
CHAPTER FOUR

INTERNATIONAL PRIVACY

As the “right to privacy” has evolved from a “right to be let alone” into a right to control others’ use and dissemination of one’s personal data, the economic and technological background of the world has changed with it. Now that global data networks are ubiquitous, personally identifiable data is no longer tied to the locality of its owner or even to the owner’s nation of residence. Exchanges of personal data regularly cross national borders, often between countries where the “right to privacy” means two different things. This chapter considers how international and non-U.S. privacy protection regimes operate, both on their own and where they intersect with U.S. privacy law.

I.      INTERNATIONAL AGREEMENTS

A true binding international agreement protecting privacy does not exist. The differences in national legal systems are a clear obstacle to any agreement, but the many types and forms of data that might be considered “personal” further exacerbate these legal differences. Over the past several decades, however, there has been increasing progress toward identifying and agreeing on at least certain foundational issues. The single most influential document on this subject has been the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (Guidelines)1 produced by the Organization for Economic Co-operation and Development (OECD).

1. OECD Privacy Guidelines

The OECD is a group of 30 countries committed to the promotion of democratic governance and economic development. As part of these efforts, the members of the OECD collaborate to produce various documents, including model treaties, reports, and recommendations to promote an orderly international system and facilitate trade not just between its members, but between all interested nations.

The OECD came to recognize during the 1970s that market forces would create both challenges and opportunities for privacy rights, as arguments over national privacy laws began to surface in the context of trade negotiations. On September 23, 1980, after several years of negotiations, the OECD Council approved its proposed Guidelines, which aspired to harmonize national data protection legislation, protect human rights, and facilitate international data transfers. The Guidelines try to bring commonality to the mechanisms of privacy protection in participating countries without attempting to design a complete regulatory framework. The Guidelines are only a “soft law” agreement and do not legally bind the signatories; however, they also represent a pragmatic consensus that inconsistent privacy laws can be a barrier to economic development.

The OECD Council Recommendation concerning the 1980 Guidelines recognizes that:

•    although national laws and policies may differ, Member countries have a common interest in protecting privacy and individual liberties, and in reconciling fundamental but competing values such as privacy and the free flow of information;

•    automatic processing and transborder flows of personal data create new forms of relationships among countries and require the development of compatible rules and practices;

•    transborder flows of personal data contribute to economic and social development;

•    domestic legislation concerning privacy protection and transborder flows of personal data may hinder such transborder flows.2

The Guidelines set out eight basic principles that data protection legislation should follow:


1. Collection Limitation: Personal data should be obtained by lawful means, preferably with the knowledge or consent of the individual whose data is being collected.

2. Data Quality: Controllers of personal data (data controllers) should strive to maintain records that are accurate, complete, and up-to-date, as well as relevant to the purposes for which the data is collected.

3. Purpose Specification: Data controllers should disclose the purposes for which personal data will be collected no later than the time of collection. Subsequent use of the data should be limited to those disclosed purposes or to uses not incompatible with them, and any such compatible alternative use should itself be disclosed when it is introduced.

4. Use Limitation: Personal data should not be disclosed or used for purposes other than those specified prior to or upon collection unless approved by the individual or to comply with the directions of a legal authority.

5. Security Safeguards: Once collected, personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure.

6. Openness: Data controllers should provide a readily available means for individuals to determine whether and what type of personal data of theirs is held by the data controller. This should include facilitating the identification of the data controller and the purposes for which the data is being used.

7. Individual Participation: Individuals should have the ability to obtain information from a data controller within a reasonable time regarding any personal data held by the collector and be able to have errors or omissions in the data corrected.

8. Accountability: A means should be provided by which data controllers can be accountable for compliance with the Guidelines’ principles.3

The 1980 Guidelines also set out four Basic Principles of International Application concerning Free Flow and Legitimate Restrictions, which are the OECD’s recommendations for applying data protection legislation to international transfers of personal data:

1. Member countries should take into consideration the implications for other Member countries of domestic processing and re-export of personal data.

2. Member countries should take all reasonable and appropriate steps to ensure that transborder flows of personal data, including transit through a Member country, are uninterrupted and secure.


3. A Member country should refrain from restricting transborder flows of personal data between itself and another Member country except where the latter does not yet substantially observe these Guidelines or where the re-export of such data would circumvent its domestic privacy legislation. A Member country may also impose restrictions in respect of certain categories of personal data for which its domestic privacy legislation includes specific regulations in view of the nature of those data and for which the other Member country provides no equivalent protection.

4. Member countries should avoid developing laws, policies, and practices in the name of the protection of privacy and individual liberties that would create obstacles to transborder flows of personal data exceeding the requirements for such protection.4

While the Guidelines have served as the foundation for other agreements concerning transborder data flows, numerous countries continue to have contrary and incompatible data protection legislation. Subsequent efforts, especially the U.S./E.U. Safe Harbor, have been directed at both harmonization of protection regimes and providing for effective enforcement.

2. Revision of the OECD Guidelines

In 2013, the OECD Council adopted a major revision to the 1980 Guidelines (Revised Guidelines).5 This is the first revision since the Guidelines were adopted in 1980 and stems from a call by participants in the 2008 Seoul Declaration for the Future of the Internet Economy6 to review the Guidelines in light of “changing technologies, markets and user behaviour, and the growing importance of digital identities.”7

In 2011, the OECD Working Party on Information Security and Privacy (WPISP) agreed on Terms of Reference for that review.8 The Terms of Reference highlighted the fact that in the past 30 years, there has been a profound change of scale in terms of the role of personal data in the economy, society, and in daily life. The WPISP recognized that the environment in which the traditional privacy principles are now implemented has undergone substantial changes, especially in:

•    The volume of personal data being collected, used and stored;

•    The range of analytics involving personal data, providing insights into individual and group trends, movements, interests, and activities;

•    The value of the societal and economic benefits enabled by new technologies and responsible uses of personal data;

•    The extent of threats to privacy;

•    The number and variety of actors capable of either putting privacy at risk or protecting privacy;

•    The frequency and complexity of interactions involving personal data that individuals are expected to understand and negotiate; and

•    The global availability of personal data, supported by communications networks and platforms that permit continuous, multipoint data flows.9

Two themes run through the Revised Guidelines. The first is a focus on privacy protection centered on risk management.10 The second is the need for increased efforts to address the global aspects of privacy by improving interoperability.11

The Council introduced a number of new concepts in the Revised Guidelines, including a focus on national privacy strategies at the highest levels of government, implementation of privacy management programs, and data breach notification requirements.12 Other revisions modernized the OECD approach to transborder data flows, detailed the key elements of what it means to be an accountable organization, and strengthened privacy enforcement.13

3. Additional OECD Guidelines

In the 1990s, the Guidelines were joined by two more agreements from the OECD that demonstrated the continuing evolution of the attitude toward privacy protection.

In 1992, the OECD published its Guidelines for the Security of Information Systems (Security Guidelines),14 later retitled the Guidelines for the Security of Information Systems and Networks when they were revised in 2002. The OECD reviewed the Security Guidelines in 1997 and concluded that they remained adequate to address the issues and purposes for which they were designed.15 In 2000, the OECD initiated a second review of the Security Guidelines focused on “the development of inter-connected and interdependent information systems which are fundamental to modern economies,” and the collection of “information on existing threats, vulnerabilities and actions taken by governments and the private sector.”16

In anticipation of the second review, Japan offered to host a “Workshop on Information Security in a Networked World” in Tokyo on September 12–13, 2001 to facilitate review efforts, exchange and share information, develop an understanding of information security, and increase involvement in this area.17

This review was marked by a sense of urgency, which resulted from: (1) the recognition that developments affecting the security of information systems in a world characterized by global ubiquitous networks significantly reduced the relevance of the 1992 Guidelines; and (2) the events of September 11, which took place the day before the Tokyo Workshop.18


In November 2012, the OECD initiated a third review of the Security Guidelines.19 As of this publication, the OECD has not released the details of this third review.

The OECD published its Guidelines for Cryptography Policy in 1997.20 Subsequent reviews of these guidelines have concluded that they “continue to be adequate to address the issues and purpose for which they were developed.”21

The implementation of these guidelines signaled a shift in the OECD’s thinking. The rise of the Internet meant that international commerce was becoming more important and more democratized as increasing numbers of consumers began dealing directly with businesses in other nations. Yet, at the same time, consumers were also becoming increasingly concerned about the privacy of personal information they might transmit in the course of such transactions. Maintaining the privacy of personal data was recognized as something that encouraged people to use electronic networks, thereby increasing transborder data flows rather than halting them.

II.      NATIONAL LAWS

A.    CANADA

1. Constitutional Protection

Canada, like the United States, has no explicit right to privacy in its constitution. Section Eight of the Canadian Charter of Rights and Freedoms, enacted as part of the Canada Act of 1982, has, however, been interpreted by Canadian courts to protect a reasonable expectation of privacy.22 Section Eight, which is much like the U.S. Constitution’s Fourth Amendment, thus governs any constitutional privacy concerns.

2. Statutory Protection
a. Personal Privacy in the Public Sector

Canada’s Privacy Act governs personal privacy in the public sector. The Act was passed in 1983 to “extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and that provide individuals with a right of access to that information.”23


Canadian law allows government institutions to collect information only if it relates directly to an operating program or activity of the institution.24 With few exceptions, government agencies must inform individuals that their personal information is being collected and the purpose for which it is being collected. Moreover, any information gathered by an institution must be used solely for the purpose for which it was gathered.25 Personal information collected by the government, in most instances, cannot be disclosed without the permission of the individual who is the subject of the information.26

Every Canadian citizen and permanent resident has the right to access the information about them that is “reasonably retrievable” by the governmental institution storing it, and to request correction of the information if it is inaccurate.27 Any individual can complain to the Privacy Commissioner if the individual was denied access to his or her information.28 An individual who is denied access to information also has a right to bring suit in the Canadian Federal Court for review of the denial.29 The Privacy Commissioner also receives and investigates any other complaints submitted under the Privacy Act.

b. The Privacy Commissioner

The Canadian Privacy Commissioner is a representative who is appointed by the Canadian Federal Cabinet, with the appointment being approved by resolution in the Canadian House of Commons and Senate.30 The position was created pursuant to the Privacy Act, but now has significantly broader authority because of the enactment of additional privacy legislation discussed below. The Commissioner serves for a seven-year term and can be reappointed.31

The Privacy Commissioner, who is considered an agent of Parliament, reports directly to the House and Senate on issues dealing with privacy. The Commissioner is responsible for ensuring that the federal government, as well as the private sector, collect, use, and disclose personal information in a manner that is responsible and consistent with applicable laws and regulations.

The Privacy Commissioner has broad authority within the subject area he or she has been tasked with overseeing.32 The Commissioner can initiate audits of an organization’s information collection, management, and disclosure practices to determine whether adequate protective measures are in place and to verify that the information is being used in a lawful manner. When conducting an audit, any person with relevant information can be summoned to appear before the Commissioner.33 The Commissioner also has the power to administer oaths and receive sworn testimony and evidence in quasi-judicial hearings.34

Despite the Privacy Commissioner’s far-reaching investigatory power, the office lacks the ability to issue orders or impose penalties for any violations.35 The Commissioner instead usually arrives at decisions calculated to resolve problems through negotiated settlements. If the Commissioner determines that the violation is sufficiently severe, the office can file litigation against the offender in the Federal Court and proceed through the judicial process.36 As an alternative for disputes that cannot be resolved through a negotiated agreement but are not sufficiently grave to merit the Commissioner pursuing litigation on its own, the Commissioner can, in some situations, provide the results of its investigation to private individuals who have been injured by the privacy breach to facilitate them bringing private litigation against the bad actor.37

c. Personal Privacy in the Private Sector

The main legislation governing personal privacy in the Canadian private sector is the Personal Information Protection and Electronic Documents Act (PIPEDA).38 Beginning with its 1992–93 annual report, the Privacy Commissioner began urging the adoption of legislation extending protection to personal information held by the private sector. Two years later, Canada’s Information Highway Advisory Council joined this call. Contemporaneously with these developments, the European Union (E.U.) was starting to take steps to restrict transmission of its citizens’ personal information to parties in non-E.U. nations with inadequate privacy protections, which would have seriously affected Canadian business.39 In 1998, the supporting bill for PIPEDA was introduced, ultimately passing in 2000.40

Rather than implementing the entire legislation at once, PIPEDA had a tiered implementation schedule. In January of 2001, PIPEDA implementation included all personal information excluding health information held by federally regulated private sector entities. A year later, in January 2002, the act began regulating personal health information. Finally, in January 2004 the act reached full-implementation status. The 2004 implementation encompasses all organizations that commercially collect, use, or disclose personal information.41

Personal information under PIPEDA includes “information about an identifiable individual.”42 The name, title, business address, or telephone number of an employee within an “organization,” however, is not considered personal information. “Organization” is broadly defined to include associations, partnerships, and unions.43 PIPEDA does not cover Canadian government institutions that are otherwise subject to the Privacy Act.44 Information that is collected, used, or disclosed by individuals for personal purposes or for “journalistic, artistic, or literary purposes” is also not included.45 Provinces may enact their own privacy legislation, which displaces PIPEDA within the province where the federal government finds it “substantially similar” to PIPEDA. The provinces of Alberta, British Columbia, Ontario, Manitoba, and Quebec have enacted such legislation.46


PIPEDA sets forth specific individual rights as well as requiring organizations to follow certain guidelines. PIPEDA gives individuals the right to know why an organization collects, uses, or discloses personal information.47 PIPEDA also gives individuals the right to expect that organizations collect, use, or disclose personal information reasonably and appropriately and only for the purpose for which the individual has consented.48 Individuals have the right to know who in the organization is collecting the personal information, and who is responsible for protecting that information.49 Individuals have the right to expect an organization to implement adequate security measures to protect personal information.50 Individuals are also entitled to expect that the personal information an organization holds is accurate, complete, and up-to-date.51 PIPEDA, like the Privacy Act, allows individuals to obtain access to personal information and make corrections if necessary.52

Under PIPEDA, organizations that commercially use personal information, or make other non-exempt uses of it, are required to follow ten principles of fair information practices, which are modeled on the OECD Guidelines. The principles are: (1) accountability; (2) identifying purposes; (3) consent; (4) limiting collection; (5) limiting use, disclosure, and retention; (6) accuracy; (7) safeguards; (8) openness; (9) individual access; and (10) challenging compliance.53 If an organization has safeguards in place to ensure compliance with these principles, then it is likely fulfilling all its duties under PIPEDA.

