International Issues
At least forty nations around the globe have enacted various forms of privacy legislation in an effort to provide citizens with safeguards for their personal data.1 Some of these laws apply both to data transfers internally within a nation’s borders, and to overseas data transfers. As privacy legislation continues to build momentum internationally, these international privacy issues will become increasingly important to individuals and businesses in all nations. Indeed, such laws will be particularly important to U.S. companies doing business overseas or who have subsidiaries or partners overseas with whom data will be shared. Below is a discussion of privacy laws in several countries, to give a picture of different approaches to privacy laws across the globe.
European Union
a. European Union Directive on Data Protection (Directive 95/46/EC).
Adopted in October 1995 and effective three years later, the members of the European Union are required to adhere to certain “minimum standards” in processing “personal data.” Personal data is defined as “any information relating to an identified or identifiable natural person.”
(1) EU Standards for Processing Personal Data.
(a) The Directive requires generally that, subject to limited exceptions, personal data may be processed only “if the data subject has unambiguously given his consent;”
(b) The Directive requires that individuals be informed of the identity of the “controller” of their personal data, the intended purposes for processing the data and any other information that guarantees “fair processing” of the data;
(c) The Directive provides individuals with a right of access to their personal data and the ability to correct inaccuracies or block processing of their data;
(d) The Directive requires member states to provide individuals with judicial remedies and a right to compensation for violations of their rights under the directive; and
(e) Article 25 of the Directive prohibits member states from transferring personal data to countries outside the European Union that do not guarantee “adequate” protections for personal data.
(2) U.S. Safe Harbor. In November 2000, the EU and U.S. Department of Commerce implemented a “safe harbor” program under which U.S. companies are required to obtain prior express consent before collecting personal information from European customers. The FTC has enforcement authority over U.S. companies that do not abide by EU standards. In order to sign up for the safe harbor programs, a company must certify to the Department of Commerce that it adheres to a privacy policy that meets the safe harbor framework. An update report by the European Commission on the U.S. Safe Harbor program states that all elements of the program are in place. The report also states, however, that a substantial number of companies that signed up for the safe harbor program were not meeting the privacy policy transparency requirements that were agreed to under the plan. See http://europa.eu.int/comm/internal_ market/privacy/index_en.htm. (3) EU Standard Contractual Clauses. In December 2001, the European Commission issued standard contractual clauses considered as offering adequate safeguards for the protection of personal data transferred to processors. These clauses do not affect the application of the EU Directive to processing of personal data within Member States. b. European Union Directive on Privacy and Electronic Communications (Directive 2002/58/EC). Adopted in July 2002 and effective October 2003, the Directive adapts prior EU directives “to developments in the markets and technologies for electronic communications services,” in order to provide “an equal level of protection of personal data and privacy for users of publicly available electronic communications services, regardless of the technologies used.” The Directive repeals Directive 97/66/EC and expands the prior Directive’s provisions to include electronic communications providers and email messages.
c. EU and U.S. Share Transatlantic Flight Passenger Information.
Beginning in February 2003, officials of the European Commission agreed to share transatlantic flight passenger information with the U.S. Customs Service. Such passenger information includes a passenger’s name, itinerary, contact phone number, and credit card numbers. The U.S. Customs Service provided assurances to the European Commission that it would provide “appropriate handling” of passenger records.
d. U.K. Data Protection Act of 1998. The Data Protection Act of 1998 supercedes the U.K.’s prior data protection legislation, the Data Protection Act of 1984, in compliance with the EU Data Protection Directive. (1) The Data Protection Principles. The Act of 1998 contains eight Data Protection Principles; anyone processing personal data must comply with these eight enforceable principles of good practice. Personal data covers both facts and opinions about the individual, and includes information regarding the intentions of the data controller towards the individual, although in some limited circumstances exemptions will apply. The eight principles require collection of personal data to be: (a) processed fairly and lawfully; (b) obtained only for specified and lawful purposes; (c) adequate, relevant and not excessive in relation to he purposes for which it is processed; (d) accurate and, where necessary, kept up to date; (e) kept no longer than necessary for the purposes for which it is being processed; (f) processed in accordance with the data subject’s rights; (g) kept secure with appropriate technical and organizational measures; and, (h) not transferred to a country outside of the European Economic Area unless that country ensures an ad equate level of protection relative to the processing of personal data.
(2) Data Subjects’ Rights. The Act of 1998 provides rights to individual data subjects regarding their personal information, including: (a) Right to be informed by a data controller whether the data controller processes any of the individual’s personal data; (b) Right to require the data controller to stop, or not to begin, processing the data subject’s personal data if such processing is likely to cause damage to the data subject or another; (c) Right to require the data controller to stop, or not to begin, processing the data subject’s personal data for direct marketing purposes; (d) Right to require a data controller to rectify or erase any personal data regarding the data subject that is inaccurate; and, (e) Right to seek compensation from a data controller for damages caused by the data controller’s contravention of any of the Act’s requirements. (3) Application of Data Protection Principles. New amendments to the Act of 1998 took effect in October 2001, and U.S. companies that conduct business in the U.K. are subject to the Act. Transfer of U.K. employee, customer and subscriber data to the U.S. is regulated, as is data processing in the U.K. itself. The Act governs the processing of both computerized personal data and manual personal data that is held in a relevant filing system such as employee personnel files.
