Cedric Laurant

Posts Tagged ‘European Union’

, , , , , , , , , , , , , , , , , , , , , , , , , , ,

Mexico Implements APEC’s Cross-Border Privacy Rules

In Opinions on 26 February, 2013 at 02:12

Mid-January, the APEC (Asia-Pacific Economic Cooperation), announced that Mexico had become the second formal participant in the APEC’s Cross-Border Privacy Rules (“CBPR”) framework, following in this the United States, which became the first formal participant in July 2012.  (More details at “International: APEC and EU bodies discuss regional interoperability”, Data Guidance, 15 February 2013).  A bit earlier the same month, the Secretaría de Economía, Mexico’s Ministry of Economy, published guidelines on a voluntary self-regulatory certification system (Parámetros para el correcto desarrollo de los esquemas de autorregulación vinculante a que se refiere el artículo 44 de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares), as part of implementing the CBPR framework into its national regime.

"US & Mexican Flags" by chrissam42. Available at http://www.flickr.com/photos/chrissam42/) Licenced under a Creative Commons Attribution-NonCommercial 2.0 Generic (CC BY-NC 2.0) licence.

“US & Mexican Flags” by chrissam42

Here is my take on how I see the APEC’s CBPR system evolving in Mexico in the coming months.  And what could be its potential impact on businesses, and its interoperability with other systems, such as in the United States and the European Union.

How the CBPR framework could be moving forward in the next few months in Mexico is hard to say, but a couple of elements can be taken into account to assess how its implementation process could shape up in Central America’s biggest economy.  Companies can file their applications for binding self-regulatory rules (e.g., codes of conduct, privacy trustmarks, compliance certifications or capacity-building programs) with the IFAI from October 2013.  As to how fast the process could evolve, depends on objective but also subjective elements.

Three main factors may slow down the implementation of the CBPR system in Mexico: an uncertain transitional political landscape, uncertain institutional developments at the country’s data protection authority, and the actual lack of a ‘culture of data protection’ among users and companies

On the ‘half-empty glass’ perspective, I can see three main factors slowing down the implementation of the CBPR system in Mexico:

  1. the current uncertain transitional political landscape because of the new political majority that might take away the data protection portfolio from the IFAI’s hands, and either transfer it to another governmental institution (the Ministry of Economy (Secretaría de Economía)? PROFECO (Procuraduría Federal del Consumidor)? Another entity?), or decide to shelve it for the time being;
  2. the current uncertain institutional developments at the IFAI, the authority in charge of enforcing the data protection law and the CBPR’s certification mechanism, due to recent intestine disputes among its commissioners and a possibility for all their commissioners to be replaced; and
  3. the actual lack of a ‘culture of data protection’ among users or consumers (data subjects) and companies (data controllers), which is a factor that will take years to improve.  Many companies are still not aware of the law and its obligations a year and a half after it became enforceable; users even  less.

All three factors could slow down the path toward the adoption of self-regulatory frameworks by companies doing business in Mexico.  Indeed, few Mexican companies have incentives to adopt self-regulatory schemes as data subjects’ level of awareness about their data protection rights is very low and the Mexican data protection authority has until now been focussing most its efforts on awareness rather than enforcement.

Being an optimist, I would see the glass ‘half-full’ and bet on three factors to influence the take off of the CBPR certification system in Mexico

Being an optimist, I would see the glass ‘half-full’ and bet on these three factors to influence the take off of the CBPR certification system in Mexico:

  1. the willingness the Mexican Ministry of Economy (Secretaría de Economía) has demonstrated thus far to use the CBPR system to promote e-commerce between Mexico and neighbouring countries – the United States in the first place – and brandish the country as a top destination for the IT offshoring industry;
  2. chambers of commerce, trade associations, and their member companies could see the potential of the CBPR system to enhance commercial relationships between Mexico and foreign countries, the United States in the first place; then
  3. the speed at which Mexican subsidiaries of US companies embrace the new rules for their Mexico-United States transborder data flows could have a positive impact on its adoption by Mexican companies doing business with the US.