PIPEDA requires organizations to obtain consent from the individual when collecting, using, or disclosing personal information. An organization may not, as a condition of supplying a product or service, require an individual to consent to the collection, use, or disclosure of personal information beyond what is needed to fulfill the explicitly specified and legitimate purposes of the transaction. Beyond merely collecting information in a lawful fashion, organizations must have personal information policies that are clear, understandable, and readily available.54

PIPEDA has specific procedures for individuals to make complaints to the Office of the Privacy Commissioner concerning violations of PIPEDA. If the Commissioner determines that certain types of violations have occurred, the complainant will have a cause of action against the violator, which can be pursued in the Federal Court.55 PIPEDA requires the Commissioner to commence an investigation upon receipt of a properly filed complaint.56 Once an investigation has been opened, the Commissioner has one year to complete the investigation and issue a written report, although it may be determined in certain situations that a written report is unnecessary.57

(i) Trans-border data flows under PIPEDA

As previously mentioned, a significant motivating factor for enacting PIPEDA was to assure the European Union that Canada’s privacy laws were strict enough to protect the interests of the citizens of the European Union.58 Currently, Canada and the European Union allow certain personal data to flow freely to Canada from the European Union, subject to PIPEDA, without additional safeguards. This, however, does not include data held by national agencies.59

The Privacy Commissioner has determined that PIPEDA not only governs the collection, use, and disclosure of personal information within Canada, but also controls the transmission of personal information internationally, pursuant to the federal government’s power over international trade and commerce.60

The Privacy Commissioner has given some guidelines to individuals wishing to protect their personal information from inappropriate disclosure to foreign parties.61 Individuals are encouraged to report concerns about the collection or use of their personal information to the Commissioner. Although the Commissioner lacks power to act directly against foreign parties, the Commissioner can raise the issue with the national government of the state where the foreign party is located. More powerfully, if a Canadian organization, or a multi-national organization with a Canadian presence, is cooperating with or otherwise assisting the foreign party, it can be subject to regular proceedings under the PIPEDA complaint process.62

(ii) PIPEDA and the Patriot Act

Following the terrorist attacks of September 11, 2001, the United States Congress passed the USA PATRIOT Act of 2001 (Patriot Act). The Patriot Act is discussed at length in Chapter 3, which addresses U.S. privacy law; however, certain of its provisions are relevant to PIPEDA, specifically the Patriot Act’s expansion of the U.S. Treasury Secretary’s powers to regulate and monitor financial transactions that involve foreign individuals and entities.63

Canada is the United States’ largest trading partner. As a result, many of the databanks used to store personal information of Canadian residents are located in the United States, thus making them subject to the provisions of the Patriot Act. However, if a U.S.-based company makes a disclosure of a Canadian resident’s personal information to U.S. authorities under the Patriot Act without the consent of the individual who is named, this could result in the Canadian organization that originally transferred the information being liable for a breach of PIPEDA unless the disclosure meets an exception in the applicable Canadian law.

One of the exceptions found in PIPEDA is for investigations of criminal activity under the laws of Canada or foreign jurisdictions.64 Specifically, the statute provides that personal information may be disclosed without the knowledge of the subject where “required to comply with a subpoena or warrant issued or an order made by a court … with jurisdiction to compel the production of information.”65 It is unclear, however, from the face of the statute whether PIPEDA allows disclosure only under Canadian court orders or whether a U.S. court order would also qualify.

The office of the Privacy Commissioner recognizes this issue and has urged Canadian organizations to take a number of steps that are intended to assist them in avoiding this dilemma.66 These steps include: (1) informing Canadian residents that their personal information may be transferred to locations in the United States and be subject to search; (2) entering into contracts with United States-based organizations which require them to provide the same level of protection for the personal information of Canadian residents as would be required by PIPEDA; (3) limiting the amount of personal information that is transferred into the United States; and (4) limiting the ability of United States-based organizations to access personal information of Canadian residents stored in Canada.67


These are only recommendations; therefore Canadian organizations likely to be transacting business with U.S. organizations must balance the potential risks of violating Canadian privacy legislation against the benefits of working within the United States.

In 2009, the Privacy Commissioner released guidelines for processing personal data across borders. These guidelines explain how PIPEDA applies to personal information that is transferred to third parties for processing, including those located outside of Canada.68 The guidelines do not cover transfers of personal information for processing by federal, provincial, or territorial public sector entities. Nor do these guidelines address any specific rules governing transfers for processing that may be found in provincial private sector privacy laws. However, organizations not governed by PIPEDA for commercial activities within a province need to be aware that PIPEDA applies to transborder transfers.69

d. Updating Privacy Legislation

In May of 2013, the Privacy Commissioner released a position paper (Position Paper) calling for substantial changes to PIPEDA in keeping with changes to the global landscape.70

The Position Paper outlines four important recommendations for changes to PIPEDA, most of which focus on increasing the accountability of data controllers and processors. Those changes include expanding the Commissioner’s enforcement powers, implementing mandatory breach reporting and notification requirements, requiring notification to consumers of warrantless disclosures of their personal information to government authorities, and providing the Commissioner with the authority to enter into and enforce agreements similar to the use of consent decrees in the U.S. Under these “enforceable agreements,” an organization found to be in violation of the law would agree to comply with the Commissioner’s recommendations and to demonstrate such compliance within a set period; otherwise, the Commissioner would be able to seek judicial enforcement.71

Legislators have attempted to amend PIPEDA several times, but ultimately the law has remained unchanged. Most recently, Bill C-12 was proposed. That bill would amend PIPEDA to require organizations to report material breaches of safeguards involving personal information and would require organizations to notify the affected individuals if the breach creates a risk of significant harm. The Privacy Commissioner, however, has argued that Bill C-12 is “behind the times” and does not sufficiently address challenges resulting from the massive aggregation of personal data.72 As of this publication, Bill C-12 is awaiting its second reading before the House of Commons.

B.    EUROPEAN UNION

Since the Second World War, Western European nations have shown an increasingly strong commitment to protecting individual privacy. Long before the Internet boom of the 1990s, European countries were focusing on protection of personal privacy by limiting data access. The German state of Hesse, for example, passed the first law granting individuals control of their personal information in 1970.73 Indeed, the term “data protection” entered the European lexicon from the German word “Datenschutz.” Three years later, Sweden became the first country to pass a national privacy protection law.74 While much of the underlying public concern that motivated these early efforts grew from historical concerns about the possible abuses of compilations of personal information, technological developments were the immediate stimulus, as both statutes were enacted in response to proposals to combine separate government archives into computerized databases.

The process of political integration in Europe has advanced considerably since the era of these first attempts at legislating protections for personal information. The governing bodies of the European Union now wield considerably more influence over patterns of economic regulation in the E.U. Member States than the national governments do. While individual member states of the European Union still maintain separate laws addressing privacy issues, the scope of European privacy protection has been driven mainly by the European Union for the past decade or more. The European Union’s privacy regime will be reviewed as a “national” policy, notwithstanding its many member states.

1. The Data Protection Directive

The mainstay of privacy protection in the European Union arises from Directive 95/46 (Data Protection Directive).75 The Data Protection Directive was an outgrowth of the national regulatory schemes promoted by the OECD Guidelines, which had produced a patchwork of different privacy regimes throughout Europe. The Data Protection Directive was designed to harmonize Member States’ data protection legislation, thereby reducing obstacles to economic activity within the European Union while preserving (or even enhancing, depending on the preexisting level of national data protection) the privacy rights of individual residents.

The Data Protection Directive encompasses “personal data” of E.U. residents, meaning “information relating to an identified or identifiable natural person,”76 where that data is processed77 “wholly or partly by automatic means” or where the data will form part of a filing system, or both.78 A person is “identifiable” if the individual “can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to [their] physical, physiological, mental, economic, cultural, or social identity.”79 An exception is provided for “purely personal” use by a natural person and for government purposes relating to security, defense, and criminal law.80

The laws enacted in accordance with the Data Protection Directive must apply to data “controllers”81 or “processors”82 located in a Member State, a territory subject to a Member State’s laws, or located elsewhere but relying on equipment located within a Member State for any purpose other than transmission.83

Data must be collected only for “specified, explicit and legitimate purposes,” without any further processing that would be “incompatible with those purposes.”84 The data collected must be “adequate, relevant, and not excessive” given the purposes for which it was acquired.85 Data must not only be accurate, but “every reasonable step must be taken” to delete or correct inaccurate and incomplete data.86 The data must not be “kept in a form which permits identification of data subjects” for any longer than is necessary for the purpose for which it was originally collected, except where Member States provide for safeguards if the data is to be retained for “historical, statistical or scientific purposes.”87 Compliance with these requirements is the responsibility of the data controller.

Absent certain legal circumstances, personal data may only be processed if the subject “has unambiguously given … consent.”88 Further protections are required for particularly sensitive personal data,89 which may even override explicit consent by subjects to the use of their personal data.90 These added protections do not apply where that data is necessary for medical care, law enforcement, or other “reasons of substantial public interest” if an exemption has been provided for by the Member State’s data protection legislation.91 Exceptions based on law enforcement and public interest needs must be notified to the European Commission (Commission). If necessary to avoid unreasonable restrictions on free expression, Member States may provide exemptions for journalism, artistic, or literary works.92

The data controller or its representative must provide subjects from whom data has been collected with “at least” the identity of the controller and any representatives, the intended purposes for which the data will be processed, and any further relevant information necessary to “guarantee fair processing” of the subject’s data.93 If the data has not been obtained directly from the subject, the data controller must provide the same information as above to the subject, either when the personal data is initially recorded or no later than when the data is first disclosed to a third party. In the latter case, particularly if the data has been obtained for historical, statistical, or scientific purposes, the controller does not need to provide such notice if doing so would “involve a disproportionate effort,” or is otherwise exempted by law, providing that proper safeguards are undertaken.94

A data subject must have the right to obtain from the controller confirmation of whether data about the subject is being processed, the purposes of the processing, the types of data involved, and the identities of the data recipients.95 The subject also has the right to receive communications pertaining to the processing that describe the data “in an intelligible form,” the source of the data, and “knowledge of the logic” used in automatic processing of the data, if applicable.96 The subject has the right to rectify, erase, or block data where processing has not complied with the terms of the Data Protection Directive, and to have third-party recipients of the data notified of such corrections or deletions unless doing so would involve a disproportionate effort. Member States, however, have the power to adopt legislation restricting these rights if the limitations are a necessary part of protecting national security, public safety, or law enforcement investigations. Finally, the subject has the right to object “on compelling legitimate grounds” to processing performed because of the public interest exception or the exception provided for processing in the legitimate interest of the controller or third parties, or both.97 If those grounds are found to be justified, the subject has the right to have the processing halted.98 If the data is to be used for direct marketing purposes, there is an implicit presumption that the objection is legitimate and justified.99

Data controllers must “implement appropriate technical and organizational measures” for protecting personal data from “accidental or unlawful destruction,” loss, alteration, disclosure, or theft.100 The measures must provide a reasonable level of security for the type of data, as determined by the state of the art and cost of implementation, and the risks posed by its processing. The controller is responsible for ensuring that any data processors working on its behalf provide adequate technical and organizational measures to protect the personal data being processed. Agreements between controllers and processors must be by contract or other binding legal act, and the provisions relating to data protection and the protective measures must be in writing or “equivalent form.”101

The controller or its representative must notify the appropriate national supervisory authority of any intent to carry out a wholly or partially automatic data processing operation.102 Member States may make exceptions to the notification requirement, or allowances for simplified notice, under certain circumstances. An exception of particular significance exists where a data controller, in compliance with national law, appoints a “personal data protection official,” who is responsible for independently guaranteeing the internal application of the terms of the Data Protection Directive and keeping a record of processing operations directed by the controller. If notification is required, it must at least include:

1. The name and address of the controller and, if appropriate, its representative;

2. The purpose of the processing;

3. A description of the categories of data subjects and the categories of data pertaining to them;

4. The recipients who may receive the data;

5. Proposed transfers to non-Member States; and

6. A general description of the security measures employed to guard the data processing sufficient to allow a preliminary determination of their adequacy.103

Member States must also determine which processing operations are likely to pose particular risks to the rights and freedoms of their residents and carry out examinations of these operations prior to their commencement. These examinations are to be carried out by the supervisory authority after notification by the data controller or its data protection official. If the controller or the official cannot decide whether the operation would pose particular risks, the supervisory authority must be consulted. Member States may enact more restrictive pre-implementation notification requirements.104

A public record available for inspection by any person must be kept of all processing operations for which the Member State has received notification.105 Data controllers, or another body appointed by the Member State, must also make available to any person, upon request, records of all processing operations other than those for which notice was required.106 Member States may make an exception for processing done solely for keeping a register mandated by law or regulation, and which is intended to provide information to the public, whether generally or for those who can prove a legitimate interest.107

In addition to any administrative remedies provided by the supervisory authority, every person is to have access to a judicial remedy for the breach of any rights incorporated in the Member State’s data protection legislation.108 Some Member States have gone even further and have provided for criminal penalties for breach of their national data protection legislation in addition to civil penalties. Sweden, for example, allows for a fine and a six-month term of imprisonment, with imprisonment up to two years “if the offence is grave.”109 Austria provides for a maximum of one-year imprisonment “unless the offence shall be subject to a more severe punishment pursuant to another provision.”110 The injured party is entitled to damages from the controller for loss, unless the controller can prove it is not responsible for the events leading to the loss.

