International Privacy Law

To continue my prior post on the Article 29 Working Party’s Opinion 6/2014, it is important to take a closer look at the specifics of the notion of a Controller’s “Legitimate Interests”

Unlike all the other criteria for lawful processing, Article 7(f) is the only one which specifically articulates the idea that commercial interests should have weight in the calculus of “fair and lawful” processing. In each of the other criteria, if the criteria is met, the grounds for processing are considered a priori legitimate. In Article 7(f), each purpose for processing will need to have the balancing test engaged. This is going to require a bit more analysis than the other criteria. However, because of the fact that this analysis is internal to the business, it may well be less onerous than other options would be (e.g. having the DPA opine as to the legitimacy of the processing).
Continue Reading Legitimate Interests – Alternative to Notice & Choice?

When talking about EU privacy law many businesses bemoan the lack of a “commercially reasonable” basis for collecting and using personal information. Europe is usually seen as a consumer-protective regime which focuses on prohibiting business from doing anything with data unless the consumer has affirmatively agreed to the processing before the processing begins (e.g. the “cookie directive”). However, the Article 29 Working Party (“WP”) has just released an Opinion which signals a change in the winds. The rarely used “legitimate interest of the data controller” basis for processing now has a new importance in the realm of fair and legal criteria for processing personal information.
Continue Reading On Balance – the Legitimate Interest of a Controller

A recurring criticism of Australian privacy law has been that the Privacy Act 1988 (Cth) (the Act) lacked any real bite – the enforcement powers of the privacy watchdog, the Information Commissioner, were limited. However, recent amendments to the Act, which introduced a new set of privacy principles, have increased the Commissioner’s enforcement powers. Employers should familiarise themselves with the changes in order to ensure they are compliant with the new regime.

Background

On 12 March 2014, significant amendments to the Act came into operation. The changes affect all private sector organisations and government agencies covered by the Act, which will include most Australian employers except for “small businesses” with less than $3 million in annual turnover.

In brief, the Act deals with how organisations are to manage “personal information”. The scheme of the Act works by subjecting organisations that it covers to a series of “privacy principles” that govern how personal information is to be collected, stored, handled and used.
Continue Reading Changes to privacy law: does the “toothless tiger” finally have some bite?

In recognition of the need for the world’s two largest economic blocks to coordinate data protection efforts, The Article 29 Working Party of the EU released a “Referential” to map the EU requirements for Binding Corporate Rules (“BCRs”) and the APEC Cross Border Privacy Rules System (“CBPRs”). This Referential is a tool for the two systems to determine common ground. Ultimately, it will be used by the EU in the process of determining what level of cross-recognition may exist between BCRs and CBPRs, in terms of the “adequacy” necessary to move data between the EU and Asia.
Continue Reading EU and Asian Privacy Models – Work Toward Interoperability

The Institute of Access to Information and Data Protection (“IFAI”) has made it known that it is going to be aggressive in enforcing the Mexican data protection law. While some commentators warn about the willingness to “show its teeth”, the basic question is still how to avoid being bitten.

Considering the allowable penalties can be in excess of US$1 Million, it is worthwhile to understand how one can effectively work with the law.
Continue Reading Mexican Privacy Enforcement – Options for Compliance

And now we come to the real sticking point. It actually isn’t specific to the Safe Harbor Framework. Access to data by law enforcement and intelligence assets is outside the Safe Harbor Framework. This is also the case in the EU. The proposed General Data Protection Regulation does NOT include law enforcement and intelligence activities. In some ways, this section of the “13 Recommendations” is the least connected to the Framework, as it really focuses on a country’s rights to manage its own national security and law enforcement activities. Unfortunately, this will be where the most difficulty will be in implementation – mostly because it is not directly part of the Framework, but a policy stance on national security, which has never been a part of the basis for the need Safe Harbor fulfills.
Continue Reading Access By US Authorities – The REAL Reason Safe Harbor is at Risk

The next set of recommendations seeks to improve how the individual can directly seek resolution to a potential violation of their privacy rights.

5.         The privacy policies on companies websites should include a link to the alternative dispute resolution (ADR) provider and/or EU panel.

Many companies who participate in the safe harbor framework already comply

The first set of recommendations in the Commission’s memo addresses a series of perceived deficiencies in how a Safe Harbor participating company makes its privacy practices available to the public at large.

1.         Self-certified companies should publicly disclose their privacy policies.

This is a foundational requirement for any Trustmark providing certification services around the US-EU

Much has been written recently regarding the European commission’s latest report on the sufficiency of the US – EU safe harbor agreement. For the most part, the commentary seems to be focused on the impending doomof the Safe Harbor Framework. While there are a number of references to the “13 recommendations” to “save” safe harbor, further investigation into what those recommendations will actually require is limited. Consequently, the difficulty of implementing these “13 recommendations” really hasn’t been evaluated. While the lucky “13” may seem to be a lot, the more important question is: “how hard will it be to implement these recommendations?”
Continue Reading US-EU Safe Harbor Agreement at Risk? The Sky Isn’t Falling Yet Chicken Little