What You Need To Know About Data Privacy
Virginia L. Gibson, David Bender and Jon F. Doyle
White & Case LLP
Summary
This session will focus on: (i) the scope of the EU Directive on data privacy; (ii) the member countries and the local restrictions; (iii) the enforcement of the local data privacy restrictions; (iv) the U.S. safe harbor alternatives; and (v) the general practice of similar companies in complying with the EU Directive on data privacy and the local restrictions.
Biographies
Virginia L. Gibson – White & Case LLP
Ms. Gibson is a partner in the Palo Alto and San Francisco offices of White & Case LLP. She received her B.A. from the University of California at Berkeley in 1972 and her J.D. from the University of California, Hastings College of the Law in 1977. Ms. Gibson’s practice features the representation of clients in global and U.S. employment law, personal data privacy and workplace privacy matters. Through these practice areas, Ms. Gibson has advised numerous employers on the nuances of local laws concerning privacy matters and on drafting document, personal information and workplace privacy policies.
Ms. Gibson’s other areas of practice include the representation of clients in: (i) global equity programs; (ii) cross-border financial services such as investment management, brokerage and banking; (iii) transactional representation involving stock compensation, executive compensation and employee benefit issues arising in acquisitions and mergers, loans, reorganizations, and other business transactions; (iv) plan design and implementation; and (v) investment product development.
Ms. Gibson has served as a member of the Executive Committee of the Tax Section of the California State Bar Association and as President of the San Francisco Chapter of the Western Pension & Benefits Conference. She is a frequent writer and lecturer for the National Association of Stock Plan Professionals, the National Center for Employee Ownership, the State Association of County Retirement Systems, the California State Bar Association, the California Bankers Association, the Northern California Trust Association, the San Francisco Bar Association and the Western Pension & Benefits Conference.
Biographies, continued
David Bender – White & Case LLP
Mr. Bender is a partner in the New York office of White & Case LLP specializing in the areas of intellectual property and information technology. Mr. Bender has extensive experience in contracting, litigation and counseling. He negotiates and drafts all types of agreements relating to internet, computer software and hardware matters. He also litigates computer-related disputes and directs intellectual property due diligence investigations. A registered U.S. patent attorney, Mr. Bender has represented a variety of corporations in the area of computer software and services. Over the past 15 years, he has drafted and supervised some 200 computer software and service agreements of all types and degrees of complexity for such clients as Avis Rent-A-Car, Aramco, Bankers Trust, Deutsche Bank, The Markle Foundation, NYNEX, NTT and Swiss Bank, as well as many small software firms and banks.
Mr. Bender is the author of Computer Law: Software Protection and Litigation and of a number of law review articles on topics relating to computer, intellectual property and antitrust law. He has been a guest speaker at more than 150 seminars in the United States and in a dozen other countries. He is also the president of the Computer Law Association.
Mr. Bender is admitted to practice in the District of Columbia Bar, the New York State Bar and the United States Courts of Appeals for the Second, Third, Fourth, Fifth, Ninth and Federal Circuits. Mr. Bender received his B.S. from Brown University, his J.D. from the University of Pennsylvania, and his LL.M., in Patent Law, and S.J.D., in Computer Law, from George Washington University.
Jon F. Doyle – White & Case LLP
Jon F. Doyle is an attorney in the Palo Alto and San Francisco offices of White & Case LLP and a member of the global equity compensation and financial services group. Mr. Doyle has advised multi-national companies and financial institutions on the tax, securities, foreign exchange, labor, data privacy and e-commerce issues encountered in each country where the relevant company offers stock option, stock purchase, restricted stock, phantom stock, stock appreciation right, cash bonus, venture capital and directed share plans to its employees, directors and consultants.
Mr. Doyle has also represented clients in the following areas: (i) cross-border financial services such as investment management, brokerage and banking; (ii) transactional representation involving stock compensation, executive compensation and employee benefit issues arising in acquisitions and mergers, loans, reorganizations, and other business transactions; (iii) plan design and implementation; (iv) investment product development; (v) data privacy compliance; (vi) cross-border labor and employment matters; and (vii) cross-border entity formation.
Prior to receiving his law degree, Mr. Doyle worked as a Certified Public Accountant for Ernst & Young in Chicago. Mr. Doyle received an LL.M. in taxation from the University of Florida College of Law in 1995, a J.D. in 1993 from the University of Iowa College of Law, and a B.B.A. in accounting in 1990 from the University of Iowa. He is a member of the California Bar, the District of Columbia Bar Association, the Florida Bar, the State Bar of Georgia, the National Association of Stock Plan Professionals and the Western Pension & Benefits Conference.
