17
Cross-border data flowshave long been a sub-ject of global dialogue.
In the late 1970s, theOrganization for EconomicCooperation andDevelopment (OECD) and theCouncil of Europe began toexplore cross-border transac-tions, with OECD issuing theGuidelines on the Protectionof Privacy and Transborder Flows ofPersonal Data in 1980, and the Councilof Europe issuing the Convention for theProtection of Individuals with regard toAutomatic Processing of Personal Datain 1981. In 1990, the United Nationsadopted the Guidelines for theRegulation of Computerized PersonalFiles. In 2004, the Asia Pacific EconomicCooperation issued its PrivacyFramework. All four guidelines apply tothe public sector, although they alsoinclude exemptions for law enforcementand security, which remain prevalent innational and European law.
Exemptions for law enforcementand security did not occur because of adearth in sharing in this area, nor for thedesire to limit law enforcement coopera-tion, but were necessary to protectlegitimate individual cases. Almost everycountry with the capability of doing soexchanges information on at least acase-by-case, if not routine basis. Noneof these guidelines explicitly addressexchanges between police workingtogether on an investigation, which areguided by individual officers’ applicationsof domestic law. As a result, sharingbetween countries traditionally occurredon the basis of trust and mutual recogni-tion, built on long-standing relationshipsbetween allies, or has been governed bybroad cooperation agreements that givescant detail to privacy protections.
With the extensive increase in bothinternational travel and security risks,
there has been proportionalgrowth in the need to sharelarger amounts of personaldata for law enforcement andnational security purposes.Data protection laws havealso grown in complexity andsophistication. As a result,countries need to follow thelead of the private sector andprovide greater transparency
on privacy protections for data flows inthe law enforcement and security con-text. Last month saw a landmarkachievement in this area: U.S. and EUrecognition of a set of core privacy prin-ciples for law enforcement and security.
The U.S.-EU High Level Contact Group
On October 28, officials representing theU.S. Departments of Homeland Security,Justice and State, together with the EUPresidency (represented by the SwedishJustice Minister) and the Vice Presidentof the EU Commission, culminatedalmost three years of work by acknowl-edging the completion of the so-calledHigh Level Contact Group (HLCG) princi-ples. While the HLCG principles are notby themselves a binding agreement, thispublic acknowledgement reflects U.S.-EU shared values of democracy, rule oflaw, and respect for human rights andfundamental freedoms and the conse-quent commitment to effective data protection. These core principles will notonly be the basis of future information-sharing agreements between the EUand the U.S., but will hopefully raise thestandard for information sharing in thelaw enforcement and security contextfor the rest of the world.
There has long been an exchange ofinformation between the EU memberstates and the U.S. for law enforcementand security purposes, resulting innumerous prosecutions. Most informa-tion sharing has occurred without contro-
New international privacy principles for
law enforcement and security
By Mary Ellen Callahan, CIPP
Mary Ellen Callahan
110561_Advisor_Document 3 2/17/10 2:54 PM Page 18
THE PRIVACY ADVISOR
International Association of Privacy Professionals 19
versy and without a single complaint ofviolation of the previously mentionedstandards. However, the EU’s growingauthority in border and security mattersvis-à-vis the member states changed thecontext of cooperation. The information-sharing relationship with the U.S.appears to have become part of theevolving political dynamic between theEU and its member states. For example,the EU’s Data Protection FrameworkDecision, adopted to protect privacywhen European authorities share dataamong themselves, is prejudiced againstthe cooperation with non-EU partners.Likewise, the laws governing EU datasystems for asylum seekers and bordercontrol (Eurodac and the SchengenInformation System, respectively) restrictthe transfer of data to third countries forlegitimate law enforcement purposes.Unfortunately, in the name of protectingprivacy, these restrictions negativelyimpact the equally legitimate activities oflaw enforcement to investigate and fightcrime and terrorism.
The HLCG was formed in late 2006to start discussions about privacy in theexchange of information for lawenforcement purposes as part of awider reflection between the EU andthe U.S. on how best to prevent andfight terrorism and serious transnationalcrime. Composed of senior officialsfrom the European Commission, theEuropean Council Presidency, and theU.S. Departments of HomelandSecurity, Justice, and State, the goal ofthe HLCG was to explore ways toenable the EU and the U.S. to workmore closely and efficiently together inthe exchange of law enforcement infor-mation while ensuring that the protec-tion of personal data and privacy areguaranteed. In October 2009, the groupconcluded the first step of that goal,producing a text that identifies the fun-damentals or “common principles” ofan effective regime for privacy. The nextstep will be for both sides to seek abinding international agreement.
The HLCG principles on privacy andpersonal data protection for law enforce-ment purposes apply in the EU for theprevention, detection, investigation, or
prosecution of any criminal offense, andin the U.S. for the prevention, detection,suppression, investigation, or prosecu-tion of any criminal offense or violationof law related to border enforcement,public security, and national security, aswell as for non-criminal judicial or admin-istrative proceedings related directly tosuch offenses or violations.
The HLCG data privacy principlesinclude:
1. Purpose specification/purpose limitation
2. Integrity/data quality
3. Relevant and necessary/proportionality
4. Information security
5. Special categories of personal information
6. Accountability
7. Independent and effective oversight
8. Individual access and rectification
9. Transparency and notice
10. Redress
11. Automated individual decisions
12.Restrictions on onward transfers tothird countries
Other HLCG principles addressed issues pertinent to the transatlantic relationship, including:
1. Private entities’ obligations
2. Preventing undue impact on relationswith third countries
3. Specific agreements relating to infor-mation exchanges
4. Issues related to the institutionalframework of the EU and the U.S.
5. Equivalent and reciprocal applicationof data privacy law
The full text of the HLCG principles isavailable at http://useu.usmission.gov/Dossiers/Data_Privacy/Oct2809_SLCG_principles.asp.
Implementation
Of course, identification of commonprinciples and incorporation into a bind-ing agreement does not end the obliga-tions of the parties in providing privacyprotection. As these principles areapplied, the role of privacy authoritieson both sides of the Atlantic will be toensure that the relevant organizationsare held accountable to them. Beyond abinding agreement, we may expectjoint projects to include identification ofbest practices for ensuring accountabili-ty, such as assessments of decision-making frameworks for the collectionand use of personal information, “priva-cy by design” tools, and privacy enhanc-ing technologies (PETs). A practical, out-comes-driven focus would be a wel-come contribution to law enforcementand security agencies throughout theworld who adopt the HLCG principles.
Mary Ellen Callahan is the chief privacyofficer of the U.S. Department ofHomeland Security. Together with hercolleagues from the Departments ofJustice and State, she participated inthe discussions related to the finalHLCG principles. She wants to thankher International Privacy PolicyDirectors, Shannon Ballard and Lauren Saadat, for their assistance inthe HLCG generally, and with this article, in particular.
“As these principles are
applied, the role of privacy
authorities on both sides
of the Atlantic will be to
ensure that the relevant
organizations are held
accountable to them.”
110561_Advisor_Document 3 2/17/10 2:54 PM Page 19
January-February • 2010
20 www.privacyassociation.org
This article originated as a December 15Morrison & Foerster Client Alert and isreprinted here with permission.
First FTC roundtable on privacy:
December 7, 2009, in Washington, DC
BackgroundThe Federal Trade Commission (FTC) heldthe first in a three-part series of one-dayroundtable meetings focused on privacyon December 7, 2009, in Washington,DC. These events are designed to bringtogether a variety of participants fromindustry, consumer advocacy organiza-tions, trade associations, think tanks, aca-demia and elsewhere, each with a stronginterest in helping to shape the commis-sion’s approach to privacy regulation andenforcement.
