In the EU, organizations that collect personal data must do so in accordance with the Data Protection Directive (Directive 95/46/EC). The Directive also restricts transfers of personal data out of the EU: a US business that receives personal data from EU organizations must provide an “adequate level of protection” for it. Personal data can only be gathered under strict conditions and for a legitimate purpose, and the organization must manage it in a way that protects the data subject's rights and prevents misuse. (Note that this regime has since been superseded: the Court of Justice of the EU invalidated the Safe Harbor framework in October 2015, and the Directive was replaced by the General Data Protection Regulation in May 2018. The principles below describe the framework as it stood.)
If you are a US company, you can meet the adequacy requirement by joining the US-EU Safe Harbor Program. To do so, you must self-certify adherence to the following seven Safe Harbor Privacy Principles:
- Notice - Organizations must notify individuals about the purposes for which they collect and use information about them, how to contact the organization, the means the organization provides for limiting the use and disclosure of that information, and the kinds of third parties, if any, to which the organization discloses it.
- Choice - Organizations must give individuals the opportunity to opt out of having their personal information disclosed to a third party or used for any purpose beyond that for which it was originally collected. For sensitive information (for example, health information), this must take the form of an explicit opt in.
- Onward Transfer - Before disclosing personal information to a third party, an organization must apply the Notice and Choice principles above.
- Access - Individuals must be able to view, correct, amend, or delete their personal information, with some exceptions.
- Security - Organizations must take reasonable precautions to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction.
- Data Integrity - Personal information collected must be relevant for the purposes for which it is used, and organizations should take reasonable steps to keep it accurate, complete, and current.
- Enforcement - Organizations must provide readily accessible, independent recourse mechanisms through which complaints are investigated and resolved and damages are awarded where applicable. They must also have procedures for verifying adherence to all of the principles and for correcting problems that arise from any failure to comply.
In Canada, the applicable law is the Personal Information Protection and Electronic Documents Act, or “PIPEDA.” It applies to any organization that collects, uses, or discloses personal information in the course of commercial activities. As a US company, you fall within the scope of PIPEDA if you have operations in Canada. Even without Canadian operations, you may be found to be within the scope of the law if you collect the personal information of individuals in Canada.
Under this law, personal information may be collected, used, or disclosed only for purposes that a reasonable person would consider appropriate under the circumstances. In addition, the following ten principles must be followed to comply.
- Accountability - Your organization must designate individuals who are responsible for its compliance with the ten principles, for protecting all personal information it holds, and for implementing personal information policies and practices.
- Identifying Purposes - The organization must identify and document the reasons for collecting personal information, and inform the individual of those reasons at or before the time of collection.
- Consent - The individual must be meaningfully informed of the purposes for the collection, use, or disclosure of the personal information and must consent to them.
- Limiting Collection - An organization may not collect personal information indiscriminately, nor deceive or mislead individuals about what it collects or why.
- Limiting Use, Disclosure, and Retention - Personal information may not be used for purposes beyond those for which it was originally collected, nor kept longer than necessary. There must also be procedures in place for the retention and destruction of the information, and for resolving grievances relating to it.
- Accuracy - Personal information must be kept accurate, complete, and up to date, so that the risk of disclosing it, or making a decision based on it, while it is incorrect is minimized.
- Safeguards - Personal information must be protected from loss, theft, and unauthorized access, disclosure, copying, use, or modification, regardless of the form in which it is held.
- Openness - The organization must have understandable policies for the management of personal information and make them readily available to individuals.
- Individual Access - Individuals should generally be given the opportunity to access the personal information that the organization holds about them and to challenge its accuracy and completeness.
- Challenging Compliance - The organization must provide simple and easily understandable complaint procedures that inform individuals of all avenues of recourse, investigate all complaints, and take appropriate corrective measures.