NAFTA Privacy
IAPP Global Privacy Summit 2011
March 10, 2011, 1:45 to 2:45 PM

Presenters
• Moderator: Nuala O'Connor Kelly, CIPP, CIPP/G, Senior Counsel, Information Governance & Chief Privacy Leader, General Electric
• Moderator: Christopher Wolf, Co-Chair, Privacy and Data Security Practice Group, Hogan Lovells US LLP
• Ann Cavoukian, Ph.D., Information and Privacy Commissioner of Ontario
• Ken Anderson, Assistant Commissioner of Privacy, Information and Privacy Commissioner/Ontario
• Julie Brill, Commissioner, Federal Trade Commission
• Jacqueline Peschard, President Commissioner, Federal Institute of Access to Information and Data Protection (IFAI), Mexico

Slide 2: Introduction to Privacy Law in North America
• All three NAFTA jurisdictions share a commitment to the protection of personal information, but there are differences in legal protections.
  – Can businesses adopt uniform policies and procedures to satisfy the various legal requirements?
  – What modifications are necessary by jurisdiction?
  – How do the conflicting laws affect cross-border transfers?
  – What can be expected in the way of cross-border enforcement cooperation?

Slide 3: Mexico's New Law
• Technological developments have surpassed geopolitical boundaries and agreements.
• NAFTA ruled on trade flows, yet information travels without a visa.

Slide 4: Main background
• After NAFTA, Mexico addressed FOIA and data protection.
• In this framework the Federal Institute for Access to Public Governmental Information (now known as the Federal Institute for Access to Information and Data Protection, IFAI) was created with five commissioners (2003).
• IFAI is the authority for FOIA and data protection.

Slide 5: Mexico and the International System

Slide 6: Advantages of the Mexican model
• The new law and its regulatory framework allow international data transfers.
• A free and speedy procedure to exercise the rights of individuals (access, rectification, cancellation and opposition).

Slide 7: Economic Advantages of the model
• The model places Mexico in a competitive context, as it aligns us with the international system, mainly with the OECD, European Union and APEC (focusing on the accountability principle).
• Legal certainty for trans-border economic trade, encouraging investment flows.
• Consequently, a rise in the creation of employment.

Slide 8: High cost vs. low cost?
• It does not require the registry of databases.
• Consent is based on the opt-out model, except for sensitive data.
• Security measures according to innovative criteria.

Slide 9: Security within Privacy
• Our main objective: prevent unauthorized access to personal information.

Slide 10: Security within Privacy
• Our strategy: define risk levels based on:
  – type of data, and
  – number of individuals.

Slide 11: Risk based approach
• Minimum security controls based on risk level of information
  – Efficient
  – Effective
[Diagram: risk matrix. Axis labels: "External Threat Relation / connection" (0 to ∞) and "Impact" (Private, Public, Internal). Risk categories: Intentional Risk, Opportunistic Risk, Accidental Risk. Control objectives: Filtering, Confidentiality, Integrity, Redundancy, Availability.]

Slide 12: Risk based approach (continued)
• Proportionate
  – 80% of businesses will only need to complete a self-evaluation form.
  – 90% of Minimum Security Controls should already be in place in most industries.
• Repurposing controls

Slide 13: Self-regulation
• The model allows self-regulation mechanisms like privacy seals, codes of conduct and so on.
• It does not foresee authorization for data transfers. Hence, it encourages data flow with our main trade partners (USA & Canada).
• It improves the image of the companies.

Slide 14: What are we looking for?
• The aforementioned will place Mexico in the international trend to reach new levels of integration that will allow the free flow of trade, goods, people and resources while protecting personal data.

Slide 15: Timeline for Compliance and Enforcement
• July 6th 2010 → the Law entered into effect.
• By July 2011 → the Executive Branch will issue the secondary regulation.

