New European Standard Contractual Clauses for data processors
By Lothar Determann

In February 2010, the European Commission approved new Standard Contractual Clauses for the transfer of personal data to processors outside the European Economic Area (New Processor Clauses). At the same time, the commission repealed its 2001 decision approving a predecessor version of such clauses (Old Processor Clauses) effective May 15, 2010. As a result, multinational organizations will consider updating their group-internal and external contracts relating to data processing, and service providers can expect requests from their customers to sign updated forms. Companies should start this process immediately given the amount of information that is required by the New Processor Clauses and the fact that new contracts and changes to existing arrangements usually trigger negotiations, such as those relating to risk allocation, pricing, and other commercial terms. This article is intended to provide background, a brief summary of what is new, practical guidance as to when the new clauses are required or

(continued on page 6)

Privacy and security considerations for EHR incentives and “meaningful use”
By Stephen Gantz, CIPP/G

One of the American Recovery and Reinvestment Act of 2009’s (ARRA) (Pub. L. No. 111-5) areas of emphasis is expanding the use of health information technology, both in terms of storing and managing medical records in electronic form and in terms of facilitating the exchange of information contained in such records. The Recovery Act included significant funding to provide incentive payments to healthcare providers to adopt electronic health record (EHR) technology; these incentives require eligible providers not only to acquire and install systems, but also to demonstrate “meaningful use” of electronic health records (§4101). The criteria needed to show meaningful use were defined in a Notice of Proposed Rulemaking released on December 30 and subsequently published in the Federal Register (Proposed Rule, 75 Fed. Reg. 1858 (Jan. 13, 2010)) along with an Interim Final Rule detailing standards, specifications, and certification criteria for EHR systems used by providers (Interim Final Rule, 75 Fed. Reg. 2028 (Jan. 13, 2010)). Following a 60-day comment period (through March 15, 2010), the meaningful use criteria will be finalized as the mechanisms to implement the incentive payment provisions in the Health Information Technology for Economic and Clinical Health (HITECH) Act portion of the Recovery Act. (Comment period notwithstanding, the Interim Final Rule became effective on February 12, 2010.) The rules are organized according to a set of five policy priorities specified by the Health IT Policy

(continued on page 3)

This Month
Notes from the Executive Director ...... 2
Risks associated with creating a new information asset ...... 10
Privacy Classifieds ...... 12
10 in 2010 ...... 13
Surveilled ...... 14
What’s a former commissioner to do? ...... 16
Global Privacy Dispatches ...... 18
Calendar of Events ...... 22
THE PRIVACY ADVISOR

Editor: Kirk J. Nahra, CIPP, Wiley Rein [email protected], +202.719.7335
Publications Director: Tracey [email protected], +207.351.1500

The Privacy Advisor (ISSN: 1532-1509) is published by the International Association of Privacy Professionals and distributed only to IAPP members.
Copyright 2010 by the International Association of Privacy Professionals. All rights reserved. Facsimile reproduction, including photocopy or xerographic reproduction, is strictly prohibited under copyright laws.
Notes From the Executive Director

Gathering no moss

As I write, we are busy with final preparations for the IAPP Canada Privacy Symposium in Toronto. Soon after, we’ll head to Silicon Valley and then Berlin, Brussels and Paris for this year’s European delegate tour. A year that started off with a bang continues to gain momentum. By the end of 2010, we’ll have hosted more events and programs than in any other year in our decade-long history.

This is a reflection of the increased need for information and education in our field and we will continue building our member offerings to satisfy it. This summer we will take a big step in this direction by bringing the Privacy Advisor online. Starting in July, the newsletter will move to a digital format. This change comes in response to the requests of many of you who have, in recent years, expressed an interest in receiving the monthly newsletter electronically. In our 2009 member survey, 70 percent of you stated your preference for a digital newsletter. The online edition will continue to deliver the elements you are accustomed to—expert-written feature articles, news items, and the popular Global Privacy Dispatches—and will be available to members only on our Web site.

Importantly, moving the Privacy Advisor online allows us to invest more in content generation, thereby putting more information resources in your hands through the e-newsletter and the new Knowledge Center on our Web site. In the coming months you will notice more articles, reports, news stories, and other knowledge resources such as whitepapers, original research, and news analysis as a result of this.

We are excited to bring these changes to you.

J. Trevor Hughes, CIPP
Executive Director, IAPP
2 www.privacyassociation.org
May • 2010
170 Cider Hill Road, York, ME 03909. Phone: +800.266.6501 or +207.351.1500. Fax: +207.351.1501. Email: [email protected]

The Privacy Advisor is the official newsletter of the International Association of Privacy Professionals. All active association members automatically receive a subscription to The Privacy Advisor as a membership benefit. For details about joining IAPP, please use the above contact information.
Meaningful Use (continued from page 1)

