TOP 5 STORIES OF THE MONTH
Canada
Michael Geist reveals the risk of hiring U.S. firms
to manage Canadian data.
APEC
Arrow Augerot describes the APEC Privacy Framework,
which guides the transfer of data between the United
States and other Pacific Rim nations.
Australia
Malcolm Crompton discusses why Australia is strongly
committed to the APEC Framework.
Japan
Cynthia Rich discusses Japan's Basic Law, which comes
into effect in April 2005.
New Benefit
The new Policy Flash e-newsletter updates you on policy
and legislative trends.
Privacy Resource
TRUSTe advises consumers on how to avoid falling prey
to phishers.
Stay Current!
Privacy events around the world and on the Web.
TRUSTe Tech Tip
Don't forget to review your terms-of-use agreement to
make sure it is consistent with your privacy policy.
Welcome New Members
The newest Web sites to display the TRUSTe seal.
The Long Arm of U.S. Law Creates a Privacy Risk for
Canadians
By Michael Geist
Although
the issue has garnered only limited attention in the
rest of the country, for the past few months the privacy
and information technology communities in British Columbia
have been embroiled in a high-stakes debate that raises
difficult questions about the effectiveness of Canadian
privacy law and the potential threat posed by data outsourcing
to the United States.
The
issue first arose earlier this year when the British
Columbia provincial government announced its intention
to find a private-sector partner to manage the operation
of its medical services plan. Soon afterward, the B.C.
Government and Services Employees' Union (BCGEU) launched
a campaign opposing the fact that the government had
contracted out this task to U.S. corporations. The union
cited concerns that Canadian data could be disclosed
to U.S. law enforcement agencies acting under the powers
granted by the U.S. Patriot Act, which was enacted in
response to the events of Sept. 11, 2001.
Milana
Homsi, a recent graduate of the University of Ottawa
Faculty of Law, and I recently released a study on the
issue (read the full report online at http://patriotactbcprivacy.notlong.com).
Our results suggest that the problem is actually far
worse than is generally acknowledged.
A
review of both Canadian and U.S. law leaves little doubt
that U.S. law does grant law-enforcement authorities
the power to compel disclosure of personal information
without notifying the targeted individual that his or
her information is indeed being disclosed. In fact,
disclosing the disclosure is itself a violation of the
law.
The
troubling truth, however, is that this is not strictly
a Patriot Act issue. Rather, there are several U.S.
investigatory powers that grant similar authority. These
powers include grand jury subpoenas and national security
letters, both of which predate the Patriot Act.
Moreover,
the application of these laws is not limited to U.S.
companies but actually applies to any company with sufficient
U.S. connections such that it could find itself subject
to the jurisdiction of the U.S. courts. This is true
both for U.S. companies operating subsidiaries in foreign
countries and for foreign companies with U.S.
subsidiaries.
Since
Canada's privacy law is unlikely to meet the blocking
statute standard, it seems likely that U.S. law enforcement
authorities may indeed compel the disclosure of Canadian
data. In fact, this analysis suggests that the data
don't actually have to leave Canada in order for U.S.
authorities to successfully compel disclosure. As long
as the data are controlled by an entity such as a major
bank or multinational Internet service provider with
U.S. ties, U.S. courts may apply their national law
and force the disclosure of the Canadian personal information.
The
British Columbia outsourcing case has forced the Canadian
privacy and outsourcing communities to come clean on
one of Canada's unwanted privacy secrets. Simply put,
the risk of secret disclosure of personal information
to U.S. authorities is a real one -- and there appears
to be very little that Canadians can do about it.
Michael
Geist is the Canada Research Chair in Internet and E-commerce
Law at the University of Ottawa. Find him online at
www.michaelgeist.ca.
United States Working With Pacific Rim Countries to
Create Trans-National Privacy Framework
By Arrow Augerot
In
the past couple of years, many countries in the Asia-Pacific
region, including Japan, South Korea, Thailand, Malaysia,
and the Philippines, have either passed new information
privacy laws or proposed draft bills in their legislatures.
