E-Discovery in Asia/Pacific: U.S. litigation exposure for Asian … · 2012-02-29 · E-Discovery in Asia/Pacific: U.S. litigation exposure for Asian companies By Thomas Shaw, CIPP

O ne would not expect a Supreme Court Justice to weighin on the question unless it was presented formallybefore the Court. But the absence of a case did not

stop Justice Antonin Scalia from expressing his opinion thatsearching online for personal details about someone—him—iswrong. What prompted the Justice’s pronouncement? FordhamUniversity Professor Joel Reidenberg assigned his privacy classto “Google” Justice Scalia and his family (and look at other pub-licly available sources), as an educational exercise to show justhow much information is out there on the Internet about each ofus. The search turned up family pictures, home phone numbers,and other Scalia family information not intended for the world at large. Professor

Due to expansive rules on discov-ery, jury trials and the size ofdamage awards, plaintiffs world-

wide would choose to bring their claims,if possible, in U.S. courts. As such, when

non-U.S. companies are per-forming their periodic riskanalyses, they must considertheir exposure to U.S. litigation,either directly or through theirU.S. subsidiaries. Having suchexposure means being poten-tially subject to liability for dam-ages but even more likely sub-ject to pre-trial discoveryrequests for paper documentsand electronically stored infor-mation (ESI) (collectively “data”) underthe control of the non-U.S. company.This article focuses on how non-U.S.companies, particularly those based inthe Asia/Pacific region, can analyze anddeal with the risks of U.S. litigation expo-

sure to pre-trial discovery datarequests.

Non-U.S. parent corpora-tions should already understandthat their subsidiaries operatinginside the U.S. have exposureto U.S. litigation, either throughthe well-established principlesof personal jurisdiction orthrough forum selection claus-es in contracts. What is not aswell understood is that non-

U.S. parents themselves may also haveexposure to U.S. litigation pre-trial dis-covery requests. The U.S. Federal Rulesof Civil Procedure (FRCP) used to guide

December 2009 • Volume 9 • Number 11

Editor: Kirk J. Nahra, CIPP

The ethics of “Googling” someone

By Christopher Wolf

Just because you can “Google” someone, should you? This is a good question forthe U.S. Federal Trade Commission, which is re-examining privacy during a series ofroundtable events this winter.

See, E-discovery in Asia/Pacific, page 3

This Month

Notes from the Executive Director ............ 2

Thank you authors ...................................... 9

Global Privacy Dispatches ......................... 10

Privacy Classifieds ...................................... 11

Surveilled .................................................... 16

Privacy news .............................................. 20

Calendar of events ..................................... 21

Did You Know? ........................................... 22

The Lighter side of Privacy ........................ 22

E-Discovery in Asia/Pacific:U.S. litigation exposure for Asian companiesBy Thomas Shaw, CIPP

See, Ethics of Googling, page 15

Thomas Shaw

Christopher Wolf

This is the second article in a three-partseries exploring litigation exposure andreadiness for Asian companies. Here,Thomas Shaw explores how Asia/Pacific-based companies can analyze and dealwith the risks of U.S. litigation exposureto pre-trial discovery data requests. Partthree will review the principles of theAPEC Privacy Framework, comparingAsian countries’ privacy laws to thoseprinciples and suggesting a model set ofcorporate privacy principles.

109537_Dec_Advisor1 12/29/09 1:44 PM Page 1

THE PRIVACY ADVISOREditorKirk J. Nahra, CIPP, Wiley Rein [email protected]+202.719.7335

Publications DirectorTracey [email protected]+207.351.1500

The Privacy Advisor (ISSN: 1532-1509) is published bythe International Association of Privacy Professionalsand distributed only to IAPP members.

ADVISORY BOARD

Nathan Brooks, CIPP, General Counsel, U.S. ISS Agency, LLC

Keith P. Enright, CIPP, CIPP/G, VP, Privacy & Chief PrivacyOfficer, Macy’s Inc.

Debra Farber, CIPP, CIPP/G, Privacy Officer, The AdvisoryBoard Company

Jill Frisby, CIPP, Manager, Crowe Horwath, LLP

Brian Hengesbaugh, CIPP, Partner, Privacy/InformationTechnology/E-Commerce, Baker & McKenzie LLP

Steven B. Heymann, CIPP, VP, Compliance andInformation Practices, Experian

Jim Keese, CIPP, Global Privacy Officer, VP Records &Information Mgmt., The Western Union Company

Robert Mahini, Attorney, Federal Trade Commission

Flemming Moos, Lawyer, DLA Piper UK LLP

David Morgan, CIPP, CIPP/C, Privacy Officer - SecondaryUses, Newfoundland and Labrador Centre for HealthInformation

Lydia E. Payne-Johnson, CIPP, Financial ServicesPrivacy Consultant, PricewaterhouseCoopers, LLP

Dan Ruch, Privacy and Data Protection Specialist

Luis Salazar, CIPP, Shareholder, Greenberg Traurig

Julie Sinor, CIPP, Information Management Consultant,PricewaterhouseCoopers, LLP

Kathleen Street, CIPP, Asst. Vice President, CorporateCompliance and Privacy, Children’s Health System

Frances Wiet, CIPP, Chief Privacy Officer, HewittAssociates LLC

To Join the IAPP, call:+800.266.6501

Advertising and Sales, call:+800.266.6501

PostmasterSend address changes to:IAPP170 Cider Hill RoadYork, Maine 03909

Subscription PriceThe Privacy Advisor is an IAPP member benefit.Nonmember subscriptions are available at $199 per year.

Requests to ReprintTracey [email protected]

Copyright 2009 by the International Association ofPrivacy Professionals. All rights reserved. Facsimilereproduction, including photocopy or xerographic reproduction, is strictly prohibited under copyright laws.

Our first issue of the Advisor every year has always beenabout looking forward into the New Year. What will

change in the privacy world? What new laws and regulations will challenge privacy pros? What major media stories—whetherbreaches, emerging technologies, or boundary-stretching busi-ness models—will strain our current tools for managing data?There are always more questions than can possibly be answered.

Next month’s issue will be packed with the predictions ofprivacy pros and luminaries. Until then, permit me to gaze intothe cloudy crystal ball of privacy, fully understanding that pre-dictions are always a risk—and frequently prove embarrassing when viewed with theclarity of hindsight.

It is difficult to argue that privacy has only grown in significance in the past 12months. And, looking forward, we have to assume that the issues we grapple with dailywill only continue to expand. In 2010, we can expect further discussions of the EUData Protection Review, an FTC staff report on the heels of the “Exploring Privacy”roundtable series, and an oft-predicted privacy bill in Congress. But we knew thesethings already. What else might challenge us in 2010?

Make sure you keep your eyes on the U.S. Supreme Court, which will decide theQuon case in the first half of the year. This case has the potential to throw asunder thestatus quo of employee privacy in the U.S. The case deals with the murky intersectionof employer-provided technology and the reality of a converged work/home lifestyle.The legal and social aspects of Quon make the privacy issues particularly fascinating.

Watch for a proliferation of symbols, icons, and novel notices to try to communi-cate data practices to the marketplace. Privacy pros are doing some incredible work inthis space—with the Future of Privacy Forum and others pushing our current thinkingabout notice in helpful new directions. It is unclear which, if any, of these ideas willgain traction. But it is certainly encouraging to see the level of innovation.Be prepared for continued acceleration in the debate over consumer privacy online.Many regulators around the world—including the FTC, Canada’s privacy commission-er, and various EU data protection authorities—are continuing to look closely at socialnetworking, online video postings, street imaging services, and behavioral advertising.Some of these debates are near a breaking point, where new standards will emerge orbusiness models will be forced to change. More aggressive enforcement in this space iscertainly a possibility as well.

Expect continued growth in the size and sophistication of the privacy profession.In 2009, the IAPP grew 20 percent in membership. When considered against the backdrop of the economy, that growth is nothing short of astounding. In 2010, as themarket begins to loosen up, we can certainly expect that more privacy pros will be hiredto respond to the myriad issues our profession manages.

And I would be remiss if I did not mention that, in 2010, the IAPP will be celebrating its 10th anniversary. Hard to believe, but our organization has been aroundfor a whole decade! So my safest prediction is that the IAPP will be gathering membersaround the world to recognize how far we have come as a profession in these few years.We certainly have a lot to celebrate.

