Presentation is loading. Please wait.

Presentation is loading. Please wait.

LexisNexis Confidential EU Privacy Framework Michael Lamb LexisNexis Risk Solutions Vice President and Lead Counsel: Regulatory, Privacy & Policy May 19,

Published byAngelica Rosa Holt Modified over 8 years ago

Similar presentations

Presentation on theme: "LexisNexis Confidential EU Privacy Framework Michael Lamb LexisNexis Risk Solutions Vice President and Lead Counsel: Regulatory, Privacy & Policy May 19,"— Presentation transcript:

1 LexisNexis Confidential EU Privacy Framework Michael Lamb LexisNexis Risk Solutions Vice President and Lead Counsel: Regulatory, Privacy & Policy May 19, 2011

2 LexisNexis Confidential EU versus US: Privacy Philosophy United States – Most data privacy laws and rules arise out of consumer protection concepts rather than a right of the individual. European Union – privacy and protection of personal information is treated as a human right. Thus one will see requirements in the EU that give an individual control over data about them even though they were not the source of the data in any way. 1

3 LexisNexis Confidential 2 EU Data Protection: The Basics What is personal information in the EU? “Personal data shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”. (1995 Data Directive)

4 LexisNexis Confidential EU Data Protection: The Basics (cont’d) Some personal information elements are considered more sensitive than others. The definition of what is considered sensitive may vary depending on jurisdiction and particular regulations. EU: Sensitive personal information called special categories of data. This refers to: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life, and data relating to offenses, or criminal convictions. 3

5 LexisNexis Confidential Processing “Processing” is anything you can do with personal information. Processing includes: CollectionRecording OrganizationStorage UpdatingModification RetrievalConsultation UseDisclaoure TransmissionDissemination LinkingErasure Destruction 4

6 LexisNexis Confidential Controllers and Processors Controller - A Controller is the person or entity that determines the purposes and means of the processing of personal information. Processor - A Processor processes personal data on behalf of the Controller and at the direction of the Controller. Controllers and Processors have different obligations. 5

7 LexisNexis Confidential EU Directive Basics Processing of personal information is prohibited unless: Notice to and consent of the data subject; Other exemptions; Special processing rules for sensitive data. Ensure data security and quality. Give data subject the right to access and object/correct. Controls on automated decisions. Transfer restrictions. 6

8 LexisNexis Confidential UK DPA Law Example For example, UK law (DPA, Section 4(4) and Schedule 1) provides that personal data shall be: (a) processed fairly and lawfully; (b) processed for one or more specified and lawful purposes; (c) adequate, relevant and not excessive; (d) accurate and up to date; (e) not kept for longer than necessary; (f) processed in accordance with individuals’ rights; (g) afforded appropriate technical and organizational security; and (h) not transferred outside the EEA unless adequate data protection is assured. 7

9 LexisNexis Confidential Processing Grounds Processing must be based on legitimate grounds, including one or more of the following: Data subject has given unambiguous consent Processing is necessary to perform a contract to which the data subject is a party or to take step sat the request of the data subject prior to entering into a contract. The processing is necessary to comply with a legal obligation to which that party is subject. The processing is necessary to protect the vital interests of the data subject. OR 8

10 LexisNexis Confidential Processing Grounds (cont’d) The processing is necessary for the purposes of the legitimate interests pursued by a party or by a third party to whom the data are disclosed. except where the processing is “unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.” (quoting UK law) This last ground is more open-ended... CCTV example Watch lists 9

11 LexisNexis Confidential EU Special Categories Stricter Criteria for Processing Sensitive Data: Data subject has given explicit consent. Data subject is physically and legally incapable of giving consent and processing is necessary to protect vital interests. Necessary for the establishment, exercise or defense of legal claims. Information has been made public by the data subject. Processing is necessary to carry out the obligations and specific rights. 10

12 LexisNexis Confidential Data Transfers Transfers of personal data from the EEA to other countries are prohibited unless to a country with “adequate” protection (e.g., Canada) they qualify for an exception: (i)the data subject freely and unambiguously provides specific consent, (ii)the transfer is necessary on various grounds (i.e., performance or conclusion of a contract, legally required for the public interest or legal claims or protection of the vital interests of the data subject) or (iii)the transfer is made from a register intended to provide information to the public in accordance with law. 11

13 LexisNexis Confidential Data Transfers (cont’d) If no exception is available, a company may utilize one of the following methods to comply: uses a model contract signed by both the EU data exporter and U.S. data importer; adopts binding corporate rules approved by the EU countries from which personal data is to be transferred (within a corporate family); or self-certifies under the Safe Harbor framework. 12