Committee, one of two advisory bodies (the other is the Health IT Standards Committee) created through provisions in the Recovery Act. These priorities are:
1. Improving quality, safety, efficiency and reducing health disparities
2. To engage patients and families in their healthcare
3. To improve care coordination
4. Improving population and public health
5. Ensure adequate privacy and security protections for personal health information
This article focuses on the criteria associated with the fifth policy priority, which addresses security and privacy protections for personal health information and, in particular, on the lack of privacy-specific requirements in the meaningful use rules. For 2011, there is a single meaningful use measure for privacy and security: “Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary.” The part of the federal code cited is part of the statutory requirements associated with the Health Insurance Portability and Accountability Act of 1996 (HIPAA); more familiarly, the requirement for HIPAA-covered entities to conduct regular risk analyses is one of the administrative safeguards addressed in the HIPAA Security Rule. The reference to HIPAA requirements is intentional—by aligning certification criteria to existing HIPAA requirements, the intent is to try to help the eligible professionals and eligible hospitals that are the focus of the meaningful use rules to improve their privacy and security practices in general.
For HIPAA-covered entities seeking to qualify for health IT incentives, the fact that the privacy and security measure is already an obligation under HIPAA should in theory make it easy to satisfy; the HIPAA Security Rule has been in force since April 2003 and the deadline for entities to fully comply with the rule elapsed in April 2006. Despite this requirement, however, not all healthcare organizations comply; the results of a 2009 security survey of 196 senior-level healthcare professionals conducted by the Healthcare Information Management and Systems Society (HIMSS) found that only 74 percent of these organizations actually perform risk analyses, and of those just over half (55 percent) do so with at least annual frequency. This suggests that as many as 40 percent of healthcare organizations do not conduct risk analyses on a regular basis (and perhaps a quarter do not conduct them at all), and further suggests that similar proportions of healthcare organizations do not appear prepared to satisfy the privacy and security measure for meaningful use.
Privacy and meaningful use
Despite the inclusion of the word privacy in the fifth policy priority, as the meaningful use measures and certification criteria currently stand, there are no specific privacy requirements that must be met in order to demonstrate meaningful use. However, the healthcare providers, professionals, and organizations eligible to seek incentive funding to which the meaningful use determination applies are, without exception, HIPAA-covered entities, so there is an assumption that these entities’ obligations under the HIPAA Privacy Rule serve to make a separate meaningful use privacy requirement redundant.
The Privacy and Security Policy workgroup of the Health IT Policy Committee has proposed, within its comments and recommendations on the meaningful use rules, that an explicit requirement should be added obligating eligible entities to demonstrate compliance with HIPAA Security and Privacy Rules as a stage one objective for 2011. The rationale behind this recommendation is less about strengthening privacy provisions in the rules and more about making sure an entity cannot be considered to have met meaningful use requirements if it has been found liable or fined for a HIPAA violation. A somewhat broader recommendation is noted in the Notice of Proposed Rulemaking (Proposed Rule, 75 Fed. Reg. 1858 (Jan. 13, 2010)) to include language requiring compliance with both the HIPAA Privacy and Security Rules and the fair data sharing practices in the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, released by the Office of the National Coordinator (ONC) in December 2008. However, HHS determined that meaningful use is not the appropriate regulatory tool to ensure such compliance, choosing to omit compliance as a formal requirement as requested by the Health IT Policy Committee, while acknowledging that the use of certified EHR technology should support compliance. There are no specific meaningful use measures associated with this compliance, in part because covered entities are already obligated to comply whether or not they seek EHR incentives, and also because the assessment of meaningful use or use of certified EHR technology is not by itself indicative of compliance with HIPAA privacy or security requirements.
At the end of the day, at least for 2011, this means the meaningful use rules will not impose any additional privacy requirements on HIPAA-covered entities or business associates beyond what is already required under HIPAA as strengthened by the HITECH Act. However, organizations that are not currently fully compliant with those requirements may put themselves at risk of being found ineligible for EHR incentives, particularly if they have been the subject of any complaints or claims of violations.
Notably absent from meaningful use rules—as stressed by privacy advocates such as the Coalition for Patient Privacy—are criteria to ensure that individuals (patients) can control the use or disclosure of the information in their electronic health records. Closely related to this is the ability for EHR systems and the providers that use them to capture, manage, and respect consumer preferences about information disclosure, but this functionality is also not among the criteria published in the interim final rule. Statutory language already exists (42 CFR Part 2, Subpart C) specifying practices for health record information disclosure with consent, as well as prohibiting re-disclosure absent such consent, but these rules only apply to records concerning alcohol and drug abuse, not healthcare in general. The ONC has been working on consumer preferences since at least 2008 and has produced a Consumer Preferences Draft Requirements Document that is likely to serve as a key input should ONC move to add consumer preferences criteria to any of the meaningful use stages.
Impacts and implications
For healthcare providers or organizations interested in qualifying for EHR incentives in order to acquire, implement, and adopt EHR systems and related health information technologies, the meaningful use criteria will likely have both external and internal impacts.
The externally facing implications are the constraints that the EHR certification criteria and technical standards will put on the selection and acquisition of health IT solutions, and also in terms of environment configuration, technical architecture, and systems integration. From an internal organizational perspective, it is imperative for healthcare providers to ensure that their information security and privacy practices include regular risk analyses.
Although the meaningful use standards do not come into effect until late 2011, healthcare providers and other HIPAA-covered entities and business associates who expect to participate in the movement towards electronic health records have several reasons to act now to take appropriate steps to be able to demonstrate compliance with meaningful use requirements. First among these are the financial incentives tied to meaningful use, qualification factors for which will be added and strengthened in two additional phases in 2013 and 2015. The subsequent eligibility criteria are intended to be additive, so organizations that fall behind or are unable to demonstrate meaningful use against the first phase criteria for 2011 may find themselves in an ongoing struggle to catch up as new and more robust requirements come into effect. Second, many of the requirements and obligations in the HIPAA Privacy and Security Rules were made tougher under the provisions of the HITECH Act and those provisions generally apply directly to business associates just as they do to covered entities. These stricter rules are already in effect, but the HHS Office for Civil Rights (OCR) has suggested the requirements will not yet be enforced—as much or more due to OCR’s lack of readiness to begin enforcement and still pending audit standards to be applied than to covered entities’ or business associates’ lack of readiness to comply. This gives organizations a temporary opportunity to close any gaps in their conformance before they will be formally held accountable. Third, many of the privacy and security practices healthcare organizations should be following under HIPAA and HITECH to demonstrate meaningful use of EHR technology are the same as those needed to comply with non-health-specific legal requirements such as those in Massachusetts’ new Standards for the Protection of Personal Information (201 CMR 17), which went into effect on March 1. Even for organizations without any Massachusetts residents among their patients or customers, the requirements in the Massachusetts law are likely to be replicated in other state-level laws, raising the probability that a given organization will find itself subject to one or more of these state laws, even if no federal-level legislation is enacted.
For organizations that do not already routinely conduct risk analyses, or who do so but are concerned that their processes may not be sufficiently robust to pass muster under meaningful use, the Health IT Policy Committee is considering recommendations from its own Privacy and Security Policy Workgroup and multiple outside commenters that healthcare professionals and hospitals be given explicit guidance on performing risk analyses. The most likely source for such guidance is existing documentation from the National Institute of Standards and Technology (NIST) and the Centers for Medicare and Medicaid Services (CMS) related to complying with the HIPAA Security Rule, where the required risk analysis is codified. Both the NIST Special Publication 800-66, “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule,” and CMS’ Security Rule Education Paper on “Basics of Risk Analysis and Risk Management” direct organizations to a standard security risk assessment process, documented in detail in NIST Special Publication 800-30, “Risk Management Guide for Information Technology Systems.”
For those preferring to seek guidance outside the U.S. federal standards, the ISO/IEC 27000 series of international standards covers risk assessment and risk management for information systems, particularly in ISO/IEC 27005 (Information security risk management) and the risk assessment section of ISO/IEC 27002 (Code of practice for information security management). Those seeking to follow any of this guidance on risk management or performing risk analyses should be aware that substantially all of the guidance is written in a way that focuses on risk assessments of individual information systems, not on organizations overall. This limitation is important because the risk analysis requirement under the HIPAA Security Rule is not limited to systems used by covered entities, so it is reasonable to assume that despite the emphasis of the meaningful use rules on EHR systems, the scope for a risk analysis conducted to satisfy the meaningful use measure should address all potential risks to health information the organization has, not just the data associated with an EHR system. Organizations looking for more enterprise-level perspectives on assessing and managing risk can find relevant guidance in ISO 31000 (Risk management—Principles and guidelines), and within major IT governance frameworks such as ISACA’s Risk IT Framework based on COBIT® or the risk management section of the Information Technology Infrastructure Library (ITIL®).
Looking at risk analysis from a privacy perspective, organizations have few options in terms of official guidance for privacy risk assessments or even auditing compliance with the HIPAA Privacy Rule. While not health-specific, the American Institute of Certified Public Accountants (AICPA) developed and maintains a set of “generally accepted privacy principles” (GAPP), most recently updated in April 2009, which addresses risk assessment among many other criteria. AICPA also produced a spreadsheet-based Privacy Risk Assessment Tool that addresses 66 criteria across the 10 principles in the GAPP.
While some healthcare organizations may respond with a sense of relief that the meaningful use rules do not contain more specific requirements about privacy, it seems highly unlikely that this will remain the case for future stages in 2013 and 2015. These organizations should instead look to the absence of new requirements as an opportunity to either validate existing privacy protections and practices, or to augment or establish appropriate security controls and privacy practices before organizations become subject to audit or are otherwise held accountable for them.
Stephen Gantz, CISSP-ISSAP, CEH, CGEIT, CIPP/G, is an associate professor in information assurance at University of Maryland University College and directs security and privacy services for the Health Solutions division of Vangent, Inc. He can be reached at [email protected] or through his Web site, www.securityarchitecture.com.
New Processor Clauses (continued from page 1)