Concerned that this trend would produce a matrix of
incompatible approaches to the issue in the region --
which would in turn inhibit cross-border trade and slow
the growth of e-commerce -- the Asia Pacific Economic
Cooperation Forum's (APEC) Electronic Commerce Steering
Group (ECSG) began development of an APEC Privacy Framework
in February 2002. Eleven economies are participating
actively in the development of the framework: Australia,
Canada, China, Chinese Taipei, Hong Kong, Japan, South
Korea, Malaysia, New Zealand, Thailand, and the United
States.
The
main purpose of this framework is to create a regional
system for information-privacy protection that achieves
a balance between the establishment of privacy protections
and the maintenance of information flows. Consistent
with the OECD's
1980 Guidelines on the Protection of Privacy and Trans-Border
Flows of Personal Data, both the privacy
principles and the implementation guidance that make
up the bulk of the framework are focused on the achievement
of four main goals:
- To
develop appropriate privacy protections for personal
information
- To
prevent the creation of unnecessary barriers to information
flows
- To
enable multinational businesses to implement uniform
approaches to the collection, use, and processing
of data
- To
facilitate both domestic and international efforts
to promote and enforce information privacy protections
The
ECSG plans to finalize the framework at its September
2004 meeting in Santiago, Chile, and then submit it
to APEC ministers and leaders for their endorsement
in November 2004.
The U.S. Department of Commerce's Office of Technology
and Electronic Commerce leads the U.S. delegation to
the ECSG with the active support of the Federal Trade
Commission, the U.S. Department of Justice, and a number
of industry and consumer groups.
To
download a copy of the latest draft of the framework,
go to www.export.gov/apececommerce.
We at the Office of Technology and Electronic Commerce
welcome all questions or comments on the draft framework.
Arrow
Augerot is a senior international trade specialist at
the U.S. Department of Commerce, Office of Technology
and Electronic Commerce.
Australia Looks to APEC to Improve Pacific Rim Privacy
By Malcolm Crompton
Australia
has taken a strong interest in the work by the Asia-Pacific
Economic Cooperation (APEC) on privacy right from the
beginning. However, our involvement with APEC is only
the latest development in our long history of interest
in the protection of individual privacy. Justice Michael
Kirby of Australia's High Court chaired the
OECD working party that developed the OECD's
1980 privacy principles. Concerned
about the privacy implications, voters also rejected
a universal identity card late in the 1980s.
Australia
extended the coverage of our federal Privacy
Act 1988 to most of the private sector in
2001. One of the primary reasons for this expansion
was to facilitate trans-border data flows of personal
information. However, the European Union's decision
not to deem this legislation adequate, as
it has done elsewhere -- including the U.S.
Safe Harbor arrangements and privacy laws
in Canada and Argentina -- was very disappointing. APEC's
privacy initiative was therefore a major opportunity
to investigate other ways of facilitating trans-border
data flows. Until recently, Peter Ford from the Australian
Attorney General's Department chaired the APEC Privacy
Subgroup that has drafted the APEC
Privacy Framework.
The
new private-sector privacy law appears to have taken
root well in Australia since it came into place two
years ago, finding a middle ground between excessive
laissez faire and zealous overregulation. We stand ready
to contribute this experience to helping the development
of appropriate protection of personal information as
it moves between APEC economies -- arrangements that
need to be flexible, recognizing the realities of today's
business practices while also providing genuine protection
of personal information. Only with such a balanced approach
to privacy will economies around the Pacific Rim generate
the trust required to further growth in trade, including
outsourcing and online commerce.
Malcolm
Crompton is principal of the Trust Dimension, which
provides data-privacy consultancy services, and former
federal privacy commissioner of Australia.
Japan's New 'Basic Law' Defines the Parameters of Privacy
By Cynthia Rich
On
May 23, 2003, Japan enacted the Law Concerning the Protection
of Personal Information, also called the "Basic
Law," regulating the acquisition and dissemination
of personal information for commercial use. Under the
Basic Law, which will become effective on April 1, 2005,
businesses must provide notice about the purposes for
which they collect and use personal information. They
must also adopt security control measures, respond to
access and correction requests from individuals, and
establish a complaint handling system. Unlike the EU
Data Protection Directive, the Basic Law does not impose
any additional requirements on cross-border data transfers.
The
Basic Law, much like other Japanese basic laws, delegates
discretion to national administrative agencies and local
governments to develop regulations that accomplish the
purposes of the law. As provided for under the law,
the Japanese government adopted a "Basic Policy"
in March 2004 that establishes guidelines for the implementation
and enforcement of the Basic Law. The Basic Policy also
provides guidance to national ministries regarding the
development of guidelines in their respective areas.
Under
the Basic Law, personal information is defined as any
information that can identify a specific individual.
It includes publicly available, business contact, professional
designation and registration, and employee (human resources)
information.
Notice
must be provided to the individual directly or through
a public announcement. A change of purpose of use requires
a new notice. Notice must be given when a data leak
occurs. In addition, businesses must provide notice
and obtain consent to share information with third parties
(or provide the individual with the ability to opt out
of such sharing) unless such sharing was included in
a previous notice and made part of the stated purpose
of use.
The
law does not define "third parties," but it
does specifically exclude entities that process data
on a business's behalf, other companies acquired by
or that acquire a business in the course of a merger
or acquisition, and other companies that jointly use
data held by a business (such as co-marketing partners).
Affiliates are considered to be third parties.
The
Basic Law designates certain government ministries with
responsibility for supervision and enforcement. They
are currently in the process of drafting sectoral guidelines
that are expected to be finalized prior to the Basic
Law becoming effective in 2005.
Cynthia
Rich is a senior international policy analyst in the
Washington, D.C., office of Morrison
& Foerster LLP.
Sign up to receive TRUSTe's new Policy Flash!
Privacy
law is changing every day -- and keeping up with it
is a challenge. TRUSTe and the Internet
Alliance's legislative privacy gurus, Emily
Hackett and Kaye Caldwell, are collaborating to bring
you the Policy Flash, a new monthly email newsletter.
This new member benefit is designed to keep TRUSTe sealholders
up to date on trends in privacy legislation and policies
across the United States and in California.
The
Internet Alliance has been the only consistent voice
representing Internet companies across all 50 states.
It has a proven track record of blocking or mitigating
privacy and anti-spam legislation, and a high level
of expertise in the area of Internet state tax. The
alliance seeks to empower and educate state legislators
about the nature of the Internet so they can make informed
decisions while preventing short-sighted laws that will
hurt both the industry and consumers.
To
sign up for the Policy Flash or find out more about
the new e-newsletter, contact Krystal
Putman at TRUSTe.
TRUSTe Advises Consumers on How to Avoid Taking
the "Phishing" Bait
In
response to the sharp increase in email phishing,
TRUSTe has released five rules to help consumers
detect -- and avoid -- phishing scams:
1. Be suspicious of urgent demands for information.
Spoofed emails often make some form of urgent
request. For example, the email will claim that
your account will be terminated if you fail to
confirm your sensitive information.
2. Look for misspelled words or grammatical errors
in the message and/or hyperlink. Blatant misspelled
words or grammatical errors are common in spoof
email scams.
3. Always avoid emailing your personal and financial
information. Before submitting financial or account
information to a Web site, look for a third-party
privacy seal to ensure that the transaction
is secure. Also avoid volunteering private information
like passwords or a personal social security number.
4. Be watchful of general greetings. Many spoof emails
begin with a general greeting such as "Welcome,
eBay User" rather than directly addressing
the registered user by name.
5. Contact the company directly. If you have any
doubts about an email or Web site, open a new
browser and visit the company directly to verify
its Web site. Don't be afraid to call customer
service about an email.
Read
the full article on the new consumer
section of TRUSTe's Web site.
Upcoming KnowledgeNet Luncheons
The
Fall 2004 KnowledgeNet lineup will feature expert speakers
in each city. Watch your inbox for an email invitation
to join us for these free networking luncheons, open
to TRUSTe and IAPP members:
Boston
Time: Sept. 22, 11:30 a.m.
Location: Ernst & Young, 200 Clarendon St., 46th Floor, Boston, MA 02116
Washington, D.C.
Time: Sept. 29, 11:30 a.m.
