Class 13 Internet Privacy Law European Privacy.

Post on 23-Dec-2015


Class 13

Internet Privacy Law

European Privacy

Differing Approaches (Europe vs. United States)

General Terms
  Europe: Data Protection
  United States: Privacy

Definition
  Europe: Data protection is privacy-related laws and regulations
  United States: Privacy is policies, laws, and regs

Treatment of Privacy
  Europe: Fundamental human right. No processing of PI is the default, and processing must meet strict guidelines.
  United States: Some constitutional rights to privacy. Commercial use is acceptable. Processing limited by sector.

Privacy Protection Model
  Europe: Comprehensive
  United States: Sectoral

Sensitive Information
  Europe: race/ethnic origin, political opinion, religion, health or sex life, criminal history, union membership
  United States: SSN, driver's license, medical records, financial info

The Comprehensive Model

❖ EU data protection directive (1998)

❖ Parental consent before collecting data from under 13

❖ Companies with >250 employees must have data protection

Why the different approaches to privacy?

Defining what is private in EU

❖ EU definition of PI

❖ Any information relating to an identified or identifiable individual (includes name, address).

❖ Personal data

❖ Any information related to an identifiable natural person

EU Data Protection Roles

❖ DPA in each member state

❖ Data controller – individual in entity who directs data management (most laws are focused on data controller)

❖ Data processor – follows the orders of the data collector

❖ Data subject – the user

❖ Processing – under EU law, ANYTHING done with PI is processing (even storage)

Generally

❖ Processing of PI prohibited unless:

❖ Notice

❖ Consent

❖ Data quality principles

❖ Other exceptions

❖ Special processing for certain categories

❖ Right to access and object

❖ Controls on automated decisions

❖ Notice to DPAs

❖ Transfer restrictions

Legitimate Processing

❖ EXPRESS CONSENT unless

❖ Contract where the data subject is a party to the contract

❖ Legal obligation

❖ Vital interests of the data subject

❖ Legitimate use

❖ Processing of Sensitive PI PROHIBITED unless:

❖ Explicit consent

❖ Vital interests

❖ Public information

Transferring Out of Europe

❖ Adequacy

❖ Andorra, Argentina, Canada (commercial organizations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US Department of Commerce's Safe Harbor Privacy Principles

❖ Safe-harbor (Between EU and US only)

❖ Model contracts

❖ Limited exceptions

❖ Binding corporate rules

Employee Privacy

❖ May not probe into past

❖ Employee monitoring ONLY with specific justification

❖ Background checks are limited

❖ Employers required to consult trade union agreements and regulations

EU Cookie Directive

❖ The ePrivacy directive – more specifically Article 5(3) – requires prior informed consent for storage of or access to information stored on a user's terminal equipment.

❖ In other words, you must ask users if they agree to most cookies and similar technologies … before the site starts to use them.

❖ However, some cookies are exempt from this requirement. Consent is not required if the cookie is:

❖ used for the sole purpose of carrying out the transmission of a communication, and

❖ strictly necessary in order for the provider of an information society service explicitly required by the user to provide that service.

Closing out the class