Copyright © International Chamber of Commerce (ICC). All rights reserved. ( Source of the document: ICC Digital Library )
by Emily O’Connor
In contrast to the EU approach to data protection discussed below131, the United States does not have a comprehensive federal law regulating the collection and use of data. Instead, the United States relies on a combination of federal and state laws and regulations that overlap and can even conflict with each other, supplemented by a series of guidelines developed by governmental agencies and industry groups. These guidelines are not legally enforceable but are considered part of best practice and form a self-regulatory framework.
There are, of course, many existing federal privacy-related laws that regulate the collection and use of personal data. Some of this legislation concerns itself with categories of information, such as health132 and financial133 information or electronic communications134. Other laws affect particular activities that make use of personal information, such as the collection of information from minors135, telemarketing136, e-mail137, employment records138, privacy of government-held data and privacy from government data collection139, and privacy of miscellaneous records and activities140. Whether a US privacy law applies to an agreement performed outside the United States depends upon the scope of that statute and whether it affects information that can be collected by Franchisors in the United States.
The EU approach and data protection rules are set out in the 1995 Data Protection Directive 95/46/EC (“the Directive”). These rules aim to protect the fundamental rights and freedoms of natural persons, and in particular the right to data protection, as well as the free flow of data. The Directive has been complemented by further legal instruments relating to the communications sector141 and the protection of personal data in police and judicial cooperation matters142. The right to the protection of personal data is also specifically recognized in the European Union’s Charter of Fundamental Rights of the European Union (Article 8) and the Lisbon Treaty.
The Directive’s governing principle is the protection of personal data. Its purpose is not the protection of privacy as such. The Directive’s primary objective was to harmonize existing regulations to safeguard the data subject’s right to informational privacy and to create a common European market for the free movement of personal data143.
The implementation of the Directive is delegated to each individual Member State. This inevitably results in some variation in implementation between Member States.
In general, EU data protection law follows three principles: transparency, legitimate purpose and proportionality144. These principles are laid down in Article 6 of the Directive:
Member States shall provide that personal data must be:
The criteria for lawful data processing are set out in Article 7 of the Directive145. Personal data may be processed only if:
The minimum security standards required by the Directive are set out in Article 17, which provides that “the data holder must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.”
Article 25 of the EU Directive addresses the transfer of personal data to countries that are not Member States, such as the United States. The EU Member State is required to provide that the transfer to a third country (a country not in the EU) of personal data that is undergoing processing or is intended to be processed after transfer may take place only if, having complied with the national provisions, the third country ensures an adequate level of protection.
Those countries currently listed as having sufficient levels of protection are: Andorra, Argentina, Australia, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey and Switzerland146.
Companies operating between the United States and the EU may engage in cross-border transfers of data between Europe and the United States in compliance with the Directive by obtaining certification under the Safe Harbor program, by using European Commission-approved model contracts, or, for multinationals, by implementing Binding Corporate Rules. The Safe Harbor program was created by the Commission and the US Department of Commerce to address the Commission’s view that the United States does not have in place a regulatory framework sufficient to adequately protect personal data transferred from the European Economic Area. An organization in the United States can participate in the Safe Harbor program if it is subject to the jurisdiction of the FTC or, in the case of some transportation organizations, to the jurisdiction of the US Department of Transportation. A list of the current participants in the Safe Harbor program may be found on the US Department of Commerce website147.
The Safe Harbor program requires a voluntary adherence to a set of seven principles: notice, choice, transfers to third parties, access, security, data integrity, and enforcement. The Commission has recognized these principles as providing adequate protection and therefore meeting these principles will allow compliance with the Commission’s requirements. The organization is required to join a self-regulatory privacy program that adheres to the US-EU Safe Harbor Framework’s requirements, or develop its own self-regulatory privacy policy that conforms to the US-EU Safe Harbor Framework. The participating company is required to implement a privacy policy that complies with these principles and to renew its self-certification annually. The organization must in general provide: (1) notice of its privacy policy; (2) a choice to individuals in relation to the use of personal information; (3) access to the information; and (4) protection of the data.
