Date posted: 27-Mar-2015
EU Privacy Directive
What is a directive?
• A piece of European legislation, passed by bureaucrats, addressed to member states
• Member states must ensure that directives are implemented in their legal systems
The EU Privacy Directive
• Passed in 1995
• Operative 10/24/98
• Does not allow transfer of data outside the EU to countries that lack adequate personal data privacy safeguards
Applies to “Data Controllers”
• If you operate a website that collects any personal information, then you are a data controller
• This includes “cookies”
• Visible collection of data from online users gives rise to argument that user has given consent
Seven Guiding Principles
• Notice – users should know data is being collected
• Purpose – data should be used only for stated purpose
• Consent – no disclosure without subject’s consent
• Security – data should be kept secure from abuses
• Disclosure – subjects should know who is collecting data
• Access – review and correction of data
• Accountability – collectors of data should be accountable
The Safe Harbor
• Benefits
– All 27 EU member states are bound
– Deemed adequate by EU and data flows will continue
– Requirements for prior approval waived
– Claims brought by EU citizens generally heard in the U.S.
How To Join
• Must certify compliance annually with Dep’t of Commerce
• Must state compliance in privacy policy
• Can join a self-regulatory privacy program
• Develop own self-regulatory privacy program
What do Safe Harbor Principles Require?
• Notice
– Must notify individuals as to why data is being collected
– Must notify about disclosures to third parties
– Must describe choices for limiting use and disclosure
– Must provide contact information for complaints
Choice and Onward Transfer
• Must give individuals a chance to opt out
• For “sensitive” information, must require users to opt in
• On transfer, written agreements with third parties are permitted so long as they certify to compliance
Access and Security
• Individuals must be able to access personal info
• Must be able to correct or delete personal info
• Organizations required to take reasonable measures to protect data
• Must be procedures and contacts to fix any problems stemming from noncompliance
• Dispute resolution programs (TRUSTe or BBBOnline)
Impact
• Relatively few U.S. companies have signed up for the safe harbor
– Although many companies are coming close to it in any event
• EU not enforcing that much – if at all
• Companies that do comply have large European presence and large data collection activities or are in eye of European regulators for other reasons
• Sort of like the Venus de Milo – Often discussed, much admired, but rarely embraced
• All of this could change very fast