recommended, as well as considerations as to the pros and cons and alternatives to adopting the New Processor Clauses.
I. BACKGROUND AND CONTEXT
1. Data subjects, controllers, and processors
The EC Data Protection Directive and the various national implementation laws and regulations distinguish between data subjects (i.e., the individuals to whom personal data relates), data controllers (i.e., companies and other entities that determine the purposes and means of data processing) and data processors (i.e., companies and entities that process personal data on behalf of others, namely the data controllers). The terms “personal data” and “processing” are defined very broadly: Any information relating to an identifiable individual is “personal data” and any collection, use, and transfer—even the redaction and deletion thereof—constitutes “processing.” As a result, many businesses and functions within an organization qualify as “data processor,” including software-as-a-service companies, outsourcing service businesses, payroll providers, and shared services entities within a group of affiliated companies (e.g., a U.S. parent company hosting an e-mail or voice mail server for its global subsidiaries). The exact demarcation lines between data controllers, data processors and neither-entities are still subject to controversy and very little case law and clear guidance is available to date. But it seems relatively clear that a service provider risks becoming a data controller if it contractually reserves or exercises too much control over the purposes or means of data processing, server locations, engagement of sub-processors and other key aspects of data processing arrangements. This typically has adverse effects for provider and customer, as filings, consent, notice, and other compliance requirements can be triggered in controller-controller transfer situations that may not apply in controller-processor scenarios. Also, companies risk becoming data processors by reserving rights or securing technical possibilities to access their customers’ personal data. Therefore, from a data protection law perspective, it is generally in both parties’ interests—customer and service provider alike—to keep the customer in control and minimize the amount of discretion and data access service providers have. In technologically complex situations, service providers can proactively prompt their less tech-savvy customers to give certain pre-formulated instructions or approve proposals by the service provider, but the customer and data controller should retain the right to withhold consent or issue different instructions (which may have to come at a hefty price point in the context of standardized services).
2. Three hurdles
Under national laws implementing the EC Data Protection Directive, companies in the European Economic Area (EEA) that collect and use data for their own purposes (i.e., act as “data controllers”) have to cross three hurdles before they can share personal data with data processors outside the EEA. Firstly, the European data controllers must comply with formal and substantive requirements of local data protection laws, including notifications to data protection authorities and data subjects, appointment of data protection officers, minimization of data collection, usage and retention, data security, and various other data protection law principles. These laws apply regardless of whether the data controller transfers any data within or outside the EEA.
Secondly, the data controller must confirm that the selected data processor provides sufficient data protection guarantees and conclude a contract providing that the processor shall act only on behalf of and pursuant to instructions from the data controller and in compliance with all data security requirements that apply to the data controller; this requirement applies whenever a data controller transfers any data to a data processor, regardless of whether such data processor is established within or outside the EEA.
Thirdly, the European data controller has to ensure an adequate level of data protection if the data processor is established outside the EEA. With the New Processor Clauses, European companies can take this third hurdle, but only this third hurdle. Companies should not lose sight of the fact that they have to address the first two hurdles separately, and if they fail to do so, any subsequent data processing activities will be illegal even if the New Processor Clauses are signed.
3. (Limited) effect of commission decision
The EC decision is addressed to the Member States of the EEA, but individual companies or citizens are not directly bound. Based on the decision, national data protection authorities in the EEA have to accept agreements incorporating the New Processor Clauses as sufficient to take the third of the three hurdles described in Section 2 of this article. And, after May 15, 2010, national authorities no longer have to—but could continue to—accept the Old Processor Clauses. National authorities have to accept that the New Processor Clauses provide adequate safeguards with respect to transfers of personal data to processors outside the EEA. The data protection authorities may still prohibit a particular data transfer under national law if the data controller has failed to take the first or second hurdle.
Also, the decision allows data protection authorities to take action in case of serious concerns regarding a particular data processor or destination jurisdiction. Moreover, the data protection authorities can apply and enforce national laws to the extent EC law does not apply or lacks jurisdiction. And the decision does not prohibit the national data protection authorities from establishing stricter standards for data transfers within the EEA (although this would appear to be hard to justify for the national authorities from a policy and perhaps EC law perspective, given the resulting burden for multinational enterprises that would be prevented from establishing the New Processor Clauses as a standard). Data transfers from controllers to controllers are not covered by the New Processor Clauses but are governed by two other commission decisions approving two sets of standard contractual clauses for data transfers to controllers.
II. NEW AND OLD CLAUSES
1. What is new?
Most notably, the New Processor Clauses expressly mention and restrict data transfers from one processor to another (referred to as “sub-processor”). A processor who wants or needs to transfer data to a sub-processor must:
• obtain written consent from the data controller,
• conclude a data transfer agreement with the sub-processor based on the New Processor Clauses under the laws of the jurisdiction where the data controller is based,
• assume unlimited liability for any actions and inactions of any sub-processor (even those selected by the data controller or another sub-processor) vis-à-vis the data controller and the data subjects, and
• keep a list of sub-processing agreements and make the list and copies of the agreements available to data subjects, the data controller, and the data controller’s data protection supervisory authority.
This change had been proposed by the International Chamber of Commerce and various other pro-business organizations, and its adoption has been praised as an improvement. However, from a practical perspective it seems difficult to perceive a benefit to companies—either to data processors or data controllers—compared to the situation under the Old Processor Clauses: The European Commission already acknowledged in the recitals of its 2001 decision on the Old Processor Clauses that data processors may transfer data “under certain conditions.” The operative text of the Old Processor Clauses did not impose any specific additional conditions; thus, processors were permitted to transfer data to sub-processors so long as all other legal requirements were complied with. The Old Processor Clauses did not dictate any particular content or format for sub-processor agreements, which gave the parties a flexibility that has been eliminated by the New Processor Clauses. For example, under the Old Processor Clauses companies involved in payment processing may have been able
to rely on a combination of bank secrecy laws and industry-standard non-disclosure agreements with respect to intermediary payment processors and clearinghouses to provide for adequate safeguards. Under Clause 11.1 of the New Processor Clauses, however, data controllers and processors now have to sign the New Processor Clauses with each and every member of the data transmission chain. Similar concerns apply in other industries, e.g., telecom providers (who have to send data via cables, routers, switches, and other equipment operated by myriad other service providers) and providers of technologically complex services that rely on subcontractors for some of their functionality.
In the more than four-year-long process of deciding on what ultimately turned out to be very few changes to the Old Processor Clauses, the Article 29 Working Group of national data protection authorities noted that onward data transfers were already permissible under the Old Processor Clauses and that onward transfer agreements could be concluded by imposing similar terms on the subcontractors (without a strict requirement to sign up sub-processors to the Old Processor Clauses). The Article 29 Working Group noted that Clause 11 in the New Processor Clauses affords better protections to data subjects (which, conversely, means more obligations on the data controller and processor relating to data processing).
Another change is that in addition to the cooperation and notification duties already contained in the Old Processor Clauses (which were slightly reinforced here and there), data processors now agree to “abide by the advice of the supervisory authority” in Section 5(e) of the New Processor Clauses. Based on this clause, companies may now find that, through the backdoor of contractual agreements, otherwise non-binding guidance or opinions generally published or specifically provided by data protection authorities can receive legally binding character. This is particularly worrisome as the data protection authorities in some EEA Member States have been quite active in publishing more or less formal opinions and guidance that do not always appear to be supported by existing legislation and rarely receive reality checks in courts, because the data protection authorities enforce their opinions relatively rarely.
On the positive side, the New Processor Clauses clarify that data importers are exempt from liability unless the data exporter goes out of business and no successor-in-interest assumes its liabilities; the arbitration requirement was abolished; and the sample indemnification clause was moved to an Exhibit to clarify its optional character, which was already specified in the Old Processor Clauses.