J. Trevor Hughes, CIPPExecutive Director, IAPP

Notes From the Executive Director

December • 2009

2 www.privacyassociation.org


U.S. civil litigation only give the respond-ing party about 100 days to be able tofully describe their data that is respon-sive to a lawsuit. As such, non-U.S.-based parent corporations need to proac-tively evaluate their litigation exposurerisks and if so exposed, prepare them-selves well in advance to be able torespond quickly and fully to pre-trial dis-covery requests for the production ofresponsive corporate data.

When performing such a risk analy-sis for U.S. litigation discovery exposure,a non-U.S. corporate parent with U.Ssubsidiaries must answer the followingfour questions:

• Will U.S. pre-trial discovery take placeunder U.S., international, or local rules?

• Will U.S. courts have the power toorder a non-U.S. corporation to pro-duce data?

• Will U.S. courts order discovery if thereare local data protection laws in place?

• What additional factors will U.S. courtsconsider for discovery of overseas ESI?

Procedural rules Under the U.S. FRCP (and similar staterules), a party to a lawsuit may requestthe other party or a non-party to producedata. This data can involve “any non-privi-leged matter that is relevant to anyparty's claim or defense.” The respond-ing party may voluntarily reply to theserequests but if it does not, the initiatingparty may request a court order com-pelling discovery. To issue such an order,the court must have personal jurisdictionover the party who will be compelledand that party must have control of thedocuments (see following section). Butfor responding parties located outsidethe U.S. who control data that is thesubject of a discovery productionrequest, the court may have to considera second set of procedural rules availablefrom the Hague Conference on PrivateInternational Law.

The Convention on the Taking ofEvidence Abroad in Civil or CommercialMatters (the “Hague Convention”) is amultilateral agreement detailing proce-dures for requesting evidence from theauthorities in another country. Almost 50countries are currently signatories,including the U.S. Both the FRCP andthe Hague Convention are consideredthe law of the United States. Under theHague Convention, to obtain evidence inthe other signatory country, a letter ofrequest is transmitted to that country’sCentral Authority for execution. InAerospatiale, the U.S. Supreme Courtruled that the Hague Convention isintended as an optional supplement toobtain evidence located abroad, asopposed to the exclusive procedure forrequesting such evidence. The determi-nation of whether the Hague Conventionshould be utilized is based on thesethree factors:

• the particular facts of each case;

• the sovereign interests of the respective countries;

• the likelihood that the HagueConvention procedures will proveeffective.

A party wanting to utilize the HagueConvention has the burden of persua-sion regarding its use instead of theFRCP. Article 23 of the HagueConvention allows signatories to passlaws to refuse to comply with commonlaw discovery requests. In Asia/Pacific,only four major countries are signatoriesof the Hague Convention (Australia,China including Hong Kong and Macau,India, and Singapore). Each of thesecountries has taken an Article 23 reser-vation, meaning that letters of requestsfor discovery will not be executed by thelocal officials. Only China for itself (notHong Kong or Macau) states that it willexecute a letter or request that has a“direct and close connection with thesubject matter of the litigation will beexecuted.” Even then, it may not be

170 Cider Hill RoadYork, ME 03909 Phone: +800.266.6501 or +207.351.1500Fax: +207.351.1501Email: [email protected]

The Privacy Advisor is the official newsletter of theInternational Association of Privacy Professionals. All activeassociation members automatically receive a subscription toThe Privacy Advisor as a membership benefit. For details aboutjoining IAPP, please use the above contact information.

BOARD OF DIRECTORSPresidentJonathan D. Avila, CIPP, Vice President – Counsel, ChiefPrivacy Officer, The Walt Disney Company, Burbank, CA

Vice PresidentNuala O’Connor Kelly, CIPP/G, Chief Privacy Leader,General Electric Company, Washington, DC

TreasurerDavid Hoffman, CIPP, Director of Security Policy and GlobalPrivacy Officer, Intel Corp., Germany

SecretaryAmy Yates, CIPP, Director, Privacy and Data Protection,Deloitte & Touche LLP, Chicago, IL

Past PresidentSandra R. Hughes, CIPP, Global Ethics, Compliance andPrivacy Executive, The Procter & Gamble Company,Cincinnati, OH

Executive Director, IAPPJ. Trevor Hughes, CIPP, York, ME

Bojana Bellamy, Director of Data Privacy, Accenture, London

Agnes Bundy Scanlan, Esq., CIPP, Chief Regulatory Officer, TDBank, Boston, MA

Malcolm Crompton, CIPP, Managing Director, InformationIntegrity Solutions Pty Ltd., Chippendale, Australia

Stan Crosley, Esq., CIPP, Chief Privacy Officer, Eli Lilly and Co.,Indianapolis, IN

Dean Forbes, CIPP, Senior Director Global Privacy, Schering-Plough Corp., Kenilworth, NJ

D. Reed Freeman, Jr., CIPP, Partner, Morrison & Foerster, LLP,Washington, DC

Jeff Green, CIPP/C, VP, Global Compliance & Chief PrivacyOfficer, RBC, Toronto, ON

Kirk M. Herath, CIPP/G, Associate Vice President, ChiefPrivacy Officer, Associate General Counsel, NationwideInsurance Companies, Columbus, OH

Jane Horvath, CIPP, CIPP/G, Senior Privacy Counsel, Google

Alexander W. Joel, CIPP/G, Civil Liberties Protection Officer,Office of the Director of National Intelligence, Bethesda, MD

Harriet Pearson, CIPP, VP Security Counsel & Chief PrivacyOfficer, IBM Corporation, Armonk, NY

Zoe Strickland, CIPP/G, Vice President, Chief Privacy Officer,Wal-Mart Stores, Inc.

Brian Tretick, CIPP, Executive Director, Ernst & Young,McLean, VA

Ex Officio Board MemberKirk J. Nahra, CIPP, Partner, Wiley Rein LLP, Washington, DC


E-discovery in Asia/Pacific

continued from page 1

THE PRIVACY ADVISOR

International Association of Privacy Professionals 3


timely as, according to the StateDepartment, “while it is possible torequest compulsion of evidence in Chinapursuant to a letter rogatory or letter ofrequest (Hague Evidence Convention),such requests have not been particularlysuccessful in the past. Requests maytake more than a year to execute.” HongKong, Macau, Australia, India, andSingapore will not even execute a letterof request for purposes of obtaining pre-trial discovery of documents. Australia’sdeclaration is typical of these: “pursuantto Article 23, [we] will not executeLetters of Request issued for the pur-pose of obtaining pre-trial discovery ofdocuments as known in common lawcountries.” As such, a responding partyfrom an Asia/Pacific signatory country isunlikely to persuade a U.S. court to usethe Hague Convention.

For parties based in all otherAsia/Pacific countries who are not HagueConvention signatories, a U.S. courtwould likely determine whether theFRCP or local rules of discovery would beused, based on two steps: first to deter-mine whether a conflict exists betweenthe two sets of procedural rules and sec-ond to perform a comity analysis. Thecomity analysis, endorsed in Aerospatialeand based on the Restatement (Third) ofForeign Relations Law §442(1)(c), usesthe following five factors:

• importance to the litigation of the information requested;

• degree of specificity of the discoveryrequest;

• whether the information originated inthe U.S.;

• availability of alternate means of securing the requested information;

• extent to which non-compliance would undermine important interestsof the U.S. or compliance would undermine important interests of the other country involved.

Other courts have used additional fac-tors, such as hardship, on the respond-ing party if facing criminal sanctions forproducing the data or a non-party status.In In re Vitamins, because it is not aHague Convention signatory, Japan’sCode of Civil Procedure Law was ana-lyzed and a conflict was found betweenthe local law and the FRCP. Then thecomity analysis found that the local pro-cedural rules would not allow for a“prompt and efficient resolution” and sothe court ordered discovery to proceedunder the FRCP instead.

Jurisdiction and controlA U.S. court can order a non-U.S. parentcorporation to produce data if the court:

• has personal jurisdiction directly overthe non-U.S parent;

• can acquire personal jurisdiction overthe parent indirectly through a U.S.subsidiary;

• determines the subsidiary has controlover or access to the non-U.S. parent’sdata.

Personal jurisdiction directly

A U.S. court must have personal jurisdic-tion over the responding party againstwhom production of the relevant data issought under pre-trial discovery. The stan-dard analysis is under “minimum con-tacts,” requiring the responding party tohave a certain minimum level of contactswith the forum the court is situated in, asfirst described in International Shoe. Theminimum contacts analysis under localstatutes allows for jurisdiction that iseither “general” or “specific.” Generaljurisdiction will support “a suit not arisingout of or related to defendant's contactswith the forum” if the respondent hascontinuous and systematic contacts withthe forum. Specific jurisdiction will sup-port “a suit arising out of or related to thedefendant's contacts with the forum”when the defendant has purposelyavailed itself of the benefits of the forum.In addition, the result must comport withdue process in that it is reasonable andwith sufficient notice.