Of particular significance in the Data Protection Directive are its provisions on extraterritorial application of its requirements. Personal data undergoing processing, or to be processed, may only be transferred to a party in a non-Member State, such as the United States, if the non-Member State “ensures an adequate level of protection.”111 Adequacy of protection is determined by reference to all the circumstances pertaining to a data transfer operation, particularly the nature of the data, the purpose of the proposed processing operation, the duration of the operation, the countries of origin and destination, as well as the laws, professional rules, and security measures employed by the non-Member State.112 Member States and the Commission must keep each other informed of evidence showing a non-Member State is failing to provide a satisfactory level of security.113 If the Commission determines that a non-Member State is failing to provide adequate protection for personal data originating from the European Union, then Member States must take measures to block further transfer of the same type of data to the non-Member State in question.114 Where such a determination has been made, the Commission must enter into negotiations with the non-Member State to remedy the situation.115

Member States, however, may provide exceptions to the transfer restrictions on the condition that the data subject has given unambiguous consent to the transfer, or meets other criteria.116 Member States may also permit transfers to data controllers in non-Member States that have failed to comply legislatively with the Data Protection Directive if the controller itself guarantees adequate safeguards, particularly by contract.117 Member States must inform the Commission of any authorizations they grant under self-certification criteria, and these may be challenged by any other Member State or the Commission itself. The Commission may also decide that a standard contractual clause provides adequate protection, in which case the Member States must permit data transfers made pursuant to contracts containing this type of clause.118

2. Problems Implementing the Data Protection Directive

As noted above, the Member States of the European Union enforce the terms of the Data Protection Directive by implementing their own laws; the Directive is not self-executing. Member States were required under the terms of the Directive to have “laws, regulations and administrative provisions” in force no later than three years after the adoption of the Directive.119 Member States were therefore to have had their compliant data protection legislation in place by October 24, 1998. Member States were also allowed to grant an exemption for an additional nine years to manual filing systems. A number of Member States, however, delayed passing the necessary implementing legislation, leading the Commission to file suit in the European Court of Justice in December 1999 against France, Ireland, Germany, the Netherlands, and Luxembourg. Even under the pressure of litigation, it was not until July 1, 2003, when Ireland’s national data protection legislation became effective, that all Member States were compliant.120

Getting all Member States to enact the necessary legislation was by no means the only challenge to implementation. Member States’ various approaches to implementing the Directive have resulted in national requirements sufficiently different to mean that compliance with the bare terms of the Directive will not automatically mean a company is in compliance with the laws of any given Member State. The United Kingdom defines “personal data” as information that may be used to identify a living, natural individual.121 Information concerning deceased individuals, thus, is not ordinarily protected. Austria, on the other hand, protects the information of not just natural persons regardless of their vital status, but legal persons as well.122

3. Updates to the Data Protection Directive

One of the strong points of the Data Protection Directive is that it is adaptable across a wide range of industries and service providers. The Directive is calculated to avoid technological or economic obsolescence by not depending on the specific details of collection or processing, but rather by focusing on the nature of the data to determine how it should be protected. The Data Protection Directive did, however, focus exclusively on the uses of personal data by “collectors” and “processors.” It did not address the question of transmission of data via third parties who served neither as collectors nor as processors, but who could potentially compromise the security of the data, whether deliberately or inadvertently.

The European Union’s response was the E.U. Electronic Communications Directive (Communications Directive).123 The Communications Directive creates privacy rules for the telecommunications industry that implement the principles of the Data Protection Directive with respect to communications channels. The Communications Directive speaks specifically to communications privacy in Article 5:

Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage, or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorized to do so in accordance with Article 15(1). This paragraph shall not prevent technical storage, which is necessary for the conveyance of a communication without prejudice to the principle of confidentiality.124

Of note is the reference to Article 15(1) in the preceding text. Article 15(1) demonstrates the limits of the strong privacy rights created by the Data Protection Directive:

Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5 … of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security, defense, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorized use of the electronic communication system, as referred to in Article 13(1) of [the Data Protection Directive]. To this end, Member States may adopt, inter alia, legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph.125

Article 15(1) of the Communications Directive, when combined with legislation enacted pursuant to Article 13(1) of the Data Protection Directive, effectively created an exception with the potential to swallow the rule, depending on the actions of the Member States.

Almost immediately after the passage of the Communications Directive, the Member States began enacting national legislation with significant variations in data monitoring and retention requirements for communications providers. In response to the numerous incompatible and in some instances contradictory national legislative schemes, the European Union issued yet another Directive, this time attempting to set uniform limits on data retention policies.126

The preamble clauses of the Data Retention Directive acknowledge the non-uniformity of the Member States’ actions, and the technical problems this was causing service providers:

(5) Several Member States have adopted legislation providing for the retention of data by service providers for the prevention, investigation, detection, and prosecution of criminal offences. Those national provisions vary considerably. (6) The legal and technical differences between national provisions concerning the retention of data for the purpose of prevention, investigation, detection and prosecution of criminal offences present obstacles to the internal market for electronic communications, since service providers are faced with different requirements regarding the types of traffic and location data to be retained and the conditions and periods of retention.127

While uniformity may be welcome to some degree, the Data Retention Directive also serves to further legitimize and institutionalize data collection:

(10) On 13 July 2005, the Council reaffirmed in its declaration condemning the terrorist attacks on London the need to adopt common measures on the retention of telecommunications data as soon as possible. (11) Given the importance of traffic and location data for the investigation, detection, and prosecution of criminal offences, as demonstrated by research and the practical experience of several Member States, there is a need to ensure at European level that data that are generated or processed, in the course of the supply of communications services, by providers of publicly available electronic communications services or of a public communications network are retained for a certain period, subject to the conditions provided for in this Directive.128

The Data Retention Directive in fact not only permits Member States to derogate from the privacy protections of the Data Protection and Electronic Communications Directives, but also affirmatively requires the Member States to do so on several points. Member States must enact legislation which compels service providers to retain “data necessary to trace and identify” the source and destination of electronic communications, including the telephone numbers, IP addresses, or other identifiers of both sending and receiving parties. Service providers are also required to preserve information concerning the date, time, and duration of electronic communications as well as the communications protocols used, the transmitting and receiving equipment, and the actual physical location of a mobile device at the time of the communication.129 Service providers may be required to retain the information for between six months and two years. Member States were given until September 15, 2007 to pass implementing legislation, although they were given the right to exempt certain types of Internet communication from the retention requirements until March 15, 2009.

Some countries have either refused to adopt the Data Retention Directive, or have struck down their national data retention laws implementing the directive for violating human rights.

The Data Retention Directive was adopted in Romania, but declared unconstitutional in 2009.130 In 2011, Cyprus declared its national data retention law unconstitutional.131 The courts in Bulgaria also declared their mandatory data retention laws unconstitutional.132 Nations now fighting the Directive include Cyprus, the Czech Republic, Germany, Greece, and Romania.133

On November 7, 2013, the Advocate General of the European Court of Justice was scheduled to announce a decision concerning the constitutionality of the Data Retention Directive. The case stems from a challenge brought by the highest courts of Ireland and Austria and seeks clarification of the purposes, effectiveness, and necessity of the Data Retention Directive in light of Articles 7, 8, and 11 of the European Union Constitution.

In 2012, the European Commission proposed a comprehensive reform to the 1995 data protection rules, in order to strengthen online privacy rights and boost Europe’s “digital economy.”134

Rooted in the European concept that personal data privacy is a human right, the updated directive is intended to modernize the principles enshrined in the 1995 Directive and to ensure privacy rights in the future. The suggested reforms include legislative proposals, among them a regulation setting out a general framework for data protection.135 This reform is not scheduled to take effect until 2014.136

4. Safe Harbor

A key part of the Data Protection Directive is its strong restrictions on the transfer of E.U. residents’ data outside of the European Union: recipients of the transferred data must either be subject to national regulations providing protection equivalent to that of the Directive or otherwise enter into certain contractual arrangements guaranteeing an equivalent level of protection. The United States did not have (and still lacks) a comprehensive privacy protection regime, let alone one that provided equivalent protections to the Data Protection Directive. Some compromise solution had to be reached or E.U.-U.S. trade would be severely impacted. The U.S. Department of Commerce entered into negotiations with the E.U. Commission concerning what steps could be taken to avoid U.S. businesses being summarily cut off from access to E.U. residents’ data.

The result of these negotiations is the agreement called the “Safe Harbor.” The Safe Harbor, which is administered by the U.S. Department of Commerce, is a self-certification system for U.S. businesses to confirm that they have implemented internal procedures sufficient to ensure E.U. residents’ data receives protections equivalent to those required by the Data Protection Directive. The E.U. Commission approved the use of the Safe Harbor in July 2000 pursuant to its authority under Article 25 of the Data Protection Directive to certify non-Member States as complying with the provisions of the Directive.137 As a result, U.S. businesses that meet the requirements of the Safe Harbor may safely receive and process data from E.U. residents. The Safe Harbor itself is analyzed in greater detail in Chapter 4, Part III(A)(1) below concerning transborder data flows.

C.    MEXICO

1. Constitutional Protection

The Mexican Constitution contains privacy guarantees similar to those found in the Fourth Amendment of the U.S. Constitution. Article 16 of the Mexican Constitution sets up the framework for personal privacy: “No one shall be molested in his person, family, domicile, papers, or possessions except by virtue of a written order of the competent authority stating the legal grounds and justification for the action taken.”138 This is essentially the “right to be let alone”; the Mexican Constitution does not expressly provide protection for personal data.

2. Statutory Protection

Mexico has numerous statutes that address privacy and data protection. In 2010, Mexico enacted its first comprehensive data protection statute, the Federal Law on the Protection of Personal Data held by Private Parties (Federal Law), and related regulations were issued in 2011.139

The Federal Law applies to all private individuals or entities that obtain, use, divulge, or store the personal data of third parties, unless the data is (1) collected by credit bureaus acting under the laws regulating them, or (2) collected exclusively for personal use and without the purpose of divulging it or using it for commercial purposes.

On September 10, 2013, Mexico’s Data Protection Authority (Instituto Federal de Acceso a la Información Pública y Protección de Datos (IFAI)) published its draft Data Security Guidelines for public consultation. The guidelines recommend that companies adopt a Personal Data Safety Management System, as well as internationally accepted standards issued by the International Organization for Standardization (ISO) (discussed in more detail below) and the OECD (discussed above).140

The Federal Law incorporates eight general principles that data controllers must follow in handling personal data: legality, consent, notice, quality, purpose limitation, fidelity, proportionality, and accountability.141 The Federal Law also addresses data retention, providing that personal data must be deleted when no longer necessary for the purposes set out in the privacy notice and applicable law. Under the Federal Law, data processors must:

•    Designate an individual or department to be in charge of securing the personal data obtained by the processor and to handle requests from data subjects;

•    Prepare and deliver privacy notices to each data subject (Privacy Notice);

•    Obtain the consent of data subjects before collecting, processing, or transferring “sensitive” information;

•    Limit the use of the personal data collected to those uses listed in the Privacy Notice; and

•    Ensure that the personal data in its databases is pertinent, correct, and current for the purposes the data was collected.142

In 2013, Mexico’s Ministry of Economy, in collaboration with the IFAI, published its Lineamientos del Aviso de Privacidad (Privacy Notice Guidelines).143 These guidelines impose notice and opt-out requirements for the use of cookies and similar technology, and impose broad requirements on the content and delivery of Privacy Notices.

Mexico has also passed laws that address privacy protection in different sectors of the economy and that relate to specific business practices. The Federal Consumer Protection Law, for example, gives consumers the right to request that their personal information be deleted from direct marketing lists,144 while the Law of Protection and Defense of the User of Financial Services protects the personal information of individuals engaged in banking and securities transactions.145 Many of these statutes were updated as part of the passage of the E-Commerce Act in 2000 and have been updated periodically since 2000 with no major changes to the data privacy aspects of the legislation. The E-Commerce Act updated the language of the Federal Civil Code, the Federal Rules of Civil Procedure, the Commercial Code, and the Federal Consumer Protection Law. This update added language that provides protection to electronic documents, digital signatures, and online activity.

3. Other Organizations & Enforcement

The focus on data privacy in Mexico centers on the government. The IFAI is an independent body which both facilitates citizens’ access to information about the internal operations of the government and reviews government activities that affect the privacy interests of Mexican citizens.

Recently, a group of college professors founded the first Non-Governmental Organization (NGO) focusing on privacy rights and personal information held by private entities. Founded in 2011, SonTusDatos [It’s Your Data] has been developing an advocacy program and continues to be the only NGO in Mexico focusing on data protection and privacy.146 SonTusDatos’ objectives include raising public awareness, educating and empowering internet users, acting as an intermediary between legislative institutions and the public, and reporting violations of the data privacy laws.147

Criminal prosecution of companies that violate data privacy laws is being openly discussed in Mexico, especially following the discovery of an illegal transfer of personal data to U.S. government agencies, which appears to have been used at least in part by U.S. immigration officials to locate and remove Mexican nationals unlawfully in the United States.

The Federal Law also classifies some activities as crimes that can be punished by imprisonment. For example, a person who is authorized to handle personal data and causes a breach of security measures with the intent of gaining a pecuniary benefit could receive a sentence of between three months and three years in prison. Likewise, a person who collects and handles personal data fraudulently with the aim of gaining a pecuniary benefit can be punished by imprisonment of between six months and five years.148

D.    JAPAN

1. Constitutional Protection

Like the Fourth Amendment to the U.S. Constitution, the Japanese Constitution provides the basis of personal privacy (right to be let alone). Article 35 provides, “The right of all persons to be secure in their homes, papers, and effects against entries, searches, and seizures shall not be impaired except upon warrant issued for adequate cause and particularly describing the place to be searched and things to be seized ….”149 Article 21 maintains secrecy of communications, providing, “No censorship shall be maintained, nor shall the secrecy of any means of communication be violated.”150 In 2000, the Japanese Diet established a body called the Research Commission on the Constitution to consider possible amendments to the Japanese Constitution. The Research Commission’s report was released in 2005 and included a recommendation that an amendment concerning personal privacy be added,151 but the Diet has not yet taken action.

2. Statutory Protection

Personal data collected by the government is regulated by the 1988 Act for the Protection of Computer Processed Personal Data Held by Administrative Organs.152 This law implements the OECD Guidelines of security, access, and correction, and it limits subsequent uses of data for purposes other than those for which the data was originally gathered.

Japan, historically, has allowed businesses and private organizations to self-regulate the handling of personal information. This began to change in 1997, when the Ministry of International Trade and Industry (MITI) issued a set of guidelines concerning data collections in the private sector.153 The momentum toward regulating the private sector continued when Japan enacted the Personal Information Protection Law154 (PIPL) in May 2003, which took effect in April 2005. PIPL extends the notice, security, access, and correction principles to the private sector, protecting information both in electronic and in print form.

