• Privacy and “Personal Information” have different meanings in different countries; however, you should be aware that privacy is regulated to one extent or another in most countries with which the U.S. does business. And regulation in this area is increasing and evolving rapidly.
•
Privacy concerns come into play in any situation where uniquely identifiable information relating to a person is collected, processed and stored.
•
These concerns apply regardless of whether an organization collects uniquely identifiable information in digital form or otherwise.
•
Typical considerations for businesses and organizations that collect Personal
Information may include:
how is Personal Information collected, stored, and associated?
who is given access to your customers’ Personal Information?
how is such information used?
does the individual have any ownership rights to such data , and/or the right to view, verify, and challenge that information?
Your footnote

EUROPEAN UNION
• Right to privacy as a “fundamental human right”
• Privacy as a “human dignity right”
•
Art. 8 EU Convention of Human
Rights: “…respect for…private and family life…home, and…correspondence”.
•
Protection of people from having their lives exposed to public view, esp. mass media
UNITED STATES
•
Right to privacy primarily enforced as “consumer protection right”
• Privacy “balanced” against Free
Speech; latter often prevails
•
Implied (not express) right in U.S.
Constitution
•
Protection of people against
Government overreaching, esp. at home
Differences also stem from very different historical experiences

EUROPEAN UNION
•
Privacy protection is privileged over economic efficiency and speech, even if this creates trade barriers
•
Transfers of personal data in commerce, at work, etc. presumed to not be legitimate unless there is a “legal basis”
(express consent; fulfillment of contractual or legal obligations)
•
Data Protection Principles
•
Most countries not deemed to offer “adequate protection”
UNITED STATES
•
Free speech and interstate commerce privileged over privacy; protections crafted primarily for consumers
•
Transfers of personal data are presumed legitimate and necessary (protections limited to situations of egregious misuse or unauthorized access)
•
Regulation fragmented by economic sector (e.g., HIPAA,
FCRA, HITECH, GLBA) not uniformly

•
Canada often assumed to be similar to the U.S. with respect to business practices; but privacy regulation is another matter. Canadian approach to confidentiality and the transfer of Personal Information is much more in line with the European model than that of the U.S.
• Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) became effective in 2004 and provides a federal-level personal information protection regime
•
Basic principles and obligations for organizations covered by PIPEDA:
obtain an individual's consent when they collect, use or disclose the individual's personal information.
the individual has a right to access personal information held by an organization and to challenge its accuracy, if need be.
personal information can only be used for the purposes for which it was collected .
If purpose changes, consent must be obtained again.
individuals should also be assured that their information will be protected by specific safeguards , including measures such as locked cabinets, computer passwords or encryption.
Your footnote

• Mexico enacted comprehensive data protection law in 2010, the “Law on the Protection of
Personal Data in the Possession of Private Entities” (“LFPD”)
•
LFPD regulates the processing of personal information by private companies (other than credit bureaus, which are regulated separately) and seeks to protect citizens’ rights to
“privacy and to personal information self-determination
”.
•
The LFPD provides data subject s the right to give his/her consent to the processing of personal data, subject to certain statutory exceptions.
•
The data controller must disclose to the data subject, through a privacy notice the information gathered about him/her and the use(s ) to be given to said information.
•
LFPD requires express written consent of the data subject for the disclosure of sensitive personal data (incl. ethnic origin, current or foreseeable health condition(s), genetic information, religious, philosophical or moral beliefs, labor union affiliation, political opinions and/or sexual orientation).
•
The LFPD creates a right of civil action for data subjects for the data controllers’ breaches of the LFPD.
Your footnote

Business
Partners
B-2-B agreements regarding use of personal information
Customers
Agreements to use personal information only for your organization
Your
Organization
Service
Providers
Privacy Policy
Terms and Conditions
Representations made re:
Use of Personal Information
Internal policies and procedures regulating access to and use of personal information
Employees

•
•
•
Your footnote