Under either general or specificjurisdiction, a U.S. subsidiary of a non-U.S. parent corporation doing businesswithin the U.S. would likely come underthe jurisdiction of the U.S. courts. A non-U.S. parent corporation that is doingbusiness directly through a U.S. branchoffice would also. But would the non-U.S. parent corporation itself fall underthe jurisdiction of U.S. courts if only itssubsidiary, not the parent, is doing busi-ness in the U.S.?

In Asahi Metals, the U.S. SupremeCourt held that placing products into thestream of commerce was not sufficientcontacts for personal jurisdiction over anon-U.S. (Japanese) corporation. In othercases, personal jurisdiction over non-U.S.corporations has been found. Finding ofpersonal jurisdiction over a parent corpo-ration under a minimum contacts analy-sis is very fact-specific and must beuniquely determined in each situation.

Personal jurisdiction indirectly

If minimum contacts between the non-U.S. parent corporation and the U.S.forum are not found, jurisdiction over theparent can still be found by lookingthrough its U.S. subsidiary and ‘piercingthe veil‘ of the parent’s U.S. subsidiary.This can apply not only when the sub-sidiary was set up for fraudulent or ille-gal purposes, but also for a legitimatelyorganized subsidiary, depending onwhich of three different lines of cases,as articulated in Gallagher, is used.

One precedent, termed the Cannonline of cases, holds that only by creatingand then not respecting the parent/sub-sidiary legal differences is jurisdiction overa parent gained through a subsidiary. Asecond precedent, the Scophony lines ofcases, holds that personal jurisdictionover a parent may be possible if based onthe extent of control the parent exertsover the subsidiary, to the point of domi-nating the subsidiary’s operations. Thislooks to factors including common owner-ship, financial dependency of the sub-sidiary, the parent’s interference with sub-sidiary executive selection, and the par-ent’s control over the subsidiary’s market-ing and operational policies. A third prece-dent, the Gallagher line of cases, allows



December • 2009



jurisdiction over a parent if a subsidiaryengaged in functions that the parentwould have to otherwise undertake. Asstated by the court in Bulova Watch, if asubsidiary is expanding a parent’s marketposition in the forum, then the parent isdoing business in the forum.

An analysis of the parent/subsidiaryrelationship should consider at least thefollowing:

• Is the subsidiary adequately capitalized?

• How sufficiently are the corporate for-malities observed?

• What level of control does the parentmaintain over the subsidiary’s opera-tions?

• Are there separate bank accounts?

• Are parent-subsidiary loans at marketrates of interest?

• Is the subsidiary insured?

• Is the subsidiary 100 percent ownedand are there interlocking directorates?

Control or access

Once personal jurisdiction over the non-U.S. parent has been established, a partymay seek production of data in its “pos-session, custody, or control.” A U.S.court has the power to require the pro-duction of data located in foreign coun-tries if the court has personal jurisdictionover the corporation in possession orcontrol of the data. But if personal juris-diction over a non-U.S. parent is notestablished, a court may still order pro-duction of data held by the non-U.S. par-ent through its U.S. subsidiary.

In In re Uranium Antitrust Litigation,the court looked at a number of factorsto determine if a U.S. subsidiary had“control” over the documents held by itsnon-U.S. parent. These factors includedthe percentage of ownership of the sub-sidiary by the parent and the manage-ment unity of the two companies. Thecourt noted that the ability to compelproduction of data and liability for a sub-sidiary’s acts is distinct and that the cor-

porate formalities cannot be “used as ascreen.” Other courts have also allowedaccess to data held by the parent corpo-ration, even though jurisdiction was heldonly over the subsidiary.

In Linde, the court stated that aparty attempting to compel a U.S. sub-sidiary to produce documents of its for-eign parent has to show the documentswere within the subsidiary’s control.Control is inclusive of: possession, thelegal right to obtain documents andaccess to and the ability to obtain docu-ments. This control could be shownwhere documents “ordinarily flow freelybetween parent and subsidiary” orwhere it could “generally obtain docu-ments” from its non-U.S. parent to assistitself in litigation. The court held therewas no control, using these factors plusthe fact that the parent and subsidiaryshared no computer systems or confi-dential customer transaction information.

Data protection lawsOnce a court has established the powerover data held by a non-U.S. parent cor-poration, the court must then determineif it should use that power in the face ofany data protection laws that may existin the country of the parent corporation.Countries across the world have a vari-ety of data protection laws, in the formof secrecy laws, privacy statutes, andblocking statutes. Commercial secrecylaws typically protect corporate andbanking data. Privacy statutes typicallyprotect consumers and their personalinformation. Blocking statutes have typi-cally been enacted for the express pur-pose of frustrating U.S. discovery.

Caselaw

In Societe Internationale, the U.S.Supreme Court stated that the respond-ing party cannot fail to produce docu-ments because of a foreign data protec-tion statute. The Court outlined three fac-tors that should be considered when it isdetermining whether to exercise itspower to order discovery in the face of anon-U.S. data protection law:


The IAPP Welcomes our Newest

Corporate Members

Perkins Coie LLP

Orrick, Herrington& Sutcliffe LLP

Lockton Companies

THE PRIVACY ADVISOR



• the strength of the policies underlyingthe U.S. statute;

• whether the requested data are crucialto resolving a key issue in the lawsuit;

• the amount of flexibility in the applica-tion of a country’s data protection law.

Each factor requires additional explana-

tion. The first factor does not balance theU.S statute against the data protectionstatue of the foreign country but onlyconsiders the U.S statute. The secondfactor is actually a higher standard thanthe typical U.S. standard for productionof data during discovery, which is anydata that is relevant or could reasonablylead to admissible evidence. The thirdfactor speaks to the ability of theresponding party to deal with its owngovernment in trying to waive enforce-ment of the data protection law and

whether it has done so. The good faithof the responding party is not consid-ered when ordering production, but onlyafter an order is not complied with.

In cases that followed, the majorityof U.S. courts have not allowed blockingstatutes to stop the issuance of produc-tion orders. In In re Vitamins AntitrustLitigation, the court stated that it is wellsettled that blocking statutes do notdeprive the U.S. courts of power to ordera party to produce evidence even thoughthe act of production may violate thatstatute. To some extent, this wasbecause U.S. courts did not believe thatthe sanctions attached to these blockingstatutes would be enforced. This mayhave changed with what happened aftera discovery production order was issuedin face of the French blocking statute. AFrench attorney who subsequently triedto speak to a witness in contradiction ofthe blocking statute was convicted andfined in a result that was upheld by theFrench Supreme Court. The subsequenteffect of this on the analysis by U.S.courts is not yet clear.

After evaluating local secrecy andprivacy laws, courts have still ordereddiscovery anyway. In SocieteInternationale itself, the Court ruled thatthe Swiss banking secrecy law was notsufficient to prevent ordering productionof data from the respondent. InRichmark Corp., China’s secrecy law wasnot allowed to protect the financial infor-mation of a state-owned company. InFirst National City Bank, the court upheldproduction because Germany’s banksecrecy law was waive-able and onlycivil penalties and commercial conse-quences were likely to result. In In reUranium Antitrust Litigation, the courtheld that discovery was required ofrespondents despite data protectionlaws from three different countries, eachwith widely differing amounts of flexibili-ty in enforcement of those laws.

Asia/Pacific data protection statutes

In Asia/Pacific, there are quite a range ofstatutes set up to protect various typesof data. These statutes serve varioussegments of society, from consumers tobusiness to government. These local



Wouldn’t it be great if DNC compliance was this simple?

With PrivacyAdvisor, it is.

866.366.6822, option 1

MyPrivacyAdvisor.com

Looking for a simple, phone-based solution? Ask about CallAdvisor today.

Gryphon’s on-demand, contact governance software solution is the easy answer to your customer contact challenges. PrivacyAdvisor uses a simple traffic light visual to manage contact compliance, and streamlines every step of the salesand marketing process. It also:

Eliminate 100% of your compliance risk across all channels, guaranteed.

December • 2009



laws should be part of the legal riskanalysis for parent corporations but it isimportant to understand that eachstatute has not been interpreted by aU.S court. In addition, many statutes arebeing updated or introduced as this arti-cle is being written, so any risk analysismust be constantly revisited. In additionto statutes, there are also regional

frameworks, such as the non-bindingAPEC Privacy Principles, that may have agreater influence in the absence of localprivacy law or on future statutes. The following is a non-comprehensive butrepresentative list of regional data pro-tection laws.