The impact of the CBPR’s on Mexican and US businesses is minimal as complying with the Mexican binding self-regulatory parameters is only voluntary.  However, should those companies, especially foreign ones, wish to implement them, it could help them do business in the country by positioning themselves as early adopters and using it as a competitive advantage in the local market.  Impact on businesses also depends on the company that must comply with the new rules: if the company is from the United States and already doing business with Mexico, complying with the rules may only require it to have their current self-regulatory framework  approved by a Mexican “certifier” (the equivalent to the “Accountability Agent” in the APEC’s CBPR system) as complying with the Mexican data protection law – starting in Oct. 2013.  With respect to Mexican companies, the learning curve will be much higher as many local companies, unless they already operate globally, do not have yet a self-regulatory framework in place, and it will probably cost them more to adapt to the new rules than their US counterparts.

As to how the Mexican version of the APEC’s CBPR’s may become interoperable with other systems is too early to assess.  It will depend on how the system is actually implemented later this year, and enforced in practice by the IFAI.  Recent discussions between European data protection authorities, their US counterparts and the International Chamber of Commerce have shown interest in making the CBPR system interoperable with the EU’s Binding Corporate Rules (“BCR’s”).  In the case of Mexico, if EU authorities had to decide whether binding self-regulatory rules of Mexico-based companies are considered compatible with BCR’s, their decision would depend on a number of factors, the strongest of which is the relative similarity between its data protection framework and the one of the EU data protection directives and the OECD Privacy Guidelines.

How the Mexican-US CBPR model will develop will prove to be a test case that could influence how other APEC economies might want to implement the CBPR system into their own national data protection legal framework.

Share

, , , , , , , , , , ,

The New “Privacy Guide for Spanish Speakers 2012″ Is Out

In News on 9 January, 2012 at 21:37

Cedric Laurant Consulting and Privacy International (“PI”) are pleased to present the Privacy Guide for Spanish Speakers 2012 (Guía de Privacidad para Hispanohablantes 2012).

This report is made up of a translation into Spanish of the most current and relevant sections of the Privacy and Human Rights 2006 and European Privacy and Human Rights 2010 reports.

Privacy and Human Right is an annual report by Privacy International and the Electronic Privacy Information Center (EPIC) that reviews the state of privacy in over 75 countries around the world. It outlines legal protections for privacy, new challenges, and summarizes important issues and events relating to privacy and surveillance. The report provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. Published since 1998, this document has become the most comprehensive report on privacy and data protection ever published.

European Privacy and Human Rights 2010 was a project undertaken in 2010 by PI, EPIC and the Center for Media and Communications Studies of the Central European University. It was funded by the European Commission’s Special Programme “Fundamental Rights and Citizenship” 2007-2013. The report investigates the European landscape of national privacy and data protection laws and regulations in 33 countries in Europe, as well as any other laws or recent factual developments with and impact on privacy. The study consists of country reports, an overview presenting a comparative legal and policy analysis of main privacy topics and a privacy ranking for all the countries surveyed.

The Privacy Guide for Spanish Speakers 2012 (Guía de Privacidad para Hispanohablantes 2012) includes the following chapters:

  • Overview of privacy (definition, aspects, models of privacy protection, right to privacy, evolution of data protection, oversight and privacy and data protection commissioners, etc.)
  • Privacy topics (identification systems and identity cards, workplace privacy, social networking and virtual communities, surveillance of communications, authentication and identity disclosure, public records)
  • European Privacy and Human Rights 2010 (key findings, research and analysis, criteria and metrics, results and methodology)
  • European Union
  • Spain
  • Appendix: privacy resources

Privacy Guide for Spanish Speakers 2012 (Guía de Privacidad para Hispanohablantes 2012) [pdf - 6,5 MB]

Privacy Guide for Spanish Speakers 2012

Privacy Guide for Spanish Speakers 2012 (Guía de Privacidad para Hispanohablantes 2012)

Share

, , , , , , , , , , , , , , ,

Conference: “Is Your Company under Threat? New Digital Risks & Computer Attacks: Forensic & Data Protection Aspects” (Medellin, Colombia – 16 Nov. 2011)

In Conferences, Spanish on 11 November, 2011 at 04:01

UPDATE (28 Nov. 2011): the video of the conference is now available at http://envivo.eafit.edu.co/EnvivoEafit/?p=10790.