Alternatively, standard contractual clauses (model contracts) can be used to regulate the transfer of personal data from the EU148. The contractual clauses aim to establish adequate safeguards by imposing obligations similar to those set out in the Safe Harbor program, and they incorporate the Directive’s principles. US multinationals also have the option of developing a set of binding corporate rules to regulate data protection that apply to all intra-group transfers of personal data outside of the EU149. The binding corporate rules must be approved separately in each EU Member State where the multinational has an office, and the applicant must describe the data protection audit plan, the processing and flows of information, the data protection safeguards, and the mechanisms for reporting and recording changes. Moreover, the multinational company is required to demonstrate that these rules are binding both internally and externally.
By contrast, the Australian Privacy Act 1998 permits organizations to choose one of several options set out in NPP 9 in order to make the transfer of individuals’ personal information to overseas destinations acceptable. NPP 9 states that an organization in Australia or an external territory may transfer personal information about an individual to someone (other than the organization or the individual) who is in a foreign country only if:
Privacy legislation in Canada does not specifically prohibit the cross-border transfer or disclosure of personal information. However, special considerations and notice requirements apply150.
As discussed above, whenever there is a transfer of information, service provider organizations continue to be held accountable for the protection of personal information. This is also true with respect to cross-border transfers of information. Additionally, under PIPEDA, organizations must notify individuals that their information may be processed or stored outside Canada, and that local courts, law enforcement and national security authorities of that jurisdiction may have access to the information151.
The province of Québec restricts the transfer of personal information outside the province in its private sector privacy legislation. An organization may not communicate personal information outside of Québec if the organization considers that the personal information may be used for purposes other than those for which it was collected or disclosed to third parties without consent152.
In the province of Alberta, if an organization outside of Canada collects, uses or discloses personal information, the organization’s policies and practices must include information (in writing) regarding (a) the countries outside Canada in which the collection, use, disclosure or storage is occurring or may occur; and (b) the purposes for which the service provider (which includes affiliates) outside Canada has been authorized to collect, use or disclose the personal information153. Notice that an organization outside of Canada will use, collect or store personal information must be given before or at the time the personal information is collected or transferred outside of Canada. The individual must also be told how to obtain access to written information about the organization’s policies and practices with respect to service providers outside Canada, and must be given the name or position of a person who is able to answer the individual’s questions about the collection, use, disclosure or storage of personal information by service providers outside Canada for or on behalf of the organization.
131 Other countries follow an approach similar to the EC. For example, in Canada, see Privacy Act (R.S.C. 1985, c. P-21) and Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5); and, in Australia, see Privacy Act 1988 (Cth); Telecommunications Act 1997 (Cth); Data-matching Program (Assistance and Tax) Act 1990 (Cth); Crimes Act 1914 (Cth); Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), which amended the Privacy Act 1988; and Healthcare Identifiers Act 2010 (HI Act) (Cth).
132 Drug and Alcoholism Abuse Confidentiality Statutes, 21 U.S.C. § 1175; 42 U.S.C. § 290dd-3; Genetic Information Nondiscrimination Act, P.L. 110-233, 122 Stat. 881; Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. § 1306; Employee Retirement Income Security Act, 29 U.S.C. § 1025; and Health Information Technology for Economic and Clinical Health Act (HITECH Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009), Pub. L. No. 111-5.
133 Electronic Funds Transfer Act, 15 U.S.C. §§ 1693, 1693m; Fair Credit Reporting Act (1970), 15 U.S.C. § 1681 et seq.; Fair Credit Billing Act, 15 U.S.C. § 1666; Consumer Financial Protection Act of 2010, Pub. L. No. 111-203, 124 Stat. 1376 (part of Dodd-Frank and not yet codified); Right to Financial Privacy Act (1978), 12 U.S.C. § 3401 et seq.; Taxpayer Browsing Protection Act (1997), 26 U.S.C. §§ 7213, 7213A and 7431; Gramm-Leach-Bliley Act (1999), 15 U.S.C. §§ 6801-6809; Fair and Accurate Credit Transactions Act (2003), Pub. L. 108-159 (amendments to the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.); and Equal Credit Opportunity Act, 15 U.S.C. § 1691 et seq.
