Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
香港六合彩 » SlideShare
1. Privacy and Security in the Information AgePrivacy and Security in the Information Age
Conference, Melbourne, AustraliaConference, Melbourne, Australia
August 16, 2001August 16, 2001
The United States Government’sThe United States Government’s
Approach to Privacy:Approach to Privacy:
The EU Directive and theThe EU Directive and the
Safe Harbor FrameworkSafe Harbor Framework
Patricia M. SefcikPatricia M. Sefcik
U.S. Department of CommerceU.S. Department of Commerce
2. 2
Privacy in Europe and the U.S.Privacy in Europe and the U.S.
The European privacy system is basedThe European privacy system is based
on comprehensive legislation.on comprehensive legislation.
The U.S. privacy system is based onThe U.S. privacy system is based on
self regulation and sector specificself regulation and sector specific
legislation in highly sensitive areaslegislation in highly sensitive areas
such as financial, medical, children’ssuch as financial, medical, children’s
and genetic information.and genetic information.
3. 3
Historical Overview: Safe HarborHistorical Overview: Safe Harbor
OCTOBER 1998
– EU’s sweeping privacy directive went into effect
JULY 2000
– Safe Harbor principles are deemed adequate
NOVEMBER 1, 2000
– Safe Harbor becomes effective
– DOC launches safe harbor website
http://www.export.gov/safeharbor
JANUARY 4, 2001
– Official Department of Commerce roll-out
JANUARY-AUGUST, 2001
– Outreach events
4. 4
Safe Harbor ImplementationSafe Harbor Implementation
What are the Benefits?What are the Benefits?
Who Can Join and How?Who Can Join and How?
How and Where will Safe Harbor beHow and Where will Safe Harbor be
Enforced?Enforced?
5. 5
The Safe Harbor FrameworkThe Safe Harbor Framework
• 7 Privacy Principles7 Privacy Principles
• 15 FAQ’s15 FAQ’s
• European Commission’s adequacyEuropean Commission’s adequacy
determinationdetermination
• Letters between U.S. Dept. ofLetters between U.S. Dept. of
Commerce and the EuropeanCommerce and the European
CommissionCommission
• Letters from U.S. Dept. ofLetters from U.S. Dept. of
Transportation and Federal TradeTransportation and Federal Trade
CommissionCommission
6. 6
The 7 Safe Harbor PrinciplesThe 7 Safe Harbor Principles
1)1) NoticeNotice
2)2) ChoiceChoice
3)3) Onward TransferOnward Transfer
4)4) SecuritySecurity
5)5) Data IntegrityData Integrity
6)6) AccessAccess
7)7) EnforcementEnforcement
7. 7
The Safe Harbor PrinciplesThe Safe Harbor Principles
(1) NOTICE(1) NOTICE
Inform individuals about the purpose for which theInform individuals about the purpose for which the
information is being collected.information is being collected.
Inform individuals about how to contact theInform individuals about how to contact the
organizations with inquiries or complaints.organizations with inquiries or complaints.
Provide information on the types of third parties toProvide information on the types of third parties to
which information is being disclosed, and the choiceswhich information is being disclosed, and the choices
and means offered for limiting its use and disclosure.and means offered for limiting its use and disclosure.
8. 8
The Safe Harbor PrinciplesThe Safe Harbor Principles
(2) CHOICE(2) CHOICE
An organization must offer individuals the opportunityAn organization must offer individuals the opportunity
to choose (opt out) whether their personal informationto choose (opt out) whether their personal information
is (a) to be disclosed to a third party, or (b) to be usedis (a) to be disclosed to a third party, or (b) to be used
for a purpose that is incompatible with the purposesfor a purpose that is incompatible with the purposes
for which it was originally collected or subsequentlyfor which it was originally collected or subsequently
authorized by the individual.authorized by the individual.