14 LexisNexis Confidential EU Hot Topics Expanding Scope and Protections Viviane Reding, the European Commissioner for Justice: promised to "expand data protection to other areas" in a proposal by the end of the year. "We're looking at...localization data services, behavioral advertising, basically anything that's dealing with new technology.“ She supports the “right to be forgotten”. 13

15 LexisNexis Confidential EU Geo-Location Data Geo-location data on the agenda of the “Article 29 Working Party” last December; report expected by early June. Expected Proposal: treat information collected by phone and Internet companies on customer locations same as “personal data” (that is, treated the same as names, birthdays and other personal data). Article 29 Working Party opinions, working documents and recommendations are not legally binding, but they often become the “EU standard.” France, Germany, Italy, Ireland and the U.K. have already opened their own investigations into geo-location data. 14

16 LexisNexis Confidential Issues Arising Elsewhere India: Just published new privacy rules (in April Ministry of Communications and Information Technology issued the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.) New rules are arguably stricter than the EU rules, addressing consent, opt out, limits on use, data security, etc. Definitely requires a review of operations outsourced to India to confirm compliance. 15

17 LexisNexis Confidential Issues Arising Elsewhere Philippines – Proposed Privacy Legislation (already passed their House (H. No. 4115)) Adopted to SUPPORT outsourcing industry and become an acceptable country for the EU. Undercuts that goal by creating data rights and restrictions that may not otherwise apply to that data (e.g., requires notice, express consent, access, security, breach notification). Trade Assoc in Ph is hearing concerns from very few US firms (www.bpap.org). 16

Download ppt "LexisNexis Confidential EU Privacy Framework Michael Lamb LexisNexis Risk Solutions Vice President and Lead Counsel: Regulatory, Privacy & Policy May 19,"

Similar presentations

Re-use of PSI Data Protection Issues Cécile de Terwangne Professor at the Law Faculty, Research Director at CRIDS University of Namur (Belgium) 2 nd LAPSI.

Re-use of PSI Data Protection Issues Cécile de Terwangne Professor at the Law Faculty, Research Director at CRIDS University of Namur (Belgium) 2 nd LAPSI.
Public Sector Information & Data Protection: A plea for personal privacy settings for the re-use of PSI Bart van der Sloot Institute for Information Law.

Public Sector Information & Data Protection: A plea for personal privacy settings for the re-use of PSI Bart van der Sloot Institute for Information Law.
PRIVACY ASPECTS OF RE-USE OF PSI: BETWEEN PRIVATE AND PUBLIC SECTOR

PRIVACY ASPECTS OF RE-USE OF PSI: BETWEEN PRIVATE AND PUBLIC SECTOR
Data Protection & Privacy in the Information Age COMNET – Legal Frameworks for ICTs Malta 2013 Dr Antonio Ghio Dr Jeanine Rizzo.

Data Protection & Privacy in the Information Age COMNET – Legal Frameworks for ICTs Malta 2013 Dr Antonio Ghio Dr Jeanine Rizzo.
DATA PROTECTION and Research University Research Ethics Committee – 30.05.2008 David Cauchi David Cauchi Office of the Commissioner for Data Protection.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi David Cauchi Office of the Commissioner for Data Protection.
Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
Convention for the protection of individual with regard to automatic processing of personal data “The purpose of this convention is to secure in the territory.

Convention for the protection of individual with regard to automatic processing of personal data “The purpose of this convention is to secure in the territory.
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
Data Protection.

Data Protection.
DATA PROTECTION and Research University Research Ethics Committee – 08.05.2006 David Cauchi Office of the Data Protection Commissioner.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi Office of the Data Protection Commissioner.
What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.

What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.
Data Protection and Records Management

Data Protection and Records Management
Data Protection: The Law. EU & Irish Legislation Data Protection Directive 95/46/EC Electronic Privacy Directive 2002/58/EC EUROPOL etc Data Protection.

Data Protection: The Law. EU & Irish Legislation Data Protection Directive 95/46/EC Electronic Privacy Directive 2002/58/EC EUROPOL etc Data Protection.
Class 13 Internet Privacy Law European Privacy.

Class 13 Internet Privacy Law European Privacy.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Attorney at the Bars of Paris and Brussels Database exploitation & Data protection Thibault Verbiest Amsterdam 1 April 2005

Attorney at the Bars of Paris and Brussels Database exploitation & Data protection Thibault Verbiest Amsterdam 1 April 2005
Data Protection Overview

Data Protection Overview
 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.

 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.
Data Protection for Church of Scotland Congregations

Data Protection for Church of Scotland Congregations
Lawyer at the Brussels Bar Lecturer at the University of Strasbourg Assistant at the University of Brussels Data Protection & Electronic Communications.

Lawyer at the Brussels Bar Lecturer at the University of Strasbourg Assistant at the University of Brussels Data Protection & Electronic Communications.

Similar presentations

Ads by Google