134 The Electronic Communications Privacy Act (1986), 18 U.S.C. § 2510-22; The Communications Act of 1934, 47 U.S.C. § 151 et seq.; Counterfeit Access Device and Computer Fraud Abuse Act of 1984, 18 U.S.C. § 1030; Telecommunications Act of 1996, 47 U.S.C. § 222 (Amending the Communications Act of 1934); Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (Wiretap Act), 18 U.S.C. §§ 2510-2522; Communications Assistance for Law Enforcement Act of 1994, 47 U.S.C. §§ 1001-1010; Wireless Communication and Public Safety Act (1999), Pub. L. No. 106–81 (Amending the Communications Act of 1934); Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act), Pub. L. No. 107-56; Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA), Pub. L. 108-458; Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Commission Act), Pub. L. 110-53; Foreign Intelligence Surveillance Act of 1978 (FISA), 50 U.S.C. §§ 1801-11, 1821-29, 1841-46, 1861-62, 1871; and The National Security Act of 1947, 50 U.S.C. § 401 et seq.
135 Children’s Online Privacy Protection Act (COPPA) of 1998, 15 U.S.C. §§ 6501–6506.
136 Telephone Consumer Protection Act of 1991, 47 U.S.C. 227; Do-Not-Call Implementation Act of 2003, 15 U.S.C. § 6101 et seq.; and Do-Not-Call Improvement Act of 2007, Pub. L. No. 110-187, amending the DNCI Act of 2003.
137 Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act), 15 U.S.C. 7701 et seq.
138 Employee Polygraph Protection Act, 29 U.S.C. § 2001 et seq.; and Equal Employment Opportunity Act, 42 U.S.C. § 2000e et seq.
139 Census Confidentiality Statute of 1954, 13 U.S.C. § 9; Computer Security Act, 40 U.S.C. § 1441; Criminal Justice Information Systems, 42 U.S.C. § 3789g; Driver’s Privacy Protection Act of 1994, 18 U.S.C. § 2721; Freedom of Information Act (1966), 5 U.S.C. § 552; Privacy Act of 1974, 5 U.S.C. § 552a; Privacy Protection Act of 1980, 42 U.S.C. § 2000aa et seq. (media source protection); and E-government Act of 2002, 44 U.S.C. § 101 et seq.
140 Administrative Procedure Act, 5 U.S.C. §§ 551, 554-558; Family Education Rights and Privacy Act of 1974, 20 U.S.C. § 1232g; Cable Communications Policy Act of 1984 and Cable TV Privacy Act of 1984: both at 47 U.S.C. § 551; and Video Privacy Protection Act of 1988, 18 U.S.C. § 2710. For a more detailed discussion of U.S. privacy laws, see M. Fuchs, R. Plesser & M. Power, Privacy: U.S. and International, American Bar Association, 25th Annual Forum on Franchising (2002); and P. Jones & D. Koch, Privacy Issues Affecting Franchising, American Bar Association, 27th Annual Forum on Franchising (2004).
141 E-Privacy Directive, 2002/58/EC.
142 Council Framework Decision 2008/977/JHA.
143 N. Robinson, H. Graux, M. Botterman & L. Valeri, Review of the European Data Protection Directive (2009).
144 Christoph Wildhaber, International Franchising — Data Protection — the European perspective, page 118.
145 Christoph Wildhaber, p. 118.
146 http://ec.europa.eu/justice/policies/privacy/thirdcountries/index_en.htm
147 https://safeharbor.export.gov/list.aspx
148 Official Journal of the European Union, L 39/10, 12 February 2010; and L385/77 29 December 2004.
149 E.g. Working Party document WP 108, Working Document Establishing a model checklist for approval of Binding Corporate Rules, 14 April 2005; http://ec.europa.eu/justice_home/fsj/privacy/docs/wp108_en.pdf
150 Additional considerations and restrictions apply to the cross-border transfer or disclosure of personal information by public bodies.
151 Richard D. Leblanc: “Privacy Issues in Franchise Relationships: A Practical Guide”, page 5, 2006. http://www.millerthomson.com/assets/files/article_attachments/RLeblanc_Privacy%20Issues%20in%20Franchise%20Relationships.pdf
152 Fred H. Cate: “Provincial Canadian Geographic Restrictions on Personal Data in the Public Sector” page 9, 2008, in: The Centre For Information Policy Leadership http://www.hunton.com/files/Publication/2a6f5831-07b6-4300-af8d-ae30386993c1/Presentation/PublicationAttachment/0480e5b9-9309-4049-9f25-4742cc9f6dce/cate_patriotact_white_paper.pdf
153 Madeleine Donahue: “Recent Developments in Privacy Laws”, 2010 in: Macleod Dixon. http://www.macleoddixon.com/documents/Recent_Developments_In_Privacy_Laws_Legal_Alert.pdf