The panel discussions during thisfirst event featured vigorous debate andlittle consensus among industry, aca-demic, and advocacy representatives. Insum, as explained in greater detailbelow, industry members urged contin-ued self-regulation based on principles ofnotice and choice. They tended to con-solidate around the Self-RegulatoryPrinciples for Online BehavioralAdvertising backed by the DirectMarketing Association (DMA), InteractiveAdvertising Bureau, Association ofNational Advertisers, the AmericanAssociation of Advertising Agencies, andthe Council of Better Business Bureaus(The DMA Program), which includeenhanced notice coupled with increasedconsumer education, as well as princi-ples addressing consumer control, datasecurity, material changes, sensitivedata, and accountability.
Consumer advocates, on the otherhand, largely argued that both self regu-lation and the notice-and-choiceapproach had failed, and most called fornew laws or rules, either alone, as abaseline for those who do not adhere to
strong self-regulation, or in addition tothe DMA Program.
Commission Chairman Jon Leibowitzopened the meeting by declaring that thisis “a watershed moment in privacy”because companies continue to developmore and more sophisticated technolo-gies to collect information from con-sumers and use it in new ways, withoutconsumers necessarily understanding anyof this. Accordingly, he said, it is an appro-priate time for the commission to take abroad look at the subject. He went on toremark that the commission’s two priorapproaches to privacy—the notice andchoice regime and a harm-basedapproach—had not been as successful asthe currently-constituted commissionwould like, and, accordingly, that the com-mission is searching for a new paradigmfor privacy regulation and enforcement.The director of the Bureau of ConsumerProtection (BCP), David Vladeck, echoedChairman Leibowitz, but, at the sametime, seemed to be more openly recep-tive to legislation or regulation.
Take-AwayAlthough it’s not yet clear how the com-mission will proceed, it was possible toglean some hints of where the commis-sion could be heading. Based on this firstroundtable event, it appears unlikely thatthe FTC will make any radical policy deci-sions at this point. The likely immediateresult of the three events will be a staff
report outlining a new framework,although it is possible that, as in 2000,the commission or its staff will prepare areport to Congress with certain recom-mendations, including, potentially, a callfor new legislation. Were it to make aradical change in policy now, such asrequiring opt-in for behavioral advertisingor applying principles of the Fair CreditReporting Act (FCRA) to databases notnow subject to FCRA (as the WorldPrivacy Forum and other advocates havecalled for), the commission may finditself not just ahead of the business com-munity, but also Congress.
As the commission learned nearlytwo decades ago, getting ahead ofCongress is dangerous business. The lasttime the commission did so, in connec-tion with a proposed trade regulation rulethat would have curtailed televisionadvertising to children, Congressreversed the FTC and ultimately reducedthe commission’s authority and funding.For this reason, we think the commissionwill continue to build a record on privacy,especially where there appear to be gapsbetween consumer expectations andbusiness practices, so that it is well-poised at the conclusion of the three-partseries to adopt a new interpretation ofthe requirements of the FTC Act and anaccompanying enforcement position or torecommend new legislation it thinksappropriate based on the record.
In the meantime, we expect that thecommission is likely to keep an eye onthe roll-out of the DMA Program, includ-ing the extent to which it is adopted byindustry, and to pursue enforcementactions against those that do not join,those that join and do not comply, andthose that engage in fringe activity, suchas collecting sensitive information likehealth, financial, or children’s data for usein behavioral advertising.
U. S. FTC holds first of three privacy roundtable events
and signals policy shift
By D. Reed Freeman, Jr., CIPP, and Julie O'Neill of Morrison & Foerster
Julie O'NeillD. Reed Freeman, Jr
See, FTC roundtable, page 22
110561_Advisor_Document 3 2/17/10 2:54 PM Page 20
Our focus is Privacy...but our blog is open for discussion
Proskauer’s Privacy and Data Security Practice is an outgrowth of our Internet, intellectual property, labor andemployment, health care, First Amendment, international law and litigation practices. Indicative of our Chambers USAranked experience and reputation in this relatively new field of law, is the fact that the venerable Practising Law Institute(PLI) asked our firm to create its first-ever treatise on the subject of privacy and data security law, called “Proskauer onPrivacy,” published in 2006. For more information about this practice area, please visit www.proskauer.com.
Subscribe to our Privacy Law Blog at
http://privacylaw.proskauer.com/index.xml
1585 Broadway, New York, NY 10036-8299 | 212.969.3000 | Attorney Advertising
110561_Advisor_Document 3 2/17/10 2:54 PM Page 21
January-February • 2010
22 www.privacyassociation.org
We also expect the FTC to continueits program using its authority underSection 5 of the FTC Act to enforceagainst those who fail to disclose materi-al information about (1) the collection,uses, and disclosure of data outside theprivacy policy in a clear and conspicuousway, especially in the case of sensitiveinformation, and (2) disclosures and usesof data for purposes other than that forwhich the consumer provides the infor-mation in the first instance.
Roundtable debateWe have structured our summary of theroundtable discussions around the twoprimary themes of the debate aboutwhere the commission’s approach to privacy should head: (1) whether thenotice-and-choice regime remains viable;and (2) how to evaluate and respond tothe harms associated with informationpractices.
Is the notice-and-choice regime dead?Chairman Leibowitz stated that, in thecommission’s view, the notice-and-choiceapproach to privacy has not succeeded.He explained that he has long been aproponent of opt-in (versus opt-out)choice to the collection of personal infor-mation, but he pointed out that even thatcan fail if notice is inadequate. He furtherexplained the inadequacy of notice andchoice with his statement that “we allagree” that consumers don’t read privacypolicies or EULAs.
Advocates’ positionsMany consumer advocates agreed withthe chairman, taking the position thatchoice is illusory when consumers—evenwhen given notice—have no way to fullyunderstand the complicated technologyused to collect information from them,the extent of the data collected, and thevariety of uses and disclosures made ofit, including, sometimes, undisclosedsecondary uses. In their view, no noticecan be sufficient in this context. They alsoargued that regulators and industry havefocused on notice and choice when they
should instead focus on the substance ofinformation practices, i.e., ensuring thatpersonal data is collected and processedfairly. For these reasons, consumer advo-cates largely encouraged reliance on afull set of Fair Information Practices prin-ciples (FIPs) (not just notice and choice)to craft legislation, regulation, or, at least,a regulatory policy framework. In theirview, the FIPs require, among otherthings, opt-in consent to information col-lection and the consumer’s ongoing abili-ty to control how his or her information isused and shared.
Some advocates, such as the WorldPrivacy Forum, also called for the protec-tions of the Fair Credit Reporting Act tobe applied to marketing databases thatare not now subject to FCRA. BCPDirector Vladeck noted that the data bro-ker industry is largely unknown and maywarrant attention; if the commission fol-lows the recommendation of the WorldPrivacy Forum, it would mark a dramaticdeparture from current industry practices.
Industry responseNot surprisingly, industry representativestook an opposing view. They believe thatindustry has provided, and continues towork on ways to improve appropriatenotice, as well as tools that consumerscan use to exercise control over theirdata. They acknowledged the need tocontinue with consumer educationefforts and noted the steps they arealready taking in this direction, particularlythe self-regulatory principles issued bythe DMA and other trade associations inJuly and the development of an icon-based notice regime being developed bythe Future of Privacy Forum.