It is important to note, however, that the PIPL is merely a set of implementing guidelines, and Japan’s government ministries are ultimately responsible for issuing specific administrative guidelines to the business sectors under their respective authority.155 Various Japanese ministries have in fact issued guidelines on the use of personal information pursuant to PIPL. The activities of a majority of businesses are covered by the guidelines promulgated by one of the following agencies: the Ministry of Economy, Trade and Industry (METI);156 the Ministry of Health, Labor and Welfare (MHLW);157 the Financial Services Agency (FSA);158 the Ministry of Internal Affairs and Communications (MIAC);159 and the Ministry of Land, Infrastructure, and Transport (MLIT).160 As of 2007, these ministries had established 35 sets of guidelines, covering 22 business areas.161

3. Other Organizations & Enforcement

A recent series of high-profile database breaches and cases of identity theft has prompted an attitude of increased vigilance on the part of the Japanese government and the private sector. The Ministry of Justice revised its internal regulations to place greater emphasis on prosecuting privacy violations and identity theft. Meanwhile, Japanese businesses have moved quickly to adopt the data security management best practices reflected in ISO 27001, with more Japanese businesses being certified as compliant as of December 2006 than the rest of the world combined.162 In 2012, Japanese businesses continued to hold more than one-third163 of the world’s certifications.164

E.    REPUBLIC OF KOREA (SOUTH KOREA)

1. Constitutional Protection

The constitution of South Korea contains provisions guaranteeing the traditional “right to be let alone,” as well as an express right of privacy. Article 16 states: “All citizens are free from intrusion into their place of residence. In case of search or seizure in a residence, a warrant issued by a judge upon request of a prosecutor has to be presented.”165 Article 17 provides that the “privacy of no citizen may be infringed”166 and Article 18 provides secrecy of communication: “The secrecy of correspondence of no citizen may be infringed.”167

2. Statutory Protection

South Korea has both comprehensive and sectoral legislation addressing the use of personal information. The comprehensive Protection of Personal Information Act (PIPA) went into effect on September 30, 2011.168 In addition, to the extent that they have not been superseded by any specific provision of PIPA, many sectoral laws, each covering different categories of business, continue to protect personal data in the private sector. These laws include the Protection of Communications Secrets Act,169 the Telecommunications Business Act,170 the Framework Act on Electronic Commerce,171 and the Digital Signatures Act.172

Like the statutes of many other countries, PIPA adopts an approach to regulation that follows the OECD privacy principles. PIPA sets forth eight Personal Information Protection Principles that encompass the concepts of transparency, accuracy, fair use and collection, and security.173 Under PIPA, data subjects have the right to receive notice of processing of their personal information, the right to consent or not to such processing, the right to demand access to, or correction of, their personal information, and the right to terminate the processing of their information.174

Also like many other statutory regimes, PIPA provides additional protections related to “sensitive” data about an individual, such as that related to ideology, health, or other categories of information that could be used to do harm to the privacy of the data subject.175 Additionally, PIPA requires the processor of personal information to issue a privacy policy176 and to designate an officer in charge of processing personal information.177 Following an international trend, PIPA also includes a requirement that data processors notify data subjects in the event of a data breach.178

3. Other Organizations & Enforcement

The Minister of Public Administration and Security (MPAS) is the enforcement authority for PIPA, and public entities that process data are required to register with the authority.179 Under PIPA, MPAS may request reports from processors on their handling of personal information and issue orders relating to compliance.180 On July 30, 2013, the MPAS announced amendments to PIPA aimed at strengthening protections for Korean resident registration numbers, including a provision allowing for a maximum fine of up to 0.5 billion Korean won on a processor of personal information who fails to protect resident registration numbers.

F.    THE PEOPLE’S REPUBLIC OF CHINA (CHINA)

1. Constitutional Protection

The Chinese Constitution has a number of provisions dedicated to personal privacy. Article 37 protects individuals from unlawful searches, while Article 39 provides the same protection for private residences.181 Article 40 expressly protects the privacy of correspondence from both public and private actors, but includes an express reservation of the power “to censor correspondence in accordance with procedures prescribed by law.”182 In addition to this rather significant derogation, the Chinese government has admitted that its domestic law enforcement agencies are not always consistent in applying procedural protections and that any constitutional guarantees may not be applied evenly or systematically.

2. Statutory Protection

Provisions relating to personal data protection are found in various Chinese laws and regulations, but China does not yet have comprehensive national legislation regulating the use and protection of personal data. In the past few years, however, China has passed numerous rules related to data privacy protection in telecommunications and on the Internet.

In 2011, China’s Ministry of Industry and Information Technology promulgated the “Several Regulations on Standardizing Market Order for Internet Information Services,”183 which created nationwide privacy standards specific to Internet information service providers, including general disclosure, consent, secure storage, and breach reporting requirements.184 In 2012, China’s Standing Committee of the National People’s Congress issued a decision further strengthening online personal data protection. The 2012 directive creates more stringent requirements for Internet service providers, such as the adoption of technological measures to prevent the breach of individual information and more stringent breach reporting requirements. Additionally, under the 2012 directive, Internet users must use their real names to identify themselves to service providers.185

Finally, in mid-2013, China’s Ministry of Industry and Information Technology released the “Rules on Protecting Personal Information of Telecommunication and Internet Users,” which heightens protection in the areas of collection and use of personal information, information security measures, supervision, and inspection by relevant Chinese authorities, and liability for breach of the rules.186

Outside of the areas of telecommunications and the Internet, privacy breaches in China, when they are addressed, are handled through tort law, local ordinances, and criminal law. For example, Shanghai’s consumer protection rules provide some limited guidance on information privacy, and there are Articles of the Chinese criminal code that penalize physical intrusions of privacy, including illegally inspecting mail or entering a private residence,187 but there is no general law that prohibits personal data collection. The Chinese government is essentially unfettered in its ability to collect, store, and use all manner of personally identifiable data, and service providers are unlimited in their ability to use data related to electronic communications, whether telephonic or Internet.

3. Other Organizations & Enforcement

The Chinese tradition has long been one of keeping close track of its citizens. As far back as the 4th century B.C.E., Chinese provinces kept accurate records of their populations in order to tax and conscript their subjects, and unquestionably, the Chinese legal system has for the past several decades shown little concern for “privacy rights” under any definition one might apply to the term. However, in an implicit recognition of the economic advantages privacy protections can confer, the Chinese government is beginning to research adopting measures, including electronic signature certification authorities and database protection standards, in an attempt to increase the level of e-commerce in China. Several municipalities and provinces have also adopted “Open Government” acts, which allow citizens to check on their personal data stored by the municipal government and request that errors be corrected. Critics, however, have suggested that these experiments with privacy protection are likely to be undermined by broad national security exceptions contained within them.

G.    INDIA

1. Constitutional Protection

Article 21 of the Indian Constitution states, “No person shall be deprived of his life or personal liberty except according to procedure established by law.”188 Although this provision most closely resembles the Fifth Amendment to the U.S. Constitution, which is not generally considered a source of privacy rights in U.S. jurisprudence, the Indian Supreme Court found in Rajgopal v. State of Tamil Nadu (1994)189 and PUCL v. Union of India (1996)190 that the right to privacy is implicitly encompassed within the term “personal liberty” and “life.” In Shashank Shekhar Mishra v. Ajay Gupta (2011),191 the New Delhi High Court confirmed that money damages were available for invasion of the right to privacy under Article 21.

2. Statutory Protection

The concept of privacy as the “right to be let alone” is protected in tort and criminal law in India; India has no specific legislation directed at the protection and use of personal information. In the last few years, however, pressure from both E.U. and U.S. firms, who rely on Indian companies for business outsourcing, has resulted in significant though incremental changes in India’s privacy landscape.

India’s Information Technology Act of 2000 did not initially address information privacy, but it was amended in 2008 to provide the Indian Government with the power to enact rules and regulations in line with the 2000 Act.192 From this enabling legislation, in 2011, India’s Ministry of Communications and Information Technology implemented the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules (IT Rules).193 These IT Rules establish data collection, processing, and transfer requirements for sensitive personal data or other information of any person located anywhere in the world that is collected or processed in India.194

The IT Rules are in line with the E.U. Directive and other global data protection regulations, and require that data subjects be apprised of, and affirmatively consent to, the collection, processing, and transfer of their personal information, amongst other requirements for retention, collection, and transfer of data.195 The IT Rules also set forth requirements that companies protect against the negligent and intentional disclosure of sensitive personal information.196

Notably, a clarification to the IT Rules carves out an exception to required adherence for entities providing certain services under contractual obligation with a legal entity located within or outside India, provided the outsourcing company does not have direct contact with the data subject.197 Accordingly, outsourcing service providers in India should be exempt from obtaining consent from the individuals whose data they process. Additionally, India has some sectoral privacy protection, including the Public Financial Institutions Act of 1993, which mandates confidentiality in bank transactions.

A more comprehensive Indian data privacy law is in the works. The Indian Government has established a planning commission on privacy law to study international privacy laws, analyze existing Indian legal provisions, and make specific proposals for incorporation into future Indian law.198 In October 2012, the group released a report and informal draft privacy legislation making recommendations for a regulatory framework, but the legislation is still under consideration.

3. Other Organizations & Enforcement

Indian law enforcement agencies have not prioritized data protection issues. The National Association of Software and Service Companies (NASSCOM), a trade group composed of businesses in the information technology field, is actively engaged in lobbying for more stringent legislation, as well as developing mechanisms for self-regulation in the interim. For example, NASSCOM has established the National Skills Registry, which is a centralized database of information technology workers who have been subject to background checks and whose employment histories have been verified. While the National Skills Registry itself presents challenges to employee privacy (as NASSCOM acknowledges), it serves as an important check on individuals potentially planning on committing serial identity theft or other violations of consumer privacy by moving from job to job.

III.      TRANS-BORDER DATA FLOWS AND PRIVACY

With the advent of the Internet, information has been sent across borders in greater volumes and with greater frequency than ever before. This transfer of information is typically referred to as “trans-border data flows” or “cross-border data flows.” In the context of privacy protection, these transfers pose challenges and opportunities to the public and private sectors.

A.    GOVERNMENTAL DEVELOPMENTS

Two major inter-governmental attempts have been made to deal with the issue of trans-border data flows: The OECD Guidelines on Privacy, discussed at Section I.1 above, and the E.U./U.S. Safe Harbor.

1. U.S./E.U. Safe Harbor

Unlike the United States, the European Union has effectively adopted the OECD principles into its law. As discussed earlier in Chapter 4, the European Union has enacted Directive 95/46/EC, commonly called the “Data Protection Directive,” modeled on the OECD Guidelines, which required the Member States of the European Union to enact national legislation for the protection of E.U. residents’ personal data. The Data Protection Directive included restrictions on the ability of parties inside the European Union to transfer the personal data of E.U. residents to recipients in non-Member States. Given the extremely expansive nature of what constitutes “personal data” subject to protection under the Directive, this posed a serious threat to the viability of inter-U.S./E.U. trade, particularly in services. Shortly after the passage of the Directive, representatives of the U.S. Department of Commerce (DOC) began negotiating with the E.U. Commission over what steps the United States could take to receive recognition that it was providing sufficient levels of privacy protection for personal data transferred from the European Union.

Although the parties agreed that improvements in data protection were necessary, the DOC and the Commission were divided on the best solution. The DOC concurred with a report by the FTC that found, given the fluid, evolving nature of the “information economy,” self-regulation by industry was the superior method by which to achieve maximum protection with minimal constraint on future development.199 The Commission stood at the opposite extreme, arguing that anything less than comprehensive data protection legislation of the sort Member States were required to enact was insufficient. Through 1998 and into 1999, the DOC submitted multiple proposed self-regulation schemes (referred to as “safe harbors”), all of which were rejected by the E.U. Working Party on the Protection of Individuals with Regard to the Processing of Personal Data (Working Party). The Working Party was established pursuant to Article 29 of the Data Protection Directive to give the Commission opinions on the level of data protection both within the European Union and in other nations. As the Working Party stated in its last opinion on the subject, it “deplore[d] that most of the comments made in … previous position papers do not seem to be addressed in the latest version of the US documents.”200

By the summer of 2000, however, the DOC had worn down the Commission’s resistance to permitting some form of self-regulation. With extensive behind-the-scenes lobbying, and despite the strenuous objections of the Working Party, the Commission issued a decision on July 26, 2000 confirming the adequacy of the draft Safe Harbor proposal submitted by the DOC on July 21 of that year.201 The decision of the Commission means that national data protection agencies in Member States can only restrict the transmission and processing of personal data by a U.S. business subject to the Safe Harbor under two circumstances.202 The first is if either the DOC or another authorized U.S. government agency notifies the agency that the business breached the terms of the Safe Harbor.203 The second situation is where there is a likelihood that the Safe Harbor has been, or will be, breached.204 The Commission thus effectively surrendered enforcement of the Data Protection Directive to the DOC as it pertained to businesses within the United States. The decision recognizing the Safe Harbor went into effect on November 1, 2000.

a. Structure of the Safe Harbor

The Safe Harbor consists primarily of two parts: the Safe Harbor Privacy Principles (Principles) and the Safe Harbor Frequently Asked Questions (FAQ), which offer additional high-level interpretation by the DOC on the meaning of the Principles.205 Together, the two provide “authoritative guidance” to U.S. organizations that receive personal data from the European Union.206 Compliance with the Safe Harbor is considered sufficient to meet the requirements of the Data Protection Directive. Issued under the DOC’s general power to “foster, promote, and develop international commerce,” compliance with the Safe Harbor is voluntary and no specific methodology is prescribed.207 Joining an existing self-regulatory privacy program that complies with the Principles or developing an internal privacy policy that meets the Principles are both acceptable. To fall within the Safe Harbor, these programs or policies must be drafted to make organizations subject to action under Section 5 of the Federal Trade Commission Act concerning unfair or deceptive trade practices. Compliance with the Safe Harbor becomes effective immediately upon self-certifying adherence to the Principles.

(i) The Principles

The Principles cover all “personal data” or “personal information” received by a U.S. organization from the European Union, in any recorded form, which is defined as “data about an identified or identifiable individual that are within the scope of the [Data Protection] Directive.”208 The Principles are based on the OECD Guidelines and are divided into the following seven categories: (1) Notice, (2) Choice, (3) Onward Transfer, (4) Security, (5) Data Integrity, (6) Access, and (7) Enforcement.209

Under the principle of “Notice,” an organization is obliged to tell individuals about the purposes for which data is to be collected and how that data is to be used.210 The organization must also explain how individuals can make complaints or inquiries, the types of third parties to which the data may be disclosed, and the opportunities individuals have to limit such disclosure. The notice must be presented in “clear and conspicuous language” at the time individuals are asked to give personal information or as soon afterwards as feasible, but notice must be given before the organization employs the information for a purpose other than that for which it was originally collected or discloses it to a third party. Notice is not required if disclosure or transfer is being made to an agent of the organization, although the Onward Transfer Principle would apply.

With regard to the principle of “Choice,” the organization must provide individuals with an opportunity to decide on an opt-out basis whether their personal information can be disclosed to a third party or be used for a purpose other than one related to those that have previously been authorized.211 For “sensitive information,”212 the individual must affirmatively opt in before that information may be disclosed to third parties or be used for an alternative purpose.

The principle of “Onward Transfer” applies where the original data controller intends to disclose personal information to a third party. All of the following Onward Transfer rules are found in the Safe Harbor as reported in the Federal Register.213 The controller may only disclose personal information to a third party acting as an agent after having determined whether the third party meets the requirements of the Safe Harbor, the Data Protection Directive or another adequate measure of data protection. This provision of the Safe Harbor implies that if the intended recipient is bound by another nation’s personal data protection scheme, which has been found acceptable by the Commission, then the requirements of the Onward Transfer principle have been satisfied. Alternatively, the controller may enter into a written agreement with the third party, which guarantees that the recipient of the data will offer at least the same level of data protection as the Safe Harbor. If the original controller makes the determination or otherwise enters into an agreement with the third party, the original controller will not be held at fault if the third party breaches the terms of the Safe Harbor, provided that the original controller did not know and should not have known that the third party would commit the breach.

Under the principle of “Security,” data controllers must “take reasonable precautions” to guard against “loss, misuse and unauthorized access, disclosure, alteration and destruction.” The “security” principle is the least developed part of the Safe Harbor’s Principles, meriting only a single-sentence description. The fifth principle, “Data Integrity,” holds that personal data collected must be relevant to its specified purpose. The data controller must not process data “in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual.” Controllers are required to take reasonable steps to ensure the integrity of the data.

“Access” is the next principle, stipulating that data subjects must be able to examine personal data concerning them and “be able to correct, amend, or delete” the data if found inaccurate. If the financial and temporal costs to the controller, however, would be disproportionate to the risks posed to the subject’s privacy, controllers are not obliged to provide access. Controllers may also withhold personal data where access could threaten the rights of individuals other than the requesting party.

The final principle is “Enforcement.” For data protection to be considered effective, data controllers must implement measures to guarantee compliance with the Principles, provide recourse for data subjects whose personal data may have been compromised, and make clear the consequences of failure to comply with the Principles. The measures implemented by the controller must at least include “readily available and affordable independent recourse mechanisms” which will allow a subject’s complaint to be investigated and resolved in accordance with the Principles, including damage awards if applicable. There must also be procedures to verify that the controller is in fact complying with the Principles and a commitment to remedy the problems that led to the breach of the Principles. There must be adequate sanctions to make certain that the controller complies. The FTC and the U.S. Department of Transportation (DOT) are recognized by the European Union as being competent to investigate complaints of unfair or deceptive practices that are in breach of the Principles.

(ii) The FAQ

The FAQ is divided into fifteen parts, covering the Principles and related issues. The first FAQ asks, “Must an organization always provide explicit (opt-in) choice with respect to sensitive data?”214 The opt-in choice is not required if the data processing operation meets any of six criteria. These include situations where the processing is in the vital interests of the data subject, is necessary for medical treatment, is done by a non-profit organization as part of its mission, involves personal data that has been made public by the subject, is necessary for establishing a legal claim or defense, or where the organization is required to process the information to comply with other statutes or regulations. The second FAQ asks, “Do the Safe Harbor Principles apply to personal information gathered, maintained, or disseminated for journalistic purposes?” Due to First Amendment concerns, journalistic interests in data will typically trump privacy interests, although common law privacy torts, contractual obligations, or other regulations of the sort discussed elsewhere in this text might impose independent restrictions. Personal information that has been previously published or otherwise made available to the public through another outlet may be republished without violating the Principles.

The third FAQ asks, “Are Internet service providers (ISPs) … or other organizations liable under the … Principles when on behalf of another organization they merely transmit, route, switch or cache information that may violate their terms?” The answer is no, the Principles do not give rise to any secondary liability where a party merely acts as a conduit for data transmission. The fourth FAQ asks, “Under what circumstances is [the processing of personal data by auditors and investment bankers] permitted by the Notice, Choice, and Access Principles?” Auditors and investment bankers are permitted to process personal data without the data subject’s approval only for the duration and to the extent necessary to comply with other legislation or to meet the legitimate needs of the auditor or banker. These needs include verifying compliance with legal obligations and accounting practices, along with transactions concerning mergers, acquisitions, and joint ventures.

The fifth FAQ asks, “How will companies that commit to cooperate with European Union Data Protection Authorities (DPAs) make those commitments and how will they be implemented?” Data controllers may make these commitments by declaring in their Safe Harbor certification that they will comply with all terms of the Enforcement Principle, cooperate with data protection agencies in investigating and resolving complaints related to the Principles, comply with the advice from the agencies on remedies and compensation, and provide written confirmation of their action to the agencies. The data protection agencies in turn will give their advice through a panel operating at the supra-national level within the European Union that will consider both complaints by E.U. residents and submissions by controllers who have joined the Safe Harbor. In the event of a complaint, both the E.U. resident and the U.S. controller will have the opportunity to present their case before the panel, with a non-binding decision to be issued within sixty days where possible. Failure to comply with the panel’s decision within twenty-five days of its delivery will result in notification by the panel to the FTC or other federal or state agencies with the power to enforce laws against deceptive trade practices. The panel may also choose to notify the DOC about the controller’s failure to meet the terms of the Principles and request that the controller be stricken from the roster of Safe Harbor participants.

The sixth FAQ asks, “How does an organization self-certify that it adheres to the Safe Harbor Principles?” Certification becomes effective immediately after the following information is submitted:

1. The name of the data controller, mailing address, e-mail address, telephone and fax numbers;

2. A description of the controller’s activities with regard to personal data received from the European Union;

3. A description of the controller’s privacy policy, including where the policy is available for public viewing, the date of its implementation, a contact for handling Safe Harbor-related issues, the government agency to whose authority the controller is subject, any privacy programs the controller is part of, the method of verifying compliance with the Safe Harbor, and the mechanism for investigating unresolved complaints.215

If the controller wants to gain Safe Harbor protection for its E.U.-based human resources information, it may do so only if a government body has jurisdiction over claims relating to that data. The controller also must indicate a desire to include human resources data in its self-certification and make itself subject to relevant E.U. authorities.

The DOC maintains a list of all data controllers who have self-certified. The list is updated using annual statements from controllers certifying that they are still in compliance with the Principles and noting any changes that have occurred. Data received while a controller is certified under the Safe Harbor must continue to receive Safe Harbor protections even if the controller later leaves the Safe Harbor. Where a data controller that is currently operating under the Safe Harbor will be merged into, or taken over by, another organization which does not enjoy Safe Harbor status, the DOC must be notified in advance as to whether the new controller will continue the existing Safe Harbor protections, make a new self-certification, or provide some other safeguards such as creating a written guarantee of adherence to the Principles. If the new controller does not wish to comply, it must delete all personal data received under the terms of the Safe Harbor.

A critical point about this process is that it relies entirely on the honesty of the party making the certification. As the DOC states on the Safe Harbor website:

In maintaining the [Safe Harbor] list, the Department of Commerce does not assess and makes no representation as to the adequacy of any organization’s privacy policy or its adherence to that policy. Furthermore, the Department of Commerce does not guarantee the accuracy of the list and assumes no liability for the erroneous inclusion, misidentification, omission, or deletion of any organization, or any other action related to the maintenance of the list.216

The seventh FAQ asks, “How do organizations provide follow up procedures for verifying [compliance] … with the Safe Harbor Principles?”217 A data controller may meet the verification requirements of the Enforcement Principle through either self-assessment or a compliance audit by a third party. A self-assessment must indicate that the controller’s privacy statement is “accurate, comprehensive, prominently displayed, completely implemented, and accessible.” Furthermore, the self-assessment must show the controller’s privacy policy meets the conditions of the Principles, that data subjects are informed as to how they may make complaints, that employees are trained in the privacy policy and are disciplined for failing to follow it, and that there are internal means for “conducting objective reviews of compliance” with the aforementioned requirements. Annually, a corporate officer or other authorized representative of the controller must sign a statement confirming the self-assessment. This document must be kept on file and be made available to individuals upon request or in the event of an investigation concerning whether the company’s conduct and certification were proper.

A compliance audit must demonstrate that the controller’s privacy policy conforms to the Principles, is being complied with, and that data subjects are told how they may make complaints. There is no prescribed method for how such a review should be conducted. An annual statement confirming that the audit has been satisfactorily completed should be signed by the reviewer or an authorized representative of the controller and made available upon request or in case of investigation.

The eighth FAQ is divided into eleven sub-questions concerning the Access Principle. Summarized briefly, there is not an absolute right of access.218 Instead, data subjects are limited by questions of “proportionality or reasonableness.” The Access Principle does not require the same degree of thoroughness as a response to a subpoena. Rather, the controller should work to provide only the information specifically requested by the subject. If a request for information is vague or extremely broad, it is appropriate for the controller to ask the subject questions that will help narrow the focus of the request. Importantly, individuals requesting access to their own personal data are under no obligation to justify their petitions. The amount of effort expended by the controller should be dependent upon the significance of the request by the subject. “Confidential commercial information”219 may be denied to a subject.

“Access” merely means disclosure of information to the subject.220 The controller does not have to permit literal physical access to databases or other repositories of information. The controller may deny information to a subject where important public interests, such as law enforcement investigations, would be impacted or where other limitations on disclosure, such as professional privilege, would apply. Access may also be refused where the costs or efforts involved would be disproportionate or excessive, although controllers are entitled to charge reasonable fees for providing information to the subject and may limit requests to a certain number of times per period. The burden is on the controller to demonstrate why access should be restricted. An example of a legitimate reason for denying access exists where personal data is inextricably bound up with confidential commercial information, such as marketing data. Responses to access requests should be made “within a reasonable time period.”221

The ninth FAQ concerns human resources information and is divided into four sub-questions.222 The Safe Harbor covers personal data collected as part of an employment relationship in the EU and transmitted to the United States. A data controller may only disclose such information, or use it for a purpose other than that for which it was originally collected, if it conforms to the Notice and Choice Principles. The data collected may be subject to specific national data protection legislation that will impose additional restrictions on its use beyond the limitations of the Safe Harbor. Controllers “should make reasonable efforts to accommodate employee privacy preferences,” including anonymizing data or otherwise dissociating it from the employee’s identity if feasible. Complaints about misuse of E.U. employee data are to be handled according to the national data protection legislation where the employee is located.

The tenth FAQ asks, “[w]hen data is transferred from the [European Union] to the United States only for processing purposes, will a contract be required, regardless of participation by the processor in the Safe Harbor?” The answer is yes; however, data controllers are instructed to remember that the contract is intended for their own protection from liability in the event that the data processor mishandles the data. A U.S. processor is not directly responsible for applying the Principles, as they will be encapsulated in the required contract with the E.U. controller. However, processors that are not enrolled in the Safe Harbor may be subject to pre-authorization requirements by the Member States, substantially delaying operations. By joining the Safe Harbor, the processor may enjoy faster approval of such contracts.

The eleventh FAQ asks, “How should the dispute resolution requirements of the Enforcement Principle be implemented, and how will an organization’s persistent failure to comply with the Principles be handled?” A data controller may meet the Enforcement Principle’s requirements in any of three ways:

(1) Compliance with private sector developed privacy program that incorporate the Safe Harbor Principles in their rules and that include effective enforcement mechanisms …; (2) compliance with legal or regulatory supervisory authorities that provide for handling of individual complaints and dispute resolution; or (3) commitment to cooperate with data protection authorities located in the European Union or their authorized representatives.223

Controllers should encourage data subjects to raise concerns with them before proceeding to contact other enforcement bodies. The enforcement process should function with great independence from the controller or processor, as demonstrated by such matters as “transparent composition and financing or a proven track record.”


Any remedies provided must have the effect of reversing or correcting the breach of the Principles vis-à-vis the data subject and ensure that future processing will be in compliance. A range of penalties would best serve private sector regulatory bodies so that they may respond with some finesse based on how egregious the breach is. A private sector regulatory body must alert the appropriate government agency if a controller subject to the Safe Harbor refuses to comply with its rulings. The FTC will review referrals by such regulatory bodies and E.U. Member States to determine whether a controller has violated Section 5 of the FTC Act concerning unfair or deceptive trade practices.224 These reviews are to be made on a priority basis. If the FTC determines a violation has occurred, it may obtain an administrative cease-and-desist order addressing the bad conduct or file a complaint with a federal district court. As discussed above in Chapter 3, Part II(E)(1), the FTC may assess its own penalties. The FTC is required to notify the DOC of any action it takes to penalize a failure to comply with the Safe Harbor’s Principles.

If a data controller “persistently fails to comply with the Principles,” then it is no longer entitled to the benefits of the Safe Harbor.225 “Persistent failure to comply” results when a controller refuses to obey a final determination by any private sector regulatory body or a government agency, or where such an organization has found that the controller has failed to comply with the Principles so frequently that its claim of compliance is no longer credible. The controller must notify the DOC of the finding, and failure to do so may be punishable under the Fraud and False Statements Act, 18 U.S.C. § 1001. After receiving notice of a persistent failure to comply, the DOC must grant the controller thirty days to respond, after which, assuming the matter is not resolved satisfactorily, the controller will be cited on the Safe Harbor list for persistent failure to comply and be stripped of Safe Harbor benefits. A controller that has received a citation and later seeks enrollment in another private sector regulatory body must provide that body with a complete accounting of its previous participation in the Safe Harbor. The exact dynamics of the enforcement of the Safe Harbor remain unclear. In over seven years of operation, no entity registered with the Safe Harbor has been subject to an enforcement action or otherwise cited for failure to comply.

The twelfth FAQ asks, “Does the Choice Principle permit an individual to exercise choice only at the beginning of a relationship or at any time?” A data subject should have the right to opt out of having her data used for direct marketing at any time, subject to reasonable limits related to processing. A controller may also request information to confirm the identity of the subject before permitting the subject to opt out. If it is not feasible to contact subjects before using their data for direct mailings, the mailing itself should offer them a means to opt out of future mailings.