Canada
a. Canada’s Personal Information Protection and Electronic Documents Act (PIPED). PIPED currently applies to information used and disclosed in the course of commercial activity by clients or employees of federally regulated industries. In 2004, the Canadian law will apply to every organization that collects, uses or discloses personal information. To comply with the law businesses must, inter alia: disclose the purpose of the data collection and provide access to it; obtain consumers’ consent to collect the information; limit the collection, use, disclosure and retention of information; and employ data security practices. The European Commission has deemed the PIPED Act “adequate” under its EU Data Protection Directive. See http://www.parl.gc.ca/36/2/parlbus/ chambus/house/bills/government/C-6/C-6_4/C-6_cover-E.html. In the first decision under PIPED, the federal privacy commissioner of Canada ruled that the use of street surveillance cameras by the city of Yellowknife was illegal. Commission Press Release at http://www.privcom.gc.ca/media/an/nt_010620_e.asp; Complaint and Commissioner’s Findings at http://www.privcom.gc.ca/cf-dc/cf-dc_010615_e.asp.
Hong Kong
a. Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486). Effective in December 1996, the Ordinance seeks to protect individuals’ privacy interests in their personal information; it covers any personally identifiable information that is in accessible or processible form, and applies to any person who controls the collection or processing of the personal information. The Ordinance also establishes the Privacy Commissioner’s Office (PCO) as an independent statutory body to oversee its enforcement. Among the Ordinance’s Data Protection Principles:
(1) Purpose and manner of collection. This principle provides for the lawful and fair collection of personal data, and sets out the information that a collector of data must provide to a data subject when collecting personal data from that subject;
(2) Accuracy and duration of retention. This principle provides that retained personal data should be accurate, up-to-date and retained no longer than necessary;
(3) Use of personal data. This principle provides that, unless the individual otherwise provides consent, personal data should be used only for the purposes for which it was collected, or a directly related purpose;
(4) Security of personal data. This principle requires appropriate security measures to be applied to all personal data (including data that is not in an accessible or processible form);
(5) Information to be made generally available. This principle provides that collectors of personal data must provide “openness” regarding the kinds of personal data that they hold, and the main purposes for which personal data is used; and, (6) Access to personal data. This principle provides that individuals are to have rights of access to, and the ability to correct, their personal data.
Australia
a. Australia’s Privacy Amendment (Private Sector) Act 2000 (Act No 155 of 2000). The Privacy Amendment received Royal Assent in December 2000, and was effective one year later. The legislation amends the prior Commonwealth Privacy Act of 1988, and establishes a national scheme to include regulation of personal information handled by private sector organizations. The Office of the Federal Privacy Commissioner has responsibility for educating and assisting organizations in relation to the privacy law. The legislation establishes the National Privacy Principles (the “NPPs”) as the minimum privacy standards for the private sector:
(1) The NPPs regulate the collection, use, disclosure, and overseas transfer, of personal information;
(2) The NPPs require organizations to ensure that the personal information they hold is accurate, up-to-date, complete, and secure;
(3) The NPPs require organizations to be open about how they manage personal information, provide access and correction rights to individuals, and, when lawful, allow individuals to deal with the organization anonymously;
(4) The NPPs regulate the adoption, use, and disclosure of Commonwealth Government identifiers; and,
(5) The NPPs exclude most government public sector bodies, registered political parties, and “small business operators,” as defined by the legislation. The private sector legislation also contains exemptions for certain acts and practices, and certain types of records, and provides exemptions for political acts and practices, media activities, and certain employee records.