Moreover, industry representativesstressed that the provision of notice andchoice is more effective than legislation orregulation in meeting consumer needsbecause privacy is a subjective value;some consumers may be willing to relin-quish data in exchange for certain things,such as targeted offers, while others arenot. Because it is extremely difficult todetermine what choices consumers willactually make in any particular context,the industry representatives argued thatthe government should not attempt to
dictate a one-size-fits-all choice on behalfof them. Moreover, the government’sattempt to “protect” privacy in such away would impose significant costs in theform of stifled innovation and the reduc-tion of funding for online content that isnow offered to consumers for free.
What’s the harm?As mentioned above, the commission hasalso relied on a harm-based approach toprivacy, bringing enforcement actionswhen consumers have suffered tangibleharm. Apart from saying that thisapproach has not been as successful asthe commission would like, ChairmanLeibowitz did not directly address thequestion of what harms arise in the priva-cy context and whether they should beactionable.
Comments from BCP DirectorVladeck suggest, however, that the com-mission may be moving away from onlyexercising its authority against tangibleharms. In earlier interviews, he hastaken the position that privacy-relatedharm can occur without tangible injury.Specifically, he has said that “harm”includes not just tangible injury, such asmonetary loss, but also intangible harmssuch as “dignity violations.” Former BCPDirector Howard Beales noted that thereis nothing in the commission’s harm-based approach that says that harmmust be tangible to be actionable, but hecautioned that the harms must be realand articulated. He also stressed that thegovernment must find the most effectiveand least costly way to avoid the harmsit identifies.
Consumer advocates expressedtheir agreement with Director Vladeck’sthinking, saying, for example, thatanonymity is an important social valueand that consumers have the right toknow what data is collected about themand how they are categorized based onthe data. In its written comments to theroundtable, the Center for Democracyand Technology took this a step further byurging the commission to affirm that aviolation of any one of the FIPs results inindividual harm and to use the FTC’sunfairness authority under Section 5 ofthe FTC Act to pursue such violations. If
FTC roundtablecontinued from page 20
110561_Advisor_Document 3 2/17/10 2:54 PM Page 22
Reprinted with permission from Slane Cartoons Limited.
In the Privacy Tracker this month…
Looking back, looking ahead
This month on the Privacy Tracker Web site subscribershave exclusive access to a collaborative article that
forecasts the privacy landscape for the year ahead.Experts provide sector-specific privacy forecasts for 2010.
In addition, the audio archive of the January PrivacyTracker call is now available. The call features a dynamicconversation that looks back at 2009 privacy legislationin 2009 and looks ahead to 2010.
Privacy Tracker keeps you up-to-date on all federal and state privacy legislationwith monthly interactive audio conferences where you can request specificcoverage, weekly e-mails, and a Web dashboard of timely articles and reports.Privacy is the hot bipartisan issue for 2010—subscribe today to keep upwith the latest developments affecting your business.
Try it before you buy it! E-mail us to get a free week-long demo subscription to the Privacy Tracker. [email protected].
www.privacytracker.org
International Association of Privacy Professionals 23
the CDT’s recommendation were tobecome a reality, a company could faceliability for, for instance, “harming” con-sumers by collecting even one elementof data that is more than that “relevant”or “necessary to accomplish a specifiedpurpose” (i.e., violation of the “data mini-mization” principle).
What’s next?As discussed above, Chairman Leibowitzacknowledged the limitations of thecommission’s notice-and-choice andharm-based approaches to privacy. Hesaid that the commission is open to newapproaches and that, over the next sixmonths, it will be working to figure outthe best approach. He did not expressan inclination toward one approach oranother.
In his remarks closing the round-table, BCP Director Vladeck echoed thechairman but also gave a hint that hisviews may be leaning toward regulation.He stated that consumers do not reallyunderstand privacy and that consumerdisclosure as we currently know it doesnot work. He gave a nod to companiesthat are giving consumers better toolsto learn about tracking. At the sametime, he noted that few consumers usethem and wondered whether con-sumers are making bad decisions evenwhen they understand the harms. If thecommission’s approach is shaped by thistheory—e.g., in the form of a trade reg-ulation rule—it will signify a drastic shiftaway from giving consumers the infor-mation they need to make their ownchoices to the government’s makingchoices for them.
Related news
The Federal Trade CommissionImprovements ActIn related news, the FTC ImprovementsAct passed the House of Representativeson December 11, 2009, on a vote of223–202. If it passes the Senate in itscurrent form, the bill will give the commission substantially more power.Specifically, the bill would:
See, FTC roundtable, page 24
THE PRIVACY ADVISOR
110561_Advisor_Document 3 2/17/10 2:54 PM Page 23
January-February • 2010
24 www.privacyassociation.org
• permit the commission to impose civilpenalties for violations of Section 5 ofthe FTC Act, which prohibits unfair anddeceptive acts and practices (currently,it can seek only equitable relief);
• give the commission AdministrativeProcedures Act rulemaking authority,which is far more flexible than its cur-rent rulemaking authority under theMagnuson-Moss Act; and
• expressly permit the commission to pursue cases of secondary liability (i.e.,where a person has provided substantialassistance to another who has violated alaw enforced by the commission).
It is not yet clear how the Senate willreact. The bill has to move through theBanking Committee (the FTC provisionsare just part the Wall Street Reform andConsumer Protection Act), but Senators
on the Commerce Committee may alsobe trying for a seat at the table before thebill goes to the Senate floor—somethingBanking Committee members may resist.Democrats on the Senate CommerceCommittee may be more inclined to sup-port the extension of FTC authority thanthose on the Banking Committee, whichdoes not have jurisdiction over the FTC.
The bill faces substantive hurdles inaddition to the jurisdictional onesdescribed above. Some Democrats areuncomfortable with the underlying billitself, and, of course, many Republicansare uncomfortable with not only the cre-ation of an entirely new agency—theCFPA, which would be created by theWall Street Reform and ConsumerProtection Act—but also such sweepingnew powers being granted to an existingagency (the FTC). There are so manymoving pieces that it’s difficult to predictthe provisions’ chances. In addition, withhealthcare reform consuming so much ofthe Senate’s energy, few expect resolu-tion soon. Nevertheless, this is a very
important bill to watch, given the powersit would confer on the FTC.
D. Reed Freeman, Jr., CIPP, is a partner in Morrison & Foerster’s Privacyand Data Security Group. He focuses onall aspects of consumer protection law,including privacy, data security, andbreach notification, online and offlineadvertising, and direct marketing.
Julie O'Neill, of counsel in theWashington DC office of Morrison &Foerster, counsels clients in all areas ofstate and federal consumer protectionlaw. Ms. O’Neill previously served as astaff attorney in the FTC’s New Yorkregional office, where she investigatedviolations of federal antitrust and con-sumer protection law.
The final roundtable takes place on March 17 in
Washington, DC.
FTC roundtablecontinued from page 23
110561_Advisor_Document 3 2/17/10 2:54 PM Page 24
THE PRIVACY ADVISOR
YOU CANENHANCE YOURRESPONSIVENESS
IBM
and
the I
BM lo
go ar
e reg
ister
ed tr
adem
arks
of I
nter
natio
nal B
usin
ess M
achi
nes C
orpo
ratio
n in
the U
nited
Sta
tes an
d/or
oth
er co
untri
es. O
ther
com
pany
, pro
duct
and
serv
ice n
ames
may
be
trade
mar
ks o
r ser
vice m
arks
of o
ther
s. ©
2008
IBM
Cor
pora
tion.
All r
ight
s res
erve
d. P
2199
5
Governments at all levels face difficult challenges. Economic slowdown. High expectations from key constituents – citizens, businesses,suppliers, employees and other agencies. Escalating costs and budget shortfalls. Security issues. How do you respond? How do youtransform the way you work?