Outline of Presentation
Data Protection in the United States
Statutes
Self-regulation
Employer’s monitoring rights in the US
EU Directive
National data privacy laws
Data Transfer from the EU
Compliance alternatives
The Blunt Truth?
“You have zero privacy anyway. Get over it.”
Scott McNealy, Chief Executive Officer, Sun Microsystems, January 25, 1999
Hysteria?
“... there’s a new hysteria on ... privacy. People are beating the drum, [although] the average person has far more privacy today than a century ago .... This hysteria is misplaced.”
Thomas Leary, Commissioner, Federal Trade Commission, June 5, 2001
Two Different Approaches
Europe: EU Data Protection Directive implemented by detailed national legislation in each Member State
US: Relatively little legislation, with self-regulation and enforcement of deceptive practices legislation for failing to comply with an announced privacy policy
Summary of US Data Protection Law
Three sources of US Data Protection “Law”:
Specific statutes (examples: GLB, HIPAA, COPPA)
The Federal Trade Commission (FTC Act, FTC “Guidelines”)
EU Privacy Directive transfer restrictions
The Statutory Landscape
Most US companies favor “self-regulation”
There are no generally applicable statutes
Existing statutes adopt a piecemeal, sector-specific approach
Statutes exist at both federal and state levels
Most sectors lack specific regulation
Specific Statutes
Fair Credit Reporting Act
Gramm-Leach-Bliley Act of 1999
Children’s Online Privacy Protection Act of 1998 (“COPPA”)
Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
Video Privacy Protection Act of 1988
The Federal Trade Commission
“... unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” 15 USC Sec. 45(a)(1)
“The [FTC] is hereby empowered and directed to prevent persons ... from using ... unfair or deceptive acts or practices in or affecting commerce.” Id. at Sec. 45(a)(2)
Statute permits action by FTC (but not private party)
Statutory remedy: Cease and desist order (but no damages, and no order to post privacy policy)
Activities of the FTC
Three Data Protection reports to Congress (June 1998, July 1999, May 2000)
May 2000 report to Congress identified four “core” principles:
Notice
Choice
Access
Security
FTC Recommendation
1998 and 1999 Reports recommended self-regulation
The 2000 Report recommended legislation
Legislation should be general and technologically neutral
Invites continued self-regulation programs and seal programs
But FTC did an about-face in 2001
Gramm-Leach-Bliley Act
Applies to institutions providing “financial services” (broadly defined):
Banks
Insurance companies
Investment houses
But also may apply to:
Retailer issuing its own credit cards
Personal property or real estate appraiser
Auto dealer that leases for more than 90 days
GLB Act Applicability (continued)
Career counselor who advises employees or ex-employees of a financial organization
Business that prints and sells checks for consumers
Entity that provides real estate settlement services
Tax return preparation service
Not Impacted by G-L-B
Data that is not consumer data
Data that is not personally identifying data
Transfers of data among affiliates
But:
Fair Credit Reporting Act governs transfers between affiliates
Proposed legislation would subject affiliates to G-L-B Act
G-L-B Act Requirements
Before disclosure to a non-affiliate, must inform the consumer of the proposed disclosure, that the consumer may prohibit it, and how to do so
Exceptions: consumer consented; necessary to effect a transaction the consumer authorized; to protect against fraud; to resolve customer disputes; in connection with a transfer of the business
No pre-emption of stricter State laws
G-L-B Act Principles
Two principles: notice and opt-out
Consumer must have a reasonable period in which to opt out
But consumer cannot opt out of sharing with affiliates or with processors
Financial institution may not disclose account numbers to non-affiliates
Observation and Question
Under present US law, unless (i) your website is directed to children, (ii) you deal with a sector where privacy is regulated, or (iii) you need to process data from the EU, then all you need do to avoid privacy liability is keep your mouth shut (i.e., don’t announce a policy).
Why, then, are so many companies that don’t fall into (i), (ii) or (iii) announcing policies?
Self-Regulation
In the absence of statutes governing them (and to forestall new legislation that would govern them), companies are promoting self-regulation.
There are various ways to do this, including use of industry associations and seal organizations.
Online Privacy Alliance
Cross-industry coalition of over 100 global companies, created in 1998
Sponsors include: AOL, AT&T, Cisco, Compaq, IBM, Lexis, Microsoft, Yahoo
Goal: promote online privacy
A leading voice of the private sector regarding online privacy policy
Online Privacy Alliance Guidelines
Members’ privacy policy must conform to the five precepts of the Guidelines:
Adoption/implementation of a privacy policy
Notice and disclosure
Choice/consent
Data security
Data quality and access
Enforcement Framework
Needed to assure compliance
Verification and monitoring
Consumer complaint resolution
Education and outreach
Support for third party enforcement programs that award symbols (“seals”)
Seal Programs
Independent organizations created for this purpose
Examples: BBBOnline, TRUSTe, and CPA WebTrust
Purpose: to enhance consumer confidence in e-commerce - “Good Housekeeping” analogy
Seal organization works with online client to develop a privacy policy and statement to reflect information collection–dissemination–choice–access–security practices.