Australia:

China:

Hong Kong:

India:

Japan:

Singapore:

South Korea:

Taiwan:

The Foreign Proceedings Act of 1984 is a blocking statute for common law discov-

ery. The Federal Privacy Act of 1988 (revised in 2001) that lays out ten National

Privacy Principles, which includes a requirement to have a reasonable belief and

take reasonable steps that any personal data transferred outside the country be

to a recipient that upholds the National Privacy Principles. Australia also protects

commercial secrets under the general law concerning confidentiality.

The State Secrecy Law is implicated when any information is deemed by the

Chinese government to be a state secret, which may include civil matters when

the government is involved (e.g. as an owner). The Unfair Competition Law is for

the protection of commercial secrets. A Data Protection Law has been in develop-

ment for the last several years.

The Personal Data (Privacy) Ordinance of 1995 has a provision for the onward

transfer of personal data that requires that there be a reasonable belief that any

personal data transferred outside Hong Kong without consent is transmitted only

to a recipient operating under similar privacy laws. Bank secrecy is contractual

instead of statutory.

Article 21 of Constitution has been interpreted by the Indian courts to include a

right of privacy. The IT Act of 2000, based on the model U.N e-commerce law,

was revised effective in 2009 and has select privacy provisions.

The Personal Information Protection Act of 2003 protects personal data and does

not allow un-consented transfers of personal data to third parties, with the excep-

tion of certain outsourcing companies (e.g. payroll processing). It also has notice

and opt-out provisions. Japan protects commercial secrets under the Unfair

Competition Prevention Act.

There is a voluntary privacy framework, the Model Data Protection Code for the

Private Sector, which applies to any recipient to whom personal data is trans-

ferred, in or outside the country. Singapore’s Banking Law states that “customer

information shall not, in any way, be disclosed by a bank.”

The Act on Promotion of Information and Communication Network Utilization and

Information Protection of 2001 protects the personal information of consumers

held by certain industries. The number of industries subject to this law is in the

process of being greatly expanded by the responsible government ministry.

The Computer-Processed Personal Data Protection Law of 1995 protects the pro-

cessing of personal data in certain kinds of industries, such as financial. It allows

for restrictions on cross-border transfer of personal information.

In Malaysia, the Philippines and Thailand, new privacy legislation is expected to be enacted

soon, while in Indonesia and Vietnam the e-transactions laws include privacy provisions.

New Zealand is currently considering amendments to the Privacy Act of 1993 to protect

cross-border movement of data and align its rules with the EU’s data protection regimen.

Regional Data Protection Laws

THE PRIVACY ADVISOR



ESI considerationsWhen addressing the issue of whetherto compel a party to produce data forpre-trial discovery, a court may consideradditional factors solely related to ESI.There are a number of characteristics ofESI that are different than paper docu-ments. These include:

• volume and ease of replication;

• persistence;

• dynamic nature;

• existence of hidden metadata;

• hardware and software systemdependence and obsolescence;

• mobility, portability and searchability.

In Aerospatiale, the Supreme Court stat-ed that the individual courts should show

“special vigilance to protect foreign liti-gants from…unduly burdensome discov-ery” and specifically noted that courtsmust watch out for discovery abuses foroverseas litigants based on “additionalcosts” and special problems on accountof the “location of its operations.”

The FRCP allows a responding partyto resist discovery of ESI that is not rea-sonably accessible due to undue burdenor cost. The requesting party then has toshow good cause to go forward withobtaining discovery, at which point thecourt will analyze the following additionalfactors, some of which are similar tothose in the comity analysis:

• the specificity of the discovery request;

• the quantity of information availablefrom other and more easily accessedsources;

• the failure to produce relevant informa-tion that seems likely to have existedbut is no longer available on more easi-ly accessed sources;

• the likelihood of finding relevant,responsive information that cannot beobtained from other, more easilyaccessed sources;

• predictions as to the importance andusefulness of further information;

• the importance of the issues at stakein the litigation;

• the parties’ resources.

In addition to these factors, a court mayalso shift the cost burden of productionto the requesting party. The SedonaConference has documented a list of 12 factors to determine the relativeaccessibility of a source of potentiallydiscoverable ESI. Six factors are basedon media type (from Zubalake I ) and sixare based on data complexity. Whilenone of these factors specificallyrelates to overseas ESI, the need forlanguage translation from a local (possi-




December • 2009



Thank you to the IAPP members and friends who contributed their time and expertise to The Privacy Advisor this year. The IAPP and Privacy Advisor readers appreciate your commitment to sharing knowledge and advancing the privacy profession.

THANK YOU

Martin Abrams

Shannon Ballard, CIPP,CIPP/G

Matthew Barach

Jillian Barber

Teresa Basile

Jean-David Behlow

Steven Bennett

Ann Bevitt

Lars Brauer

Joshua Briones

Ann Cavoukian

Daniel Cooper

Chris Cowper

Malcolm Crompton, CIPP

Richard Cumbley

Lothar Determann

Jan Dhont

Larry Dobrow

Erin Egan

Debra Farber, CIPP, CIPP/G

Julie Fergurson

David Fink

D. Reed Freeman Jr., CIPP

Stephen Gantz, CIPP/G

Pascale Gelly

Craig Gentry

Kirk Herath, CIPP, CIPP/G

Rebecca Herold, CIPP

John Jager, CIPP/C

Jacqueline Klosek, CIPP

John Kropf, CIPP, CIPP/G

Christopher Kuner

Sagi Leizerov, CIPP

KK Lim

Annie Lindstrom

Marc Loewenthal, CIPP

David Loukidelis

Christine Lyon, CIPP

Joanne McNabb, CIPP,CIPP/G

Terry McQuay, CIPP, CIPP/C

Flemming Moos

David Morgan, CIPP,CIPP/C

Kirk Nahra, CIPP

Brian O’Connor, CIPP

Dan Or-Hof, CIPP

Tom Oscherwitz, CIPP

Harriet Pearson, CIPP

Jose-Luis Pinar Manas

Jules Polonetsky, CIPP

Larry Ponemon, CIPP

Michael Power

Olivier Proust

Nick Pujji

Richard Purcell, CIPP

Elisabeth Quillatre

Jorge Rey

Christoph Rittweger

Stewart Room

Lauren Saadat, CIPP, CIPP/G

Janelle Sahouria

Luis Salazar, CIPP

Heidi Salow, CIPP

Bruce Schneier

Mathew Schwartz

Andrew Serwin

Thomas Shaw, CIPP

Julie Sinor, CIPP

Daniel Solove

Lisa Sotto

Mike Spinney, CIPP

Jennifer Stoddart

Zoe Strickland, CIPP, CIPP/G

Anahit Tagvoryan

Florian Thoma

Micah Thorner

HenrietteTielemans

Eduardo Ustaran

Tanguy van Overstraeten

Richard van Staden tenBrink, CIPP

Jarno J. Vanto

Maria Villar

Christopher Wolf

Amy Yates, CIPP

Jonathan Zittrain

THE PRIVACY ADVISOR



BELGIUM

By Jan Dhont

‘Dear valued customer, we regret toinform you that your data has beencompromised...’

Paving the way fornew standards indata security, onOctober 26, 2009,the Council of theEuropean Unionapproved the direc-tive amendingDirective 2002/58/ECconcerning the pro-cessing of personaldata and the protection of privacy in theelectronic communications sector (theDirective). Following a trend, theseamendments introduce notificationrequirements on public providers of elec-tronic communication services in theevent of data breaches. Such notificationrequirements exist in the U.S. and havebeen recently implemented in Germany,with many other European nations soonto follow.

Under the amended Directive,providers of publicly available e-communi-cations must notify the relevant nationalauthorities without delay when a person-al data breach has occurred. A databreach is vaguely defined as “a breach ofsecurity leading to the accidental orunlawful destruction, loss, alteration,unauthorised disclosure of, or access to”personal data.

Providers must also notify individu-als or subscribers of electronic commu-nication services if the breach is likely toadversely affect their personal data orprivacy. Notification to a customer orsubscriber will not be required if theprovider can demonstrate that it hasimplemented certain protection meas-ures to the satisfaction of the competentnational authorities.

Further, the national authorities aregranted the right to require notificationregardless of the harm to the individual.Notifications should contain the nature ofthe breach, contact information and pos-sible steps to mitigate damages and, if tothe national authorities, the conse-quences and measures taken by theprovider to address the breach.Additionally, national authorities areauthorized to adopt guidelines on thenotification process and are empoweredto audit the service providers’ compli-ance. The providers are required to keepa log of breaches and any mitigatingsteps taken.