Next week, I am organizing with two colleagues a conference in Medellin, Colombia, about the country’s recent data protection law entitled: “Is Your Company at Risk? New Digital Risks and Computer Attacks: Forensic and Data Protection Aspects – International Perspectives and the New Colombian Legislation”. Now that the Constitutional Court has approved the law, the time has come for the government to implement it into regulations, and for companies to start seriously considering how they will put in place the measures necessary to comply with the new rules.

In this conference, we plan on talking, from the forensic expert’s point of view, about the threats Colombian companies are facing with the latest waves of cybercrimes and computer attacks, the new risks they must address and the new challenges they must tackle.  We will then cover the new law itself: its scope, the legal and regulatory privacy framework in Colombia, and the legal impact for companies.  In a third and last part, the focus will be to explain the position of the new law within the landscape of current or emerging data protection laws in Latin America, but then also in the more global context of legislative and public policy developments in the European Union and the United States, and what these developments mean for Colombia at a time when its government is drafting its new data protection regulatory framework.

Conference speakers are:

  • Álvaro Alexander Soto, Director, Digital Forensic & Security Lab, Asoto Technology Group (forensic company with offices in Medellin and Bogota (Colombia), and Washington, D.C. (U.S.A.)),
  • Arean Velasco, Attorney, Velasco & Calle d’Alleman (a law firm with offices in Medellin, Colombia) and
  • Cédric Laurant, Principal, Cedric Laurant Consulting (consulting firm based in Brussels, Belgium)

Practical information: the conference will take place on 16 November 2011, 18:00-20:00 at the Universidad EAFIT, Carrera 49 N° 7 Sur – 50, Medellín (Colombia) – Bloque 38, Auditorio 125.  Language: Spanish.  Free entrance.  Prior registration required at info@cedriclaurant.com or right before the event at the conference venue.  More information in the flyer below.

Please do share this event with people who could be interested.

Conference: "Is Your Company at Risk? New Digital Risks and Computer Attacks: Forensic and Data Protection Aspects - International Perspectives and the New Colombian Legislation" (EAFIT, Medellin, Colombia - 16 Nov. 2011) (p. 1)

Conference: "Is Your Company at Risk? New Digital Risks and Computer Attacks: Forensic and Data Protection Aspects - International Perspectives and the New Colombian Legislation" (EAFIT, Medellin, Colombia - 16 Nov. 2011) (p. 1)

Conference: "Is Your Company at Risk? New Digital Risks and Computer Attacks: Forensic and Data Protection Aspects - International Perspectives and the New Colombian Legislation" (EAFIT, Medellin, Colombia - 16 Nov. 2011) (p. 2)

Conference: "Is Your Company at Risk? New Digital Risks and Computer Attacks: Forensic and Data Protection Aspects - International Perspectives and the New Colombian Legislation" (EAFIT, Medellin, Colombia - 16 Nov. 2011) (p. 2)

Share

, , , , , , , , , ,

“Privacy is Freedom”: Public Voice Event in Mexico City (31 Oct. 2011)

In Conferences on 31 October, 2011 at 15:29
"Dia de los Muertos" (photo by Natalie Curtiss, shot on February 26, 2011). Available at http://www.flickr.com/photos/gnatallica/5480065859/ (Creative Commons "Attribution-NonCommercial-NoDerivs 2.0 Generic (CC BY-NC-ND 2.0) license.)

"Dia de los Muertos" (photo by Natalie Curtiss, shot on February 26, 2011).

Two days before the 33rd International Conference of Data Protection and Privacy Commissioners takes place in Mexico City, The Public Voice, an international coalition of NGO’s, and nonprofit organizations, is organizing this Monday a full-day event to discuss the views of Civil Society representatives from Latin America, Europe and North America, but also with several government officials and industry speakers.  The issues featured are the same as the ones that will be discussed for the following three days in the Mexican capital: privacy and data protection, and how they relate to broader issues such as freedom of expression and consumer protection.