2. What did not change?
The International Chamber of Commerce and other organizations that had requested changes to the Old Processor Clauses had proposed a number of reasonable changes that would have made life easier for businesses, for example allowing for multi-party agreements under one choice of law (so that multinational organizations can reduce the number of contracts they have to sign and maintain), eliminating bureaucratic requirements in the context of government approvals or notifications (e.g., signature notarization), striking the clause inviting enforcement actions by an “association or other body,” and clarifying that the parties have to provide only exemplary, not exhaustive, descriptions of their security measures and procedures in the appendix to the clauses. However, the European Commission does not have legislative jurisdiction to regulate administrative process details in the EEA Member States, and where it had jurisdiction, it nevertheless opted against most of the changes.
As a result, the New Processor Clauses continue to (with some minor modifications):
• require the data processor to act only on behalf of the data controller,
• require the data processor to comply with data security obligations under the law of the jurisdiction where the data controller is based and grant audit rights to the data controller,
• grant third-party beneficiary rights to data subjects, who can bring lawsuits under local law and in local courts convenient to them,
• impose relatively harsh liability on the data controller (for any actions or omissions by the data processor and its agents) whereas the data processor remains liable only for its own (or its subcontractor’s) breaches, and only if the data controller has gone out of business, and
• require the data processor to notify the data controller and in certain circumstances the data protection authorities about security breaches, changes in legislation, law enforcement actions and certain other events that could have an adverse impact on the data subjects or data controller and that may allow the data controller to terminate the agreement.
III. ALTERNATIVES
1. Safe Harbor
If a service provider in the United States is registered under the EU-U.S. Safe Harbor program, European data controllers do not have to take a third hurdle. As a matter of EC law, national data protection authorities have to accept a Safe Harbor registration as providing adequate safeguards. The EU-U.S. Safe Harbor Principles in turn allow onward data transfers to sub-processors that are in the EEA, are registered under the EU-U.S. Safe Harbor program, or sign a written agreement requiring the sub-processor to provide at least the same level of privacy protection as is required by the relevant Safe Harbor Principles. Under the Safe Harbor Principles, data controllers and processors do not have to use the standard contractual clauses approved by the European Commission, but they are free to draft the language for the onward contracts and have relatively few specific additional requirements or obligations to cope with. Also, the Safe Harbor Principles contain less draconian commercial risk allocation mechanisms. Overall, the Safe Harbor route seems to be preferable for data controllers and processors alike. But only U.S.-based companies that are subject to FTC jurisdiction can register, and in situations where data is transferred from the EEA to processors in countries other than the United States, a Safe Harbor filing is not available. In cases where data is sent from the EEA to the U.S. and other countries, controller and processor should consider whether it is technically and operationally possible to route all data through the United States.
2. Modified, custom-made Old Processor Clauses
Companies are not prohibited from keeping data transfer agreements based on the Old Processor Clauses in place beyond May 15, 2010, or from modifying the New Processor Clauses or from conceiving and implementing entirely different data transfer agreements. Neither the Data Protection Directive, the commission decisions on the standard contractual clauses, nor national data protection laws expressly rule this out. But in EEA Member States where companies have to notify or obtain government approval for international data transfers, or in any EEA Member State in case of an audit or controversy, companies would have to persuade the authorities why and how the modified or alternate clauses are sufficient to provide adequate safeguards. This should be relatively compelling with respect to the Old Processor Clauses because these have been found to be sufficient for nearly 10 years and should not have become insufficient overnight. However, it has been and likely will remain very difficult to persuade authorities to accept modifications or entirely new agreements. In any event, it is time- and resource-consuming to seek approval or justify non-standard approaches. Authorities may accept modifications if they protect the data subjects equally or better than the New Processor Clauses, but companies that are willing to agree to increased protections might as well sign the New Processor Clauses without modifications and include the modifications in an attachment or separate agreement; so long as the additional clauses do not take precedence over the New Processor Clauses, the national data protection authorities would be bound by the commission decision and have to accept the agreement as sufficient.
3. Binding Corporate Rules
Companies cannot rely on Binding Corporate Rules (BCRs) for any data processing arrangements with unaffiliated service providers because BCRs can only legitimize data transfers between entities that subscribe to the same set of terms. For group-internal transfers of human resources data, companies could rely on BCRs, but they would still have to sign group-internal agreements to satisfy the second of the three hurdles described in Section 2 of this article. Despite some recent improvements, most companies shy away from pursuing the BCR route given the costs and delays following from the need to obtain government approval for the BCRs and the fact that the data protection authorities tend to insist on the same types of protections in the BCRs that are contained in the standard contractual clauses.
IV. OUTLOOK AND PRACTICAL RECOMMENDATIONS
It remains to be seen whether, in practice, the stricter requirements in the New Processor Clauses will actually translate into additional liabilities for companies and protections for data subjects, and whether the majority of companies will accept and implement the proposed multilayered structure of bilateral agreements incorporating the New Processor Clauses, or whether companies will try to pursue alternatives or fall further behind on compliance because of a perceived unreasonableness and impossibility of compliance requirements. The author is not aware of any publicized cases in which any of the standard contractual clauses approved by the European Commission or the Safe Harbor Principles have been asserted or enforced by authorities, individuals, or in courts in the nearly 10-year history of their respective existence.
Data processing service providers outside the EEA are or will very soon be confronted with customer requests to sign contracts based on the New Processor Clauses. Smaller providers will likely bow to pressure and sign the forms, whether they like it or not. To prepare for such requests and secure a competitive advantage, providers will try to pass on the New Processor Clauses (and/or Safe Harbor registration requirements, where possible) to their subcontractors, or reduce the number of subcontractors that qualify as “data processors” under the European rules. As a consequence, the New Processor Clauses can be expected to spread “virally” like the Old Processor Clauses and Safe Harbor registrations.
Providers that do not subcontract or that are able to secure their subcontractors’ agreement to the New Processor Clauses should consider preparing standard contracts adopting the New Processor Clauses, ideally along with clauses addressing similar requirements arising under other jurisdictions’ laws, e.g., under the California Civil Code, the Massachusetts regulations, and HIPAA.
Providers that believe they do not qualify as “data processors” because they are too tangentially involved in the processing of personal data or have no access at all can either insist on this position vis-à-vis their customers (and possibly suffer the consequences of lost business or delayed sales cycles where customers prove hard to persuade), or they can accept the clauses conditionally (i.e., based on a contractual agreement that the New Processor Clauses apply only in case the provider qualifies as a data processor).
In the contract terms incorporating the New Processor Clauses by reference, and without derogating from the New Processor Clauses, customers and service providers should consider including details on processes and additional safeguards to protect their respective interests; for example, service providers should insist that customers cannot approve additional subprocessors without the service provider’s consent, given that the service provider will automatically become liable vis-à-vis data subjects for actions and omissions of all sub-
See, New Processor Clauses, page 22
Risks associated with creating a new information asset
By David Morgan, CIPP/C
The creation of new information assets (e.g. databases) offers the potential for greater collaboration, efficient work, new discoveries, and accomplished objectives. These benefits often overshadow the risks arising from a lack of due consideration about resource availability, privacy, business continuity, and organizational reputation.
Before a new information asset is created, it is important to properly evaluate the associated risks. Once these risks have been enumerated and estimated, they can be weighed against the potential benefits. Depending on the outcome of this risk assessment, it might be more appropriate to seek approval to repurpose an existing asset or to identify an alternative activity to achieve the same objective.
This article is intended to offer a starting point from which to evaluate the risks associated with the creation of an information asset. It is not meant to replace other valuable risk-management tools.
Accountability