Following notification trends in theU.S., healthcare, insurance, and financialservices industries will likely be the nextindustries affected by notification require-ments. The European Data ProtectionSupervisor stated that “citizens willexpect such a system to apply not only totheir Internet access providers, but also totheir online banks and online pharmacies”(EDPS press release January 12, 2009).The amendment recitals state that all EUmember states should implement manda-tory notifications for security breaches inall industries “as a matter of priority” andthat a subsequent review on the mem-ber’s legislation in this respect, theCommission should take steps to encour-age notification laws throughout the EU,“regardless of the sector, or the type ofdata concerned.” Thus, it is anticipatedthat notifications will branch out into otherindustries throughout Member States.

Overall, companies should considertheir data security policies and proce-dures and assess their implementation ofIT risk management in light of the newnotification requirements. This is especial-ly attenuated with regard to assessmentof risks and harm to individuals and com-munication channels with the relevantnational authorities.

Jan Dhont heads the privacy practice of

Lorenz Brussels. He specializes in dataprotection and privacy, telecommunica-tions, media, and technology law. He canbe reached at [email protected].

CANADA

By John Jager, CIPP/C

Disclosure of subscriber informationby Internet service providers

A number of recentcourt decisions have discussed thematter of Internetservice providers(ISPs) providing lawenforcement withsubscriber informa-tion (SI) absent acourt-issued warrantor subpoena.

In the most recent case dealing withthis matter, the Ontario Court of Justice,in Her Majesty the Queen and DouglasCuttell, found that the defendant had areasonable expectation of privacy in hisSI and that a warrantless request bypolice to the ISP for the defendant’s SIwas a violation of section 8 of theCharter of Rights and Freedoms. In thiscase, the police came across the defen-dant’s IP address during an investigationof child sexual exploitation and requestedthat the ISP provided the subscriber’s SI,which it did in line with its policy. The ISPhad developed a protocol to provide lawenforcement agencies with SI without awarrant or subpoena only in the casewhere that information was requested bythe police in the context of a child sexualexploitation investigation. All other disclo-sures of SI, for example for a fraud inves-tigation, would not be made absent a

Global Privacy Dispatches

Jan Dhont

John Jager

December • 2009



court issued warrant or subpoena.The court ruled that, in this case, the

evidence obtained by means of a searchconducted of the defendant’s homeunder a search warrant obtained on thebasis of the defendant’s SI received fromthe ISP would be permitted, as society’sbest interests were served by the admission of this evidence.

In its reasons, the court noted that sections 7(3)(c) and 7(3)(c.1) of thePersonal Information Protection andElectronic Documents Act (PIPEDA) pro-vide for a number of disclosures withoutconsent of the individual. Although thepolice relied on section 7(3)(c.1) as itsauthority for making the request, thecourt pointed out that this section doesnot create a police ‘search power,’ itmerely requires that a lawful authorityexist before the personal information isdisclosed without knowledge or consent.As such, is does not itself confer theauthority to the law enforcement agency.

The court also explored the role ofthe ISP’s privacy notice and other agree-ments between the ISP and the sub-scriber. The court cited a number ofcases where it was found that as a resultof a contract between the ISP and thesubscriber, there was no reasonableexpectation of privacy in SI (see, amongothers, R. v. Wilson, R. v. Ward, and R. v.McGarvie). In this case, however, the ISPcould not provide evidence of what wasposted on the company’s Web site orwhat was provided to customers at thetime the defendant became a subscriber.The court noted that ISPs recognize adegree of privacy in SI, but that manyISPs have contracts in place that requiresubscribers to agree to disclosure of SI incertain circumstances and that therefore,in most cases, the issue of whetherthere is an expectation of privacy in SIwill be resolved by the contract betweenthe parties.

John Jager, CIPP/C, is vice president ofresearch services at Nymity, Inc., whichoffers Web-based privacy support to help organizations control their privacyrisk. He can be reached at [email protected].

FRANCE

By Pascale Gelly

Data sharing: disclosure of partnersrequired

In an answer to aquery brought bythe online magazinePCimpact.com, theCNIL (the Frenchdata protectionauthority) clarifiedwhat should be con-sidered “informedconsent” (opt in). Incases where a busi-ness intends to share personal data withother business partners, the individualsconcerned should be put in a position toidentify all data recipients. “The listshould be up to date at the time theInternet user’s consent is collected andthe Internet user should, as the casemay be, be informed on the data collec-tion form (or on the partners list if it islinked via a hyperlink) of the fact that thelist may evolve. www.pcinpact.com/actu/news/53221-cnil-base-mutualisee-accord-collecte.htm

E-discoveryThe CNIL issued a recommendation todata controllers requested to transferinformation to the U.S. in the frameworkof e-discovery proceedings. French legalrequirements must be met includingthose resulting from the HagueConvention and from the DataProtection Act.

10 security recommendationsThe security requirements of the FrenchData Protection Act being expressed ingeneral terms, the CNIL recently issued10 recommendations to guide IT andsecurity managers, including:

• creating a robust password policy (personal, confidential, of at least eightalphanumeric characters, renewed

See, Global Privacy Dispatches, page 12

Pascale Gelly

Privacy ClassifiedsThe Privacy Advisor is an excellentresource for privacy professionalsresearching career opportunities. For more information on a specificposition, or to view all the listings,visit the IAPP’s Web site, www.privacyassociation.org.

PRIVACY ANALYSTZions BancorporationHouston, TX

PRIVACY ATTORNEYWells FargoCharlotte, Des Moines, Minneapolis, or

San Francisco

PRIVACY COMPLIANCE SENIOR ASSOCIATEFreddie MacMcLean, VA

PRIVACY MANAGERPrescription SolutionsIrvine, CA

SENIOR SECURITY & IDENTITY SERVICES ANALYSTLegacy HealthPortland, OR

PRIVACY CONSULTANTConvergysCincinnati, OH

CHIEF INFORMATION SECURITY OFFICERWright Express EnterpriseSouth Portland, ME

DATA SHARING CONSULTANTAxiomFalls Church, VA

MANAGER, PRIVACY & GOVERNMENT AFFAIRSThe McGraw-Hill CompaniesWashington, DC

SENIOR COUNSEL, PRIVACY AND REGULATORY MATTERSOmnicom Media GroupNew York, NY

THE PRIVACY ADVISOR



every three months, that’s a robustpassword!);

• managing user accounts, which shouldbe personal as opposed to generic;

• securing work stations with automaticscreen saver;

• creating a strict definition of useraccess depending on user profile basedon need to know;

• ensuring data confidentiality by serviceproviders beyond mere contract claus-es;

• securing local networks (logical protection, specific caution for remoteaccess by portable devices…);

• securing premises: access control,badges;

• anticipating the loss or disclosure ofdata: regular backups, emergencyrecovery process, specific protection of portable devices (encryption)depending on content sensitivity;

• anticipating and formalizing an IS security policy;

• user sensitization to IT risks and to theData Protection Act.

“Peer to peer law”— the statusAs reported in the October issue of thePrivacy Advisor (page 10), the law to fightagainst infringing downloads had to bemodified in order to meet the require-ments of the French Constitutional Court.Finding the new draft still unsatisfactory,some MEPs challenged it once morebefore the Constitutional Court. This time,the Court approved most of the text.

The principle of “graduated risposte”

was maintained:

• Rightful owners can report an unlawfuldownload to a High Authority, which

will identify the Internet subscribers with the assistance of Internet accessproviders, and send them two warnings.

• In case of repetition, a summary crimi-nal procedure can be launched withouttrial; the sanctions being fines and thesuspension of the Internet access.

The Ministry of Culture announced mem-bers of the High Authority in Novemberand the first e-mail warnings will be sentat the beginning of 2010.

Video-surveillance sanctioned

The CNIL issued a 10,000 euro fine to astreet-ware business for using a perma-nent video surveillance system. The sys-tem, intended to protect the businessagainst theft, was found not proportion-ate because it surveilled too manyareas, including areas where no prod-ucts were stored. The matter wentbefore the criminal jurisdiction becausethe business manager had preventedthe CNIL from conducting an onsiteinvestigation. He was personally fined5,000 euros by the Court.

Pascale Gelly of the French law firmCabinet Gelly can be reached at [email protected].