Enter IBM. With a unique combination of privacy and data protection experience, business insight and end-to-end solutions, IBM canhelp your business succeed. Innovate. Grow. Respond in real time. Prepare for tomorrow. You’re ready to differentiate your business.
IBM holds more security and privacy copyrights and patents than any other company. We know what we are doing...now you know too.Why go anywhere else? To learn more about IBM Global Business Services Public Sector’s Security, Privacy, Wireless, & IT Governanceofferings, email us at [email protected].
110561_Advisor_Document 3 2/17/10 2:54 PM Page 25
CANADA
By John Jager, CIPP/C
A look at Bill 54
During the pastyears, a number ofCanadian privacylaws have beenundergoing statuto-ry review. A reviewof the federalPersonal InformationProtection andElectronicDocuments Act(PIPEDA) commenced in the fall of 2006,a review of the Alberta PersonalInformation Protection Act (AB PIPA)commenced in 2007 and a review of theBritish Columbia Personal InformationProtection Act (BC PIPA) began in 2008.
While all of these reviews haveresulted in committee reports to therespective legislatures, only the govern-ment of Alberta has tabled a bill toamend its private-sector privacy legisla-tion. On October 27, 2009, the govern-ment of Alberta introduced Bill 54—Personal Information ProtectionAmendment Act, 2009.
The bill contains an extensive numberof amendments. This dispatch focuses onsome key issues that will impact private-sector organizations going forward.
Breach notification:Bill 54 creates a statutory requirementfor notification when personal informa-tion (PI) is lost or has been subject tounauthorized access or disclosure. Ratherthan creating a mandatory requirementfor organizations to notify affected par-ties, Bill 54 requires that organizationshaving PI under their control must, with-out unreasonable delay, provide notice tothe privacy commissioner of any incidentinvolving the loss of or unauthorizedaccess to or disclosure of the PI, where a
reasonable person would consider thatthere exists a real risk of significant harmto an individual as a result of the loss orunauthorized access or disclosure.
If an organization suffers a loss of orunauthorized access to or disclosure ofPI where the organization would berequired to provide notice to the privacycommissioner, the commissioner mayrequire the organization to notify individ-uals to whom there is a real risk of sig-nificant harm as a result of the loss orunauthorized access or disclosure. Thenotification to affected individuals wouldhave to be in a form and manner as pre-scribed by the regulations, and within atime period determined by the commis-sioner. Under the bill, the commissionermust establish an expedited process fordetermining whether to require anorganization to notify individuals in cir-cumstances where the real risk of signif-icant harm to an individual as a result ofthe loss or unauthorized access or dis-closure is obvious and immediate.
Access requests:Bill 54 includes a number of amend-ments to the sections relating to accessand correction, and includes a numberof clarifications and the reorganization ofsome sections. On the matter of fees,Bill 54 proposes that organizations maynot charge a fee in respect of a requestfor personal employee information.Section 33, which requires organizationsto make reasonable efforts to ensurethat PI is accurate and complete, isamended by adding the words “to theextent that is reasonable for the organi-zation’s purposes in collecting, using, ordisclosing the information.”
Employee personal information:Currently PIPA permits the collection,use, and disclosure of personal informa-tion of employees and prospectiveemployees if the information is to beused for a purpose that is reasonableand related to an employment relation-ship. Bill 54 amends these relevant sec-tions to extend the collection, use, anddisclosure of employee personal infor-mation to the management of the post-employment relationship.
Privacy notice:Bill 54 adds a new section which dealswith notification requirements respectingservice providers outside Canada.Organizations using foreign serviceproviders to collect PI with the consentof an individual must notify the individualof that collection. If the organizationtransfers PI, directly or indirectly, to aservice provider outside Canada, individu-als must be so notified. The notificationsmust be made at or before the collectionor transfer, in writing or orally, and mustinclude how individuals can obtain accessto written information about the organiza-tion’s policies and practices with respectto service providers outside Canada. Thenotification must also include the nameor title of a person who is able to answer,on behalf of the organization, an individ-ual’s questions.
A copy of Bill 54 is available at theAlberta government Web site, or at thefollowing URL: www.assembly.ab.ca/ISYS/LADDAR_files/docs/bills/bill/legislature_27/session_2/20090210_bill-054.pdf.
John Jager, CIPP/C, is vice president ofresearch services at Nymity, Inc., whichoffers Web-based privacy support to help organizations control their privacyrisk. He can be reached at [email protected].
Global Privacy Dispatches
John Jager
January-February • 2010
26 www.privacyassociation.org
“The notifications must be made at or before thecollection or transfer, inwriting or orally…”
110561_Advisor_Document 3 2/17/10 2:54 PM Page 26
FRANCE
By Pascale Gelly
CNIL sanction procedure overruled
by the Court of Appeal
In late 2006, theFrench data protec-tion authority issueda 30,000 euro sanc-tion against InterConfort for improperhandling of objec-tion requests todirect marketing viatelephone. Thesanction followedthe CNIL’s onsite investigation of InterConfort. Inter Confort challenged thissanction decision before the Court ofAppeal (Conseil d’Etat) on proceduralgrounds. The onsite investigation procedural rules set forth by the DataProtection Act and its implementationdecree provide extensive powers to theauthority to access private premises,even outside of business hours, withoutprior warning and without the data controller being present. These powersbeing almost limitless, the court considered that it was essential “forproportionality purposes” to counterbal-ance them by putting them under thecontrol of a judge of the judiciary sys-tem. The court considers this to beachieved by the DP Act insofar as itgives the right to the data controller toobject to the investigation, in whichcase the investigation can occur onlywith the prior authorization of a judge.As defendants must be made aware oftheir rights, the Appeal Court cancelledthe CNIL decision because the authorityfailed to inform the data controller of itsright to object to the investigation.
French senators pursue their goal for
an “enhanced” Data Protection Act
Following their report, Privacy in the Era of Digital Memory: For anIncreased Trust Between Citizens andThe Information Society, two senatorsfiled a bill on November 10 to modifythe French Data Protection Act.
The bill intends to introduce sever-al changes to the law, including require-ments such as:
• mandatory installation of a data protection officer for organizations withmore than 50 employees;
• an obligation to notify the CNIL of datasecurity breaches;
• an obligation for organizations‘ Websites to enable individuals to exercisetheir data protection rights online;
• changing the existing right of objectionto a right of deletion;
• changing the content of privacy noticesto specify the data retention limit;
• publicizing the hearings of the CNIL litigation committee;
• increasing CNIL sanction powers toinclude fines of up to 300,000 eurosand the option to publicize the sanc-tions, even against a “good faith”infringer, so that the CNIL enforce-ment powers will be more efficient.
The senators are also joining the effortsof the French Secretary of State for thedigital economy to work on a “droit àl’oubli”—a sort of right “to oblivion” or,some would say right “to deletion,” aFrench cousin to the right “to be leftalone.” At a November conference atSciencesPo, CNIL President Alex Türkdisclosed very personal informationabout his youth and recruiters present-ed a code of conduct.
www.senat.fr/dossierleg/ppl09-093.html
Calling on call centres
The CNIL announced in mid-Novemberthat it had conducted onsite investiga-tions at two major customer call centres.
The main check was on the security
and confidentiality of customer data col-lected and processed by the call cen-tres. An area of improvement was iden-tified: the need for action logs e.g., whoaccessed what, who modified what andwhen, etc...
Employee-monitoring tools werealso investigated. More onsite “calls”are expected.
www.cnil.fr/la-cnil/actu-cnil/article/arti-cle/2/les-centres-dappel-sous-controle/#
Pascale Gelly of the French law firmCabinet Gelly can be reached at [email protected].