Information assets must have a clear accountability structure. This structure begins with a person who is responsible for day-to-day activities, and ends with a person who is accountable for the asset. Within this governance structure, there must be designated authority for making decisions about who can have access, what constitutes an acceptable use, what information the asset will contain, and when it will be destroyed. It is also important for the accountable person to know about other information assets that could be linked to the new asset, including public databases and other information assets held by the accountable person or custodian.
Questions for consideration:
• Has a sufficient governance structure been established for the information asset?
• Do the stakeholders support the governance structure?
Hosting and maintenance
Consideration should also be given to who will host and maintain the information asset. Hosting and maintenance can be done either internally or externally. Each option has its pros and cons; however, this choice will affect many other risks associated with the creation of the asset.
Questions for consideration:
• Can sufficient resources be allocated to host and maintain the information asset internally?
• Is it less expensive or more convenient to have it hosted externally?
• Are there considerations that rule out one of the hosting options?
• Are there organization policies that place restrictions on hosting information assets externally?
• If it is hosted externally, have the roles of the custodian and the information manager been agreed upon in writing?
• Does this agreement specify who is the custodian of the asset and the information contained within?
• What provisions must be found in a contract for external hosting?
Protection
Every information asset contains useful information that reveals facts about something; as such, it should be protected accordingly. Sufficient resources must be allocated to ensure protection, whether the asset is hosted internally or externally.
Questions for consideration:
• What physical, administrative, and technical safeguards will need to be placed on the information asset?
• Have sufficient resources been allocated to protect the asset?
• How will access be restricted to those who are authorized?
• Will authorized individuals need to complete confidentiality agreements?
• What protocol must be followed if there is a security breach?
• If the asset is hosted externally, how do you ensure that any claims made about information protection are being met?
Copying
Information assets are copied with alarming frequency. Every copy made increases the likelihood of information theft or loss, or inappropriate use or disclosure.
Questions for consideration:
• Can the number of copies of the information asset be controlled?
• Can a protocol be established to regulate when a copy can be made?
• Can copies be protected to the same extent as the original?
Backups
To ensure business continuity, information assets need to be backed up. If the loss of the asset has the potential to cause harm to an individual or group of individuals, backup procedures should be established and sufficient time, personnel, and storage resources should be allotted. In addition, since the backup is a copy of the asset, it will also require sufficient protection.
Questions for consideration:
• Has a backup strategy been established for the information asset?
• Does it allocate sufficient time, personnel, and storage resources?
• Can sufficient measures be taken to protect the backup from theft, loss, or destruction?
Accuracy and updates
Some information assets are meant to represent a moment in time: once the information is added, it never changes. Other information assets are intended to be dynamic—their utility depends on regular updates. Compared to static information assets, dynamic assets require significantly more effort to ensure that the information is up to date and accurate. Conclusions drawn from inaccurate information are incorrect and, in some cases, harmful.
Questions for consideration:
• Can the amount of work required to maintain the accuracy of the information in a dynamic information asset be forecasted and budgeted?
• What possible damage could be done by drawing incorrect conclusions from inaccurate information?
Linkages
By itself, the content of an information asset may present little threat to individual privacy or corporate confidentiality; however, when the information is linked with information from other sources, some of which might be publicly available, the level of threat can increase substantially.
Questions for consideration:
• Has the information asset been examined to enumerate potential data linkages and the associated risks?
• Can suitable mechanisms be established to prevent or reduce the number of linkages?
Inappropriate, unintended, and unforeseen uses
Information assets are valued differently by different people. Even after all the possible uses of an asset have been considered, there may be others that arise, not all of which may be appropriate.
Questions for consideration:
• Has sufficient consideration been given to the possible uses for the information asset?
• Can inappropriate uses be controlled?
Disclosures
Once an information asset is created, others will want to have access to its contents. Before information can be shared, it is important to understand what regulations and policies provide authority to disclose information; as well, it is important to understand what agreements might limit the ability to disclose certain information. In some cases, regulations and policies might compel certain information to be disclosed to authorities or reporting organizations.
Questions for consideration:
• Are the regulations and policies authorizing disclosure well-understood?
• Is individual consent required before information is disclosed?
• What conditions might need to be placed on disclosures?
• Is the party receiving the information allowed to disclose it to someone else?
• Has a process been established to respond to, vet, and audit requests to disclose information?
• Does the process allocate sufficient time and personnel resources?
• What agreements might govern the ability to disclose certain information?
• Are the original sources of information known?
• What regulations and policies might compel disclosure?
• If the asset is hosted externally, can it be accessed to facilitate disclosure?
Transparency
Depending on the nature of the information asset and the custodian’s policies around transparency, a profile may need to be made public or disclosed to a regulating body. Some individuals or groups may not understand why the information asset has been created, or they might disagree with the reasoning, possibly causing damage to the custodian’s reputation. Moreover, if the asset is dynamic, this profile may need to be updated on a regular basis.
Questions for consideration:
• Does the information asset require the creation and maintenance of a profile? If so, who will do this?
• Might individuals or groups disagree with the creation or proposed uses of the asset?
Individual access
With very few exceptions, individuals have the right to see the information held about them whenever that information is available in an identifiable or re-identifiable format. Procedures must be established to allow an individual to receive a copy of this information upon request.
Questions for consideration:
• Has a process been established to respond to access requests?
• Does the process allocate sufficient time and personnel resources?
• Are the regulations and response timelines pertaining to access requests well-understood?
• Can sufficient measures be taken to confirm the identity of individuals who request access?
• Is it necessary to record when someone accesses an individual’s information and/or when the information is disclosed?
Bankruptcy, insolvency, or closure
In the event of bankruptcy, insolvency, or closure, a custodian may want or need to sell or transfer its information assets. In some cases, selling or transferring information assets might be prohibited, while in others it may be required. The level of risk associated with closure will depend on the nature of the information asset and who is in possession of it; if the asset is hosted externally or on infrastructure owned by another organization, contractual arrangements may be necessary to ensure that it is safely returned and to prevent it from being sold.
Questions for consideration:
• Can appropriate mechanisms be established with respect to the information asset in order to ensure privacy, security, and business continuity in the event that the owner or hosting organization closes?
Destruction
There may come a time when the information asset is no longer needed or permitted; at that time, the asset should be destroyed. Unfortunately, information destruction is complex: assets are regularly copied and backed up, and information may have been extracted to share with others.
Questions for consideration:
• Can the information asset be destroyed when it reaches the end of its life?
• Will all copies, backups, and extracts of the asset need to be destroyed as well?
The author acknowledges Brian Foran and Lucy McDonald for their contributions to this article. Brian Foran is a privacy specialist with Canada Health Infoway. Lucy McDonald is a privacy consultant.
David Morgan is the privacy officer-secondary uses at the Newfoundland and Labrador Centre for Health Information, where he provides privacy guidance on provincial Electronic Health Record initiatives. He also oversees the organization’s program on secondary use of health information for research and policy development. David has a PhD in computing science from the University of Alberta and holds Certified Information Privacy Professional designations from the International Association of Privacy Professionals. He serves on the IAPP Publications Advisory Board and a number of provincial and national health information privacy committees. Find David on LinkedIn at: http://ca.linkedin.com/in/dmorgan-linkedin.
Privacy Classifieds
The Privacy Advisor is an excellent resource for privacy professionals researching career opportunities. For more information on a specific position, or to view all the listings, visit the IAPP’s Web site, www.privacyassociation.org.
• SENIOR COUNSEL AND DEPUTY CHIEF PRIVACY OFFICER, Sprint Nextel, Reston, VA
• CORPORATE COUNSEL FOR PRIVACY, T-Mobile, Bellevue, WA
• DIRECTOR, CHIEF PRIVACY OFFICER, Alliance Data, Easton, OH
• EBUSINESS COMPLIANCE AND RISK MANAGER, SunTrust Banks, Inc., Atlanta, GA
• PRIVACY COUNSEL, The Walt Disney Company, Tokyo, Japan
• LEAD ANALYST - INFORMATION GOVERNANCE, General Electric, Van Buren Township, MI
• COUNSEL, EUROPEAN PRIVACY AND REGULATORY AFFAIRS, EU PRIVACY LEADER, General Electric, Brussels
• DIRECTOR, PLATFORM PRIVACY, Yahoo!, Sunnyvale, CA
• CSMB GLOBAL DATA PROTECTION AND PRIVACY, Dell Computers, UK