Individuals must be provided with clear andIndividuals must be provided with clear and
conspicuous, readily available, and affordableconspicuous, readily available, and affordable
mechanisms to exercise choice.mechanisms to exercise choice.
9. 9
The Safe Harbor PrinciplesThe Safe Harbor Principles
CHOICE: Sensitive InformationCHOICE: Sensitive Information
For sensitive information (i.e. medical/ healthFor sensitive information (i.e. medical/ health
conditions; racial/ethnic origin; political opinions;conditions; racial/ethnic origin; political opinions;
religious/ philosophical beliefs; trade unionreligious/ philosophical beliefs; trade union
membership; sex life), individuals must be givenmembership; sex life), individuals must be given
affirmative or explicit (opt in) choice if the informationaffirmative or explicit (opt in) choice if the information
is to be disclosed to a third party or used for ais to be disclosed to a third party or used for a
purpose other than those for which it was originallypurpose other than those for which it was originally
collected or subsequently authorized.collected or subsequently authorized.
10. 10
The Safe Harbor PrinciplesThe Safe Harbor Principles
(3) ONWARD TRANSFER(3) ONWARD TRANSFER
To disclose information to a third party, organizationsTo disclose information to a third party, organizations
must apply the notice and choice principles.must apply the notice and choice principles.
Notice and Choice are not required for data transfersNotice and Choice are not required for data transfers
to an agent (someone who acts on behalf of theto an agent (someone who acts on behalf of the
transferor) if it is first determined by the organizationtransferor) if it is first determined by the organization
that the agent complies with the safe harborthat the agent complies with the safe harbor
principles, or is subject to the directive or anotherprinciples, or is subject to the directive or another
adequacy finding, or enters into a written agreementadequacy finding, or enters into a written agreement
with the organizationwith the organization..
11. 11
The Safe Harbor PrinciplesThe Safe Harbor Principles
(4) SECURITY(4) SECURITY
Organizations creating, maintaining, using orOrganizations creating, maintaining, using or
disseminating personal information must takedisseminating personal information must take
reasonable precautions to protect it from loss, misusereasonable precautions to protect it from loss, misuse
and unauthorized access, disclosure, alteration andand unauthorized access, disclosure, alteration and
destruction.destruction.
Organizations must take more care to protectOrganizations must take more care to protect
sensitive information, as it is defined in the principles.sensitive information, as it is defined in the principles.
12. 12
The Safe Harbor PrinciplesThe Safe Harbor Principles
(5) DATA INTEGRITY(5) DATA INTEGRITY
Personal information must be relevant for thePersonal information must be relevant for the
purposes for which it is to be used. An organizationpurposes for which it is to be used. An organization
may not process personal information in a way that ismay not process personal information in a way that is
incompatible with the purposes for which it has beenincompatible with the purposes for which it has been
collected or subsequently authorized by thecollected or subsequently authorized by the
individual.individual.
To the extent necessary for those purposes, anTo the extent necessary for those purposes, an
organization should take reasonable steps to ensureorganization should take reasonable steps to ensure
that data is reliable for its intended use, accurate,that data is reliable for its intended use, accurate,
complete, and current.complete, and current.
13. 13
The Safe Harbor PrinciplesThe Safe Harbor Principles
(6) ACCESS(6) ACCESS
Individuals must have access to personal informationIndividuals must have access to personal information
about them that an organization holds and be able toabout them that an organization holds and be able to
correct, amend, or delete that information where it iscorrect, amend, or delete that information where it is
inaccurate, except where the burden or expense ofinaccurate, except where the burden or expense of
providing access would be disproportionate to theproviding access would be disproportionate to the
risks to the individual’s privacy in the case inrisks to the individual’s privacy in the case in
question, or where the rights of persons other thanquestion, or where the rights of persons other than
the individual would be violated.the individual would be violated.