Japan
a. Japan’s Law for the Protection of Computer Processed Personal Data Held by Administrative Organs (1988) and Japan’s Guidelines Concerning the Protection of Personal Information Associated with Electronic Computer Data Processing in the Private Sector (1989). (1) Law for the Protection of Computer Processed Personal Data Held by Administrative Organs. This privacy legislation encompasses data held by the public sector; national administrative organs holding, modifying or disclosing personal data files must provide prior notification to the Director General of the Management Coordinator Agency. Further, any national administrative organ which has notified the Management and Coordinator Agency must compile a directory of all personal file holdings and make it accessible to the public. In addition, data subjects are provided the following rights to their data held by the public sector: (f) Reasonable security precautions must be taken in the processing and handling of the data subject’s information. (2) Guidelines Concerning the Protection of Personal Information Associated with Electronic Computer Data Processing in the Private Sector. These guidelines are established by the Japanese Ministry of International Trade and Industry, prepared for the stated purpose of protecting personal data handled during electronic commerce. These guidelines provide guidance for private sector enterprises to establish compliance programs for protecting personal data, and are “directly applicable to all enterprises conducting electronic commerce.” These guidelines for businesses conducting electronic commerce include: (a) A business using personal data in electronic com merce must clearly specify the purpose of collecting said data; (b) Personal data must be collected by lawful and fair means; (c) Personal data which includes race, ethnicity, family origin, religious beliefs, health, medical treatment or sexual activity, may not be collected, used or disclosed without the data subject’s explicit consent, or where required or permitted by law; (e) Personal data must be used within the scope of a legitimate business, for the purpose for which the data was collected, and as consented to by the data subject. (f) Personal data must be kept accurate and up-to-date to the extent necessary for fulfilling the purpose of use; (g) Reasonable security measures must be taken to prevent unauthorized access to personal data, and to prevent the loss, destruction or alteration of personal data. (a) A data subject may request disclosure or correction of his or her information; (b) Processed data may be used only for the purposes ascribed by the file controller; (c) There must be a justifiable purpose for the collection of a data subject’s information; (d) Dissemination of a data subject’s information to third parties is allowed only in instances of necessity; (e) A data subject’s information must be accurate and kept up to date; These guidelines provide data subjects’ rights, including: (i) Data subjects must be given access to personal data for accuracy verification purposes; (ii) Data subjects must have the right to refuse the use or disclosure of previously collected personal data to third parties; (iii) Consent of a child’s guardian should be obtained when personal data is collected from children, and simple language understandable by children should be used to inform them of the purpose of collection and use of their data; (iv) Businesses must designate a manager to implement and enforce these guidelines.
Thailand
a. Thailand’s Official Information Act. Approved in 1997, the Official Information Act provides Thai citizens access to public information held by state agencies, and establishes requirements for the processing of personal information held by state agencies. All individuals or corporations performing official duties under a public agency, or that are vested with public authority, such as private firms in a contractual relationship with a government agency, also have public status and are subject to the Act. The Official Information Commission, under the Office of the Prime Minister, oversees enforcement of the Act, and the Information Disclosure Tribunal conducts adjudication with respect to information disclosure under the Act. Among the Act’s data retention requirements for state agencies: (1) The agency must ensure that data collection is relevant to, and necessary for, achieving the agency’s objectives; (2) The agency must make efforts to collect information directly from the data subject; (3) The agency must provide appropriate security measures for protecting personal information; (4) The agency must provide citizens rights of access, correction, and deletion, to personal information in its possession; (5) The agency must notify citizens of personal information collected from third parties; (6) The agency must obtain prior or immediate written consent from citizens before disclosing personal information to other agencies or parties, with limited exceptions.
Other Countries
A nonexhaustive list of additional countries’ privacy laws:
Argentina: The Personal Data Protection Act, also known as Habeas Data, Law 25,326; Australia: Privacy Act, Privacy Amendment (Private Sector) Act, No. 155, 2000; Austria: Data Protection Act 2000, BGBl I Nr. 1999/165; Belgium: Law on the Protection of Private Life Regarding the Processing of Personal Data; Canada: The Privacy Act, Personal Information Protection and Electronics Documents Act; Chile: Act on the Protection of Personal Data; Czech Republic: Act on the Protection of Personal Data in Information Systems; Denmark: Danish Private Registers Act (Consolidated), Restatement; The Danish Public Authorities Registers Act (Consolidated), Restatement; Estonia: Personal Data Protection Act; Finland: Personal Data Act (523) 1999, Act on the Amendment of the Personal Data Act (986) 2000; France: Act on Data Processing, Data Files and Individual Liberties; Germany: Federal Data Protection Act; Greece: Law No.2472 on the Protection of Individuals with Regard to the Processing of Personal Data; Hungary: Act LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interests; Iceland: Act Concerning the Registration and Handling of Personal Data; Ireland: Data Protection Act, Number 25 of 1988; Israel: Protection of Privacy Law; Italy: Processing of Personal Data Act; Japan: Law for the Protection of Computer Processed Data Held by Administrative Organs, Guidelines Concerning the Protection of Personal Information Associated with Electronic Computer Data Processing in the Private Sector; Latvia: Personal Data Protection Law; Luxembourg: Act of 30 March 1979 Organizing the Identification of Physical and Legal Persons by Number, Act of 31 March 1979 Regulating the Use of Nominal Data in Data Processing; The Netherlands: Data Protection Act, Personal Data Protection Act; New Zealand: Privacy Act, Privacy Amendment Act; Norway: Act Relating to Personal Data Registers; Poland: Law of August 29, 1997 on the Protection of Personal Data; Portugal: Act on the Protection of Personal Data; Russia: Information Computerization and Protection of Information, 1995. Participation in International Information Exchange, 1996; Slovenia: Personal Data Protection Act , RS No. 55/99; South Africa: Promotion of Access to Information Law [67B-98]; Spain: Law 15/99 on the Protection of Data of a Personal Character; Sweden: Personal Data Protection Act (1998:204); Switzerland: The Federal Law on Data Protection; Taiwan: Computer-Processed Personal Data Protection Law; Thailand: Official Information Act, B.E. 2540; United Kingdom: Data Protection Act 1998.