• PRIVACY MANAGER, Western Union, Victoria, BC
10 in 2010
A chat with Suzanne Rodway, Group Privacy Director, Barclays Bank
In our continuing series to celebrate the IAPP’s tenth anniversary, this month we check in with Suzanne Rodway. As group privacy director for Barclays Bank, Suzanne is responsible for overseeing compliance with privacy, data protection, and freedom of information laws worldwide. Barclays received the HP-IAPP 2009 Privacy Innovation Award in the large organization category for its cross-company approach to privacy. The Privacy Advisor chatted with Suzanne about new privacy challenges and how she’s helping her organization—and others—rise to meet them.
Privacy Advisor: What privacy-related advancements are you working on currently?
Suzanne Rodway: Our main advancement is in relation to the Th!nk Privacy Awareness Consortium, which we are a member of. We have joined with a number of other organizations to collaborate on ways to improve staff awareness of privacy issues. One of the essential elements for improving privacy compliance levels within an organization is engineering cultural change amongst employees. Awareness is a key part of getting that message out to staff. We do not see this as a competitive issue; instead, we see it as a way of improving levels of privacy compliance across organizations, benefiting all of our customers and employees.
The consortium will, through a creative agency, share concepts, awareness materials, and ideas about how to measure the effectiveness of awareness initiatives. One of the first actions of the consortium was to produce a set of generic Th!nk Privacy materials that could be used by any organization, but particularly those smaller and medium-sized organizations with fewer resources.
The consortium approached the Information Commissioner’s Office (the UK privacy regulator) to see if it would include these materials on its Web site for organizations to download and use free of charge. The ICO agreed and the materials are now on the Web site (www.ico.gov.uk/).
We are now focusing on the other ways the consortium can help improve privacy awareness and encourage more people to “Think Privacy.”
Privacy Advisor: What do you see as the next big challenge for privacy professionals in the financial sector?
Suzanne Rodway: I think one of the greatest challenges for the privacy professional in the financial services sector is in relation to balancing privacy principles with implementation of new technology and new business practices. A prime example of this would be the utilization of suppliers who employ cloud computing technology. Many financial institutions must comply with not only data protection laws, but also complex banking secrecy laws, too.
The use of technologies like cloud computing within the current legal framework we have to operate in is very problematic. Similar issues are found with suppliers who utilize a follow-the-sun model, whereby the financial organization's data may be transferred to/accessible from a number of jurisdictions. The current laws relating to international data transfers are not really compatible with such models of free-flowing personal data. Many articles have been written and discussions had about the privacy issues involved in the use of these supplier models, without any clear conclusions. So I think as more suppliers start to utilize the cloud environment this will continue to be an area that lacks clarity and proves challenging for privacy professionals, especially those in the financial services sector.
For more information about the Th!nk Privacy Awareness Consortium, e-mail Suzanne [email protected].
Scenes from the IAPP Global Privacy Summit 2010
Despite certain geological disruptions, more than 1,700 privacy pros attended this year’s Global Privacy Summit in Washington, DC.
Three-minute mixers were a big hit among new and not-so-new members.
This year’s event featured more than 70 breakout sessions covering a variety of topics. In this session, Rebecca Herold of Rebecca Herold & Associates discussed the privacy implications of the smart power grid.
In his keynote address, Dan Ariely said that whoever controls the default controls, controls behavior.
The IAPP mobile bookstore.
Viktor Mayer-Schönberger explained the biological importance of “forgetting” in an age where it’s sometimes hard to do so.
This year’s Global Privacy Summit scholarship recipients at lunch in the exhibit hall with their KPMG mentor.
Privacy Advisor: What would you say are the most significant changes you have witnessed over these past years?
Pamela Jones Harbour: I am gratified that, as I leave the commission, both privacy and data security have become a primary focus of the agency—whether measured by the allocation of resources, the depth and breadth of staff’s expertise, or the amount of enforcement and advocacy in which the commission engages. When I arrived at the commission in August 2003, the Division of Privacy and Identity Protection did not even exist yet; that is difficult to believe, given that DPIP is now so integral to the agency’s consumer protection mission.
In some sense, the commission’s approach to privacy has come full circle. Shortly after I arrived at the commission, then-Chairman Muris challenged head-on the Fair Information Practices. He argued that consumers did not exercise informed choices because the costs of weighing and exercising their choices were too high, compared to any perceived benefits. As such, the FIPs model did not accurately reveal consumer preferences and might actually impede the development of new and beneficial uses of information.
As an alternative, Chairman Muris championed a harm-based screen for privacy-related enforcement by the commission. Under this approach, commission enforcement actions focused primarily on misuses of information leading to actual physical or economic harm to consumers.
But by June 2009, with its Sears settlement, the commission had moved beyond a narrow view of the notice and choice model as well as the conventional economic harm-based approach. The commission’s complaint against Sears alleged that the company failed to adequately disclose the scope of personal information it collected via a downloadable research software application. The commission argued that, despite providing notice in a lengthy license agreement, Sears had not provided notice that was adequate or meaningful. Arguably, there was no obvious economic harm to consumers, since Sears had paid consumers $10 to download the research software. I believe the Sears settlement signaled the beginning of the commission’s shift to a broader interpretation of notice and choice, one that would go beyond the economic-based harm approach. I suggest that practitioners review carefully the lessons of Sears.
On the heels of the Sears settlement, Bureau of Consumer Protection Director David Vladeck launched a series of Privacy Roundtables, which recently concluded. One of the purposes behind the roundtables was to gather public input on current models for protecting consumer privacy. As technology evolves, existing analytical models may not fully capture the wide range of consumer expectations and privacy-related harms—including, for example, reputational harm or a fear of being monitored. As demonstrated by the Sears case, truly informed consent may be difficult to achieve when consumers never really understand how much information they are sharing, or how much of it is being collected and disclosed to third parties.
While the commission’s approach has changed over the years and under different leadership, I want to emphasize that the commission’s ultimate goal of protecting consumers has always remained the same. As markets evolve, data proliferate, and new data uses emerge, the commission constantly reconsiders how to strike the right balance between privacy protection and data-driven innovation.
With respect to data security, I have observed increased attention to these issues, and more enforcement activity, during my term. In recent years, the commission has brought 26 enforcement actions. The commission has been instrumental in raising the public consciousness regarding data security through its public awareness campaigns as well as its enforcement actions, many of which have been pursued in tandem with the 46 states that have enacted some form of data security laws.
PA: What are your plans for the future?
Would you consider pursuing a career
in the data privacy field, for example?
PJH: I absolutely plan to build a lawpractice that reflects my growing expert-ise and strong interest in data privacyissues, as well as other competition andconsumer protection topics. In particu-lar, I hope to further refine my conceptof a consumer-focused nexus betweencompetition and privacy, two areas that Istrongly believe are interrelated. I beganto develop these ideas in my dissentingstatement when, in December 2007, thecommission decided not to challenge
16 www.privacyassociation.org
May • 2010
What’s a former commissioner to do?
Pamela Jones Harbour looks forward and back
Pamela Jones
May • 2010
Pamela Jones Harbour ended her term as a Federal Trade Commissioner on April 6. In the weeks leading up to her departureshe reflected on the changes she has seen during her term, shared some of her plans for the future and discussed how the privacy landscape may look in the years to come. Harbour’s responses to these questions reflect her own views and not necessarily those of the FTC or any other individual commissioner.
112272_advisor_Document 3 5/20/10 7:44 PM Page 16
the Google/DoubleClick merger. As thecommission’s review of that transactionprogressed, I began to appreciate thatdata companies increasingly competeon non-price dimensions, such as priva-cy protections and data security meas-ures. In a forthcoming article in theAntitrust Law Journal, I further developthis concept of privacy competition, aswell as the idea of relevant antitrustmarkets for data (separate and apartfrom markets for services fueled bythose data).
I am also committed to helping businesses incorporate privacy and data security principles into their corporate cultures and everyday ways of doing business. Good privacy makes good business sense, no matter where a firm operates. One challenge that businesses face, however, is a complicated patchwork of regulations wherever they operate around the globe. As a commissioner, I have served as part of the U.S. delegation to the Electronic Commerce Steering Group of the Asia Pacific Economic Cooperation forum (APEC), where we have engaged in important efforts to develop cross-border privacy rules. I hope to expand upon the work I started as a commissioner, by helping clients to navigate the complex and ever-present issues surrounding data transfer across borders.