Slide 16: Timeline for Compliance and Enforcement, by July 2011
• Private parties will appoint a person or department for data protection (depending on their size) to answer any requests for access, rectification, cancellation or opposition/objection regarding personal data.
• Private parties must issue privacy notices and policies according to the requirements stated in the Law (secondary framework and guidelines).

Slide 17: Timeline for Compliance and Enforcement, by February 2012
• Any person can start a tutelage procedure before the IFAI.
• Every person may exercise their right of access, rectification, cancellation or objection according to Chapter IV of the Law.

Slide 18: Sanctions and fines
• Fines → taking into consideration the economic capacity of the controller, technology, type of data and so on.
• Private parties may file a petition for annulment against decisions issued by the Institute with the Federal Tax and Administrative Court.

Slide 19: Encouraging a cultural shift and dialogue
• Promoting a cultural shift towards data protection through education.
• Preventive perspective → fines are considered the last resort.
• Underline the importance of compliance with the Law and its regulatory framework.

Slide 20: Where are we now?
• A joint effort by the Ministry of the Economy and IFAI → the creation of a secondary regulatory framework.
• This will help legal compliance.
• The Mexican government will issue the secondary regulation in July of this year.

Slide 21: Where are we now?
• At the same time, IFAI is working on the creation of privacy notice models in accordance with international standards.
• It also works towards privacy policy publication in accordance with better practices.
• IFAI is undergoing a restructuring.

Slide 22: What do we want?
• The main purpose of the Law and the secondary regulation is harmonization with international standards and with our commercial partners, to encourage trade while guaranteeing the protection of data.
• Therefore, Mexico welcomes privacy-oriented businesses.

Slide 23: 33rd International Conference
• IFAI will host the 33rd International Conference of Data Protection and Privacy Commissioners.
• 1-4 November in Mexico City.
• With the need to harmonize legal frameworks and practices, the subject of this year's Conference is precisely harmonization: a global approach to make privacy effective.

Slide 24
• www.ifai.org.mx

Slide 25: Canadian Approach to Privacy
• PIPEDA
  – Nationwide coverage
  – Broad principles
  – Satisfies the EU "adequate protection" requirement
• Provincial Laws and Commissioners
  – Roles of National and Provincial Commissioners are complementary
• Cross-border transfers

Slide 26: www.privacybydesign.ca
Adoption of "Privacy by Design Resolution"

Landmark Resolution Passed to Preserve the Future of Privacy
By Anna Ohlden, October 29th 2010
http://www.science20.com/newswire/landmark_resolution_passed_preserve_future_privacy

JERUSALEM, October 29, 2010: A landmark resolution by Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, was approved by international Data Protection and Privacy Commissioners in Jerusalem today at their annual conference. The resolution recognizes Commissioner Cavoukian's concept of Privacy by Design, which ensures that privacy is embedded into new technologies and business practices, right from the outset, as an essential component of fundamental privacy protection.

Full Article: http://www.science20.com/newswire/landmark_resolution_passed_preserve_future_privacy
Slide 28: U.S. Approach to Regulation and Prospects for New Privacy Paradigm
• FTC Act, Section 5: Deceptive and Unfair practices in commerce
• State Consumer Protection laws ("Mini-FTC Acts")
  – State Security Breach Notification laws
• Telemarketers: Do Not Call Rule
• Electronic communications: CAN-SPAM Act
• Financial Institutions: Gramm-Leach-Bliley Act
• Credit information: Fair Credit Reporting Act
• Health information: HIPAA and FTC's Health Breach Notification rule
• Children's online information: Children's Online Privacy Protection Act

Slide 29: US Regulators Involved
• FTC
• CFPB
• "Prudential" regulators (OCC, Fed, FDIC, NCUA) for depository institutions with assets of $10 B and under, and the FTC for other entities, for the Safeguards, Red Flags and Disposal rules
• HHS
• State Attorneys General

Slide 30: Whether Global Harmonization on Protection of Personal Privacy is Likely or Possible
• The corporate CPO perspective

Slide 31: Questions and Answers

www.hoganlovells.com