Legal news and trends for Canadian in-house counsel and c-suite executives
Issue link: https://digital.canadianlawyermag.com/i/50877
Europe The EU has developed a very sophisticated personal information protection regime with stringent standards that has influenced the adoption of privacy laws throughout the world. Directive 95/46 sets out the general principles with regard to the processing of personal information, which are now implemented in the national law of every EU member state. The underlying principles of Directive 95/46 were largely based on those of international bodies, like the OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The EU's privacy legislation closely resembles that of Canada, however, how this legislation is interpreted can lead to some surprising differences, particularly with respect to the validity of consent given to the collection, use and disclosure of personal information. "Outside of Canada and Europe, privacy legislation is either non-existent or a patchwork of sector-specific laws and regulations." Consent is in the lynchpin of Canadian privacy legislation. In the EU Directive, persons from or about whom data is collected must unambiguously grant their consent before such data is collected, after having been informed about the purpose(s) for which the data will be used. The interpretation of the validity of consent may impact a US business processing personal information of European customers or employees. For example, relying on employee consent to the collection of certain personal information can prove to be difficult since some European countries question whether that consent is "freely given" given the desire to be employed or to keep employment. Another key tenet of the EU privacy directive is that it prohibits the transfer of personal information to non-EU countries, including the US, unless those countries provide adequate protection for the information. While the US has not been, officially, deemed to provide adequate protection, the two jurisdictions are negotiating so as to facilitate normal business relations. The Safe Harbor Agreement allows US companies to avoid sanctions imposed by the EU if they voluntarily embrace a somewhat less stringent version of the EU privacy directive. The Rest of the World Once you move out of Canada and Europe, all bets are off with respect to the extent that privacy legislation exists or is enforced. In many jurisdictions there is no one law or regulatory framework governing privacy. Instead, laws or regulations relating to privacy are often found as a sub-set of sector-specific or constitutional laws. Asia-Pacific: Regions that have recently adopted privacy legislation include Australia, Hong Kong, Japan, Macao, New Zealand, South Korea and Taiwan. China, Malaysia, the Philippines and Thailand are currently in the process of drafting legislation. Indonesia, Singapore, Vanuatu and Vietnam only have privacy provisions in sector-specific laws. Still, many Asia-Pacific regions do not have privacy legislation, including Brunei, Cambodia, Laos, Myanmar and the majority of the small Pacific island countries. India: India does not have comprehensive privacy laws in place. The right of privacy is not expressly recognized in the Constitution of India, although the Supreme Court of India has implied it from article 21 of the Constitution, which states that, "No person shall be deprived of his life or personal liberty except according to procedure established by law." However, this right is not absolute and can be restricted under procedures established by law or if a superior interest commands it. Laws that do exist relate to the privacy of data held by public financial bodies (e.g. banks) and electronic data (the Information Technology Act of 2000). India is moving to bring their privacy laws in step with Europe and other jurisdictions. The Personal Data Protection Bill, based primarily on foreign privacy legislations, was introduced in 2006 and is currently still pending. Latin America: Currently, very few Latin American regions have any privacy legislation and there is no cohesive framework for the region. However, the importance of a harmonized privacy legal framework for the region has been recognized and many countries in this region are currently working on developing it. Conclusion Although efforts are underway in many regions to harmonize legislation, privacy laws around the world still differ in many respects. Outside of Canada and Europe, privacy legislation is either non-existent or a patchwork of sector-specific laws and regulations. US organizations conducting business in these regions should use the most stringent legislation as the lowest common denominator in order to establish an effective privacy policy.