GERMANY
By Flemming Moos
The privacy work programme of
the new German Federal
Government
The newly electedGerman governmenthas set out in acoalition agreementhow it intends togovern during thenext four years.Remarkably, the 124-page documentcontains a specificchapter on privacy issues. The privacywork programme of the new govern-ment focuses on the following issues:
• The law that would allow Germanintelligence agencies to engage inonline surveillance of private comput-ers will remain. However, the “pro-tection of the core area of privatelifestyles,” shall be improved. Thecoalition will await a ruling by theConstitutional Court on the retentionof data before allowing intelligenceagencies to access telecommunica-tions companies‘ data on their cus-tomers’ call details.
See, Global Privacy Dispatches, page 28
Pascale Gelly
THE PRIVACY ADVISOR
International Association of Privacy Professionals 27
“The CNIL announced that it had conductedonsite investigations attwo major customer call centres.”
Flemming Moos
110561_Advisor_Document 3 2/17/10 2:55 PM Page 27
• The government wants to better protect employees from theiremployers spying on them.Employers will be allowed to useonly data that affects the employer-employee relationship. The govern-ment intends to add to the federalGerman Data Protection Act (BDSG)a new chapter on employee privacy.
• Even more, the government strives atan overall modernization of the BDSG.It is intended to make the law morereadable and technology-neutral; alsothe framework for clear and unam-biguous declarations of consent byindividuals shall be improved andexisting information obligations shallbe expanded. In performing this task,the government also wants to exam-ine whether changes can be madewith a view to eliminating superfluousred tape.
• Also, the issue of sharing financial datawith the U.S. seems to be under fur-ther scrutiny. The coalition agreementsays any SWIFT agreement shouldhave a "high level of data protection"and should only be used for the pur-pose for which it was requested.
• The government wants to makegreater use of biometric procedures(passports, identity cards, visas, resi-dence permits) and amend the ActGoverning Passports and Identity
Cards to this end while maintainingdata protection.
• The creation a "foundation on data pri-vacy" is planned. The foundation willtest and certify services and productswith respect to data protection lawcompliance and adherence to the prin-ciples of data avoidance and dataeconomy.
Decision of the Federal Court of
Justice: opt-out consent to postal
advertising
On November 11, 2009, the GermanFederal Court of Justice handed down ajudgment on the privacy aspects of the”HappyDigits” bonus programme. Thecourt held that an opt-out consent byparticipants relating to postal advertis-ing that was included in the registrationform for the programme is compliantwith applicable German data protectionlaw provisions. In this respect, the courtapplied Sec. 4 of the BDSG, accordingto which consent also can be givensimultaneously with other declarations(here, the participation in the bonus programme) in case special prominenceis given to the declaration of consent(e.g. by printing in bold). Interestingly,the court also stated clearly that, in thisrespect, the September 1, 2009 amend-ment of the BDSG has not broughtabout any changes to the law. Rather,also the recently introduced Sec. 28paragraph 3a BDSG shall provide for arespective opt-out solution. It must beborne in mind however, that this is onlytrue for postal advertising. With respectto advertising via telephone, telefax, e-mail, or other electronic means, anopt-in consent is generally requiredunder German law, as the Federal Courtof Justice had earlier declared in its ruling dated July 16, 2008 on the“Payback” bonus programme.
DPA of Berlin: strict approach to
denied person screenings
As already reported in the OctoberIssue of the Privacy Advisor, theDüsseldorfer Kreis adopted a resolutionon privacy aspects of employee screen-ings in April 2009, following a moderate
approach what concerns the overall per-missibility of such screenings. The DPAof Berlin apparently applies a muchstricter approach; according to aninformative letter to other GermanDPAs dated August 31, 2009, he is ofthe opinion that even a usage of thedenied persons lists included in the EURegulations 2580/2001 and 881/2002(which are per se binding in Germany)cannot be justified under German dataprotection law provisions. In particular,the Data Privacy Officer of Berlin criti-cizes that the provisions of these EURegulations are too broad to qualify fora statutory provision that would allowthe usage of the data for screening pur-poses. Moreover, he takes the viewthat the balancing of interest test is infavour of the affected individualsbecause the lists seem to be outdatedand erroneous and in fact the compa-nies would not face any relevant sanc-tions for non-compliance with the appli-cable EU Regulations. It seems doubt-ful whether this approach is in fact inline with the findings and the resolutionof the Düsseldorfer Kreis. Anyhow, it isrecommendable for German businessesto consult with the competent DPAbefore introducing a denied personscreening system in Germany.
Flemming Moos is an attorney at DLA Piper and the chair of the IAPPKnowledgeNet in Hamburg, Germany.He is a certified specialist for informa-tion technology law and a former member of the IAPP PublicationsAdvisory Board. He can be reached [email protected].
Global Privacy Dispatchescontinued from page 27
January-February • 2010
28 www.privacyassociation.org
“The creation of a founda-tion on data privacy isplanned. The foundationwill test and certify servic-es and products withrespect to data protectionlaw compliance…”
“It seems doubtfulwhether this approach is in fact in line with the findings and the resolution of theDusseldorfer Kreis.”
110561_Advisor_Document 3 2/17/10 2:55 PM Page 28
THE PRIVACY ADVISOR
International Association of Privacy Professionals 29
FEBRUARY
4 Université AFCDP des
Correspondants Informatique
& Libertés
Paris, Francewww.afcdp.net
11 IAPP KnowledgeNet – Paris
16 IAPP KnowledgeNet –
Hamburg
24 IAPP Certification Testing –
Columbus, OH
24 IAPP Certification Testing –
New York, NY
24 IAPP Certification Testing –
Victoria, BC
26 IAPP Certification Testing –
St. Paul, MN
MARCH
16 IAPP Tenth Anniversary
Celebration
Washington, DC/Various other
locations via telecastwww.privacyassociation.org
17 FTC Privacy Roundtable
FTC Conference CenterWashington, DC
APRIL
19-21 IAPP Global Privacy Summit
Washington, DCwww.privacysummit.org
21 IAPP Certification Testing –
Washington, DC
MAY
2-8 APPA Privacy Awareness Weekwww.privacyawarenessweek.org
26-28 IAPP Canada Privacy
Symposium 2010
Toronto, ON
JUNE
14-15 IAPP Practical Privacy Series
Santa Clara, California
SEPTEMBER
29-1 IAPP Privacy Academy
Baltimore, MDwww.privacyacademy.org
30 Privacy Dinner
Baltimore, MDwww.privacyassociation.org
OCTOBER
27-29 32nd International Conference
of Data Protection and Privacy
Commissioners
Jerusalem, Israel
DECEMBER
7-8 IAPP Practical Privacy Series
Washington, DCwww.privacyassociation.org
Calendar of Events
To list your privacy event in the PrivacyAdvisor, e-mail Tracey Bentley [email protected]
Privacy News
European legislative update
Linklaters has released its 2009/2010 edition ofLinklaters’ Data Protected , a summary of
European data protection legislation. The updatedreport includes reviews of data protection legisla-tion in all Member States, European EconomicArea States (Iceland, Liechtenstein, and Norway),and Switzerland and Russia.
The update reflects major changes to dataprotection laws in Germany, and new contentincluding questions on the formal requirementsfor consent and Linklaters' proposals for thereform of the Data Protection Directive.
www.linklaters.com/pdfs/extranet/DataProtected/2009_2010.pdf
ONC names privacy, security
workgroup members
The Office of the National Coordinator for Health IT named 17 to the Health IT Policy Committee privacy and security
workgroup in December.