UK

By Eduardo Ustaran

UK government consults on toughpenalties for the misuse of personaldata

The UK Governmenthas launched a public consultationon whether to introduce prisonsentences for thosefound guilty ofoffences related to obtaining, disclosing, or sellingpersonal data.

The consultation paper “Knowing or Reckless Misuse of Personal Data:Introducing Custodial Sentences” propos-es increasing the current maximum penal-ty from a fine to up to two years’ impris-onment. The proposed new measurecould see those convicted imprisoned forup to two years if the case is heard in theCrown Court, and up to 12 months ifheard in the magistrates’ court. Thecourts will also be able to impose com-munity sentences and fines if appropriate.

The consultation will also look atwhether a defence should be introducedfor those acting for the purposes of jour-nalism, art, or literature with a view topublishing such material in the reason-able belief that the obtaining, disclosing,or selling of the information is in the pub-lic interest.

Consumer watchdog scrutinises customised pricing based on onlinebehaviourThe Office of Fair Trading (OFT) haslaunched two separate market studiesinto advertising and pricing. The first, intoonline targeting of advertising and prices,will cover behavioural advertising and cus-tomised pricing, where prices are individ-ually tailored using information collectedabout a consumer's Internet use. It isexpected that this study will be complet-ed by the spring of 2010. The second, intoadvertising of prices, will consider variouspricing practices which may potentiallymislead consumers. The study will look inparticular, but not exclusively, at howthese practices are used online. The OFTis reported to be increasingly concernedabout how information about consumers'Web usage is being surreptitiouslyexploited and the lack of control by con-sumers over their online personal data.

Eduardo Ustaran is head of the Privacyand Information Law Group at FieldFisher Waterhouse LLP, based in London.He is a member of the IAPP EducationAdvisory Board, co-chair of Knowledge-Net London, editor of Data ProtectionLaw & Policy and co-author of E-Privacyand Online Data Protection. He may bereached at [email protected].

Global Privacy Dispatches


Eduardo Ustaran

December • 2009



THE PRIVACY ADVISOR



Congratulations, Certified Professionals!

Periodically, the IAPP publishes the names of graduates from our various privacy credentialing programs. While we makeevery effort to ensure the currency and accuracy of such lists, we cannot guarantee that your name will appear in an issuethe very same month (or month after) you officially became certified.

If you are a recent CIPP, CIPP/G or CIPP/C graduate but do not see your name listed above then you can expect to be listedin a future issue of the Advisor. Thank you for participating in IAPP privacy certification!

Kevin Acoveno, CIPP/G

Kimberly Joy Akre, CIPP

Rami A. Albalawi, CIPP

Gregory Albertyn, CIPP

Miranda Alfonso-Williams, CIPP/IT

Michael Christian Bell, CIPP/IT

Adam T. Berg, CIPP

Astra Verdun Bester, CIPP/IT

Taryn Bevilacqua, CIPP

José A. Bisbe, CIPP

Andrea Blander, CIPP

Carlos M. Bonet, CIPP

Vicki L. Bowman, CIPP/G

Diane G. Boyea, CIPP/G

Gary Mark Brown, CIPP

Sarah Buerger, CIPP/IT

Merlene Burnham, CIPP/G

Kimberley Anne Bustin, CIPP/C

Katherine A. Carsno, CIPP

Sheila R. Caudle, CIPP

Mary Elizabeth Cavanaugh, CIPP

Christopher T. Chin, CIPP/G

Kate Gordon Cohen, CIPP

Kenneth Comeforo, CIPP/IT

Keith P. Cooley, CIPP/IT

Lazaro F. Corrales, CIPP/IT

Ruth Day, CIPP

Barbara S. Dasenbrock, CIPP/G

Frank Robertson Dawson, CIPP/IT

Dennis Brian Dayman, CIPP

Thomas J. De Deo, CIPP

Russell Ray Densmore, CIPP/IT

Sunita Deshmukh, CIPP

Mark Arthur Di Sabato, CIPP/IT

Russell E. Dougherty, CIPP

Ron N. Dreben, CIPP

Neil Alexander Etter, CIPP/G

Elizabeth Ann Fearnow, CIPP

Caitlin Davitt Fennessy, CIPP

Donna H. Fickett, CIPP/G

Katherine Ann Flaherty, CIPP

Jonathan Fox, CIPP

Linda Gaye Furney, CIPP

Sarah Gagwani, CIPP/IT

Glen Alan Germanowski, CIPP

Susan M. Gifaldi, CIPP

Judith Ann Gosselin, CIPP

Joanna Lyn Grama, CIPP/IT

Natalie Tull Greene, CIPP

Teresa Elizabeth Hall, CIPP/IT

Daniel John Heinle, CIPP/IT

William Keith Horstman, CIPP/IT

Daniel M. Hoye, CIPP

Catherine Intravia, CIPP

Trina L. Jackson-Ford, CIPP/IT

Ronney Alex John, CIPP

Richard Allen Johnson, CIPP/G

Gina Julian, CIPP/G

Lew A. Kaufman, CIPP/IT

Yvette D. Kelly, CIPP/G

Michael Fergus LaMothe, CIPP/G

Scott K. Larson, CIPP

Michelle Diane Levack, CIPP/G

Chad Oliver Lewis, CIPP/G

David A. Lowe, CIPP/G

Joseph Patrick Lynem, CIPP/G

Mita Majethia, CIPP/G

Michael Joseph Marshall, CIPP

John Scott Mathews, CIPP

Mark Jason Molloy, CIPP/G

Sarah D. Morrow, CIPP

Susan K. Moscaritolo, CIPP

Erin Jeannette Mount, CIPP/IT

Mra Khwar Nyo, CIPP

Kingsley Odeh, CIPP

Robert A. O'Keefe, CIPP

Joseph Dennis O'Leska, CIPP/G

Patrick O'Malley, CIPP

Genevieve Marie Ovalle, CIPP

Steven William Owen, CIPP/G

Michael Owings, CIPP

Geoff Palmer, CIPP/G

Erick Rowland Patterson, CIPP/G

Robert S. Perdue, Jr., CIPP

Camille D. Privett, CIPP/G

Peggy Lyn Pugh, CIPP/G

Robert B. Quigley, CIPP

Susan Quirk, CIPP

Janice C. Rehman, CIPP

Nancy Repice, CIPP

Robin L. Ricketts, CIPP

David Andrew Ritchie, CIPP

Perry Christian Robinson, CIPP

Melissa J. Rolf, CIPP

Andrew P. Sargent, CIPP

James Watson Schreiber, CIPP/G

Thomas Mark Scurrah, CIPP

Vickie Shaw, CIPP/G

Daniel J. Showalter, CIPP/IT

Jack Showalter, CIPP/G

Marie A. Simonelli, CIPP

Susan Smith, CIPP

Christopher Strobel, CIPP

Brendan Paul Sweeney, CIPP/IT

Peter Brian Tannish, CIPP

Chad R. Thiemann, CIPP

Aubrey Craig Turner, CIPP

B. Dianne Usry, CIPP/G

Bernardo Manuel Vasquez, CIPP

Scott John VonFischer, CIPP/IT

Kathleen Anne Wakefield, CIPP/IT

John J. Walker, CIPP/G

Joann E. Waters, CIPP/G

David J. White, CIPP

Joshua Jon Wieland, CIPP/IT

Susan K. Williams, CIPP

Amadou Yattassaye, CIPP/IT

Linda Dawn Zanfardino, CIPP

Patrick Edward Zeller, CIPP

The IAPP is pleased to announce the latest graduates of our privacy certification programs. The following

individuals successfully completed IAPP privacy certification examinations held in September 2009.

December • 2009



Reidenberg was not stalking the Justice.Rather, he launched the educationalexercise in response to the assertion byJustice Scalia at a privacy conference inJanuary that he didn’t think “every singledatum about my life is private.” (Thedossier the Fordham students preparednever was released to the public.)

The Justice was furious, calling theclass exercise in Googling a demonstra-tion of bad judgment. Analogizing to theFirst Amendment, the Justice said thatjust because the law allows you to dosomething does not mean you shoulddo it.

At a recent IBM-sponsored pro-gram, the issue of privacy and ethicswas discussed, with a particular focuson the episode of Scalia Googling. Oneaspect of the issue was whether, in theGoogle/MySpace/YouTube era, anyone—especially a public figure—can have anexpectation of privacy when it comes to

publicly available information thatappears online. For sure, informationprovided in private, or for one particularpurpose, is ending up on the Internet forall to see. Does that mean there shouldbe a rule of ethics that even thoughinformation is publicly available, oneshould refrain from looking at it (ordownloading it)?