Location: Ernst & Young, 1225 Connecticut Ave. NW, 2nd floor Conference Center, Room 2130, Washington, DC 20036
Speaker: Laura Mazarella, Federal Trade Commission
Topic: Operational Lessons -- Tower Records & Gateway Learning Corp ("Hooked on Phonics")
Bay Area
Time: Oct. 6, 11:30 a.m.
Location: Ernst & Young, 1001 Page Mill Road, Building 1, Suite 200, Palo Alto, CA 94304
New York
Time: Oct. 12, 11:30 a.m.
Location: Ernst & Young, 5 Times Square, 23rd Floor, New York, NY 10036
Philadelphia
Time: Oct. 13, 11:30 a.m.
Location: Marathon Grill, 2001 Market St., Philadelphia, PA 19103
Speaker: Gerald Lewis, senior counsel & chief privacy officer, Comcast Cable Communications
Additional
luncheons are being held in Chicago (Nov. 10)
and Atlanta (Nov. 18). Watch this space for details.
For more information on these or other KnowledgeNet
Luncheons, contact Krystal Putman, marketing associate,
at kputman@truste.org
or (415) 520-3421.
SAVE the DATE!
TRUSTe
members receive the discounted IAPP member rate for
registration at these upcoming IAPP seminars and conferences:
Privacy and National Security Forum
Location: Renaissance Hotel, Washington, D.C.
Date: September 30, 2004
Entertainment & Privacy Forum
Location: Los Angeles
Date: October 7, 2004
Annual Privacy & Data Security Academy
Location: Marriott, New Orleans
Dates: October 27-29, 2004
For information, registration, sponsorship, and conference
updates, check the IAPP
Web site or contact the IAPP conference office
at (800) 266-6501.
Tech Tip: Ensure consistency in your privacy policies
by aligning your terms-of-service statement with your
privacy statement.
TRUSTe
helps mitigate privacy risk primarily by establishing
and enforcing consistency between the privacy statement
on a TRUSTe member's Web site and the company's online
privacy practices. However, other company policies may
conflict with the privacy statement that TRUSTe approves.
As
such, we strongly recommend that you review your terms-of-service
agreement for potential contradictions in the way these
agreements govern the collection and usage of personally
identifiable information.
One
example: Say your terms-of-use statement includes a
passage indicating that your company "may share
personal data under certain circumstances"; this
policy may have been intentionally drafted to include
the possibility of such a practice at a later date.
Meanwhile, your online privacy statement indicates that
"personal data will not be shared under any circumstances."
The ambiguity of the terms-of-use statement conflicts
directly with the definitive declaration in the privacy
statement; disparities like these magnify your risk
of liability in the event of a privacy dispute.
The
best way to address this issue is to cross-reference
your privacy statement with your terms-of-use statement.
(A reminder: if you wish to alter your privacy statement
to match the latter, first read the July
2003 Tech Tip regarding material changes.)
Updating staff as to the revised terms-of-service statement
will also underscore the change and aid in preventing
mishaps as a result of human error.
By
confirming uniform privacy practices throughout your
Web site, you project a clear and concise impression
to consumers while minimizing your exposure to privacy
risk.
--
Alexander Yap, compliance analyst
TRUSTe would like to congratulate
the following new members on successfully completing
our certification process:
1 800 Mobiles, Adventures Northwest, Applytorefinance.com,
Archer Development, Auctiontool.com, Beliefnet, BullPuckey,
Buysell Website, Considerate Lover, Desert Mentors,
Documatix, DSNR dba Usafis Organization, Employer Services
Assurance Corp., Fort Point Partners, Friendly Web Design,
Fujitsu Computer Systems, HR Integrated Services, McMillion
Research, Merit Property Management, Perfect Contribution
Solutions, Peru Quality Travel, Pharmaopportunities,
RealtyTracker.com, Renesas, Savings Path, Smartbomb.com,
Visible Path Corporation, WP Associates.
Got Feedback?
We would like to hear what you
think of the TRUSTe
Advocate. Send an email with your
comments and suggestions to newsletter@truste.org.
TRUSTe
is an independent, nonprofit organization that administers
the Internet's first and largest privacy seal program.
685 Market Street, Suite 560
San Francisco, CA 94105
(415) 618-3400
Email: privacyseals@truste.org
Web: www.truste.org