The thirteenth FAQ asks, “When can … travel information, such as frequent flyer or hotel reservation information … be transferred to organizations located outside the [European Union]?” If a data controller has joined the Safe Harbor, such data may be transferred automatically, subject only to specific national data protection legislation. If the controller has not joined the Safe Harbor, then the transfer must be “necessary to provide the services requested by the consumer or to fulfill the terms of an agreement” or, alternatively, the transfer can be made if the data subject (traveler) has given unambiguous consent. An example of a transfer “necessary to provide the services requested by the consumer” would be participation in a frequent flyer program.

The fourteenth FAQ deals with medical privacy concerns and is divided into seven sub-questions.226 Medical data gathered from individual E.U. residents is subject to the national data protection legislation of the Member State where they reside and becomes subject to the Principles when transmitted to the United States. To minimize the likelihood of breaching the Safe Harbor, data controllers are instructed to anonymize personal data concerning medical care and conditions when possible. Where the data has been gathered as part of a particular medical research project, the Notice and Choice Principles must be met before the data is employed in a different research project. Since future lines of research are not always predictable, a general clause stating that the personal data collected from the subject may be used in other forms of research is acceptable unless the purposes of the new research project prove inconsistent with the original purpose.227

Finally, the fifteenth FAQ asks, “[i]s it necessary to apply the Notice, Choice and Onward Transfer Principles to public record information or publicly available information?”228 The answer is no, so long as the public data is not combined with personal data and there are no restrictions imposed by specific national data protection legislation. Data controllers suffer no liability under the Principles if they obtain data from published sources, but if controllers intentionally publish personal data for the purpose of removing it from the scope of the Safe Harbor, they will lose their Safe Harbor certification.

b. The Safe Harbor’s Scope

The Safe Harbor is a voluntary self-regulatory program, so no entity is legally required to join it under U.S. law. Because of the scope of the Data Protection Directive, any business that has contact with E.U. residents on anything other than an anonymous, cash-only basis has effectively collected some form of personal data and thus would be subject to the Data Protection Directive. In the realm of e-commerce, any organization that operates a Web site and collects information from web-surfers for commercial purposes, including serving advertising to them, will be at risk of violating the Directive if an E.U. resident should happen to visit the site. On the other hand, the Safe Harbor is limited to only those entities that are subject to FTC or DOC regulatory jurisdiction, since they are the only two U.S. administrative agencies recognized to enforce it. Certain types of businesses, including telecommunications common carriers and insurance companies, are ineligible and must pursue alternative means of complying with the Data Protection Directive.229

2. Regulation of Airline Passenger Data

Following the terrorist attacks of September 11, 2001, Congress passed the Aviation and Transportation Security Act (ATSA).230 ATSA required the Department of Homeland Security (DHS) to promulgate regulations to be followed by airlines for international flights landing at U.S. airports. Among the regulations implemented by DHS is 19 C.F.R. § 122.49(a)–(d), collectively referred to as the “Passenger Manifest provision.”

The Passenger Manifest provision requires that an airline provide to the U.S. Commissioner of Customs, or other designee, a passenger and crew manifest for any international flight bound for the United States prior to the departure of the flight. As part of this manifest, airlines are required to provide the full names of passengers, date of birth, sex, nation of citizenship and residence, passport information, and other personal data. Airlines that fail to provide the information required face fines or the possibility of losing landing rights at all of the United States’ airports.231

The adoption of the Passenger Manifest provision immediately caused tension with the European Union, as it set up a sharp conflict with the E.U. Data Protection Directive’s restrictions on the collection and use of E.U. residents’ personal information. In 2003, as the DHS pressed forward with plans to begin enforcement of the Passenger Manifest provision, the E.U. Parliament passed a resolution denouncing both the scope of the data collected and the apparent inadequacy of protection against misuse of personal information once received by U.S. authorities.232 Airlines operating flights between points in the United States and the European Union were naturally put in the awkward position of deciding whether to disclose passenger information and face fines or even criminal penalties from E.U. Member States, or to withhold the information and face fines in the United States and possible revocation of their landing rights.


The conflict seemed to be resolved in May of 2004 when the United States and the E.U. Commission and Council reached agreements that made the sharing of passenger information subject to usage limitations and retention policies.233 Still dissatisfied with the level of protection afforded E.U. residents’ personal data, the E.U. Parliament sued the Commission and the Council in a proceeding before the European Court of Justice, arguing that the agreements were in conflict with the Data Protection Directive and beyond the scope of authority conferred on the Commission to negotiate agreements with other nations concerning the handling of personal data. The Court of Justice agreed with the Parliament’s analysis and annulled the agreements in a 2006 ruling.234

The Court of Justice decision compelled the United States and E.U. Council to negotiate further and establish a new agreement governing the transfer of airline passenger information. Adopted July 23, 2007, the new agreement permits DHS to collect personal information pursuant to the Passenger Manifest provision, but places greater restrictions on its ability to use or retain such information beyond an initial screening of passenger identities.235 The E.U. Parliament registered an objection to the agreement before it even took effect, but the Parliament did not commence litigation to try to set it aside.236 A new agreement, the Passenger Name Records Agreement (PNR), was adopted by the E.U. Council on April 26, 2012.237 The PNR replaces the 2007 agreement, which had been applied on a provisional basis. The PNR has strict controls over the retention of personally identifiable information, requiring such information to be “masked” after six months.

B.    BUSINESS DEVELOPMENTS

1. Outsourcing

Outsourcing may be defined as the transfer of responsibility for execution of a business activity from one organization to an external service provider that assumes a primary role in performing the activity and returns a value-added product or service. Historically, outsourcing was primarily associated with manufactured products, but with declining communication costs and the ability to transmit documents at near instantaneous speeds, services are increasingly subject to outsourcing as well. Outsourcing services on an international basis has become particularly attractive given that “transportation” costs are almost non-existent, thus profit margins realized from wage differentials can be even greater than for manufactured products.

While outsourcing is, all things being equal, generally a good strategy for increasing profits in those service sectors that can be performed remotely, it also poses significant privacy challenges. Many of the services businesses consider outsourcing, including medical transcription, payroll record management, and insurance claim processing, implicate personal information of customers or employees. Compounding this situation further is that, given the increasingly multinational nature of many businesses, personal information (both customer and employee) may have been collected in multiple nations and be subject to different privacy protection regimes. This poses the possibility of a business inadvertently committing violations of numerous laws. For example, if an E.U. resident purchases shares listed on the Toronto Stock Exchange through the Canadian branch of a U.S.-headquartered brokerage house, and the brokerage house transmits the information concerning that transaction to an outside vendor in India for processing, it is possible the brokerage house has almost simultaneously violated (a) the E.U. Member State’s national data protection legislation enacted pursuant to the Data Protection Directive, (b) PIPEDA, and (c) the Gramm-Leach-Bliley Act.238 Strategies for dealing with this challenge break down into four principal approaches.

The first is the “ostrich” approach. Companies using this approach, assuming they are even fully aware of the intricacies of the statutes and regulations affecting their collection, use, or retransmission of personal information, ignore the problems they are facing and simply proceed with their activities. Although no systematic study has been made of business strategies for coping with the challenge of international transfers of personal information, what evidence exists suggests this approach is the most popular. By way of example, although the U.S./E.U. Safe Harbor has been open for registration for over seven years, fewer than 1,400 businesses are currently enrolled in it. While this approach may seem surprising in light of the general reputation of businesses being cautious with regard to liability exposure, it is a rational approach in the short term. Enforcement of privacy laws in the context of international transactions has been limited, except in cases of serious criminal conduct. The cost of compliance, thus, can be significantly greater than the costs of non-compliance when the latter is adjusted for the very low risk of being held accountable for violations. Anecdotal accounts suggest that many European corporate entities actually take this approach, retain appropriate privacy counsel, and ultimately pay whatever fines are assessed. How viable this approach will remain in the end is questionable though, as agencies within the European Union increase enforcement activity.

A second approach has been termed the “Just in Time” approach. Companies using this approach deal with privacy issues in outsourcing as problems are brought to their attention. A typical example of this sort of approach arises when a Canadian customer informs a U.S.-based vendor that it will require compliance with PIPEDA from the vendor before continuing to do business. This approach allows companies to deal with challenges on a more manageable level, but at the risk of creating contradictory or incomplete internal processes. The vendor in the example above, after making the requested changes, would still be at risk of violating the Data Protection Directive if it was also collecting personal information from E.U. customers, since PIPEDA compliance by a U.S. business has no impact on the legality of transfers between the European Union and the United States.

The third approach, sometimes called the “E.U. Gambit,” has companies simply complying with the Data Protection Directive, relying on the fact that there is substantial overlap between the Directive and most other data protection regimes. While of course this strategy is effective when dealing with parties located in E.U. Member States, it is still an incomplete approach.239 National variations still result in compliance gaps and, when the onward transfer restrictions of the Data Protection Directive are factored in, a business relaying personal information from E.U. residents to a third party in another country might still be violating the Directive even if its internal compliance is sufficient.

The final approach is the “audit” strategy. Under this approach, companies conduct audits on their privacy compliance. The audits analyze three things: (1) the privacy protection regime in each jurisdiction where the company collects or processes personal information; (2) the categories of personal information the company collects; and (3) the internal procedures the company employs for handling the information and the procedures its outsourcing vendors use in handling transferred information. The purpose of the audit approach is to permit a company to segregate personal information by its point of origin and treat each category of information with the necessary level of care to comply with the law of the country of origin. This approach can be characterized as a “best practice” and, anecdotally, seems to be on the rise.

_______________________________________

1 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, ORG. FOR ECONOMIC COOPERATION & DEV. (Sept. 23, 1980), http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm [hereinafter Guidelines].

2 Id.

3 Id. at ¶¶ 7–14.

4 Id. at ¶¶ 15-18.

5 OECD, RECOMMENDATION OF THE COUNCIL CONCERNING GUIDELINES GOVERNING THE PROTECTION OF PRIVACY AND TRANSBORDER FLOWS OF PERSONAL DATA (2013), http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf [hereinafter Revised Guidelines] (last visited Nov. 5, 2013).

6 DIRECTORATE FOR SCI., TECH. & INDUS. COMM. FOR INFO., COMPUTER AND COMMCNS POLICY, OECD, THE SEOUL DECLARATION FOR THE FUTURE OF THE INTERNET ECONOMY (2008), available at http://www.oecd.org/internet/consumer/40839436.pdf (last visited Nov. 5, 2013).

7 Id. at 10.

8 WPISP, OECD, TERMS OF REFERENCE FOR THE REVIEW OF THE OECD GUIDELINES GOVERNING THE PROTECTION OF PRIVACY AND TRANSBORDER DATA FLOWS OF PERSONAL DATA (2011), available at http://www.oecd.org/sti/ieconomy/48975226.pdf.

9 Id. at 3 (emphasis in original).

10 See generally Revised Guidelines, supra note 5, at 19–30.

11 Id. at 33–34.

12 Id. at 22.

13 Id. at 17.

14 OECD Guidelines for the Security of Information Systems, 1992, OECD (Nov. 26, 1992), http://www.oecd.org/sti/ieconomy/oecdguidelinesforthesecurityofinformationsystems1992.htm [hereinafter 1992 Security Guidelines].

15 The Role of the 2002 Security Guidelines: Towards Cybersecurity for an Open and Interconnected Economy, WPISP, OECD 4 (Nov. 16, 2012), http://search.oecd.org/officialdocuments/publicdisplaydocumentpdf/?cote=DSTI/ICCP/REG(2012)8/FINAL&docLanguage=En.

16 Id.

17 Id.

18 See id. (citing Summary Record of the WPISP meeting on October 9–10, 2001 (OECD, 2001c) where “delegates concurred that, particularly in light of the events of September 11, a thorough and expedited review should be conducted ….”)

19 See Terms of Reference for the Review of the OECD Guidelines for the Security of Information Systems and Networks (OECD Digital Economy Papers, No. 210, Nov. 16, 2012), available at http://www.oecd-ilibrary.org/science-and-technology/terms-of-reference-for-the-review-of-the-oecd-guidelines-for-the-security-of-information-systems-and-networks_5k8zq92zhqhl-en.

20 Guidelines for Cryptography Policy, OECD (Mar. 27, 1997), http://www.oecd.org/internet/ieconomy/guidelinesforcryptographypolicy.htm.

21 See id.

22 See Hunter v. Southam, Inc., [1984] 2 S.C.R. 145, 159–60 (Can.).

23 Privacy Act, R.S.C. 1985, c. P-21 § 2 (Can.).

24 Id. at § 4.

25 Id. at § 7(a).

26 Id. at § 8(1).

27 Id. at § 12(1)(b).

28 Id. at § 16(1).

29 Id. at § 41.

30 Id. at § 53(1).

31 Id. at § 53(2)–(3).

32 Id. at § 34(1); see also About the Office of the Privacy Commissioner, OFFICE OF THE PRIVACY COMMR OF CAN., http://www.priv.gc.ca/au-ans/index_e.asp#cn-tphp (last modified Jul. 19, 2010).

33 Privacy Act § 34(1)(a).

34 Id. at § 34(1)(c).

35 Id. at § 42(a)–(c).

36 Id.

37 Id. at § 35(5).

38 Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (Can.) [hereinafter PIPEDA].

39 The European Union’s efforts at privacy protection are discussed in detail in Chapter 4, Part II(B).

40 Legal Information Related to PIPEDA, OFFICE OF THE PRIVACY COMMR OF CAN., http://www.privcom.gc.ca/legislation/02_06_02b_e.asp (last modified Apr. 1, 2004).

41 Id.

42 PIPEDA § 2(1).

43 Id. at § 2(1).

44 Id. at § 4(2)(a).

45 Id. at § 4(2)(b)–(c).

46 Personal Information Protection Act, S.A. 2003, c. P-6.5 (Can. Alta.); Personal Information Protection Act, S.B.C. 2003, c. 63 (Can. B.C.); An Act Respecting the Protection of Personal Information in the Private Sector, R.S.Q., c. P-39.1 (Can. Que.); Personal Information Protection and Identity Theft Prevention Act, S.M. 2013, c. 17 (Man. Can.); see also Fact Sheets, Questions and Answers regarding the application of PIPEDA, Alberta and British Columbia’s Personal Information Protection Acts, OFFICE OF THE PRIVACY COMMR OF CAN., http://www.privcom.gc.ca/fs-fi/02_05_d_26_e.asp (last modified Nov. 05, 2004).