The rules on intellectual propertyare a lot clearer: Just because copyright-ed sound recordings and motion pic-tures may be available for download on

the Internet does not mean we shouldtake them for free. It’s illegal. But thereare no legal rules on helping ourselvesto freely viewable personal informationonline. That, as Justice Scalia has put it,is a matter of “judgment.”

To be sure, there are legal restric-tions on what personal information canbe accessed from credit bureaus and forwhat purpose it can be used. And othercompanies that provide personal infor-mation to law enforcement and busi-ness operate under legal rules. But forthe great maw of information availableonline, it is pretty much “anything goes.”

In his book, Delete: The Virtue ofForgetting in the Digital Age, ViktorMayer-Schönberger explains that forget-ting is a natural human process, but thatdigital technology and cheap storagemake forgetting impossible. So weappear to be approaching the fictionalworld of the movie Defending Your Lifewith Albert Brooks and Meryl Streep, in

Ethics of Googling


Top Ranked Privacy Practice

Computerworld

Chambers Global Chambers USA

Legal 500 United States

See, Ethics of Googling, page 24

“Analogizing to the First

Amendment, the Justice

said that just because

the law allows you to do

something does not

mean you should do it.”

THE PRIVACY ADVISOR



WORKSHOP SESSIONS OFFERED:

A week’s worth of privacy education,

with sessions such as…

• Online Privacy: Behavioral Targetingand Beyond

• Cloud Computing: Demystifying theIssues and Managing the Risk

• Global Transfer Solutions: Selecting a Solution That Works forYour Organization

• Notice of Security Breach: MovingFrom “Why?” and “What?” to“How!”

• Privacy and Corporate Responsibility

• Protecting the Privacy of Minors

• Balance between Privacy and Security

• Companies, privacy and internationaldata flows

• Intellectual property and privacy: pro-files of a conflict

• Data protection law in a globalizedworld

• New advertising techniques and privacy

• Do you have a private life at work?

• Privacy by Design

• Towards a global regulation on privacy: proposals and strategies

(Above) Delegates and audience members at the 31st annual InternationalConference of Data Protection and Privacy Commissioners.

Scenes from the IAPP Data Protection and Privacy Workshop, the OIPC’s

Privacy by Design workshop, and the 31st International Conference of

Data Protection and Privacy Commissioners in Madrid

(Above) Before the real work began, privacy pros sweat it out with a little futbol friendly.

December • 2009



(Above) On Tuesday, the IAPP held its Data Protection and PrivacyWorkshop at the Melia Castilla hotel. In this session, privacy expertsfrom four continents discussed “The Future of the Privacy Profession.”(LtoR) Bruno Rasle, French Association of Data ProtectionCorrespondents; Maria Belen Cardona of the Spanish Association ofPrivacy Professionals; Christoph Klug of the German Association forData Protection and Data Security; Malcolm Crompton, IAPP/ANZ;Kamlesh Bajaj, Data Security Council of India; David Hoffman, Intel;Bojana Bellamy (moderator), Accenture.

(Above) Ontario, Canada Information and PrivacyCommissioner Ann Cavoukian at her event, Privacyby Design: The Definitive Workshop, which she co-hosted with Yoram Hacohen, head of the IsraeliLaw, Information, and Technology Authority.

The 32nd International

Conference of Data Protection

and Privacy Commissioners

will take place in Jerusalem,

next October.

(Above) Privacy and corporate responsibility was thefocus of this panel. (LtoR) Willemien Bax, EuropeanConsumers’ Organization (BEUC); Martin Abrams,Centre for Information Policy Leadership, Hunton &Williams; Bojana Bellamy, Accenture; New ZealandPrivacy Commissioner Marie Shroff (moderator); FranMaier, TRUSTe.

(Above) Leslie Harris of the CDT makes a point during lunch at the IAPP Data Protection andPrivacy Workshop.

THE PRIVACY ADVISOR



bly double-byte) language into Englishor additional legal reviews for confiden-tiality and relevance of foreign languageESI performed by foreign-qualified attor-neys may provide the basis for anundue burden or cost argument.Conversely, the third factor from theRestatement’s comity analysis dis-cussed above (”whether the informa-tion originated in the U.S.”) could beused to support an argument for discov-ery of ESI that may have originated inthe U.S. but was then moved overseas.This may be quite typical in the emerg-ing cloud computing environment.Finally, local e-discovery rules are beingintroduced, such as Australia’s PracticeNote 17 or Singapore’s PracticeDirection No. 3, and their effect on U.S.courts’ analyses of overseas ESI discov-ery is yet to be determined.

ConclusionAsia-Pacific parent corporations with U.S.subsidiaries or operations should, as afirst step, perform a proactive legal riskanalysis for their exposure to U.S. pre-trial discovery based on the factors out-lined in this article. As a second step,these non-U.S. parent corporationsshould analyze how prepared they cur-rently are to respond in a timely mannerto pre-trial discovery requests. This wouldinclude performing at least an inventoryof the corporate data and data custodi-ans, analyzing records retention and legalhold processes to guard against improperdeletion of responsive data, and verifyingthat data collection procedures are legallysound. As a third step, all remediationsidentified in the first two steps should bedesigned, implemented, and monitored.It is critical that these companies enlistthe proper expertise to help themthrough this multi-disciplinary process,including technically adroit attorneys whounderstand the international legal analy-

sis required and IT resources withdetailed knowledge of both the corporatedata and the numerous processes need-ed to identify, preserve, collect, process,review, and produce data responsive toU.S. litigation.

Part one of this series can be found in the November issue of the PrivacyAdvisor, available online at www.privacyassociation.org (click “educate,” then “Advisor archives”).

Thomas J. Shaw, Esq., is an attorney, CPA,CIPP, CISM, ERMP, CFF, CISA, CITP, andCGEIT based in Tokyo, Japan. He workswith corporations across Asia to developtheir legal, e-discovery, information securi-ty, data privacy, compliance, and informa-tion governance policies and proceduresto assess, prepare for, and respond to liti-gation and technology risk. He can bereached at [email protected] or onthe Web at www.tshawlaw.com.



December • 2009



Our focus is Privacy...but our blog is open for discussion

Proskauer’s Privacy and Data Security Practice is an outgrowth of our Internet, intellectual property, labor andemployment, health care, First Amendment, international law and litigation practices. Indicative of our Chambers USAranked experience and reputation in this relatively new field of law, is the fact that the venerable Practising Law Institute(PLI) asked our firm to create its first-ever treatise on the subject of privacy and data security law, called “Proskauer onPrivacy,” published in 2006. For more information about this practice area, please visit www.proskauer.com.

Subscribe to our Privacy Law Blog at

http://privacylaw.proskauer.com/index.xml

1585 Broadway, New York, NY 10036-8299 | 212.969.3000 | Attorney Advertising


New AFCDPboard members

Privacy News

eBay receives BCR approval

EBay has received permission to use binding corporaterules (BCRs) to transfer data across borders. The

Luxembourg data protection authority, CommissionNationale pour la Protection des Données (CNPD), approvedthe company’s application recently.

BCRs are legally binding regulations that demonstrate acompany’s capacity to transfer data across borders safely.The approval lets eBay transfer and share personal data within the company without havingto use other legal instruments such as model contractual clauses.

“We were very pleased with the exceptional work provided by [eBay and eBay’s outsidecounsel Allen & Overy], of the quality of the documents elaborated and of the constructivedialogue in the process of validation and implementation of eBay’s binding corporate rules,”said CNPD President Gerard Lommel.

EBay is the first e-commerce company to receive BCR approval, according to a companypress release. It gained approval for both employee and customer BCRs. The authorizationcame under the new BCR mutual recognition procedure.

EBay Global Privacy Leader Scott Shipman, CIPP, called the approval a “major milestone”and said: “The level of cooperation and communication eBay received from the CNPD andthe other DPAs was greatly appreciated and made the project a success.”

Breach action site created

Anew site aims to provide a one-stop resource for organizations that have experienced a data breach. Field Fisher Waterhouse (FFW), RSA Security, and KPMG have teamed

together to create the Breach Action Web site, a clearinghouse of law, technology, and consultancy resources who will collectively execute a joint plan of action for breachedfirms. “The Breach Action Web site was devised to provide speedy access to relevant expertsshould the worst happen,” said FFW Privacy & Information Law partner Stewart Room. “Byoffering this holistic service we hope that companies suffering a data breach will be able tominimize the impact of the breach and its consequences.” www.breachaction.co.uk

Walters joins U.S. SEC as FOI/Privacy Act chief

Barry Walters is the new chief Freedom of Information Act and Privacy Act officer at theSecurities and Exchange Commission.

