9. Individual Access
10. Challenging Compliance
Sources: BearingPoint, Office of the Privacy Commissioner of Canada
Law on the Protection of Personal Data Held by Private Parties--Mexico
What it covers: Published in July 2010, this Mexican law requires organizations to have a lawful basis--such as consent or legal obligation--for collecting, processing, using and disclosing personally identifiable information. While there is no requirement to notify processing activities to a government body, as in many European countries, companies handling personal data must furnish notice to the affected persons. Individuals must also be notified in the event of a security breach.
Link to the law (Spanish language): http://www.dof.gob.mx/nota_detalle.php?codigo=5150631&fecha=05/07/2010
Who it will impact: Mexican businesses, as well as any company that operates or advertises in Mexico or uses Spanish-language call centers and other support services located in Mexico.
Requirements/provisions: In addition to addressing data retention, the law also incorporates eight general principles that data controllers must follow in handling personal data:
* Purpose Limitation
Source: Information Law Group
European Union Data Protection Directive
What it covers: This 1995 European directive sets strict limits on the collection and use of personal data and demands that each member state set up an independent national body responsible for the protection of this data.
Additional legislative documents and case law: http://ec.europa.eu/justice/policies/privacy/law/index_en.htm
Who it impacts: European businesses, as well as non-European companies to which data is exported (see Safe Harbor Act, below).
Requirements/provisions: The directive incorporates seven governing principles:
1. Notice: Data subjects should be given notice when their data is being collected.
2. Purpose: Data should only be used for the purpose stated.
3. Consent: Data should not be disclosed without the subject's consent.
4. Security: Collected data should be kept secure from any potential abuses.
5. Disclosure: Data subjects should be informed as to who is collecting their data.