47 PIPEDA § 7; PIPEDA sch. 1, cl. 4.9.

48 PIPEDA sch. 1, cl. 4.3.

49 Id. at sch. 1, cl. 4.8.

50 Id. at sch. 1, cl. 4.7.

51 PIPEDA § 5; PIPEDA sch. 1, cl. 4.6.

52 PIPEDA § 8; PIPEDA sch. 1, cl. 4.9.

53 PIPEDA sch. 1.

54 Id. at sch. 1, 4.8.1.

55 PIPEDA § 14(1)–(3).

56 Id. at § 12(1)(a)–(c).

57 Id. at § 13(1).

58 ARTICLE 29-DATA PROTECTION WORKING PARTY, OPINION 2/2001 ON THE ADEQUACY OF THE CANADIAN PERSONAL INFORMATION AND ELECTRONIC DOCUMENTS ACT (2001), available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2001/wp39en.pdf (last visited Nov. 5, 2013).

59 Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequate Protection of Personal Data Provided by the Canadian Personal Information Protection and Electronic Documents Act, 2002/2/EC, 2002 O.J. (L 2/13) (2002), available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2002:002:0013:0016:EN:PDF (last visited Nov. 5, 2013).

60 A Privacy Handbook for Lawyers, PIPEDA and Your Practice, OFFICE OF THE PRIVACY COMMR OF CAN., http://www.priv.gc.ca/information/pub/gd_phl_201106_e.pdf (last modified Aug. 16, 2011).

61 Fact Sheets, What Canadians Can Do to Protect Their Personal Information Transferred Across Borders, OFFICE OF THE PRIVACY COMMR OF CAN., http://www.privcom.gc.ca/fs-fi/02_05_d_23_e.asp (last modified Aug. 18, 2004).

62 A Privacy Handbook for Lawyers, PIPEDA and Your Practice, OFFICE OF THE PRIVACY COMMR OF CAN., http://www.priv.gc.ca/information/pub/gd_phl_201106_e.pdf (last modified Aug. 16, 2011); see also Lawson v. Accusearch Inc., 2007 FC 125.

63 Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act [USA PATRIOT Act], Pub. L. 107-56, U.S.C.C.A.N. (115 Stat.) 272. (2001) (codified as amended in scattered sections 8, 12, 15, 18, 20, 31, 42, 47, 49, and 50 U.S.C.).

64 See PIPEDA, S.C. 2000, c. 5 § 7(2)(a) (Can.).

65 Id. at § 7(3)(c).

66 Heather Black, Assistant Privacy Comm’r of Can., The Latest Developments in Privacy Compliance: PIPEDA Review and the USA PATRIOT Act, Address at the 11th Annual Meeting on Regulatory Compliance for Financial Institutions (Nov. 18, 2005), available at http://www.privcom.gc.ca/speech/2005/sp-d_051118_hb_e.asp (last modified Nov. 18, 2005).

67 Id.

68 Processing Personal Data Across Borders: Guidelines, OFFICE OF THE PRIVACY COMMR OF CAN., http://www.priv.gc.ca/information/guide/2009/gl_dab_090127_e.pdf (last visited Nov. 15, 2013).

69 Id.

70 The Case for Reforming the Personal Information Protection and Electronic Documents Act, OFFICE OF THE PRIVACY COMMR OF CAN. (May 2013), http://www.priv.gc.ca/parl/2013/pipeda_r_201305_e.pdf.

71 Id.

72 Address by Jennifer Stoddart, Privacy Commissioner of Canada, Privacy protection in Canada – Keeping Pace with Advancing Global Norms, Remarks at the 2012 Access and Privacy Conference, organized by University of Alberta, June 14, 2012 Edmonton, Alberta, http://www.priv.gc.ca/media/sp-d/2012/sp-d_20120614_e.asp.

73 Hessisches Datenschutzgesetz [HDSG] [Data Protection Act of the German Federal State of Hessen], Sept. 30 1970, v 7.10.1970 GVB1, Hesse I § 625 (Ger.).

74 Datalag (1973:289) [Data Act] (Swed.).

75 Council Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do? uri=OJ:L:1995:281:0031:0050:EN:PDF [hereinafter Data Protection Directive].

76 Data Protection Directive, 95/46/EC, ch. I, art. 2(a), 1995 O.J. (L281) 31, 38.

77 “Processing of personal data” is defined as any operation pertaining to personal data including “collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.” Data Protection Directive, 95/46/EC, art. 2(b), 1995 O.J. (L281) 31, 38.

78 A “filing system” is “any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis.” Data Protection Directive, 95/46/EC, ch. I, art. 2(c), 1995 O.J. (L281) 31, 38.

79 Data Protection Directive, 95/46/EC, ch. I, art. 2(a), 1995 O.J. (L281) 31, 38.

80 Id. at art. 3(2), 1995 O.J. (L281) 31, 39.

81 A data “controller” is any “natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.” Id. at art. 2(d), 1995 O.J. (L281) 31, 38.

82 A data “processor” is any “natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.” Id. at art. 2(e), 1995 O.J. (L281) 31, 38. A data processor may not legitimately process personal data unless instructed by the data controller or otherwise required by law to process the data. Id. at ch. II, § 7, art. 16, 1995 O.J. (L281) 31, 43.

83 Id. at ch. I, art. 4(1)(a)–(c), 1995 O.J. (L281) 31, 39.

84 Processing of previously collected personal data for “historical, statistical or scientific purposes” is permissible with “appropriate safeguards.” Id. at ch. II, art. 6(1)(b), 1995 O.J. (L281) 31, 40.

85 Id. at ch. II, § I, art. 6(1)(c), 1995 O.J. (L281) 31, 40.

86 Id. at art. 6(1)(d), 1995 O.J. (L281) 31, 40.

87 Id. at art. 6(1)(e), 1995 O.J. (L281) 31, 40.

88 Id. at ch. II, § II, art. 7(a)–(f), 1995 O.J. (L281) 31, 40.

89 Referred to as “special categories of data,” this includes data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership … [or] concerning health or sex life.” Id. at art. 8(1), 1995 O.J. (L281) 31, 40.

90 Id. at ch. II, § III, art. 8(2)(a), 1995 O.J. (L281) 31, 40.

91 Id. at art. 8(3)–(5), 1995 O.J. (L281) 31, 41.

92 Id. at art. 9, 1995 O.J. (L281) 31, 41.

93 Other information can include the recipients of the data, whether providing the data is voluntary or mandatory (including the consequences of not providing the data), and the existence of the right to review and correct the data. Id. at ch. II, § IV, art. 10(a)–(c), 1995 O.J. (L281) 41.

94 Id. at ch. II, § IV, art. 11(2), 1995 O.J. (L281) 31, 42.

95 Id. at ch. II, § V, art. 12(a)–(c), 1995 O.J. (L281) 31, 42. This right must be able to be exercised at “reasonable intervals and without excessive delay or expense.”

96 Id. at ch. II, § V, art. 12(a), 1995 O.J. (L281) 31, 42.

97 This is so unless national legislation provides otherwise. Id. at ch. II, § VII, art. 14(a), 1995 O.J. (L281) 31, 42-43.

98 Id.

99 See generally Id. at ch. II, § VII, art. 14(b), 1995 O.J. (L281) 31, 43 (bestowing a right to object upon the data subject where the information will be used for direct marketing).

100 Id. at ch. II, § VIII, art. 17(1), 1995 O.J. (L281) 31, 43.

101 The Data Protection Directive itself does not stipulate what an “equivalent form” would be, indicating that it is left to the Member States to determine that point. For example, Austria does not recognize an “equivalent form,” requiring all such contracts to be in writing. Id. at ch. II, § VIII, art. 17(4), 1995 O.J. (L281) 31, 43.

102 Id. at ch. II, § IX, art. 18(1), 1995 O.J. (L281) 43. Member States are required to establish or empower one or more independent public agencies to be responsible for monitoring the implementation of the Data Protection Directive. Id. at ch. VI, art. 28(1), 1995 O.J. (L281) 31, 47.

103 Id. at ch. II, art. 19(1)(a)–(f), 1995 O.J. (L281) 31, 44.

104 Id. at ch. II, § IX, art. 20(1)–(3), 1995 O.J. (L281) 31, 44.

105 This record must contain at least the notification information required by the Data Protection Directive, with the exception of a description of the security measures used to protect the data. See Id. at ch. II, art. 21(2), 1995 O.J. (L281) 31, 44–45.

106 Id. at ch. II, § IX, art. 21(3), 1995 O.J. (L281) 31, 45.

107 Id. at ch. II, § IX, art. 21(3), 1995 O.J. (L281) 31, 45.

108 Id. at ch. III, § IX, art. 22, 1995 O.J. (L281) 31, 45.

109 49 § Personuppgiftslagen (1998:204) [Personal Data Act] (Swed.).

110 Datenschutzgesetz [DSG] [Federal Act Concerning the Protection of Personal Data] No. 165/1999, § 51 ¶ 1 (Austria).

111 Data Protection Directive, 95/46/EC, ch. IV, art 25(1), 1995 O.J. (L281) 31, 45.

112 Id. at ch. IV, art 25(2), 1995 O.J. (L281) 31, 45.

113 Id. at ch. IV, art 25(3), 1995 O.J. (L281) 31, 46.

114 Id. at ch. IV, art 25(4), 1995 O.J. (L281) 31, 46.

115 Id. at ch. IV, art 25(5), 1995 O.J. (L281) 31, 46.

116 Id. at ch. IV, art 26(1)(a), 1995 O.J. (L281) 31, 46.

117 Id. at ch. IV, art 26(2), 1995 O.J. (L281) 31, 46.

118 Id. at ch. IV, art 26(3), 1995 O.J. (L281) 31, 46.

119 Id. at ch. VII, art. 32(1), 1995 O.J. (L281) 31, 49.

120 Member States joining the European Union subsequent to the Directive taking effect were obligated to enact compliant legislation as a condition of entry. See Justice, Status of Implementation of Directive 95/46 on the Protection of Individuals with Regard to the Processing of Personal Data, EUROPEAN COMMN, http://ec.europa.eu/justice/data-protection/law/status-implementation/index_en.htm (last updated July 16, 2013).

121 Data Protection Act, 1998, c. 29, § 1(1) (Eng.), available at http://www.legislation.gov.uk/ukpga/1998/29/data.pdf.

122 Bundesgesetz über den Schutz Personenbezogener Daten [DSG 2000] [Federal Act Concerning the Protection of Personal Data] Bundesgesetzblatt I [BGBl] No. 165/1999, amended by [BGBl] No. 135/2009, § 4(1), (3) (Austria), available at http://www.ris.bka.gv.at/Dokumente/Erv/ERV_1999_1_165/ERV_1999_1_165.pdf.

123 Council Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector, 2002 O.J. (L 201) 37, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2002:201:0037:0037:EN:PDF [hereinafter Communications Directive].

124 Communications Directive, 2002/58/EC, art. 5(1), 2002 O.J. (L 201) 37, 43.

125 Id. at art. 15(1), 2002 O.J. (L 201) 37, 46.

126 Council Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/58/EC, 2006 O.J. (L 105) 54, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:0063:EN:PDF [hereinafter Data Retention Directive].

127 Data Retention Directive, 2006/24/EC, (5) & (6), 2006 O.J. (L105) 54.

128 Id. at (10) & (11), 2006 O.J. (L105) 54, 55.

129 Id. at art. 5(1)(a)–(f), 2006 O.J. (L105) 54, 57–58.

130 Romanian Senate Rejects the New Data Retention Law, Digital Civil Rights in Europe, EDRI (Jan. 18, 2012), http://edri.org/edrigramnumber10-1romanian-senate-rejects-data-retention/ (last visited January 11, 2014).

131 Retention of Telecommunication Data for Purposes of Investigation of Serious Criminal Offences Law of 2007, 183(I)/2007 (Cyprus); see also Data Retention Law Provisions Declared Unlawful in Cyprus, Digital Civil Rights in Europe, EDRI (Feb. 9, 2011), http://edri.org/edrigramnumber9-3data-retention-un-lawful-cyprus/ (last visited January 11, 2014).

132 Bulgarian Court Annuls a Vague Article of the Data Retention Law, Digital Civil Rights in Europe, EDRI (Dec. 17, 2008), http://edri.org/edri-gramnumber6-24bulgarian-administrative-case-data-retention/ (last visited January 11, 2014).

133 European Union, ELEC. FRONTIER FOUND., https://www.eff.org/issues/mandatory-data-retention/eu (last visited Nov. 7, 2013).

134 Press Release, European Commission, Commission Proposes a Comprehensive Reform of Data Protection Rules to Increase Users’ Control of their Data and to Cut Costs for Businesses (Jan. 25, 2012), available at http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en (last updated Sept. 19, 2013).

135 Id.

136 Id.

137 See Commission Decision 2000/520/EC of 26 July 2000 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequacy of the Protection Provided by the Safe Harbor Privacy Principles and Related Frequently Asked Questions Issued by the US Department of Commerce, art. 1(1), 2000 O.J. (L 215) 7, 8, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML [hereinafter Safe Harbor Decision].

138 Constitución Política de los Estados Unidos Mexicanos [C.P.], art. 16, Diario Oficial de la Federación [D.O.], 5 de Febrero de 1917 (Mex.), available at http://www.oas.org/juridico/mla/en/mex/en_mex-int-text-const.pdf (English translation).

139 Ley Federal de Protección de Datos Personales en Posesión de Particulares [L.F.P.D.P.P.P.][Federal Protection of Personal Data in Possession of Private Parties Law] Diario Oficial de la Federación [D.O.], 5 de Julio de 2010 (Mex.), available at https://www.privacyassociation.org/media/pdf/knowledge_center/Mexico_Federal_Data_Protection_Act_July2010.pdf (Unofficial English Translation).

140 Mexico: IFAI Publishes Security Guidelines for Public Consultation, DATAGUIDANCE, http://www.dataguidance.com/news.asp?id=2105 (last updated Sept. 12, 2013).

141 Ley Federal de Protección de Datos Personales en Posesión de Particulares [L.F.P.D.P.P.P.][Federal Protection of Personal Data in Possession of Private Parties Law], art 6, Diario Oficial de la Federación [D.O.], 5 de Julio de 2010 (Mex.).

142 See generally Ley Federal de Protección de Datos Personales en Posesión de Particulares [L.F.P.D.P.P.P.][Federal Protection of Personal Data in Possession of Private Parties Law], art. 30, Diario Oficial de la Federación [D.O.], 5 de Julio de 2010 (Mex.).

143 Lineamientos del Aviso de Privacidad [Privacy Notice Guidelines], Diario Oficial de la Federación [D.O.], 17 de Enero de 2013 (Mex.), available at http://www.dof.gob.mx/nota_detalle.php?codigo=5284966&fecha=17/01/2013.

144 Ley Federal de Protección al Consumidor [L.F.P.C.] [Federal Consumer Protection Law], as amended, 16 de Enero de 2013, Diario Oficial de la Federación [D.O.], 24 de Diciembre de 1992 (Mex.).

145 Ley de Protección y Defensa al Usuario de Servicios Financieros [L.P.D.U.S.F.] [Financial Services User Protection and Defense Law], as amended, 4 de Septiembre de 2012, Diario Oficial de la Federación [D.O.], 18 de Enero de 1999 (Mex.).

146 SONTUSDATOS, ACERCA DE, ANTECEDENTES, http://sontusdatos.org/acerca-de/antecedentes/ (last visited Nov. 5, 2013).

147 Id.

148 Ley Federal de Protección de Datos Personales en Posesión de Particulares [L.F.P.D.P.P.P.][Federal Protection of Personal Data in Possession of Private Parties Law] Diario Oficial de la Federación [D.O.], 5 de Julio de 2010 (Mex.), available at https://www.privacyassociation.org/media/pdf/knowledge_center/Mexico_Federal_Data_Protection_Act_July2010.pdf (Unofficial English Translation).

149 NIHONKOKU KENPŌ [KENPŌ] [CONSTITUTION], art. 35, para. 1 (Japan), available at http://www.kantei.go.jp/foreign/constitution_and_government_of_japan/constitution_e.html (English translation).

150 Id. at art. 21, para. 2.

151 RESEARCH COMM’N ON THE CONST., HOUSE OF COUNCILLORS, HANDBOOK ON THE RESEARCH REPORT ON THE CONSTITUTION OF JAPAN 21 (2005), available at http://www.sangiin.go.jp/eng/report/ehb/ehb.pdf.

152 Act on the Protection of Computer Processed Personal Information held by Administrative Organs, Act No. 58 of 2003.

153 MITI, Guidelines Concerning the Protection of Computer Processed Personal Data in the Private Sector, Mar. 4, 1997.

154 Act on the Protection of Personal Information, Law No. 57 of 2003 (Japan), available at http://www.cas.go.jp/jp/seisaku/hourei/data/APPI.pdf (English translation).

155 David A. Laverty, JAPAN: Internet Privacy and Related Developments, INTERNATIONAL COUNSEL (Mar. 2000), http://www.internationalcounsel.com/pubs/updates/update008.htm.

156 Eric Kosinski, Japanese Privacy Guidelines Require Tighter Oversight of Data Processors, PRIVACY LAWS AND BUS. INT’L NEWSLETTER, Issue 92 (April 2008).

157 Section 4. Promotion of Information-Oriented Society, MINISTRY OF HEALTH, LABOUR AND WELFARE, http://www.mhlw.go.jp/english/wp/wp-hw2/part2/p2c11s4.pdf (last visited Nov. 15, 2013).

158 Guidelines for Personal Protection in the Financial Field, FIN. SERVS. AGENCY, http://www.fsa.go.jp/frtc/kenkyu/event/20070424_02.pdf (unofficial English translation) (last visited Nov. 5, 2013).

159 Guideline on Protection of Personal Information in Telecommunications Business-Efforts with Security Control Measures to Prevent Personal Information Leakage, MINISTRY OF INTERNAL AFFAIRS AND COMMC’NS, http://www.soumu.go.jp/main_sosiki/joho_tsusin/eng/Resources/others/110214_1.pdf (last visited Nov. 15, 2013).

160 MINISTRY OF LAND, INFRASTRUCTURE AND TECH., http://www.mlit.go.jp/en/index.html (search “guidelines”) (last visited Nov. 15, 2013).

161 International Privacy and Data Protection Laws; Japan, MCAFEE, http://www.mcafee.com/us/regulations/apac/japan.aspx (last visited Nov. 15, 2013); see also Privacy International, Report: Japan, PRIVACY INT’L, https://www.privacyinternational.org/reports/japan/iii-privacy-issues#footnote1_w1ifmyj (last visited Nov. 5, 2013).

162 INT’L ORG. FOR STANDARDIZATION (ISO), The ISO Survey—2006, 40–41 (2006), available at http://www.iso.org/iso/survey2006.pdf.

163 In 2012, Japanese businesses held 7,199 of 19,577 ISO certifications, or 1 out of every 2.71 certifications issued worldwide.

164 Certifications by country can be accessed at http://www.iso.org/iso/home/standards/certification/iso-survey.htm.

165 Constitution of the Republic of Korea, ch. 1, art. 16, available at http://www.ccourt.go.kr/home/att_file/download/Constitution_of_the_Republic_of_Korea.pdf (English translation).

166 Id. at art. 17.

167 Id. at art. 18.

168 BUSINESS SOFTWARE ALLIANCE (BSA), COUNTRY REPORT: KOREA (2012), available at http://cloudscorecard.bsa.org/2012/assets/PDFs/country_reports/Country_Report_Korea.pdf. English version of the Personal Information Protection Act is available at http://koreanlii.or.kr/w/images/9/98/DPAct1110en.pdf.

169 Protection of Communications Secrets Act (1993), Act No. 4650, amended by Act No. 8867, February 29, 2008.

170 Telecommunications Business Act (1991), Act No. 4394, last amended by Act No. 8867, February 29, 2008.

171 Framework Act on Electronic Commerce (1999), Act No. 5834, amended by Act No. 8979, March 21, 2008.

172 Digital Signatures Act (1999), Act No. 5792, amended by Act No. 8852, February 29, 2008.

173 Personal Information Protection Act, ch. I, art. 3 (S. Kor.) [hereinafter PIPA].

174 Id. at ch. I, art. 3.

175 Id. at ch. III, sec. 2, art. 23.

176 Id. at ch. IV, art. 30.

177 Id. at ch. IV, art. 31.

178 Id. at ch. IV, art. 34.

179 Id. at ch. IV, art. 32.

180 Id. at ch. IV, arts. 61–64.

181 XIANFA [CONSTITUTION] ch. 2, arts. 37, 39 (1982) (China), available at http://www.purdue.edu/crcs/itemResources/PRCDoc/pdf/Constitution.pdf (English translation).

182 Id. at ch. 2, art. 40.

183 Several Regulations on Standardizing Market Order for Internet Information Services, MINISTRY OF INDUS. AND INFO. TECH. OF THE PEOPLE’S REPUBLIC OF CHINA, http://www.miit.gov.cn/n11293472/n11293832/n12771663/14417081.html (Chinese language version) (last visited Nov. 16, 2013).

184 China: New Measures to Standardize Internet Services and Protect Users Launched, LIBRARY OF CONG., http://www.loc.gov/lawweb/servlet/lloc_news?disp3_l205403038_text (last updated Mar. 19, 2012).

185 Laney Zhang, China: NPC Decision on Network Information Protection, LIBRARY OF CONG., http://www.loc.gov/lawweb/servlet/lloc_news?disp3_l205403445_text (last updated Jan. 4, 2013).

186 Telecommunication and Internet Personal User Data Protection Regulations, CHINA COPYRIGHT AND MEDIA (July 16, 2013), http://chinacopyrightandmedia.wordpress.com/2013/07/16/telecommunications-and-internet-user-individual-information-protection-regulations/ (English translation) (last visited January 11, 2014).

187 Criminal Law of China, pt. I, ch. IV, arts. 245 & 252 (1997), available at http://www.procedurallaw.cn/english/law/200807/t20080724_40992.html (English translation).

188 INDIA CONST. art. 21.

189 Rajagopal v. State of T.N. (1994) 6 S.C.C. 632, 649 (India).

190 PUCL v. Union of India, A.I.R. 2003 S.C. 2363 (India).

191 Shashank Shekhar Mishra v. Ajay Gupta (2011) 184 DLT 675 (Del.).

192 Information Technology Amendment Act of 2008, Act No. 10 of 2009, available at http://deity.gov.in/sites/upload_files/dit/files/downloads/itact2000/it_amendment_act2008.pdf (India).

193 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, MINISTRY OF COMMC’N AND INFO. TECH., available at http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf (India).

194 Id. at §§ 3–8.

195 Id. at §§ 5, 7.

196 Id. at § 6.

197 Press Release, Press Information Bureau, Government of India, Clarification on Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 Under Section 43A of the Information Technology Act, 2000 (Aug. 24, 2011), available at http://pib.nic.in/newsite/erelease.aspx?relid=74990.

198 Ajit Prakash Shah, Report of the Group of Experts on Privacy, GOV. OF INDIA PLANNING COMM. (Oct. 16, 2012), available at http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf.

199 For the text of the report, see FTC, SELF-REGULATION AND PRIVACY ONLINE: A REPORT TO CONGRESS (1999), available at http://www.ftc.gov/news-events/press-releases/1999/07/self-regulation-and-privacy-online-ftc-report-congress (last visited Jan. 11, 2014).

200 Working Party on the Protection of Individuals with Regard to the Processing of Personal Data, Opinion 7/99 on the Level of Data Protection Provided by the “Safe Harbor” Principles as Published together with the Frequently Asked Questions (FAQs) and other Related Documents on 15 and 16 November 1999 by the US Department of Commerce, 5146/99/EN/final at 3 (Dec. 3, 1999), available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/1999/wp27en.pdf.

201 Commission Decision of 26 July 2000 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequacy of the Protection Provided by the Safe Harbour Privacy Principles and Related Frequently Asked Questions Issued by the US Department of Commerce, 2000/520/EC, art. 1(1), 2000 O.J. (L 215) 7, 8, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2000D0520:20000825:en:PDF [hereinafter Adequacy Decision].

202 Id. at art. 3, 2000 O.J. (L215) 7, 10.

203 Id. at art. 3(1)(a), 2000 O.J. (L215) 7, 10.

204 Id. at art. 3(1)(b), 2000 O.J. (L215) 7, 10.

205 See Issuance of Safe Harbor Principles and Transmission to European Commission, 65 Fed. Reg. 45,666 (July 24, 2000) [hereinafter Safe Harbor].

206 Only “U.S. organizations” may qualify for inclusion in the Safe Harbor; however, what constitutes a “U.S. organization” is not defined. Safe Harbor, 65 Fed. Reg. at 45,666–67.

207 Safe Harbor, 65 Fed. Reg. at 45,667.

208 Id.

209 Id. at 45,667–68.

210 Id. at 45,667.

211 Id.

212 This is equivalent to the Data Protection Directive’s “special categories of data,” see Data Protection Directive, 95/46/EC, art. 8(1), 1995 O.J. (L281) 31, 40.

213 Safe Harbor, 65 Fed. Reg. at 45,668.

214 Id. Each FAQ is found in this section.

215 Id. at 45,669–70.

216 See Safe Harbor Workbook, U.S. DEP’T OF COMMERCE, available at http://export.gov/safeharbor/eg_main_018238.asp (last updated July 1, 2013).

217 Safe Harbor, 65 Fed. Reg. at 45,670.

218 See id. at 45,670–72.

219 “Confidential commercial information” is defined as “information which an organization has taken steps to protect from disclosure, where disclosure would help a competitor in the market.” Id. at 45,671.

220 Id.

221 Id. at 45,672.

222 Id. All references to the ninth and tenth FAQs are found in the Safe Harbor.

223 Id. at 45,673.

224 Id.

225 Id. at 45,674.

226 Id. at 45,674–75.

227 Id. at 45,674.

228 Id. at 45,667.

229 See Safe Harbor Workbook, U.S. DEP’T OF COMMERCE, http://export.gov/safeharbor/eg_main_018238.asp (last visited Oct. 15, 2013) (identifying types of businesses not subject to FTC or DOT authority).

230 Aviation and Transportation Security Act, Pub. L. No. 107–71, 115 Stat. 597 (2001) (codified as amended in scattered sections of Title 5, 26, 31, and 49 U.S.C.).

231 19 C.F.R. § 122.49(b) (2011).

232 European Parliament Resolution on Transfer of Personal Data by Airlines to the US Immigration Service, 2003 O.J. (C 61), 381 (2003), available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2004:061E:0381:0384:EN:PDF.

233 Commission Decision of 14 May 2004 on the Adequate Protection of Personal Data Contained in the Passenger Name Record of Air Passengers Transferred to the United States Bureau of Customs and Border Protection, 2004/535/EC, 2004 O.J. (L235) 11, ¶¶ 15, 31, 46, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2004:235:0011:0022:EN:PDF.

234 Joined Cases C-317/04 and C-318/04, European Parliament v. Council of the European Union and Comm’n of the European Communities, 2006 ECJ CELEX LEXIS 239 (May 30, 2006).

235 Agreement between the European Union and the United States of America on the Processing and Transfer of Passenger Name Record (PNR) Data by Air Carriers to the United States Department of Homeland Security (DHS) (2007 PNR Agreement), 2007 O.J. (L204) 18.

236 European Parliament Resolution on the Passenger Name Records (PNR) Agreement with the United States of America, Bulletin EU 7/8–2007, §§ 1.10.17-18, 1.20.22-23 (2007), available at http://www.eulib.com/documents/bulletin200707en.pdf.

237 Press Release, Council of the European Union, Council Adopts New EU-US Agreement on Passenger Name Records (PNR) (Apr. 26, 2012), available at http://consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/jha/129806.pdf.

238 In this example, the U.S./E.U. Safe Harbor is not implicated because the SEC rather than the FTC would regulate the customer’s transaction and thus be outside the Safe Harbor’s scope.

239 It bears mention that even in that instance the strategy is not completely safe. As discussed in Chapter 4, Part II.B. concerning the Data Protection Directive and the Safe Harbor, each E.U. Member State has enacted its own variant of the Directive and compliance with the bare terms of the Directive without Safe Harbor certification or being subject to PIPEDA (or equivalent legislation approved by the E.U. Commission) will be insufficient.