The stated goals of the conference are to:

  • review the status of the two Madrid Declarations (Civil Society’s Madrid Privacy Declaration (“Global Privacy Standards for a Global World”) and the Data Protection Commissioners’s International Standards on Privacy and Personal Data Protection.
  • assess cultures and privacy perspectives from around the world;
  • raise public awareness on surveillance technologies and its consequences to consumers, freedom of expression and human rights;
  • explore the ongoing policy and legal issues at stake in Latin America about privacy and freedom of expression.
  • establish networking opportunities between Mexican civil society and consumer rights advocates and members of the Public Voice.

The event hosts are the Electronic Privacy Information Center and the Federal Institute for Access to Information and Data Protection (IFAI), the Mexican Data Protection Authority.  Some of the government speakers they invited include:

  • Marie-Hélène Boulanger, Head of the Data Protection Unit of the Directorate General “Justice” at the European Commission,
  • Jacob Kohnstamm, Chair of the European Article 29 Data Protection Working Party,
  • Jacqueline Peschard, IFAI’s President,
  • Peter Schaar, the Federal Commissioner for Data Protection and Freedom of Information of Germany, and
  • David Vladeck, Director of the Bureau of Consumer Protection of the United States Federal Trade Commission.

The full list of speakers is available here.

If you wanted to attend the meeting physically, unfortunately at this time it is not possible anymore to register to attend the meeting in person.  If you plan on following the event online, just go to the webcast page at the start of the event: today at 08:00am GMT-6.

Several people have already offered to tweet about the event in several languages (currently English, French, Portuguese and Spanish).  If you want to make comments about the panels or even ask questions directly to speakers, you will be able to do so by using the #tpv11 hashtag in your tweets and the speaker’s Twitter username (speakers list on Twitter).  I will be tweeting in English and French from my Twitter account (@cedric_laurant).

Public Voice event in Mexico City (Oct. 31, 2011)

Public Voice event in Mexico City (Oct. 31, 2011)

Share

, , , , , , , , , , , , , , , , , , ,

Emerging Data Protection Laws in Latin America and Doing Business in the EU

In Opinions on 15 September, 2011 at 15:33

Late August I wrote an interview for Nymity for their “Privacy Interviews with Experts” series that covers the recent and emerging developments in data protection in Latin America.  The whole interview is also available here and here (pdf).

Map of Latin America

Latin America

As Latin America increases its attention to data protection legislation and regulation, a number of questions arise. Why now? What is the impetus behind their actions? What will implementation entail? Where do these countries start from in their implementation journeys?  What challenges will they face, especially keeping pace with the EU and at the same time satisfying the demands of other economies, including the US, Russia, China and others with no data protection regulation?

Cedric Laurant, attorney and consultant and founding partner of Cedric Laurant Consulting, provides us with a summary of the privacy challenges coming ahead in Latin America.

Cedric received his legal training in Belgium and the United States, taught courses and seminars in international privacy, data protection law and comparative law as a Visiting Law Professor at the Universidad de los Andes in Colombia between 2007 and 2008, and has talked at various conferences and seminars in Latin America about privacy and related issues.  He directed the publication of the Privacy & Human Rights survey between 2002 and 2006, increasing its scope to cover most Latin American countries.

Cedric speaks about about the current challenges for data protection in Latin America during his presentation at the next IAPP Privacy Academy conference on September 15 in Dallas, TX and at the Public Voice conference preceding the 33rd International Conference of Data Protection and Privacy Commissioners in Mexico City next October 31st.

Nymity: Why data protection law and regulation in Latin America today? Is it the same in all economies, or does it differ country by country?

Laurant: Latin America is the next big region after Asia that will see major changes occur in its data protection regulatory landscape.  Several countries have recently gotten their act together by enacting or drafting new data protection laws. Is it a coincidence or the intent to follow the “mode du jour”? None of the above: data protection has been on the agenda of many Latin American countries at least for the past 10-15 years. What we are seeing now is an increasing political will among all states in the region to catch up with their neighbours, and a growing realization that adopting strong data protection laws will help their economies by increasing their commercial transactions outside and within their borders.

Although all countries in Latin America that currently have a data protection law or are drafting one largely follow the European data protection model, with a few differences here and there, the lack of a harmonized and integrated regional legal system like in the European Union has led countries to adopt laws or draft bills that feature many differences among each other, which creates a diverse patchwork of legal frameworks or regulatory initiatives.