The members are as follows:
• Deven McGraw, Chair, Center for Democracy & Technology
• Rachel Block, Co-Chair, NYS Department ofHealth
• Paul Tang, Palo Alto Medical Foundation
• Latanya Sweeney, Carnegie Mellon University
• Gayle Harrell, Consumer Representative/Florida
• Mike Klag, Johns Hopkins University, Public Health
• Judy Faulkner, Epic, Inc.
• Paul Egerman, Consultant
• Dixie Baker, SAIC
• Paul Uhrig, SureScripts
• Terri Shaw, Children’s Partnership
• John Houston, University of PittsburghMedical Center
• Joyce DuBow, AARP
• A. John Blair, MD, Provider
• Peter Basch, MD, Provider
• Justine Handelman, Blue Cross Blue Shield
• Dave Wanser, National Data InfrastructureImprovement Consortium
• Kathleen Connor, Microsoft
110561_Advisor_Document 3 2/17/10 2:55 PM Page 29
Privacy pros gathered at the WillardInterContinental Hotel for the two-day Practical Privacy Series event inearly December. Day one exploredthe role of the Federal TradeCommission in consumer privacyprotection. Day two focused on newdimensions in government privacy:cookies, clouds, and collaborativecomputing.
Scenes from the IAPP Practical Privacy Series in Washington, DC.
Left: FTC Bureau ofConsumer ProtectionDirector David Vladeck (left)opened the day-one event“The Role of the FTC inConsumer PrivacyProtection.” Bob Belair ofOldaker Belair & Wittie LLPlistens.
January-February • 2010
30 www.privacyassociation.org
110561_Advisor_Document 3 2/17/10 2:55 PM Page 30
Top: On day two, attendees explorednew dimensions in government privacy. Greg Dupier of Booz AllenHamilton, Lewis Oleinick of theDefense Logistics Agency, PeterFleischer of Google, and consultantRobert Gellman lead the session“Perspectives on Cloud Computing.”
Right: Robert Clark (standing), theoversight and compliance officer forthe Office of DHS AssistantSecretary for Cybersecurity andCommunications elicits a laugh fromRick Aldrich, a Booz Allen Hamiltoncontractor, during the session“Banners, Notices and MOAs: Whatthe National Cybersecurity StrategyMeans for Your Agency.”
THE PRIVACY ADVISOR
International Association of Privacy Professionals 31
Despite wet weather and trying travel conditions, the room was full.
Privacy News
• Bojana Bellamy, Director of Data Privacy,Accenture
• Ruth Boardman, Partner, Bird & Bird
• Gary Davis, Deputy Commissioner, Office of theData Protection Commissioner, Ireland
• Rafael Garcia Gozalo, Head of the InternationalDepartment, Spanish Data Protection Authority
• Pascale Gelly, Cabinet Gelly, AFCDP BoardMember
• Sue Gold, Executive Counsel, The Walt DisneyCompany Limited
• Christoph Klug, Managing Director, GermanAssociation for Data Protection and Data Security(GDD)
• Gabriela Krader, Data Protection Officer, Deutsche Post
• Christopher Kuner, Partner, Hunton & Williams
• Denise Lebeau-Marianna, Partner - Avocat à lacour, ITC Department, Baker & McKenzie SCP
• Xavier Leclerc, Vice President AFCDP, ManagingDirector Axil-Consultants
• Neil Matthews, UK Privacy Officer, Acxiom Limited
• Rocco Panetta, Partner, Panetta & Associati –Studio Legale
• Florence Raynal, Head of International andEuropean Affairs of the CNIL
• David Smith, Deputy Commissioner, InformationCommissioner’s Office, United Kingdom
• Toby Stevens, Director, Enterprise Privacy Group
• Florian Thoma, Chief Data Protection Officer,Siemens
• Richard Thomas CBE LLD, Centre for InformationPolicy Leadership, Hunton & Williams LLP
• Henriette (“Jetty”) Tielemans, Partner, Co-Chair ofthe Global Privacy and Data Security Group,Covington & Burling LLP
• Bridget Treacy, Partner, Hunton & Williams
• Eduardo Ustaran, Partner and Head of the Privacyand Information Law Group, Field FisherWaterhouse LLP
New IAPP Europe
Board members
The IAPP has announced newmembers for its European
Advisory Board. Privacy experts froma variety of government and industrysectors will help inform the expan-sion of IAPP Europe, which waslaunched in November to provide tai-lored education, networking, and cer-tification opportunities for Europeandata protection professionals.
New IAPP Europe board members
110561_Advisor_Document 3 2/17/10 2:55 PM Page 31
Congratulations, Certified Professionals!
Periodically, the IAPP publishes the names of graduates from our various privacy credentialing programs. Whilewe make every effort to ensure the currency and accuracy of such lists, we cannot guarantee that your name willappear in an issue the very same month (or month after) you officially became certified.
If you are a recent CIPP, CIPP/G or CIPP/C graduate but do not see your name listed above then you can expect tobe listed in a future issue of the Advisor. Thank you for participating in IAPP privacy certification!
John Patrick Ahern, CIPP/GLalit Kumar Ahluwalia, CIPP
Ann Allinson, CIPP Joan Susan Antokol, CIPP
Julian Appel, CIPP/ITJennifer Carroll Archie, CIPP
Asif Arman, CIPPBrian W. Arney, CIPP/IT
Wayne Joeseph Bate, CIPP/CEssie Louise Bell, CIPP/GKevin Charles Boyle, CIPP
Margaret Kathleen Bramwell, CIPPJane L. Braun, CIPP/IT
William B. Brinkley, CIPP/GMark A. Brown, CIPP/GPamela S. Bruce, CIPP
James Lesley Bryant, CIPPGerald Burton, CIPP/G
Edward Allen Byrd, CIPPSang Kyung Byun, CIPP
Colin Alexander Campbell, CIPP/ITKerey L. Carter, CIPP/G
Debra Marie Castanon, CIPP/ITRuben D. Chacon, CIPP
Darren Curtis Chin, CIPP/C
Mithin Jay Chintaram, CIPPChristopher Joel Clancy, CIPPPatrick Michael Clary, CIPP
Maureen Ann Clements, CIPPKelly Hugh Cook, CIPP/GBrett Joseph Croker, CIPPLaquawn M. Curry, CIPP/G
Ania Magdalena Czyznielewska, CIPP Lina D'Aversa, CIPP/C
Lashaunne Graves David, CIPP/GDaryl Edward Davis, CIPP/GHelene Demoulin, CIPP/IT
Sophie Dessalle, CIPP Marsha L. Devine, CIPP/G
Roderick Wayne Duff, CIPP/GJacquelyn Louise Dutcher, CIPP
Joanne Easdow , CIPP/CKristen Marie Ellis, CIPP/G
James Vincent Episcopio, CIPPAnthony C. Escobedo, CIPP/G
Brian DuPerre, Esq., CIPPTraci Lynne Ewers, CIPP/GKelly Frances Farmer, CIPP
Meghan Kathleen Farmer, CIPP/GMichael Joseph Ferguson, CIPP/C
LeRoy Elliot Foster, CIPP/ITStephen Todd Fraley, CIPP
Marc Gagne, CIPP/C Ronald Paul Gandy, CIPP
Cheri Gatland-Lightner, CIPP/GKathryn Gillia, CIPP
Scott Matthew Giordano, CIPP/ITMark Henry Goldstein, CIPP John G. Goodson, CIPP/GConnie Ann Graham, CIPP
Philip McKinley Greene, CIPP/ITWilliam Edward Growney, CIPP
Wayne Lee Gustafson, CIPPSheila A. Guthrie, CIPP/CCynthia Ann Gutz, CIPP
Brian Douglas Hall, CIPPMindy Ayn Harbeson, CIPPMary Louise Harter, CIPP/IT
Tammy A. Hastie, CIPP/CSari Lyn Heller Ratican, CIPP
Jacob J. Herstek, CIPPGregory Robert Hewes, CIPP/ITElizabeth Susan Hidaka, CIPP
Travis James Hildebrand, CIPP/GGeorges Houde, CIPP/IT
The IAPP is pleased to announce the latest graduates of our privacy certification programs. The followingindividuals successfully completed IAPP privacy certification examinations held in fall and winter 2009.
