What if my organization conducts business across borders ? Your footnote Privacy and “Personal Information” have different meanings in different countries; however, you should be aware that privacy is regulated to one extent or another in most countries with which the U.S. does business. And regulation in this area is increasing and evolving rapidly. Privacy concerns come into play in any situation where uniquely identifiable information relating to a person is collected, processed and stored. These concerns apply regardless of whether an organization collects uniquely identifiable information in digital form or otherwise. Typical considerations for businesses and organizations that collect Personal Information may include: -how is Personal Information collected, stored, and associated? -who is given access to your customers’ Personal Information? -how is such information used? -does the individual have any ownership rights to such data, and/or the right to view, verify, and challenge that information?

Different Notions of “Privacy” Right to privacy primarily enforced as “consumer protection right” Privacy “balanced” against Free Speech; latter often prevails Implied (not express) right in U.S. Constitution Protection of people against Government overreaching, esp. at home Right to privacy as a “fundamental human right” Privacy as a “human dignity right” Art. 8 EU Convention of Human Rights: “…respect for…private and family life…home, and…correspondence”. Protection of people from having their lives exposed to public view, esp. mass media EUROPEAN UNION UNITED STATES Differences also stem from very different historical experiences

Privacy protection is privileged over economic efficiency and speech, even if this creates trade barriers Transfers of personal data in commerce, at work, etc. presumed to not be legitimate unless there is a “legal basis” (express consent; fulfillment of contractual or legal obligations) Data Protection Principles Most countries not deemed to offer “adequate protection” Free speech and interstate commerce privileged over privacy; protections crafted primarily for consumers Transfers of personal data are presumed legitimate and necessary (protections limited to situations of egregious misuse or unauthorized access) Regulation fragmented by economic sector (e.g., HIPAA, FCRA, HITECH, GLBA) not uniformly EUROPEAN UNIONUNITED STATES Different Approaches to Privacy Regulation

Canada often assumed to be similar to the U.S. with respect to business practices; but privacy regulation is another matter. Canadian approach to confidentiality and the transfer of Personal Information is much more in line with the European model than that of the U.S. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) became effective in 2004 and provides a federal-level personal information protection regime Basic principles and obligations for organizations covered by PIPEDA: -obtain an individual's consent when they collect, use or disclose the individual's personal information. -the individual has a right to access personal information held by an organization and to challenge its accuracy, if need be. -personal information can only be used for the purposes for which it was collected. If purpose changes, consent must be obtained again. -individuals should also be assured that their information will be protected by specific safeguards, including measures such as locked cabinets, computer passwords or encryption. PRIVACY REGULATION IN CANADA Your footnote

Mexico enacted comprehensive data protection law in 2010, the “Law on the Protection of Personal Data in the Possession of Private Entities” (“LFPD”) LFPD regulates the processing of personal information by private companies (other than credit bureaus, which are regulated separately) and seeks to protect citizens’ rights to “privacy and to personal information self-determination”. The LFPD provides data subject s the right to give his/her consent to the processing of personal data, subject to certain statutory exceptions. The data controller must disclose to the data subject, through a privacy notice the information gathered about him/her and the use(s) to be given to said information. LFPD requires express written consent of the data subject for the disclosure of sensitive personal data (incl. ethnic origin, current or foreseeable health condition(s), genetic information, religious, philosophical or moral beliefs, labor union affiliation, political opinions and/or sexual orientation). The LFPD creates a right of civil action for data subjects for the data controllers’ breaches of the LFPD. PRIVACY REGULATION IN MEXICO Your footnote

How to Address Privacy Compliance Across National Borders with Different Constituencies Business Partners Employees Customers Service Providers B-2-B agreements regarding use of personal information Privacy Policy Terms and Conditions Representations made re: Use of Personal Information Internal policies and procedures regulating access to and use of personal information Agreements to use personal information only for your organization Your Organization Your Organization

s_2012/$FILE/Privacy-trends-2012_AU1064.pdf s_2012/$FILE/Privacy-trends-2012_AU1064.pdf ataProtection_326jpm.pdf ataProtection_326jpm.pdf Other Country Regulation & Select Resources Your footnote