“I am pleased to welcome Barry back to the SEC,” said the commission’s general counseland senior policy director, David Becker. “Given the great importance of making sureinvestors receive the information they need, and handling sensitive information in asecure manner, I am confident his experience in these areas will serve the agency well.”

Walters served as FOIA/Privacy Act Officer at the SEC from 2001-2002, according toan SEC press release. He returns to government after several years in the private sector.

“It is a pleasure for me to return to the commission to serve in this important posi-tion,” Walters said.

The French Association ofData Protection

Correspondents (AFCDP) hasnamed new members to itsboard of directors.

New board membersinclude correspondants infor-mation et libertés (CILs)Patrick Blum of Essec;Laurent Cellier ofDeveryware; DominiqueChaumet of RATP; Marc Doloof Casino; Pascale Gelly ofCabinet Gelly; Helene Legrasof Areva; Catherine Leverrierof Groupama; and HerveJosse of La Poste.

Denis Beautier of ISEPand Jean-Pierre Remy ofBanque de France were re-elected to the board, as wereAFCDP executive officers.

AFCDP was created in2004 after the DataProtection Act was amendedto create the function of thedata protection correspon-dent. It is a forum for privacyand data protection profes-sionals and others who areinterested in the protection ofpersonal data.

The new board says itwill begin working on anambitious four-year develop-ment plan which will includeworkshops, regular meetings,and the creation of guidancedocuments, among other ini-tiatives.

December • 2009



The Privacy ProjectsNew initiative to fund ‘evidence-based’ privacy

research

Anew nonprofit research institute has been created to fund academic researchabout privacy. The Privacy Projects will forward research intended to help

maintain the balance between the use and protection of personal data. “Technology and consumer demand for Internet-based services have clearly

outpaced many of the laws and regulations initially put in place to protect con-sumers,” said TPP President Richard Purcell, CIPP. “Our goal is to provide evidence-based information to support the dialogue toward establishing increased corporateaccountability and greater regulatory relevance to today’s information economy.”

The Privacy Projects released its first research paper at an event in Parisrecently. www.theprivacyprojects.org

Engaging data

More than 200 people from across the globe attended the First InternationalForum on the Application and Management of Personal Electronic

Information in October, the launching event of the MIT SENSEable City Lab's"Engaging Data Initiative."

The Engaging Data Initiative seeks to address the issues surrounding theapplication and management of personal electronic information by bringing togeth-er the main stakeholders from multiple disciplines, including social scientists, engi-neers, manufacturers, telecommunications service providers, Internet companies,credit companies and banks, privacy officers, lawyers, watchdogs, and govern-ment officials.

The forum explored novel applications for electronic data and addressed therisks, concerns, and consumer opinions associated with the use of this data.Participants discussed techniques and standards for protecting and extractingvalue from this information.

— Caitlin Zacharias

JANUARY 2010

28 Data Privacy DayLocations worldwide

www.dataprivacyday2010.org

28 FTC Privacy RoundtableUniversity of California

Berkeley School of Law

Berkeley, CA

28 Privacy by Design:The Gold StandardToronto, Ontario

www.privacybydesign.ca

28 Privacy After HoursLocations worldwide

www.privacyassociation.org

FEBRUARY

4 Université AFCDP desCorrespondants Informatique& LibertésParis, France

www.afcdp.net

MARCH

16 IAPP Tenth AnniversaryCelebrationwww.privacyassociation.org

17 FTC Privacy RoundtableFTC Conference Center

Washington, DC

APRIL

19-21 IAPP Global Privacy SummitWashington, DC

www.privacysummit.org

MAY

26-28 IAPP Canada PrivacySymposium 2010Toronto, ON

JUNE

14-15 Practical Privacy SeriesSanta Clara, California

SEPTEMBER-OCTOBER

29-1 IAPP Privacy AcademyBaltimore, MD

Calendar of Events

To list your privacy event in The Privacy Advisor, e-mail

Tracey Bentley at [email protected]

The Engaging Data forum at MIT

THE PRIVACY ADVISOR



Pandemic privacy

The offices of the privacy commissioners of Canada, BritishColumbia, and Alberta havereleased guidance about how privacy laws apply in the privatesector workplace during the H1N1pandemic.

www.privcom.gc.ca

Wanting more

In a recent survey, 71 percent ofUK employees indicated that theirorganizations should do more toprotect confidential documents.The numbers were similar amongemployees in other Europeannations: Germany (66%), Belgium(70%), Netherlands (61%), Ireland(85%).

Source: National Fraud Authority

Data matching

The Office of the PrivacyCommissioner of Victoria, Australia,has published guidance on datamatching. The guidance is targetedto the public sector, but privateentities such as financial institu-tions and advertisers may also find it useful.

www.privacy.vic.gov.au

Reprinted with permission from Slane Cartoons Limited.

In the Privacy Tracker this month…If this month is any indication, the outlook for privacy in 2010 is red hot. Already in December:

• The Federal Data Accountability and Trust Act, HR 2221 (Rush, D), passed theHouse and moved to the Senate. The bill requires data security policies and procedures and provides for nationwide notice in the event of a security breach.

• S 1490 (Leahy, D), which also requires a comprehensive data security program by businesses that maintain personally identifying information, passed out of theSenate Judiciary Committee.

• The FTC held its first of three privacy-focused roundtables, where issues surrounding online and mobile advertising received considerable focus.

Don’t miss easy-to-read weekly and monthly updates on the privacy legislation you need to know about. The Privacy Tracker will keep you up-to-date on all 2010federal and state privacy legislation, with monthly audio conferences (where youcan request specific coverage), weekly e-mails, and a Web dashboard featuringtimely articles and reports.

Subscribe today to keep up with the privacy developments affecting your business.

Try it before you buy it! E-mail us to get a free week-long demo subscription to the Privacy Tracker.

www.privacytracker.org

December • 2009





IAPP members:

Does your organization offer

free or discounted products or

services to other IAPP members?

If so, let them know!

Advertise at a DISCOUNTED RATE

here in our new member-to-member

benefits section.

MEMBER to MEMBER Benefit

Contact Wills Catling [email protected] +1.207.351.1500, ext. 118

which every episode in one’s life isrecorded for later viewing (to pass judg-ments).

As much as Justice Scalia wouldlike, it is unlikely that society will devel-op ethical norms about accessing freelyavailable online personal information. Soshould we just throw up our hands andconclude in the words of former SunMicrosystems Chairman Scott McNealythat “there is no privacy, get over it”?

Actually, privacy is both a matter ofgiving and taking. Yes, personal informa-tion online is free for the taking and thatis not likely to change. But we still havelots of ability to control what personalinformation is taken from us, and forwhat purpose—the personal informationthat has the potential to end up onlinefor public view. The legal and ethicalproblem so far has been on how we areinformed about who is taking our infor-mation, for what purpose, with whom itis being shared, how long it will be

retained and when (and how) it will ulti-mately be destroyed.

The Federal Trade Commission hasgotten a lot tougher recently about thenotices that companies give about thecollection of online information, and newFTC leadership is focusing hard on thatquestion. Congressman Rick Boucher isproposing new legislation to controlonline tracking of consumers for target-ed advertising. And many think that our“digital natives,” the kids who havegrown up with computers and social net-working sites, need to be educatedabout the permanent record that theonline world creates. Funny picturesfrom a fraternity bash or an irreverent“tweet” on Twitter may impede a youngperson’s educational or job opportunities.

Responsible companies, too, arerecognizing, as a matter of law and busi-ness ethics, that providing clear andtimely notice to consumers about thecollection and use of information fromthem builds trust. In this age whereinformation is the lubricant of com-merce, being fair to people about their

personal information is not just the rightthing to do, it is good business. TheFuture of Privacy Forum, a think tankfocused on privacy issues, is working onnew ways online marketers can engageusers about how their Web activity isbeing used for tailored advertising.

So, we may never solve the prob-lem of all of us becoming onlinevoyeurs, accessing and looking at per-sonal information about others becausewe can. “Googling someone” hasentered common parlance preciselybecause it is common. But as technolo-gies accelerate in their ability to collectinformation about us, providing each ofus with control on the input side ofthings is imperative.

Mr. Wolf leads the privacy law practice at Hogan & Hartson LLP and is the co-chair of a think tank focused on privacy issues, the Future of PrivacyForum. This article is an adaptation of a recent presentation at the IBM ITServices Legal Summit in New York City.

Ethics of Googling


December • 2009