PA: What experiences, lessons or challenges do you expect to take away from your six-and-a-half years serving as an FTC commissioner?

PJH: One of the biggest challenges facing the commission during my term was to recognize the need for a dynamic, flexible, and technology-neutral regulatory framework that addresses and protects consumer needs. Ideally, such a framework (1) fosters, rather than inhibits, the procompetitive benefits of technological innovation, and (2) can keep pace with exponential changes that accompany the growth and evolution of technology. I plan to be one of many contributors seeking workable solutions, and I look forward to facing these challenges from a new perspective.

Another important lesson I will take with me is that while privacy is personal, it is not local. Cloud computing is a prime example of this concept. Cloud computing promises huge economies of scale, but these efficiencies are unachievable unless data are transferred across borders. The economic benefits of cloud computing are, therefore, in direct tension with the jurisdictional complexities of cross-border data transfers, given that different legal regimes provide varying levels of data protection. Realizing the full benefits of cloud computing, while maintaining rigorous privacy and data protections, will require that companies look internally at their global compliance, while at the same time, governments look externally at how their own regulatory choices may impact global competition and innovation.

PA: What are your most memorable accomplishments?

PJH: International Privacy: I worked relentlessly to develop robust relationships with the commission's data privacy counterparts in North America, Europe, and Asia. I was particularly gratified that I, as a representative of the commission, was included in the highest-level meetings of the International Conference of Data Protection and Privacy Commissioners. While our international colleagues view many issues differently, we all recognize that the dialogue must be increasingly global and that the commission must be part of the conversation.

Nexus of Privacy and Competition: My dissent from the commission's decision not to challenge the Google/DoubleClick merger served as a catalyst for Commission Staff's Behavioral Advertising Principles. My comments and subsequent speeches furthered the recognition that building privacy into products and services creates competitive advantages for businesses, while also protecting consumers. I am hopeful that my commentary will spur the privacy community to consider further the intersection between privacy and competition, and that my remarks also might inform future investigations.

Behavioral Advertising: My concurrence with Commission Staff's report on Self-Regulatory Principles for Online Behavioral Advertising provided an aspirational roadmap for commission and industry initiatives. I have been an outspoken advocate for consumer privacy protections in the wake of increased on and offline consumer data collection and storage.

PA: Looking forward, what do you hope the online privacy landscape will look like six years from now?

PJH: Six years from now, I hope the online privacy landscape in the United States has progressed toward omnibus privacy legislation that not only respects consumer expectations but also furthers convergence toward a cohesive global framework.

I would also like to see companies taking a more holistic approach in their product design and development by implementing default privacy and data security protections.

Ideally, consumers will become more educated about their online interactions—preferably as a result of improved transparency from product and service providers rather than increased levels of well-publicized enforcement actions.

Lastly, I hope to see both leading technology companies and breakthrough innovators using their substantial technological and innovative prowess to provide consumers with better tools to manage their online and cloud computing experiences.
Global Privacy Dispatches

ARGENTINA
By Pablo Palazzi

Argentine judge holds Google and Yahoo liable for posting of third-party content
An Argentine civil judge held Google and Yahoo liable for content posted by third parties to a Web site, rejecting the companies' defenses that they were mere intermediaries, therefore not responsible for the actions of the Web site linking the name of the plaintiff to pornographic and female-escort Web sites without her consent (Rodriguez Maria Belen v. Google Inc, Juzg. N. 95, No. 99613/2006, March 4 2010). The court awarded USD $100,000 in damages.

This new case sets a different standard from one decided last year (Da Cunha v. Google) where a strict liability rule was applied to hold Yahoo and Google liable under a similar fact scenario. This case was appealed to the Civil Court of Appeals and there is no decision yet.

The judge held that the search engines are liable since they had knowledge of the illegality of the content and did not act to remove it expeditiously. The content in question was the picture and name of the plaintiff included in certain adult Web sites without her consent. The lawsuit is based on the right of image protected by a specific statute in Argentina. The judge also ordered the companies to remove the plaintiff's name, image, likeness, and photos in the search engines' indexes.

Pablo A. Palazzi is an attorney in the law firm of Allende & Brea, based in Buenos Aires, Argentina, with an extensive practice in intellectual property and information technology law. He is admitted to practice law in New York and Argentina. He may be reached at [email protected].
GERMANY
By Flemming Moos

Federal Constitutional Court ruling on data retention
The German Federal Constitutional Court (Bundesverfassungsgericht) on March 2, 2010 rejected the legislation requiring the general six-month retention of all electronic communications traffic. The data retention obligations implemented EC Directive 2006/24/EC and entered into force on January 1, 2008. The constitutional complaint was brought to the court by approximately 35,000 citizens (the largest number of plaintiffs ever involved in a German court case), one of the plaintiffs being current Minister of Justice Sabine Leutheusser-Schnarrenberger.

The court found in particular that the data storage was not secure enough and that the purposes of the data usages were not defined clearly enough. The judges considered "such retention an especially grave intrusion" into citizens' privacy. As a consequence, the court ordered immediate deletion of the data already collected. Furthermore, a comprehensive modification of the law is necessary in order to provide stricter conditions for the use and storage of the data. According to the decision, the data should be encoded and there should be "transparent control" of the information usage. Now, the lawmaker will have to revise the data retention provisions in order to comply with the EC directive as well as German constitutional guarantees.

ECJ declares German data protection supervision unlawful

On March 9, 2010 the European Court of Justice ruled that by making the state authorities responsible for monitoring the processing of personal data by non-public bodies subject to state scrutiny, and by thus incorrectly transposing the requirement that those authorities perform their functions "with complete independence," Germany failed to fulfill its obligations under Directive 95/46/EC.
Contrary to the position taken by the Federal Republic of Germany (and also the Attorney General), the concept of "independence" shall imply a decision-making power independent of any direct or indirect external influence on the supervisory authority. The court stated that the guarantee of independence of national supervisory authorities is intended to ensure the effectiveness and reliability of the supervision of compliance with the provisions on protection of individuals with regard to the processing of personal data and must be interpreted in the light of that aim. Therefore, when carrying out their duties, the supervisory authorities must act objectively and impartially. For that purpose, they must remain free from any external influence, including the direct or indirect influence of the state or the Länder, and not of the influence only of the supervised bodies.
Accordingly, Germany will have to revise the supervisory structure in several Länder, inter alia in Hesse, where the supervisory authority is subject to state scrutiny.

Burden of proof re faulty address data

On February 17, 2010, the Regional Court of Duesseldorf issued a judgment on the requirements for proving defects of address data that have been purchased for telephone marketing purposes. The defendant, who had been sued for payment of the purchase price for the data, claimed that the data was faulty because no opt-in consents to telephone marketing activities had been declared by the affected individuals. The court held that this unspecified objection was not enough to prove the defectiveness of the data. It would have had to be demonstrated and proven in detail:
• which data had actually been used by the defendant
• which individuals had actually opposed the usage of the data, and
• in which specific cases eventually a declaration to cease and desist was required from the user of the data.

Flemming Moos is an attorney at DLA Piper in Germany and a certified specialist for information technology law. He chairs the IAPP KnowledgeNet in Hamburg and can be reached at [email protected].
ISRAEL
By Omer Tene

Supreme Court: anonymity is constitutional right
The Israeli Supreme Court settled a longstanding District Court split in March, holding that online anonymity is a constitutional right derived from the right to privacy and free speech.

The court prohibited an Internet service provider from disclosing a user's identity based on his or her IP address. The user was sued as "John Doe" in a libel action based on an IP address obtained from the Web site that published his or her allegedly libelous comments.

The court wrote:

Alongside online platforms which provide user anonymity, the Internet may negate the anonymity of those whose personal data are stored in its massive database. In the past, there was no public access to personal and sensitive data and actions taken within the confines of one's home remained far from the public eye; now the Internet provides direct and indirect access into the very heart and mind of users. The shattering 'illusion of privacy' online, a reality where the sense of user privacy is a myth, raises the disturbing specter of "big brother." This invasion of privacy must be minimized. The shelter of online anonymity must be preserved within reasonable bounds as a basis for online culture. To a great extent, anonymity makes the Internet what it is today; without it there would be no liberty in the virtual world. As the prospect of digital surveillance increases, users' behavior will radically change.

http://elyon1.court.gov.il/files/07/470/044/p10/07044470.p10.pdf (Decision in Hebrew).