14. 14
The Safe Harbor PrinciplesThe Safe Harbor Principles
(7) ENFORCEMENT(7) ENFORCEMENT
1.1. Follow-up procedures forFollow-up procedures for verifyingverifying that safe harborthat safe harbor
policies and mechanisms have been implemented;policies and mechanisms have been implemented;
2.2. Readily available and affordable independentReadily available and affordable independent
recourse mechanismsrecourse mechanisms to investigate and resolveto investigate and resolve
complaints brought by individuals;complaints brought by individuals;
3.3. Obligations toObligations to remedyremedy problems arising out of aproblems arising out of a
failure by the organization to comply with thefailure by the organization to comply with the
principles.principles.
15. 15
DIRECT COMPLIANCE WITHDIRECT COMPLIANCE WITH
THE EU DIRECTIVETHE EU DIRECTIVE
CONSENTCONSENT
ENTERING INTO A MODELENTERING INTO A MODEL
CONTRACTCONTRACT
Other Ways To ComplyOther Ways To Comply
With The Directive:With The Directive:
16. 16
Safe Harbor:Safe Harbor:
Next StepsNext Steps
Mid-Year ReviewMid-Year Review
““Visual” ComplianceVisual” Compliance
Financial Service NegotiationsFinancial Service Negotiations
DPA VisitDPA Visit
EU Directive ReviewEU Directive Review
17. 17
CONCLUSIONCONCLUSION
Additional resources are available onAdditional resources are available on
the safe harbor websitethe safe harbor website
www.export.gov/safeharborwww.export.gov/safeharbor
• Safe Harbor List (updated regularly)Safe Harbor List (updated regularly)
• Safe Harbor WorkbookSafe Harbor Workbook
• Safe Harbor Documents (includingSafe Harbor Documents (including
Principles, FAQ’s, correspondence)Principles, FAQ’s, correspondence)
• Historical Documents (including publicHistorical Documents (including public
comment)comment)
18. 18
Contact InformationContact Information
Patricia Sefcik, DirectorPatricia Sefcik, Director
Office of Electronic CommerceOffice of Electronic Commerce
International Trade AdministrationInternational Trade Administration
U.S. Department ofU.S. Department of
CommerceCommerce
Room 2003Room 2003
14th & Constitution Avenues, NW14th & Constitution Avenues, NW
Washington, DC 20230Washington, DC 20230
Tel: (202) 482-0216Tel: (202) 482-0216
Fax: (202) 482-5522Fax: (202) 482-5522
E-Mail: patty_sefcik@ita.doc.govE-Mail: patty_sefcik@ita.doc.gov
Notas do Editor
The U.S. and the EU have very different approaches to data privacy protection.
Implications of the EU directive:
The EU directive prohibits the transfer of personal data to non-EU countries that do not provide “adequate” privacy protection.
The EU directive covers all industry sectors and virtually all personal data.
European authorities could legally stop data flows at any time.
In 1999, the U.S. had approximately $350 billion in trade with the EU.
Over $120 billion in two-way trade with EU is dependent upon access to personal information.
The U.S. and EU are committed to bridging different approaches to privacy while maintaining data flows and high level of privacy protection.
Benefits of implementing the safe harbor framework:
Predictability and Continuity (all 15 Member States bound by adequacy determination)
Eliminates need for prior approval to begin data transfers
Flexible privacy regime more congenial to U.S. approach
Simpler/more efficient means of compliance.
What organizations may join safe harbor?
U.S. organizations subject to jurisdiction of the FTC or the Dept. of Transportation.
Financial services (Treasury), telecommunications (FCC) (common carriers) and not-for-profits are currently ineligible
Who should join?
Organizations that receive personally identifiable information from EU member states must demonstrate “adequate” privacy protections.
Organizations that have not identified another basis for demonstrating “adequacy” should consider joining safe harbor.
Please be aware that decisions by U.S. organizations to join the Safe Harbor are entirely voluntary.
How may organizations join?
