LexisNexis Confidential
EU Privacy Framework
Michael Lamb, LexisNexis Risk Solutions, Vice President and Lead Counsel: Regulatory, Privacy & Policy
May 19, 2011

EU versus US: Privacy Philosophy
United States: most data privacy laws and rules arise out of consumer protection concepts rather than a right of the individual.
European Union: privacy and protection of personal information is treated as a human right. Thus one will see requirements in the EU that give an individual control over data about them even though they were not the source of the data in any way.

EU Data Protection: The Basics
What is personal information in the EU?
"Personal data shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity." (1995 Data Directive)

EU Data Protection: The Basics (cont'd)
Some personal information elements are considered more sensitive than others. The definition of what is considered sensitive may vary depending on jurisdiction and particular regulations.
EU: sensitive personal information is called "special categories of data". This refers to: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life, and data relating to offenses or criminal convictions.

Processing
"Processing" is anything you can do with personal information. Processing includes:
- Collection
- Recording
- Organization
- Storage
- Updating
- Modification
- Retrieval
- Consultation
- Use
- Disclosure
- Transmission
- Dissemination
- Linking
- Erasure
- Destruction

Controllers and Processors
Controller: a Controller is the person or entity that determines the purposes and means of the processing of personal information.
Processor: a Processor processes personal data on behalf of the Controller and at the direction of the Controller.
Controllers and Processors have different obligations.

EU Directive Basics
Processing of personal information is prohibited unless:
- there is notice to and consent of the data subject; or
- another exemption applies.
Special processing rules apply to sensitive data.
Ensure data security and quality.
Give the data subject the right to access and to object/correct.
Controls on automated decisions.
Transfer restrictions.

UK DPA Law Example
For example, UK law (DPA, Section 4(4) and Schedule 1) provides that personal data shall be:
(a) processed fairly and lawfully;
(b) processed for one or more specified and lawful purposes;
(c) adequate, relevant and not excessive;
(d) accurate and up to date;
(e) not kept for longer than necessary;
(f) processed in accordance with individuals' rights;
(g) afforded appropriate technical and organizational security; and
(h) not transferred outside the EEA unless adequate data protection is assured.

Processing Grounds
Processing must be based on legitimate grounds, including one or more of the following:
- The data subject has given unambiguous consent.
- The processing is necessary to perform a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract.
- The processing is necessary to comply with a legal obligation to which that party is subject.
- The processing is necessary to protect the vital interests of the data subject.
OR

Processing Grounds (cont'd)
- The processing is necessary for the purposes of the legitimate interests pursued by a party or by a third party to whom the data are disclosed, except where the processing is "unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject." (quoting UK law)
This last ground is more open-ended...
- CCTV example
- Watch lists

EU Special Categories
Stricter criteria for processing sensitive data:
- The data subject has given explicit consent.
- The data subject is physically and legally incapable of giving consent and processing is necessary to protect vital interests.
- Necessary for the establishment, exercise or defense of legal claims.
- The information has been made public by the data subject.
- Processing is necessary to carry out the obligations and specific rights.

Data Transfers
Transfers of personal data from the EEA to other countries are prohibited unless the transfer is to a country with "adequate" protection (e.g., Canada) or it qualifies for an exception:
(i) the data subject freely and unambiguously provides specific consent;
(ii) the transfer is necessary on various grounds (i.e., performance or conclusion of a contract, legally required for the public interest or legal claims, or protection of the vital interests of the data subject); or
(iii) the transfer is made from a register intended to provide information to the public in accordance with law.

Data Transfers (cont'd)
If no exception is available, a company may use one of the following methods to comply:
- use a model contract signed by both the EU data exporter and the U.S. data importer;
- adopt binding corporate rules approved by the EU countries from which personal data is to be transferred (within a corporate family); or
- self-certify under the Safe Harbor framework.

EU Hot Topics: Expanding Scope and Protections
Viviane Reding, the European Commissioner for Justice, promised to "expand data protection to other areas" in a proposal by the end of the year: "We're looking at...localization data services, behavioral advertising, basically anything that's dealing with new technology."
She supports the "right to be forgotten".

EU Geo-Location Data
Geo-location data was on the agenda of the "Article 29 Working Party" last December; a report is expected by early June.
Expected proposal: treat information collected by phone and Internet companies on customer locations the same as "personal data" (that is, treated the same as names, birthdays and other personal data).
Article 29 Working Party opinions, working documents and recommendations are not legally binding, but they often become the "EU standard."
France, Germany, Italy, Ireland and the U.K. have already opened their own investigations into geo-location data.

Issues Arising Elsewhere
India: just published new privacy rules (in April the Ministry of Communications and Information Technology issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011).
The new rules are arguably stricter than the EU rules, addressing consent, opt out, limits on use, data security, etc.
This definitely requires a review of operations outsourced to India to confirm compliance.

Issues Arising Elsewhere
Philippines: proposed privacy legislation (already passed their House (H. No. 4115)).
Adopted to SUPPORT the outsourcing industry and to become an acceptable country for the EU.
Undercuts that goal by creating data rights and restrictions that may not otherwise apply to that data (e.g., requires notice, express consent, access, security, breach notification).
The trade association in the Philippines is hearing concerns from very few US firms (