January-February • 2010
www.privacyassociation.org32
110561_Advisor_Document 3 2/17/10 2:55 PM Page 32
Gretchen Kreller Hiley, CIPPCarolyn Cunnold Holcomb, CIPP
Gail A. Horlick, CIPP/GAmy J. Howe, CIPP/G
Max Montgomery Howie, CIPP/GAlan Andrew Isham, CIPP/IT
Keith Alan Jantzen, CIPP Carol Anne Jaques, CIPP/C
Myrl B. Jowell, CIPP/GAlbert King, CIPP/G
Catherine Sansum Kirkman, CIPP/GFelicia P. Kittles, CIPP/G
David H. Knowles, CIPP/GVava Kolinski, CIPP/CLinda Komperda , CIPP
Andrew Brian Lachman, CIPP/GJames Lai, CIPP
James Michael Laskowski, CIPPGigi Waitsz Leung, CIPP/IT
Greg Levine, CIPP/GThomas P. Levis, CIPPRyan Kyle Liu, CIPP
Marc S. Loewenthal, CIPPKenneth W. Long, CIPP/G
Raymond Lopez, CIPPElena Antoinette Lovoy, CIPP/C
Victor A. Loy, CIPP/ITKevin Lyday, CIPP/G
John David Macias, CIPP/GThomas Patrick Madden, CIPP/G
Kelly Marie Matoney, CIPP/GLester Masao Mayeda, CIPP/ITMatthew David McAllister, CIPP
Brian McKay, CIPPSam D. Monasteri, CIPP/ITCarlos Mondesir, CIPP/C
Robert James Morgan, CIPPTimothy W. Morrison, CIPP
Mehmet Munur, CIPPPolly J. Nelson, CIPP
Julie Hua Ni, CIPPBrian Christopher Nicholson, CIPP/G
Jennifer Nikolaisen , CIPP/GVictoria Barbara Ocholla, CIPP
Charles R. Offer, CIPP/IT
Michael Robert Overly, CIPPSylvia Ortega , CIPPRay Pathak, CIPP/C
James David Pearson, CIPP/GCecil Francis Pineda, CIPP
Claudiu Popa, CIPPKaren C. Powell, CIPP
Marion A. Reeves, CIPP/GJeanne Marie Robinson, CIPP
Michele L. Robinson, CIPPSusan Loraine Rohland, CIPP/C
Nicole Marie Rosen, CIPP/ITGlenn Ross, CIPP/C
K Roal, CIPPAnita L. Sandmann-Hill, CIPP/G
Carla Scher , CIPP/ITVineet R. Shahani, CIPP
Ramachandra Kudgi Shenoy, CIPP Inamullah Siddiqui, CIPP
Ryan Thomas Smyth, CIPPDavid Michael Sutton, CIPP/C
Angela Swan, CIPP/ITGray E. Terry, CIPP
Elliott Caleb Tomes, CIPP/GKatharine Tomko, CIPP
Robert Thomas Traver, CIPP/ITSherri Trip , CIPP/IT
John Laurence Trotti, CIPPWilliam A. Turner, CIPP/CMary E. Vansickle, CIPP/CRalph S. Vaughn, CIPP/G
Danny Lamonte Wade, CIPP/GCarol Elaine Waller, CIPP/GJacquay D. Waller, CIPP/G
Terry Wang, CIPP/GDouglas Keith West, CIPP/G
Laurene West, CIPPJeff Wilson, CIPP
Alexander Windel, CIPP/ITJeffrey Yarges, CIPP
Clark Kiyoshi Yogi, CIPP/ITSabiha Gulshan Zafar, CIPP/G
Paola Zeni , CIPP
International Association of Privacy Professionals 33
PRIVACY
-2010-2010PREDICTIONS
Businesses will continue
to push for new tech-
nologies such as “cloud com-
puting” and increasing use of
mobile technologies, which
will put pressure on privacy
professionals to understand
the implications of these new
and rapidly evolving technolo-
gies. Business will continue
to grapple with the implica-
tions of social networking
applications as they relate
to privacy and by the end of
2010 there will be first-
generation products on the
marketplace focused on
helping business monitor
and control such products.
Regulation will continue to
become more complex and
prescriptive in an attempt to
address privacy breaches.
The accountability for privacy
in situations where a process
has been outsourced/off-
shored will come under
scrutiny in 2010 as the result
of a major breach some-
where in the world. The U.S.will move closer to a national
privacy/data security law,
but will fail to obtain a
federal DPA.
—Jeff Green, CIPP/C, Vice President, Global
Compliance & Chief PrivacyOfficer, RBC
110561_Advisor_Document 3 2/17/10 2:55 PM Page 33
January-February • 2010
34 www.privacyassociation.org
By Luis Salazar, CIPP, and Jorge Rey
A group of South Florida IAPP membersbraved the winter elements—blue skies,sunshine, warm temperatures—toattend a KnowledgeNet meeting inMiami in December. Jorge Rey led theinteractive session on the apropos topic:Privacy Resolutions.
Although attendees represented awide range of industries—pharma, bank-ing, education, professional services,and more—all shared remarkably similarconcerns and goals. Here are their topresolutions (in reverse order).
10. Perform internal/external penetra-
tion and social engineering testing
No matter the industry, all participantsagreed that “knowing” is a critical partof the privacy battle. And while IT secu-rity weaknesses remain critical, good-ole fashioned social engineering is amajor concern, especially in these diffi-cult financial times. Rey, in particular,advised that simply testing employeesand testing their compliance with securi-ty measures is critical. Will the helpdesk release passwords? Will a recep-tionist divulge crit-ical employeenames?
“People canviolate privacyprotocols justbecause they areeager to help andbe service-orient-ed,” offered LindaClark, CIPP, anddirector and sen-ior corporatecounsel atLexisNexis. “Weteach employeesto be aware ofsocial engineeringand provide guid-ance on how torespond in certainsituations—something like ‘at
Lexis we value privacy, and I can’t dis-close the information that you are ask-ing for’—to help them comfortably andpolitely refuse such requests.”
9. Assess and update legal agreements
and vendor due-diligence procedures
Like losing weight or eating right, this isone of those resolutions that everyoneundertakes each year, but often findsnearly impossible to actually carry out tothe level they would like. OdelinFernandez, Jr. (Odie to his friends), whomanages the vendor program as opera-tions and technology risk supervisor atMercantil Commercebank, noted that“making sure vendors’ contracts are up-to-date on changing requirements, audit-ing vendor requirements, plus conduct-ing due diligence on potential vendors istime consuming and often frustrating,but it’s an absolutely essential compli-ance step. So often, vendors are theweak link.”
8. Assess and update marketing
programs to maintain privacy
compliance
Two concerns drove this resolution: theevolving nature of behavioral marketingand the need to limit data intake. CAN-SPAM, behavioral marketing, and eventhe revised product endorsement guide-lines concern South Florida privacy pro-fessionals. But for David Vance, seniordirector and compliance counsel forNoven Pharmaceuticals, avoidingunwanted data intake is critical.
