NAFTA Privacy IAPP Global Privacy Summit 2011 March 10, 2011 1:45 to 2:45 PM

Presenters

• Moderator: Nuala O'Connor Kelly, CIPP, CIPP/G, Senior Counsel, Information Governance & Chief Privacy Leader, General Electric

• Moderator: Christopher Wolf, Co-Chair Privacy and Data Security Practice Group, Hogan Lovells US LLP

• Ann Cavoukian, Ph.D., Information and Privacy Commissioner of Ontario

• Ken Anderson, Assistant Commissioner of Privacy, Information and Privacy Commissioner/Ontario

• Julie Brill, Commissioner, Federal Trade Commission

• Jacqueline Peschard, President Commissioner, Federal Institute of Access to Information and Data Protection (IFAI), Mexico

Introduction to Privacy Law in North America

• All three NAFTA jurisdictions share a commitment to the protection of personal information, but there are differences in legal protections.

– Can businesses adopt uniform policies and procedures to satisfy the various legal requirements?

• What modifications are necessary by jurisdiction?

– How do the conflicting laws affect cross-border transfers?

– What can be expected in the way of cross-border enforcement cooperation?

Mexico’s New Law

• Technological developments have surpassed geopolitical boundaries and agreements.

• NAFTA ruled on trade flows, yet information travels without a visa.

Main background

• After NAFTA, Mexico addressed FOIA and data protection.

• In this framework the Federal Institute for Access to Public Governmental Information (now known as Federal Institute for Access to Information and Data Protection, IFAI) was created with five commissioners (2003).

• IFAI is the authority for FOIA and data protection

MEXICO AND THE INTERNATIONAL SYSTEM

Advantages of the Mexican model

• The new law and its regulatory framework allow international data transfers.

• A free and speedy procedure to exercise the rights of individuals (access, rectification, cancellation and opposition).

Economic Advantages of the model

• The model places Mexico in a competitive context as it aligns us with the international system, mainly with the OECD, European Union and APEC (focusing on the accountability principle).

• Legal certainty for trans-border economic trade, encouraging investment flows.

• Consequently, a rise in the creation of employment.

High cost vs. low cost?

• It does not require the registry of databases.

• Consent is based on the opt-out model except for sensitive data.

• Security measures according to innovative criteria.

Security within Privacy

• Our main objective: prevent unauthorized access to personal information

• Our strategy: define risk levels based on:

– type of data and

– number of individuals

Risk based approach

• Minimum security controls based on risk level of information

– Efficient

– Effective

[Figure: risk diagram. Labels: Intentional Risk, Accidental Risk, Opportunistic Risk, Relation / connection, Redundancy, Availability, Filtering, Confidentiality, Integrity, External, Internal, Threat, Impact, Private, Public]

Proportionate

– 80% of businesses will only need to complete a self-evaluation form

– 90% of Minimum Security Controls should already be in place in most industries

• Repurposing controls

Self-regulation

• The model allows self-regulatory mechanisms such as privacy seals, codes of conduct and so on.

• It does not foresee authorization for data transfers. Hence, it encourages the data flow with our main trade partners (USA & Canada).

• It improves the image of the companies.

What are we looking for?

• The aforementioned will place Mexico in the international trend to reach new levels of integration that will allow the free flow of trade, goods, people and resources while protecting personal data.

Timeline for Compliance and Enforcement

• July 6th 2010 → the Law entered into effect.

• By July 2011 → The Executive Branch will issue the secondary regulation.

By July 2011

• Private parties will appoint a person or department of data protection (depending on its size) to answer any requests of access, rectification, cancellation or opposition/objection of personal data.

• Private parties must issue privacy notices and policies according to the requirements stated in the Law (Secondary framework and Guidelines).

By February 2012

• Any person can start a tutelage procedure before the IFAI.

• Every person may exercise their right of access, rectification, cancellation or objection according to Chapter IV of the Law.

Sanctions and fines

• Fines → taking into consideration economic capacity of the controller, technology, type of data and so on.

• Private parties may file a petition for annulment against decisions issued by the Institute with the Federal Tax and Administrative Court.

Encouraging a cultural shift and dialogue

• Promoting a cultural shift towards data protection through education.

• Preventive perspective → as fines are considered the last resort.

• Underline the importance of compliance with the Law and its regulatory framework.

Where are we now?

• A joint effort with the Ministry of the Economy and IFAI → The creation of a secondary regulatory framework.

• This will help legal compliance.

• The Mexican government will issue the secondary regulation in July of this year.

• At the same time, IFAI works on the creation of privacy notice models in accordance with international standards.

• It also works towards privacy policy publication in accordance with best practices.

• IFAI is undergoing a restructuring.

What do we want?

• The main purpose of the Law and the secondary regulation is the harmonization with international standards and with our commercial partners to encourage trade while guaranteeing the protection of data.

• Therefore, Mexico welcomes privacy oriented businesses.

33rd International Conference

• IFAI will host the 33rd International Conference of Data Protection and Privacy Commissioners.

• 1-4 November in Mexico City.

• With the need to harmonize legal frameworks and practices, the subject of this year's Conference is precisely harmonization, a global approach to make privacy effective.

• www.ifai.org.mx

Canadian Approach to Privacy

• PIPEDA

– Nationwide coverage

– Broad principles

– Satisfies EU “adequate protection” requirement

• Provincial Laws and Commissioners

– Roles of National and Provincial Commissioners are complementary

• Cross-border transfers

www.privacybydesign.ca

Adoption of “Privacy by Design Resolution”

Landmark Resolution Passed to Preserve the Future of Privacy

By Anna Ohlden – October 29th 2010 - http://www.science20.com/newswire/landmark_resolution_passed_preserve_future_privacy

JERUSALEM, October 29, 2010 – A landmark resolution by Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, was approved by international Data Protection and Privacy Commissioners in Jerusalem today at their annual conference. The resolution recognizes Commissioner Cavoukian's concept of Privacy by Design - which ensures that privacy is embedded into new technologies and business practices, right from the outset - as an essential component of fundamental privacy protection.

Full Article: http://www.science20.com/newswire/landmark_resolution_passed_preserve_future_privacy

U.S. Approach to Regulation and Prospects for New Privacy Paradigm

• FTC Act: Section 5 Deceptive and Unfair practices in commerce

• State Consumer Protection laws (“Mini-FTC Acts”)

– State Security Breach Notification laws

• Telemarketers: Do Not Call Rule

• Electronic communications: CAN-SPAM Act

• Financial Institutions: Gramm-Leach-Bliley Act

• Credit information: Fair Credit Reporting Act

• Health information: HIPAA and FTC’s Health Breach Notification rule

• Children’s online information: Children’s Online Privacy Protection Act

US Regulators Involved

• FTC

• CFPB

• "Prudential" regulators (OCC, Fed, FDIC, NCUA) for depository institutions with assets $10 B and under, and FTC for other entities, for Safeguards, Red Flags and Disposal rules

• HHS

• State Attorneys General

Whether Global Harmonization on Protection of Personal Privacy is Likely or Possible

• The corporate CPO perspective

Questions and Answers

www.hoganlovells.com

© Hogan Lovells 2011. All rights reserved.