Omer Tene is an Israeli legal consultant and an associate professor at the College of Management School of Law. He can be reached at [email protected].
MEXICO
By Lina Ornelas

Mexico passes Federal Data Protection Act
After nine years of intense efforts and constant lobbying, the Federal Data Protection Act has been approved in Mexico. On April 27, 2010, the Senate unanimously approved the Federal Data Protection Act, fulfilling the duty of the Mexican Constitution and international standards on the matter.

In Mexico, the Federal Act on Transparency and Access to Government Public Information (FOIA) recognises the right to personal data protection and establishes the rights and principles of protection that must be observed by all government entities. However, up to this point Mexico did not have a specific legal document on data protection to regulate the private sphere.

Further to the constitutional amendments to articles 16 and 73 that recognized the right to data protection as a fundamental and autonomous right, there was a clear social demand for data protection. Previous amendments pointed out the existence of fundamental principles by which all processing of personal data should be governed.

As a result, data protection in Mexico has undergone several developments in recent years. In 2009, the developments reached relevant success with the main constitutional amendments cited, which relate directly to personal data protection and the privacy regime.
Taking into account the previous data protection initiatives, the Federal Institute of Access to Public Information (IFAI) collaborated with the Congress to create a new and innovative act. The draft of the act was also discussed with representatives of the federal government and with the private sector in order to have a balance between regulators and the regulated entities.
With the Federal Data Protection Act the current Federal Institute of Access to Public Information changes its name to Federal Institute of Access to Information and Data Protection. Therefore, from now on, the institute's jurisdiction will expand to include the protection of personal information of private individuals and entities as well as the access to information right. With this act and the FOIA, the institute becomes the guarantee institution for data protection in both public and private spheres at the federal level in Mexico.

In this sense, the newly born act protects third-generation rights and takes into account the development of the internationally recognized principles of data protection. Furthermore, it explicitly protects sensitive personal data and incorporates elements of the OECD and APEC Privacy Frameworks, as well as establishing a free and speedy procedure to exercise the rights of individuals (access, rectification, cancellation and opposition). It also includes a procedure of tutelage for the rights of the citizens and has the attribution to impose fines (taking into consideration the economic capacity of the controller, technology, type of data and so on).

The Mexican model provides balance between free movement of data for trade whilst protecting information. Hence, the model is flexible and represents an effective tool to increase economic transactions, making Mexico more competitive in the economic community.

Last but not least, with the Federal Data Protection Act and the FOIA, Mexico will continue to engage in international and regional relations on privacy and data protection in order to not only keep pace with the latest recommendations, policies and best practices, but also to cooperate at the multilateral and regional level in the enforcement of data protection laws as a result of cross-border online activities.

Mexico walks the path of democracy, and the enforcement of the right to personal data protection is of the utmost importance. Along with the major improvements in the matter, the institute now has the legal structure to protect personal data.

Lina Ornelas is general director of classified information and data protection at the Federal Institute of Access to Public Information in Mexico. She may be reached at [email protected].

(Read Lina Ornelas's story about the Memorandum of Montevideo in the March 2010 issue of the Privacy Advisor, available on the IAPP Web site).
UNITED KINGDOM
By Eduardo Ustaran

The Privacy Dividend Report

The UK Information Commissioner, Christopher Graham, has launched the Privacy Dividend Report, which provides organizations with a financial case for data protection best practice. The report explains how to put a value on personal information and assess the benefits of protecting privacy. It includes practical tools to help organizations prepare a business case for investing in privacy protection.
In launching the report, Commissioner Graham urged organizations to put a value on personal information and invest in privacy protection. He said "no organization can neglect to protect people's privacy. Not only is it the law, but there is also a hard-headed business imperative."
Criminal case against BT being considered

Following the European Commission's legal proceedings against the UK for failing to take any action over behavioral targeting, the Crown Prosecution Service is working on a potential criminal case against BT over its trials of Phorm's system.

The CPS has reportedly said "we have requested and received technical and expert evidence, some of which we have only recently received, and which is being very carefully considered. We are currently awaiting advice from a senior barrister which we will review before coming to a conclusion. We are giving the matter meticulous attention and will reach a proper and considered decision as soon as it is possible for us to do so."

Parliament Committee issues privacy recommendations

The House of Commons' Culture, Media and Sport Committee has released a report on press standards, privacy, and libel. The report makes recommendations aimed at balancing privacy and freedom of expression, and concludes that a new privacy law is not necessary. However, the committee has recommended the introduction of a requirement that journalists notify the subject of their articles prior to publication. The requirement would not be mandatory, but rather an aggravating factor in assessing damages. The ICO welcomed the report.

Eduardo Ustaran is head of the Privacy and Information Law Group at Field Fisher Waterhouse LLP, based in London. He is a member of the IAPP Education Advisory Board, co-chair of KnowledgeNet London, editor of Data Protection Law & Policy and co-author of E-Privacy and Online Data Protection. He may be reached at [email protected].
Editor: Kirk J. Nahra, CIPP
New Processor Clauses (continued from page 8)

processors. Moreover, the parties should consider including transition and payment obligations in case the data controller issues (costly) instructions to the data processor or terminates the agreement early because the controller does not want to pay for costs caused by its instructions, or because the data controller can no longer transfer data to the jurisdiction where the processor is located, e.g., because of changes in law or law enforcement practices. Also, the parties should address commercial risk allocation as between themselves, e.g., who foots the bill and to what amounts in case one party is sued or sanctioned for violations or breaches by the other party. Further, it might be helpful to establish a procedural roadmap and substantive rules on how to address and cooperate in case of data security breaches, notifications, and compensation of data subjects.

Customers should consider the relative benefits of transferring data based on a Safe Harbor filing by U.S.-based service providers. Conversely, providers should consider a Safe Harbor registration and point out to their customers the relative benefits of relying on the Safe Harbor mechanism for both data controllers and processors.

Companies and business associations should think twice before asking for changes to data protection laws or seeking guidance: As a general trend, the legal and procedural requirements tend to get stricter and more burdensome for businesses in this area. And under the New Processor Clauses, service providers now have to "abide by advice" by the authorities.

Lothar Determann practices data privacy, technology, and international business law at Baker & McKenzie LLP (www.bakernet.com) in San Francisco/Palo Alto, and teaches data privacy, e-commerce, and computer law at University of California, Berkeley School of Law (Boalt Hall) and Freie Universität Berlin.
Calendar of Events

MAY
19-21 EuroPriSe Expert Workshop, Kiel, Germany, www.european-privacy-seal.eu/experts/expert-workshops
20-21 4th Annual DataGuidance European Data Protection Intensive, London, UK, www.dataprivacyeurope.com/
21 Children, Young People and Privacy Conference, Melbourne, Australia
26-28 IAPP Canada Privacy Symposium 2010, Toronto, ON
27-28 Belgian e-Youth Conference, Antwerp, Belgium, www.ua.ac.be

JUNE
10-11 2010 Access and Privacy Conference, Edmonton, AB, sites.google.com/site/accessandprivacy/home
14-15 IAPP Practical Privacy Series, Santa Clara, California, www.privacyassociation.org
21-25 IAPP Delegate Tour Europe, Berlin, Brussels, Paris

SEPTEMBER
22-24 OTA Online Trust & Cybersecurity Forum, Washington DC, otalliance.org/dcforum.html
29-Oct. 1 IAPP Privacy Academy, Baltimore, MD, www.privacyassociation.org/academy
30 IAPP Privacy Dinner, Baltimore, MD, www.privacyassociation.org

OCTOBER
14 Privacy After Hours
27-29 32nd International Conference of Data Protection and Privacy Commissioners, Jerusalem, Israel

NOVEMBER
29-30 IAPP Europe Data Protection Congress, Paris, France

DECEMBER
8-9 IAPP Practical Privacy Series, Washington, DC, www.privacyassociation.org

For certification testing dates go to www.privacyassociation.org. Exams are coming up in New York, Toronto, St. Louis, Chicago, Dallas, Denver, and Columbus.

For upcoming KnowledgeNet dates go to www.privacyassociation.org. KnowledgeNet events are coming up in Seattle, Austin, Paris, New York, and Columbus.