“Noven does promote some pre-scription products direct to customers,”said Vance. “And even inadvertent intakeof information can potentially subjectthe company to healthcare privacy lawsand regulations. So, like other pharma-ceutical companies, we maintain safe-guards against consumers sending uspersonal medical information—evenwhen we don’t ask for it. We also makesure that vendors that must use somepersonal medical information to adminis-ter patient assistance programs or co-pay voucher programs, do not share that
10 New Year’s privacy resolutions
Jorge Rey
Luis Salazar
PRIVACY
-2010-2010PREDICTIONS
Privacy and data protectionin Australia and NewZealand, 2010
Legislation to implement sub-
stantial proportions of the ALRC
report on privacy, as set out in the
Federal Government Response of
October 2009, will be introduced
into Parliament in the first half of
2010 but may not be passed before
the next federal election, delaying
its final enactment until 2011. The
federal government will announce
its response to the remainder of
the ALRC report after the federal
election, likely to be held in the
second half of 2010. Significant
progress will be made in introduc-
ing electronic health identifiers for
all Australians and providing them
with additional legal protection.
A number of initiatives to connect
electronic health information for
clinical purposes will emerge, con-
necting the significant repositories
already developing in individual
hospitals and medical practices.
The New Zealand Law Commission
will make significant progress with
its inquiry into privacy law in New
Zealand. Banking and other sectors
of the economy will make a signifi-
cant push into mobile transactions.
The iappANZ will hold another
highly successful annual confer-
ence later in the year.
Malcolm Crompton, CIPP,Managing Director, Information
Integrity Solutions P/L
110561_Advisor_Document 3 2/17/10 2:55 PM Page 34
THE PRIVACY ADVISOR
International Association of Privacy Professionals 35
information with us. If a consumerwants to report an apparent adverseevent, however, we of course take thatvery seriously.”
7. Hire information security and/or
privacy professionals
It should come as no surprise given thecurrent economic climate that all of themeeting’s participants are running verylean privacy programs. Yet many aretasked with handling a wider variety ofresponsibilities than they have in thepast. “Everyone is happy to beemployed these days, but it is equallyimportant to have the right people in theright position,” noted one.
Thus this key resolution: Hire theright personnel to address critical prob-lems. Perhaps an unspoken resolution isneeded: Get more money and resourcesfor privacy.
6. Perform a privacy and/or
information security compliance due
diligence for current vendors
Sure, vendors sign contracts agreeing to comply with privacy laws and procedures, but are they really doing it?One attendee voiced a common con-cern: “Too often it seems as if vendorswill say and agree to anything to get the business, but actual execution isanother thing.”
Auditing and spot-checking are indispensible methods of making surethat vendors are in compliance. All attendees resolved to make this one of their top tasks for 2010.
5. Perform internal privacy and infor-
mation security compliance audits
Measuring performance is crucial tomanaging it, and privacy is no different.All participants agreed that living up tothis resolution requires covering someaudit basics, namely “what’s in scope,what’s not?”
But at perhaps the other extreme,simply creating some “self-checklists”to educate employees and raise privacyawareness is remarkably effective,”noted Todd Sussman, privacy officer forthe Broward County Florida PublicSchool System.4. Implement technologies to prevent
data leakage
If it weren’t for budget constraints, thisresolution would probably top the list.Be it e-mail encryption, electronic shred-ding, or data-leakage software, rollingout robust technology is somethingevery privacy professional wants to do.
3. Develop specialized privacy and/or
information security training
Like learning a new language or travel-ling abroad, this is another one of thoseresolutions that everyone makes butoften struggles to carry out. Attendeesnoted resource constraints, especially,as part of the challenge. But work forceresistance doesn’t help. “Training the C-Level is a big challenge,” noted onemember. “They often present the great-est risk, but are the shortest on timeand desire.”
Attendees resolved to focus ondeveloping the “right” training, alongwith creative means for capturing attention and attendance.
2. Create/update an accurate
inventory of information assets and
supporting technologies
All attendees resolved to undertake a step-by-step analysis to identify allinformation assets, along with existingand desired resources, to defend themand keep them private. Once again,given resource constraints brought onby the economic recession, it is more
See, 10 privacy resolutions, page 36
Password insecurity
Researchers found that the topfive most-popular passwords ofone million users of a social networking site are 1) 123456 2) 12345 3) 123456789 4) password, and 5) iloveyou, leading one CTO to comment that humans might have a geneticflaw that prevents them fromchoosing strong passwords.
Source: New York Times
Weaning off the Web
The South Korean government hasestablished Internet Rescuecamps to treat individuals whohave developed online addictions.Two-week intensives led byInternet addiction counselors havehelped youths wean themselvesoff the Web. Treatment includesactivities intended to recapturechildhood lost to virtual environ-ments, such as outdoor activities.
Source: Frontline
10 million addicts
In China, an estimated 10 to 14percent of adolescent Internetusers qualify as “addicted” to the Internet. That’s about 10 million teens.
Source: Frontline
“Auditing and spot-checking are indispensi-ble methods of makingsure that vendors are in compliance. All attendees resolved tomake this one of theirtop tasks for 2010.”
110561_Advisor_Document 3 2/17/10 2:55 PM Page 35
IAPP members:
Does your organization offerfree or discounted products orservices to other IAPP members?
If so, let them know!
Advertise at a DISCOUNTED RATEhere in our new member-to-memberbenefits section.
MEMBER to MEMBER Benefit
Contact Wills Catling [email protected] +1.207.351.1500, ext. 118
MEMBER to MEMBER Benefit enefit
IAPP members:
ganization ofDoes your oree or discounted prfr
vices to other IAPP members?ser
If so, let them know!
tise at a Advere in our new memberher
ferganization ofoducts oree or discounted pr
vices to other IAPP members?
If so, let them know!
DISCOUNTED RATE-to-membere in our new member
e in our new memberherbenefits section.
Contact wills@pror +1.207.351.1500,
-to-membere in our new memberbenefits section.
ills Catling atWContact gassociation.oracyviiwills@pr
118ext..+1.207.351.1500,,
January-February • 2010
36
important than ever to understandwhat’s at stake.
1. Implement and/or update the
privacy risk management program
Everyone agreed that a new year callsfor a fresh look at the “risk” programs.Having obtained a good inventory ofinformation assets and defenses, a goodrisk analysis is the natural next step. “A good risk-management program isparticularly essential in these lean economic times,” noted one participant.“Businesses need to get the biggestbang for their buck.”
Personal resolutions
On a personal level, each participatingmember resolved to take care of theirown identities, too. Topping the “person-al” resolutions were: shredding all mailand sensitive documents before they
end up in the trash; getting a lock forthe home mailbox; and signing up forfraud alerts.
Keeping resolutions
Only time will tell whether these resolu-tions fall by the wayside in the face oflimited resources, limited time, and com-
peting demands. But the old saying isthat “if you aren’t careful, you’ll end upexactly where you are headed.” So, ifanything, setting resolutions is as muchabout correcting course as fully meetingeach resolution.
Luis Salazar is a shareholder in theGreenberg Traurig Miami office and amember of the firm’s BusinessBankruptcy and ReorganizationDepartment and Data Privacy andSecurity Law Task Force. He is a mem-ber of the IAPP Publications AdvisoryBoard. He can be reached [email protected].
Jorge Rey is a manager at Florida-basedKaufman, Rossin & Co., one of the topaccounting firms in the Southeast regionin. He provides consulting services in ITSecurity, Information Management, ande-Discovery. He can be reached [email protected].
10 privacy resolutionscontinued from page 35
www.privacyassociation.org
“A good risk-manage-ment program is particularly essential inthese lean economictimes. Businesses needto get the biggest bangfor their buck.”
110561_Advisor_Document 3 2/17/10 2:54 PM Page 36