Privacy one year later
Compliance and industry issues in Canada and the United States
David W. Stark
MRIA Alberta Chapter
January 20, 2005
Agenda
• Privacy legislation overview
• Compliance: is it working?
• Industry implications
• Helpful resources
• Q&A
Privacy legislation overview
• Freedom of Information / Access
  • Freedom of Information Act – U.S.
  • Access to Info. Act – Canada
• Privacy and Protection of Personal Data
  • Privacy Legislation – Quebec
  • Privacy Act – Canada
  • Privacy Act – U.S.
  • EU Privacy Directive
  • PIPEDA – Canada
  • Safe Harbor – U.S.
  • PIPA – AB & BC
(Timeline axis on the original slide: 1966, 1974, 1980, 1985, 1994, 1998, 2000, 2001-2004)
Canadian approach to privacy: federal regulations
• Competition Act (1985; rev. 1999 and 2001)
• CRTC Telemarketing Rules (1994; rev. 2004)
• PIPEDA (2001-2004)
  • Comprehensive law affecting all industries in the private sector
• Bill C-37 (2005?)
  • Would establish a national do-not-call registry
• Anti-spam legislation (2005?)
Canadian approach to privacy: provincial regulations
• Personal information protection acts
  • QC, AB, BC
• Personal health information acts
  • AB, SK, MB, ON
• With PIPEDA and its provincial counterparts, Canada’s privacy framework is closer to Europe’s than to the U.S. approach
U.S. approach to privacy – sectoral: federal regulations
• Video Privacy Protection Act (1988)
• Telephone Consumer Protection Act (1991)
• Driver’s Privacy Protection Act (1994)
• Telemarketing Sales Rule (1996)
• Health Insurance Portability and Accountability Act (1996)
• Financial Modernization Act (Gramm-Leach-Bliley) (1999)
• Children’s Online Privacy Protection Act (2000)
• CAN-SPAM Law (2003)
• Eavesdropping and taping laws (FCC)
  • Telephone interviewing, focus groups
• Federal Trade Commission Act (Section 5)
  • Obligation to abide by one’s posted privacy policies
U.S. approach to privacy – sectoral: state regulations
• Anti-spam laws
• Do-not-call laws and lists
• Telephone curfew laws
• Eavesdropping and taping
• California’s Online Privacy Protection Act (CA OPPA)
  • Must post a privacy policy on the website if collecting personally identifiable information from CA residents
What’s driving consumer privacy laws?
• Most privacy regulations enacted since the early 1990s
  • Coincides with the digital information age
  • Databases of PII that can be manipulated and moved offshore at the click of a button
• Public opinion
  • Greater intrusion into consumers’ lives – they want to be left alone
  • Outsourcing offshore
Compliance in Canada
• Low awareness of PIPEDA and provincial privacy laws
• Federal Privacy Commissioner has treated offending organizations with kid gloves
• Commissioner’s Office understaffed
• Still, in general, Canadian firms seem to be more privacy-conscious than their U.S. counterparts
Compliance in the United States
• Patchwork of privacy laws is difficult for organizations
• Multinationals would prefer a national privacy law (similar to PIPEDA)
• FTC names offending organizations on its website
• Private right of action in many U.S. laws gives rise to class action suits
• EU study suggests several U.S. firms on the Safe Harbor list are not in compliance
Industry implications
• Third-party disclosures
  • Clients’ customer lists
  • Respondent PII shared with clients
  • List brokers / sample providers
  • Qualitative research: recruiter, moderator, facility
• Online research
  • Explicit opt-in consent
  • Must not spoof message headers
  • ISP shutdowns
(Diagram on the original slide: customer – research client – research supplier)
When a research firm (RF) sends an invitation from its own domain, the headers look like this:

From: RF on behalf of CLIENT <xxxxxx@RF.com>
To: Rebecca Smith <rsmith@yahoo.com>
Subject: Complete CLIENT’s survey and receive a special offer for your time
Date: Fri, 12 Nov 2004 10:51:10 -0500

MUST NOT SPOOF MESSAGE!! The form below makes the invitation appear to come from the client’s own domain and is the spoofed version:

From: CLIENT <surveys@CLIENT.com>
To: Rebecca Smith <rsmith@yahoo.com>
Subject: Complete CLIENT’s survey and receive a special offer for your time
Date: Fri, 12 Nov 2004 10:51:10 -0500
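A pre-send check for the rule on this slide, written as an added example (not from the presentation or the presenter): it parses an outbound invitation and confirms that the From: address sits at the research firm's own sending domain, so a client name in the display name is accepted but a client domain in the address is flagged. The sample messages, RF.com and CLIENT.com are constructed placeholders modelled on the slide.

```python
import email
from email.utils import parseaddr

# Constructed sample invitations modelled on the two headers on the slide.
# Assumption: RF.com is the research firm's own sending domain and
# CLIENT.com is the client's domain (placeholders, not real addresses).
COMPLIANT_INVITATION = """\
From: RF on behalf of CLIENT <invites@RF.com>
To: Rebecca Smith <rsmith@yahoo.com>
Subject: Complete CLIENT's survey and receive a special offer for your time
Date: Fri, 12 Nov 2004 10:51:10 -0500

Thank you for participating.
"""

SPOOFED_INVITATION = """\
From: CLIENT <surveys@CLIENT.com>
To: Rebecca Smith <rsmith@yahoo.com>
Subject: Complete CLIENT's survey and receive a special offer for your time
Date: Fri, 12 Nov 2004 10:51:10 -0500

Thank you for participating.
"""


def address_domain(header_value):
    """Lower-cased domain of the address in a header value ('' if none).
    parseaddr splits 'Display Name <user@host>' into its two parts."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def check_invitation(raw_message, sending_domain):
    """Return a verdict dict for one outbound survey invitation.
    Compliant means the From: address is at sending_domain; the display
    name may name the client ('RF on behalf of CLIENT'), the address may not."""
    msg = email.message_from_string(raw_message)
    from_domain = address_domain(msg.get("From"))
    wanted = sending_domain.lower()
    if not from_domain:
        problem = "From: address missing or unparsable"
    elif from_domain != wanted:
        problem = f"From: domain {from_domain} is not the sending domain {wanted}"
    else:
        problem = None
    return {"from_domain": from_domain, "compliant": problem is None, "problem": problem}


if __name__ == "__main__":
    for name, raw in (("compliant", COMPLIANT_INVITATION), ("spoofed", SPOOFED_INVITATION)):
        print(name, check_invitation(raw, "RF.com"))
```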
Industry implications
• Data security and retention
  • Physical, electronic and organizational
  • Minimum and maximum retention periods
• International data flows
  • U.S. state laws could impact Canadian call centres and outsourcing overseas
  • One motive of these laws is protectionism (many U.S. jobs have been outsourced to low-wage countries)
Industry implications
• Contracts with clients that include indemnities and privacy protection clauses
• An increasing number of multinational clients require completion of comprehensive privacy assessment forms
• Research is becoming more difficult to conduct
Helpful resources
• Federal Privacy Commissioner’s website: www.privcom.gc.ca
• International Association of Privacy Professionals: www.privacyassociation.org
• Nymity (privacy consulting firm): www.nymity.com
• CAMRO Privacy Protection Handbook
Helpful resources: CAMRO Privacy Protection Handbook
• CD-ROM Version 1.0 released October 2003
• 40 sold to date
• Over 90 pages of advice
• Includes legal agreements prepared by a privacy lawyer (Brian Bowman, Pitblado)
• Version 2.0 to be MRIA-branded and issued soon
  • Includes an expanded policy section and appendices unique to qualitative research
Thank you
E-mail: david.stark@tns-global.com
Tel.: (416) 924-5751