Organizations may self-certify via the Department of Commerce’s safe harbor website
http://www.export.gov/safeharbor or by sending the Department of Commerce a letter.
Organizations must comply with the framework’s requirements and publicly declare (see Jeff on this point) that they do so.
Once received, the information is reviewed for “completeness”.
To be assured of safe harbor benefits, an organization needs to self-certify annually to the DOC.
How and Where will Safe Harbor be Enforced?
In general, enforcement will take place in U.S, in accordance with U.S. law, and will rely, to a great extent, on private sector enforcement.
If an organization persistently fails to comply with safe harbor requirements, it is no longer entitled to safe harbor benefits.
Independent recourse mechanisms are required to notify DOC of such facts. Safe Harbor list will indicate failure to comply.
Failure to comply may also result in an enforcement action by the FTC or DoT. Both exercise their unfair and deceptive practice authority if the company doesn’t live up to its SH commitments.
An organization entering the safe harbor must adhere to 7 privacy principles.
Taking more care to protect sensitive info includes: heightened awareness, internal customized business models, and more secure servers.
There is no joint led approach/request as to the “specifics” of this principle.
The burden or expense is unreasonable due to the cost, logistics and resources.
One can not separate or extract data without compromising other data.
ENFORCEMENT has three components:
Verification, Dispute Resolution and Remedies.
Organizations must have the following enforcement mechanisms in place:
1. Verification
An organization may use a self-assessment or an outside/third-party assessment program.
Under self-assessment, a statement verifying the self-assessment should be signed by a corporate officer or other authorized representative at least once a year.
Under outside assessment, a verification statement should be signed either by the reviewer or by the corporate officer/authorized representative at least once a year.
85% of the 80 firms do self assessment vs. third party assessments, which are noted on self certifying forms.
2. Dispute Resolution
Organizations may choose to have disputes resolved by third-party dispute resolution programs, or they may choose to cooperate with the European Data Protection Authorities (DPA’s).
Third Party Dispute Resolution Programs:
TRUSTe
BBBOnLine
Direct Marketing Associations (DMA)
American Institute of Certified Public Accountants (AICPA)
Judicial Arbitration and Mediation Service (JAMS/Endispute)
WebTrust
Entertainment Software Rating Board
There is a 50% split: SME’s usually go with DPA’s due to the cost ease and larger third party organizations go with 3rd party dispute resolution programs, noted on self certifying forms.
In the case of human resources data, the organization must agree to cooperate with the DPA’s.
3. Human Resources Data
See FAQ 9
Organizations transferring employee data from Europe to the U.S. must:
1) Agree to cooperate with the EU DPAs for purposes of dispute resolution; and
2) Comply with member state law regarding the use of information (i.e. processing requirements).
Employers in EU must comply with member state regulations and ensure that employees have access to such information. Organization processing such data in the U.S. must provide access either directly or through the EU employer.
4. Remedies
The Safe Harbor is not the only means to complying with the EU Adequacy requirement.
Direct compliance with the EU Directive
Consent
Entering into a Model Contract
At the conclusion of the safe harbor negotiations in 2000, the EU began developing standard contractual provisions to be used as another means to comply with the Directive.
On June 18 …
ICC Proposal …
Commerce is currently in the process of consulting with a broad range of stakeholders on how we should work with safe harbor, model contracts and other options to ensure efficient data transfers.
Financial Service Negotiations
The Treasury Department, in consultation with with DOC, is the lead negotiator concerning financial services.
Treasury’s objective is to negotiate an adequacy determination from the European Commission for the Gramm Leach Bliley Act.
EU Directive Review
According to an EU official there has been no standstill on enforcement. If data has been flowing to recipients in the U.S. in the absence of an adequacy finding, it is because the data protection directive provides for this in various ways (exceptions –
article 26.1; Contracts - art 26.2, etc). An adequacy finding is nevertheless desirable because it provides greater legal certainty and simplified procedures for data exporters and importers.