In turn, a common characteristic that appears in many Latin American privacy regimes is the constitutional right of “habeas data”, which despite variations from country to country, enables individuals to complain before a constitutional court to protect their image, privacy, honor, informational self-determination or freedom of information by providing them with the right to access the registries that hold their personal data, the way to amend or correct obsolete data, to insure their personal information remain confidential, and to provide means to remove sensitive personal information.  Lacking from that seemingly rosy perspective is the fact that habeas data only provides an after-the-fact remedy for individuals and through the courts: when it requires a lawyer, it stays out of reach for most plaintiffs, to show damage may be arduous, and it relies on case law and offers poor legal certainty.

Nymity: What are the emerging regulatory highlights, by economy and what is the timeline for their regulatory implementation?

Laurant: Several Latin American countries have recently enacted, or are drafting, a comprehensive legislative framework to protect individuals’ personal information. Starting with Mexico that, since last summer 2010, regulates at the federal level the processing of personal data by businesses, and is working on implementing decrees that should become enforceable early 2012.

Follows Peru with a new data protection law that was enacted last July and now must be detailed in an implementing decree. The Peruvian law establishes a data protection authority, the “National Register of Personal Data Protection” that will keep a record of private and public databases and have the power to levy fines for violations of the law.

Colombia is still waiting for the approval of its recently enacted and first comprehensive data protection law by the Constitutional Court, which according to local counsels, should come during the last trimester of this year.

The Brazilian Ministry of Justice is working on enacting a comprehensive data protection law modeled after the European Data Protection Directive and the Canadian Data Protection Law (PIPEDA). The draft bill, which has been subject to public discussion for several months, guarantees a list of citizens’ basic rights regarding their personal data: the right to access one’s data, correct inaccurate or wrong data, delete them, object to their processing, be compensated for their misuse, and not be subject to purely automated decisions.

Costa Rica is on the verge of adopting a law that is also modeled after the EU Data Protection Directive: it regulates almost all types of personal data processing activities and requires express written consent for many of them. It would also create a new data protection authority that would be competent to issue sanctions for violations of the law. After the Supreme Court of Justice found the law to be free of constitutional defects in April of this year, the bill has made its way back to the Legislative Assembly.

Uruguay is waiting this year for the approval of its data protection law as offering adequate protection pursuant to the European data protection legal framework, after the European body of the Article 29 Data Protection Working Party issued an affirmative opinion late October 2010. Mexico and Peru might wish to obtain that European “seal of approval”, but should they follow that route, they will probably have to wait for 3 or 4 years, especially as the European Union is currently focussing its efforts on reviewing its own data protection framework.

A development worth to notice is the growing number of countries in Latin America (Brazil, Uruguay and Mexico) that have added data breach notification clauses in their data protection law, similar to the ones that exist in almost all US State statutes and are burgeoning in some EU Member States.

Nymity: What challenges will those economies face?

Laurant: A major hurdle for these countries is the questionable level of independence of their data protection authorities and the effectiveness of their enforcement means: will they obtain enough means – financial, human and material – entrusted to them by their governments to fine the companies that do not comply with the rules, and will they get the true authority necessary to enforce the new rules?

Another obstacle is the pervasive lack of awareness about data protection by the vast majority of the population: it may take quite some time before companies learn about their new obligations and implement them into their data processing activities.  It will also take efforts for individuals to understand their new rights and for the authority to educate stakeholders about the new law.

At a broader level, where cross-border data transfers among all countries in the region will be at stake, the lack of an integrated regional data protection framework will give headaches to companies willing to transfer data to each other while following the legal mandates.

Nymity: How long might their journey take?