Seal Programs (continued)
Client agrees to adhere to this statement, and its website carries the seal symbol (click to verify) with a link to the client’s privacy statement.
Annual fee in the range of $100 – $10,000 based on the client’s size.
Seal organization may offer an ADR facility.
Some seal organizations offer a special mark for children’s websites.
Seal Programs (continued)
Seal organization engages in passive and active monitoring.
Seal organization receives and investigates consumer complaints.
If the seal organization believes a site has violated its statement, its agent investigates.
If noncompliant, the seal organization advises and assists.
Seal Programs (continued)
In the event of continued noncompliance, the seal is withdrawn.
In certain situations, the seal organization may report the client to the FTC.
Seal organization may display on its website information regarding complaints filed against its clients.
Perception of Seal Programs
By industry: quite valuable. Why?
Because it may help avoid further governmental regulation
Because e-commerce will not thrive absent a high degree of consumer confidence
By consumers: a much higher degree of confidence
Some Practical Suggestions
1. The website owner should bind the user to the Terms of Use.
By simply posting the Terms of Use, the owner may be bound. But the user may not be bound.
Post the Terms of Use conspicuously, in non-legalese, and not intermingled with other matters.
Require the user to agree by clicking on a button (no click, no use).
Properly drafted Terms that are properly portrayed on the site and agreed to (“clickwraps”) are enforceable.
Suggestions
2. Avoid making overly broad statements in the privacy policy. Examples:
Instead of “Your data will not be disclosed without your consent,” why not try “Unless required by law, we won’t authorize disclosure of your data without your consent.”
Instead of “The data you give us is entirely secure,” how about “We use security techniques standard in our industry to safeguard your data.”
Suggestions
3. If your website contains hyperlinks to other sites, note conspicuously in your privacy statement that your privacy policy does not apply to websites to which the user transfers through those hyperlinks. Your statement should advise the user that, for a statement as to the privacy policy of each such site, the user must consult that site’s privacy statement.
Suggestions
4. In the posted Terms of Use governing the website, include an arbitration clause.
Most consumer privacy victims will have minimal damages.
Significant consumer privacy judgments will generally occur only in class actions.
A properly drafted arbitration clause in the Terms of Use will likely avert a class action.
Conclusion
1. US privacy law is presently a collection of sector-specific statutes, backed up by an FTC right to order a cessation of deceptive statements.
2. General privacy legislation may or may not be on the horizon. If so, its form is presently indistinct.
3. It has become commercially expedient for a website to state a privacy policy.
4. By carefully framing the site’s privacy policy, and Terms of Use, liability may be limited.
Non-Privacy Problems Arising from Employee Use of E-Mails/Internet
Legal Problems:
Defamation
Copyright infringement
Harassment
Ownership disputes as to software and content created using employer equipment and services
Commercial Problems:
Network slowdown
Inattention to work
Employer Monitoring of Employee Use of E-Mail/Internet
The Question: To what extent may an employer lawfully monitor employee use of e-mail or the Internet?
The Answer: It depends.
The critical issue: Did the employee have an “expectation of privacy”?
Electronic Communications Privacy Act (1986)
General prohibition of unauthorized interception, access, or disclosure of e-communications
Applies to private parties, government and police
Distinguishes between access to transmission (covered) and access to storage (not covered)
Does not prohibit employer access to stored data
Other factors: state privacy laws, union and employee agreements
Importance of a Privacy Policy
A properly drafted privacy policy, appropriately communicated to employees, can negate an expectation of privacy.
It should be in writing.
If you will monitor employee use, state the extent to which you will do so in the policy.
Educate employees about the policy, and periodically remind them.
Privacy Policy (continued)
Post a notice at employee log-in and require acknowledgement: “E-mail [Internet messages] transmitted through this system is not private. [State nature of permitted use.]”
Describe e-mail retention practice.
Indicate how employer may use e-mails accessed.
EU Directive
Countries within the EU are required to adopt national data privacy legislation.
The Directive does not take precedence over existing national labor, tax and personnel laws.
Companies must be aware that some EU countries have data privacy requirements which exceed the requirements of the Directive.
“Personal Data”
Personal Data is any data that identifies a natural person (as opposed to an entity).
Examples of “personal data” for employment matters:
name
address
salary
date of birth
marital status
length of service
status changes (e.g., disability, leave of absence, retirement, termination)
tax ID#
Impact of Data Privacy Laws on HR
Recruitment, screening, assessment of candidates
Access control to buildings and computers
Payroll
Performance reviews
Benefits (e.g., stock option, stock purchase, retirement, bonus, etc.)
Disciplinary actions
Company directories
Personal Data May Be Processed:
With the unambiguous consent of the employee
As part of an employee contract
Due to an employer’s legal obligation
In order to protect the vital interests of the employee
To perform a task carried out in the public interest or in the exercise of official authority
If the “legitimate interests” of the employer or a third party are an issue
Data Protection Principles
To process and use data, it must be relevant and have a specific purpose.
The data can be held no longer than necessary.
The data should be correct and kept up to date.
Employees must be notified as to the purpose of the data processing, and the identities of the data controller (e.g., employer) and any third-party recipients.
Appropriate security measures should be taken to protect the data.
Employees need access to the data, the ability to correct errors and the right to object to some types of processing.
Special Categories
Processing of “special categories” is prohibited unless the employee explicitly consents or it is necessary to carry out certain obligations or “legitimate activities”:
Ethnic origin
Labor union membership
Religious or other beliefs
Physical or mental health
Criminal convictions
Sex life
Political opinions or affiliations
Transfer of Personal Data
The transfer of data within the EU is unrestricted.
Member states must prevent data transfers to countries lacking “adequate” privacy protections.
There is no clear standard of what constitutes “adequate” protection.
Data transfers are permissible despite inadequate protection if:
Unambiguous consent of the employee
Necessary for performance of a contract between employer and employee
Legally required on important public interest grounds or in defense of legal claims
To protect vital interests of the employee
Information is already available to the public
Pitfalls
U.S. companies and their EU subsidiaries may face:
Disruption of data flows
Fines
Criminal actions
Suspension of business operations in EU member states
Private lawsuits
Negative publicity
National Data Privacy Laws
EU Directive intended to establish minimum privacy standards
National laws vary from country to country
Consent required to process or transfer data
Registration with local privacy authorities
France
Written consent required for collection, processing and transfer of data
Declare data to the Commission Nationale de l’Informatique et des Libertés (“CNIL”) prior to collection and processing
Transfer agreement must be filed with CNIL
Germany
Personal data must not be stored, used or transmitted without the employee’s consent
Use of personal data permissible if within the scope of, or directly connected with, the employment relationship
Conservative approach is to obtain written consent
Automated databases must be registered
Italy
Notification of the Garante per la Protezione dei Dati Personali (“Garante”) required before the processing and transfer of data.
Employees must be informed of the processing and transfer of personal data.
The Netherlands
Notification required unless data is covered by the Exemption Regulation
Exemption Regulation applicable to certain employee information and to data “necessary to calculate allowance and other payment and remuneration in-kind”.
Data covered by the Exemption Regulation cannot be stored longer than two years after termination of employment.
Employee consent required for transfer of data to the US
United Kingdom
No notification required if data is processed for purposes of “staff administration”
Employee consent required for transfer of data to the US
Compliance Alternatives
Safe harbor
Standard contractual clauses
Employee consent
“Safe Harbor” Agreement
Enables U.S.-based employers to comply with the EU Directive
Enables the EU to certify that participating U.S. companies meet the EU requirements for adequate privacy protection
“Safe Harbor” Principles
Notice
Choice
Onward transfer
Security
Data integrity
Access
Enforcement
For “Safe Harbor” Protection, the Employer Must:
Subject itself to the jurisdiction of the Federal Trade Commission (“FTC”)
Revise or create a privacy policy in compliance with the safe harbor principles
Publicly disclose its privacy policy
Unambiguously and publicly disclose its commitment to comply with the safe harbor principles
Self-Certification to Department of Commerce
Self-certification by sending a letter to the U.S. Department of Commerce, signed by a corporate officer, containing the specifics of the company’s compliance with the safe harbor principles
Participation in safe harbor is voluntary
U.S. Department of Commerce maintains a list at www.export.gov/safeharbor/ of companies that agree to subscribe to the safe harbor principles
Standard Contractual Clauses
Alternative to safe harbor
Compliance with requirements similar to those of the EU Directive
Joint & several liability for sender & recipient
Subject to jurisdiction of EU member states
Employee Consent
Consent to data processing
Consent to data transfer
Getting Started
Review/develop privacy policies and practices
Designate a chief privacy officer
Review compliance in specific countries