Post on 08-May-2018
transcript
Presenters
• Moderator: Nuala O'Connor Kelly, CIPP, CIPP/G, Senior Counsel, Information Governance & Chief Privacy Leader, General Electric
• Moderator: Christopher Wolf, Co-Chair Privacy and Data Security Practice Group, Hogan Lovells US LLP
• Ann Cavoukian, Ph.D., Information and Privacy Commissioner of Ontario
www.hoganlovells.com 2
• Ken Anderson, Assistant Commissioner of Privacy, Information and Privacy Commissioner/Ontario
• Julie Brill, Commissioner, Federal Trade Commission
• Jacqueline Peschard, President Commissioner, Federal Institute of Access to Information and Data Protection (IFAI), Mexico
Introduction to Privacy Law in North America
• All three NAFTA jurisdictions share a commitment to the protection of personal information, but there are differences in legal protections.
– Can businesses adopt uniform policies and procedures to satisfy the various legal requirements?
• What modifications are necessary by jurisdiction?
– How do the conflicting laws affect cross-border transfers?
– What can be expected in the way of cross-border enforcement cooperation?
Mexico’s New Law
• Technological developments have surpassed geopolitical boundaries and agreements.
• NAFTA ruled on trade flows, yet information travels without a visa.
Main background
• After NAFTA, Mexico addressed FOIA and data protection.
• In this framework the Federal Institute for Access to Public Governmental Information (now known as the Federal Institute for Access to Information and Data Protection, IFAI) was created with five commissioners (2003).
• IFAI is the authority for FOIA and data protection
Advantages of the Mexican model
• The new law and its regulatory framework allow international data transfers.
• A free and speedy procedure for individuals to exercise their rights (access, rectification, cancellation and opposition).
Economic Advantages of the model
• The model places Mexico in a competitive context as it aligns us with the international system, mainly with the OECD, European Union and APEC (focusing on the accountability principle).
• Legal certainty for trans-border economic trade, encouraging investment flows.
• Consequently, a rise in the creation of employment.
High cost vs. low cost?
• It does not require the registration of databases.
• Consent is based on the opt-out model, except for sensitive data.
• Security measures according to innovative criteria.
Security within Privacy
• Our main objective: prevent unauthorized access to personal information
Security within Privacy
• Our strategy: define risk levels based on:
– type of data and
– number of individuals
Risk based approach
[Figure: risk model diagram. Axes: Relation / connection (0 to ∞) and Private / Public. Risk types: Intentional Risk, Accidental Risk, Opportunistic Risk. Threat: External / Internal; Impact. Properties: Confidentiality, Integrity, Availability; controls: Filtering, Redundancy.]
• Minimum security controls based on risk level of information
– Efficient
– Effective
– Proportionate
– 80% of businesses will only need to complete a self-evaluation form
– 90% of Minimum Security Controls should already be in place in most industries
• Repurposing controls
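As an added illustration of the risk-based approach described on this slide (example code written for this page, not IFAI's model or anything from the presentation), the Python below derives a risk level from the type of data and the number of individuals, selects a minimum control baseline that grows with the level, and runs a self-evaluation that reports which baseline controls are already in place. The tier thresholds, the control names, and the rule that only the top level needs more than a self-evaluation form are all constructed assumptions.

```python
"""Risk tiering from (type of data, number of individuals) with a minimum
control baseline per level. Added example; every threshold, category and
control name below is a constructed assumption, not taken from the deck."""
from dataclasses import dataclass, field

# Constructed data categories (assumption). "sensitive" mirrors the deck's
# distinction of sensitive data, which gets the strictest treatment.
CATEGORY_WEIGHT = {"identification": 1, "financial": 2, "sensitive": 3}

# Constructed scale bands by number of individuals (assumption).
SCALE_BANDS = [(1_000, 1), (100_000, 2), (float("inf"), 3)]

# Constructed minimum control baseline per level (assumption); a level
# inherits every control of the levels below it.
BASELINE = {
    1: {"access_control", "backup", "privacy_notice"},
    2: {"logging", "encryption_at_rest", "vendor_contracts"},
    3: {"incident_response_plan", "encryption_in_transit", "periodic_audit"},
}


@dataclass
class Processing:
    """One processing activity as a controller would describe it on a form."""
    name: str
    categories: set            # subset of CATEGORY_WEIGHT keys
    individuals: int
    controls_in_place: set = field(default_factory=set)


def scale_band(individuals: int) -> int:
    """Map a head count to a scale band 1..3 using the constructed bands."""
    for limit, band in SCALE_BANDS:
        if individuals <= limit:
            return band
    return 3


def risk_level(p: Processing) -> int:
    """Level 1..3: the higher of data sensitivity and scale, so a small
    database of sensitive data is still treated as high risk."""
    data_weight = max(CATEGORY_WEIGHT[c] for c in p.categories)
    return max(data_weight, scale_band(p.individuals))


def required_controls(level: int) -> set:
    """Cumulative baseline: everything required at this level and below."""
    out = set()
    for lvl in range(1, level + 1):
        out |= BASELINE[lvl]
    return out


def needs_only_self_evaluation(level: int) -> bool:
    """Assumption for this example: levels 1 and 2 are handled by a
    self-evaluation form; level 3 needs a fuller review."""
    return level < 3


def self_evaluation(p: Processing) -> dict:
    """Compare the controls already in place against the baseline and
    report the gap, which is where 'repurposing controls' starts."""
    level = risk_level(p)
    required = required_controls(level)
    missing = required - p.controls_in_place
    coverage = 1 - len(missing) / len(required)
    return {
        "name": p.name,
        "level": level,
        "self_evaluation_only": needs_only_self_evaluation(level),
        "missing": sorted(missing),
        "coverage": round(coverage, 2),
    }


# Constructed sample processing activities (assumption).
SAMPLE = [
    Processing("newsletter", {"identification"}, 500,
               {"access_control", "backup", "privacy_notice"}),
    Processing("billing", {"identification", "financial"}, 50_000,
               {"access_control", "backup"}),
    Processing("clinic intake", {"identification", "sensitive"}, 200,
               {"access_control", "backup", "privacy_notice", "logging"}),
]


def evaluate_all(items=SAMPLE) -> dict:
    """Run the self-evaluation over every activity, keyed by name."""
    return {p.name: self_evaluation(p) for p in items}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(name, result)
```

The `max()` in `risk_level` is the design point: tiering by either dimension alone would let a small but highly sensitive database fall into the lowest level, which is exactly what a "type of data and number of individuals" model is meant to prevent.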
Self-regulation
• The model allows self-regulatory mechanisms such as privacy seals, codes of conduct and so on.
• It does not provide for authorization of data transfers; hence it encourages data flow with our main trade partners (USA & Canada).
• It improves the image of the companies.
What are we looking for?
• The aforementioned will place Mexico in the international trend to reach new levels of integration that will allow the free flow of trade, goods, people and resources while protecting personal data.
Timeline for Compliance and Enforcement
• July 6th 2010 → the Law entered into effect.
• By July 2011 → The Executive Branch will issue the secondary regulation.
Timeline for Compliance and Enforcement
By July 2011
• Private parties will appoint a person or department for data protection (depending on their size) to answer any requests for access, rectification, cancellation or opposition/objection regarding personal data.
• Private parties must issue privacy notices and policies according to the requirements stated in the Law (secondary framework and guidelines).
Timeline for Compliance and Enforcement
By February 2012
• Any person can start a tutelage procedure before the IFAI.
• Every person may exercise their right of access, rectification, cancellation or objection according to Chapter IV of the Law.
Sanctions and fines
• Fines → taking into consideration the economic capacity of the controller, technology, type of data and so on.
• Private parties may file a petition for annulment against decisions issued by the Institute with the Federal Tax and Administrative Court.
Encouraging a cultural shift and dialogue
• Promoting a cultural shift towards data protection through education.
• Preventive perspective → fines are considered the last resort.
• Underline the importance of compliance with the Law and its regulatory framework.
Where are we now?
• A joint effort with the Ministry of the Economy and IFAI → The creation of a secondary regulatory framework.
• This will help legal compliance.
• The Mexican government will issue the secondary regulation in July of this year.
Where are we now?
• At the same time, IFAI works on the creation of privacy notice models in accordance with international standards.
• It also works towards privacy policy publication in accordance with better practices.
• IFAI is undergoing a restructuring.
What do we want?
• The main purpose of the Law and the secondary regulation is the harmonization with international standards and with our commercial partners to encourage trade while guaranteeing the protection of data.
• Therefore, Mexico welcomes privacy oriented businesses.
33rd International Conference
• IFAI will host the 33rd International Conference of Data Protection and Privacy Commissioners.
• 1-4 November in Mexico City.
• With the need to harmonize the legal frameworks and practices, the subject of this year's Conference is precisely harmonization, a global approach to make privacy effective.
Canadian Approach to Privacy
• PIPEDA
– Nationwide coverage
– Broad principles
– Satisfies EU “adequate protection” requirement
• Provincial Laws and Commissioners
– Roles of National and Provincial Commissioners are complementary
• Cross-border transfers
Adoption of “Privacy by Design Resolution”
Landmark Resolution Passed to Preserve the Future of Privacy
By Anna Ohlden – October 29th 2010 - http://www.science20.com/newswire/landmark_resolution_passed_preserve_future_privacy
JERUSALEM, October 29, 2010 – A landmark resolution by Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, was approved by international Data Protection and Privacy Commissioners in Jerusalem today at their annual conference. The resolution recognizes Commissioner Cavoukian's concept of Privacy by Design - which ensures that privacy is embedded into new technologies and business practices, right from the outset - as an essential component of fundamental privacy protection.
Full Article: http://www.science20.com/newswire/landmark_resolution_passed_preserve_future_privacy
U.S. Approach to Regulation and Prospects for New Privacy Paradigm
• FTC Act: Section 5 Deceptive and Unfair practices in commerce
• State Consumer Protection laws (“Mini-FTC Acts”)
– State Security Breach Notification laws
• Telemarketers: Do Not Call Rule
• Electronic communications: CAN-SPAM Act
• Financial Institutions: Gramm-Leach-Bliley Act
• Credit information: Fair Credit Reporting Act
• Health information: HIPAA and FTC’s Health Breach Notification rule
• Children’s online information: Children’s Online Privacy Protection Act
US Regulators Involved
• FTC
• CFPB
• "Prudential" regulators (OCC, Fed, FDIC, NCUA) for depository institutions with assets $10 B and under, and FTC for other entities, for Safeguards, Red Flags and Disposal rules
• HHS
• State Attorneys General
Whether Global Harmonization on Protection of Personal Privacy is Likely or Possible
• The corporate CPO perspective
Hogan Lovells has offices in:
Abu Dhabi, Alicante, Amsterdam, Baltimore, Beijing, Berlin, Boulder, Brussels, Budapest*, Caracas, Colorado Springs, Denver, Dubai, Dusseldorf, Frankfurt, Hamburg, Hanoi, Ho Chi Minh City, Hong Kong, Houston, Jeddah*, London, Los Angeles, Madrid, Miami, Milan, Moscow, Munich, New York, Northern Virginia, Paris, Philadelphia, Prague, Riyadh*, Rome, San Francisco, Shanghai, Silicon Valley, Singapore, Tokyo, Ulaanbaatar*, Warsaw, Washington DC, Zagreb*
"Hogan Lovells" or the "firm" refers to the international legal practice comprising Hogan Lovells International LLP, Hogan Lovells US LLP, Hogan Lovells Worldwide Group (a Swiss Verein), and their affiliated businesses, each of which is a separate legal entity. Hogan Lovells International LLP is a limited liability partnership registered in England and Wales with registered number OC323639. Registered office and principal place of business: Atlantic House, Holborn Viaduct, London EC1A 2FG. Hogan Lovells US LLP is a limited liability partnership registered in the District of Columbia.
The word "partner" is used to refer to a member of Hogan Lovells International LLP or a partner of Hogan Lovells US LLP, or an employee or consultant with equivalent standing and qualifications, and to a partner, member, employee or consultant in any of their affiliated businesses who has equivalent standing. Rankings and quotes from legal directories and other sources may refer to the former firms of Hogan & Hartson LLP and Lovells LLP. Where case studies are included, results achieved do not guarantee similar outcomes for other clients. New York State Notice: Attorney Advertising.
© Hogan Lovells 2011. All rights reserved.
* Associated offices