Laurant: As it is the case of all the economies that have already adopted data protection or information privacy rules around the world, it will take several years for Latin American states to fully implement them in the ground and get a high enough rate of compliance.  One example might illustrate the challenges ahead: it took 20 years for Colombia, after it recognized the right to privacy in its Constitution of 1991, to come up with its first comprehensive data protection bill. It will probably take as much time for its data protection framework to reach maturity and satisfy awareness, compliance and implementation levels similar to the ones in Europe and the United States.  However, to use again the example of Colombia, changes are gradual and cannot only be assessed based on changes in the law, but also through case law. In this regard, the Colombian Constitutional Court’s decisions have shown exceptional clarity by building since 1992 a comprehensive case law about habeas data that already embodies most of the data protection principles of international data protection instruments – something some of the biggest developed economies have not achieved yet.

Among the foreseeable factors that are likely to impede the path to successful implementation of data protection rules are: a higher level of corruption than in developed economies, a much weaker public sector with limited budgets for administrative and judicial bodies, a deficit in technical expertise, a poor level of trust in the justice system and consumer protection, and a lesser degree of reliability in commercial transactions.

Nymity: What are the key challenges each economy will face from Europe? What do you recommend these economies do about these challenges?

Laurant: If these economies intend at some point in time to get the adequate protection ‘seal of approval’ from the EU, they will have to demonstrate that the law that exists in their books is enforced in practice and effectively protects individuals. It will probably prove harder to obtain than in the case of Argentina that was the first Latin American country to get the approval but has not delivered yet on all its promises. One of the difficulties comes from how they will protect their transborder data flows after receiving personal data from EU countries. However, the EU recognition will definitely help them with increased prospects of European investments, in particular in the business process outsourcing sector and in data and call centers.

In this context, a growing conflict has already reared its head between the United States and the European Union, each of them trying to influence Latin America in adopting its own data protection model, and multiplying commercial initiatives or courting them individually with unilateral trade agreements. Most of the progress to be done in data protection in those countries will come indeed from the economic incentives to develop commercial transactions with the rest of the world and attract investment from foreign companies, especially with the regions that already impose strict rules on international data transfers to protect their consumers. But it may not come by making each of them sign unilateral trade agreements. The European Union got started thanks to the brilliant idea of European states forming a group around a purely economic objective – build a common market and a community of countries around the production of coal and steel – then promoting within their united territory the circulation of goods, services and capital.  Likewise, the same idea could be a leading factor in fostering Latin American economies to make progress on increasing international data transfers and commercial transactions: through the building of economic alliances among themselves. The best for the region is most likely to build up its own data protection model, based in part on its strong habeas data heritage and its civil law system, then to agree over multilateral trade treaties that would highlight the protection of international data flows as a key requirement.

Nymity: What recommendations do you have for companies that do business in Latin America? What might they begin to do to anticipate the upcoming data protection changes?

Laurant: I would advise international companies doing business throughout Latin America to embrace the upcoming data protection standards coming along in the region. Even though it will turn out to be a more costly business proposition for them, it will only be in the short term. The advice is: get an edge over your domestic and international competitors by adopting the highest data protection standards available throughout the region, and right from the start. Translating these standards to fit into the Latin American regional context means:

  1. be as transparent as possible towards your prospective customers in how you will use their personal information;
  2. do not be seen as following the herd of domestic companies that will probably have a harder time to comply with the new rules than you will;
  3. being seen as an early adopter will be good for business and the building of your reputation;
  4. in some of the countries where trust between businesses and consumers is particularly low, trust your consumers even more: it will breed reciprocal trust in your products, services, brand and reputation;
  5. follow all consumer protection and data protection regulations, and go even beyond strict compliance by doing better than domestic companies;
  6. develop a reputation for being fully reliable for your customers.

Nymity: What recommendations do you have for companies in Latin America that want to do business outside of Latin America? What data protection measures might they consider, perhaps in addition to their emerging laws and regulations?

Laurant: If your country does not have a clear and binding data protection legal framework, lobby your Parliament members to work on one; if business is mainly with European countries, encourage your government to start the process of the “adequate protection” recognition with the European Commission. In the meantime, you will have to demonstrate that you protect well enough the personal data transferred from the EU and comply with administrative procedures and contractual steps such as signing standard contractual clauses, adopting rules that apply throughout the company everywhere it does business (“ binding corporate rules”) or obtaining approval for individual transactions by national data protection authorities.

Share

Follow

Get every new post delivered to your Inbox.

Join 531 other followers

%d bloggers like this: