I am a federal privacy law. As yet I have no name...
While Japan was enjoying a Golden Week blessed with fine weather, a discussion draft of the federal privacy law (Omnibus Federal Privacy Law) now under consideration in the United States was released.
I am not a lawyer, so the first thing that surprised me, before the content itself, was the transparency of this legislative process. Publishing materials already at the discussion-paper stage is impressive.
The materials are on Rep. Rick Boucher's website:
BOUCHER, STEARNS RELEASE DISCUSSION DRAFT OF PRIVACY LEGISLATION
And when I wondered why, having gone this far in disclosure, the layout was so hard to read... it turns out it is written in XML.
Certainly, at the discussion stage terminology often changes back and forth, and when a document is updated as deliberations proceed, old terms easily get mixed in; using XML seems to make such inconsistencies easier to prevent.
As for the actual state of deliberations, the full text of the Staff Discussion Draft can be viewed via the link at the bottom of the page.
That said, the raw XML output is far too hard to read, so I indented and formatted it.
Now, the main topic.
I have written the points that caught my attention between the lines.
Download Privacy_Draft_5-10comment.pdf (181.4K)
This is a file version with the same content as displayed below.
Taken as a whole, it looks as though they prepared by studying the laws of countries that already have such legislation.
As far as Japan is concerned, there are even points that could serve as material for amending the domestic Act on the Protection of Personal Information.
Formatting in the text below: headings (blue in the original); defined terms (italic in the original); "→" marks Sato's comments (red in the original; mainly differences from Japanese domestic law); "→ [opinion]" marks Sato's comments on this bill itself (yellow highlight in the original).
[STAFF DISCUSSION DRAFT]
MAY 3, 2010
To require notice to and consent of an individual prior to the collection and disclosure of certain personal information relating to that individual.
A BILL
To require notice to and consent of an individual prior to the collection and disclosure of certain personal information relating to that individual.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as [To be provided].
→ It still has no name. (laughs)
SEC. 2. DEFINITIONS.
In this Act the following definitions apply:
(1) ADVERTISEMENT NETWORK. - The term “advertisement network” means an entity that provides advertisements to participating websites on the basis of individuals’ activity across some or all of those websites.
→ Used in SEC. 3(e)(3).
(2) AGGREGATE INFORMATION. - The term “aggregate information” means data that relates to a group or category of services or individuals, from which all information identifying an individual has been removed.
→ Used to specify the scope of the exclusion in SEC. 5.
(3) COMMISSION. - The term “Commission” means the Federal Trade Commission.
(4) COVERED ENTITY. - The term “covered entity” -
(A) means a person engaged in interstate commerce that collects data containing covered information; and
(B) does not include -
(i) a government agency; or
(ii) any person that collects covered information from fewer than 5,000 individuals in any 12-month period and does not collect sensitive information.
→ Collection from fewer than 5,000 individuals is excluded... a number I have seen somewhere before (laughs).
However, explicitly stating the period of "any 12-month period" is an improvement.
Also, sensitive information is excluded from this headcount floor.
Indeed, it is odd that under domestic law even sensitive information falls outside the scope if only a small number of records is acquired...
On the other hand, whereas domestic law speaks of the "number held", this uses the wording "collect".
→ [opinion] Everywhere else "collect" is used in the sense of an act rather than a state, so wouldn't a term corresponding to "hold" be more appropriate here?
(5) COVERED INFORMATION. - The term “covered information” means, with respect to an individual, any of the following:
→ Defining this as "covered information" is good.
When a general noun like "personal information" is defined in the statute, as in domestic law, the defined term "personal information" and personal information in the everyday sense are easily confused during in-house training, which breeds misunderstandings.
(A) The first name or initial and last name.
→ Even if the first name is reduced to an initial, it is covered as long as the last name is present.
In Japanese terms, I suppose this would mean that the family name alone, out of the full name, is covered.
(B) A postal address.
(C) A telephone or fax number.
(D) An email address.
→ Email addresses are covered unconditionally.
In Japan there is an interpretation that an address is covered if it is written in a way that reveals the person's name, but covering it unconditionally is remarkable.
(E) Unique biometric data, including a fingerprint or retina scan.
(F) A Social Security number, tax identification number, passport number, driver’s license number, or any other government-issued identification number.
(G) A Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.
→ Although limited to what is used to access a financial account, passwords are included as covered information too.
From a "personal information" point of view this is odd, but in practical security measures these obviously must be protected, so it is realistic.
Now that it is mentioned, under domestic law an email address and password pair registered with a financial institution that does not itself qualify as personal information is not a protected item...
Because this is defined as "covered information" rather than "personal information", it can be defined without being bound by the scope of personal information in the usual sense, which is good.
→ [opinion] However, given the intent of including this, rather than limiting the latter part, "any required security code, access code, or password", to financial accounts, it might be better to make those an independent item and tie them to sensitive information.
(H) Any unique persistent identifier, such as a customer number, unique pseudonym or user alias, Internet Protocol address, or other unique identifier, where such identifier is used to collect, store, or identify information about a specific individual or a computer, device, or software application owned or used by a particular user or that is otherwise associated with a particular user.
→ IP addresses and other unique numbers are included.
Beyond direct identification of a person, the devices or software that a person uses are covered as well.
(I) A preference profile.
→ "Preference profile" is included as covered information, and is then defined in (8).
(J) Any other information that is collected, stored, used, or disclosed in connection with any covered information described in subparagraphs (A) through (I).
→ Is this what has until now been referred to as "linkable"?
→ [opinion] If so, since the wording is "in connection with", is it perhaps restricting this not to "linkable" but to the narrower "linked"?
(6) FIRST PARTY TRANSACTION. - The term “first party transaction” means an interaction between an entity that collects covered information when an individual visits that entity’s website or place of business and the individual from whom covered information is collected.
→ It is nice that first-party and subsequent transactions are defined separately.
Within our company too, the domestic entities define the internal terms "primary acquisition" and "secondary acquisition" and use them in in-house training.
I just realized that "secondary acquisition" may not have been accurate... since it also includes tertiary and later acquisition.
I will have to fix the internal materials (wry smile).
(7) OPERATIONAL PURPOSE. -
→ Under domestic law this seems to correspond to the "exemptions" in Article 18, paragraph 4.
This is more concrete than domestic law, and defining it not only in the context of the purpose of use but as a form of use is a great help in practice.
This term is used for the scope of SEC. 3(a)(5).
Having (A) spell out what is covered and (B) what is excluded, as below, makes it very easy to work with.
(A) IN GENERAL - The term “operational purpose” means a purpose reasonably necessary for the operation of the covered entity, including –
→ After summarizing it in wording corresponding to Article 18(4)(iv) of domestic law ("cases in which the purpose of use is deemed clear from the circumstances of acquisition"), it enumerates the following.
(i) providing, operating, or improving a product or service used, requested, or authorized by an individual;
(ii) detecting, preventing, or acting against actual or reasonably suspected threats to the covered entity’s product or service, including security attacks, unauthorized transactions, and fraud;
(iii) analyzing data related to use of the product or service for purposes of optimizing or improving the covered entity’s products, services, or operations;
(iv) carrying out an employment relationship with an individual;
(v) disclosing covered information based on a good faith belief that such disclosure is necessary to comply with a Federal, State, or local law, rule, or other applicable legal requirement, including disclosures pursuant to a court order, subpoena, summons, or other properly executed compulsory process; and
(vi) disclosing covered information to a parent company of, controlled subsidiary of, or affiliate of the covered entity, or other covered entity under common control with the covered entity where the parent, subsidiary, affiliate, or other covered entity operates under a common or substantially similar set of internal policies and procedures as the covered entity, and the policies and procedures include adherence to the covered entity’s privacy policies as set forth in its privacy notice.
→ This (vi) is also good.
Domestic law takes contractors into account, whereas this includes parent and subsidiary companies (parent and controlled subsidiary) and related companies (affiliate).
Domestic law can also be operated through joint use, but placing it in the context of Operational Purpose like this seems easier to handle in practice.
On top of that, it includes entities under common control (under common control / under a common or substantially similar set of internal policies and procedures).
Domestic law allows disclosure as long as the recipient is a contractor and then relies on managing the contractor, but I think "common management" like this is needed as a requirement.
Because Japan does not state this explicitly, what happens is that the outsourcing party blindly demands that the contractor obtain ISMS or PrivacyMark certification, which places things under the management of the risk management system that the contractor operates.
→ [opinion] It is a pity, though, that no collective term is defined for these.
The reason I find this a pity is explained later, under the definition of "(13) UNAFFILIATED PARTY".
(B) EXCLUSION - Such term shall not include the use of covered information for marketing, advertising, or sales purposes, or any use of or disclosure of covered information to an unaffiliated party for such purposes.
(8) PREFERENCE PROFILE. - The term “preference profile” means a list of information, categories of information, or preferences associated with a specific individual or a computer or device owned or used by a particular user that is maintained by or relied upon by a covered entity.
→ Not only direct opt-in/opt-out status, but cookies and web beacons would seem to fall under this as well.
(9) RENDER ANONYMOUS. - The term “render anonymous” means to remove or obscure covered information such that the remaining information does not identify, and there is no reasonable basis to believe that the information can be used to identify -
→ Clearly distinguishing (A) and (B) below is a definition on the same model as (5)(H).
Spelling this out rather than leaving it to interpretation prevents the situation where businesses that interpret it correctly lose out while those that do not interpret it correctly and simply ignore it come out ahead, which I think is good.
(A) the specific individual to whom such covered information relates; or
(B) a computer or device owned or used by a particular user.
(10) SENSITIVE INFORMATION. - The term “sensitive information” means any information that is associated with covered information of an individual and relates to that individual’s -
(A) medical records, including medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
(B) race or ethnicity;
(C) religious beliefs;
(D) sexual orientation;
(E) financial records and other financial information associated with a financial account, including balances and other financial information; or
(F) precise geolocation information.
→ Is this (F) the new one?...
(11) SERVICE PROVIDER. - The term “service provider” means an entity that collects, maintains, processes, stores, or otherwise handles covered information on behalf of a covered entity, including, for the purposes of serving as a data processing center, providing customer support, serving advertisements to the website of the covered entity, maintaining the covered entity’s records, or performing other administrative support functions for the covered entity.
→ They have taken proper care over the European definition... which is important for the United States.
(12) TRANSACTIONAL PURPOSE. - The term “transactional purpose” means a purpose necessary for effecting, administering, or enforcing a transaction between a covered entity and an individual.
→ This too is something we defined as an internal term, "business communication", in relation to Article 18(4)(iv), to keep training explanations concise; it is helpful that the term is now clear in the law as well.
This term is used for the scope of SEC. 3(a)(5).
(13) UNAFFILIATED PARTY. - The term “unaffiliated party” means any entity that is not related by common ownership or affiliated by corporate control with a covered entity.
→ This presumably refers to everything other than (7)(A)(vi).
→ [opinion] In that case, since (7)(A)(vi) is the set "parent company + controlled subsidiary + affiliate + other covered entity under common control", using "unaffiliated", the complement of "affiliated", which is only one element of that set, seems likely to cause misunderstanding.
Therefore it might be better and more intuitive to define a term for the set in (7)(A)(vi), such as "controlled entity", and then use its complement, "uncontrolled entity" or "uncontrolled party", here.
SEC. 3. NOTICE AND CONSENT REQUIREMENTS FOR THE COLLECTION, USE, AND DISCLOSURE OF COVERED INFORMATION.
(a) NOTICE AND CONSENT PRIOR TO COLLECTION AND USE OF COVERED INFORMATION. -
(1) IN GENERAL. - A covered entity shall not collect, use, or disclose covered information from or about an individual for any purpose unless such covered entity -
→ "shall not"; I like it (laughs).
Domestic law says "when personal information has been acquired, ... must be done", whereas this says "unless ... is done, covered information shall not be collected, used, or disclosed for any purpose"; the intent is the same, but the latter can be quoted as-is in in-house training.
(A) makes available to such individual the privacy notice described in paragraph (2) prior to the collection of any covered information; and
→ Since it says "prior to", it is restricted to "in advance", not "promptly" as in domestic law.
(B) obtains the consent of the individual to such collection as set forth in paragraph (3).
→ So it is an opt-in approach.
(2) NOTICE REQUIREMENTS. -
(A) NATURE OF NOTICE. -
(i) COLLECTION OF INFORMATION THROUGH THE INTERNET - If the covered entity collects covered information through the Internet, the privacy notice required by this section shall be -
(I) posted clearly and conspicuously on the website of such covered entity through which the covered information is collected; and
→ What domestic law calls notification (posted clearly) and publication (conspicuously on the website) are both required here, joined by "and" rather than "or".
(II) accessible through a direct link from the Internet homepage of the covered entity.
→ One click from the homepage, so the requirement is clear.
(ii) MANUAL COLLECTION OF INFORMATION BY MEANS OTHER THAN THROUGH THE INTERNET. - If the covered entity collects covered information by any means that does not utilize the Internet, the privacy notice required by this section shall be made available to an individual in writing before the covered entity collects any covered information from that individual.
→ Here too it says "before", restricting it to "in advance".
(B) REQUIRED INFORMATION. - The privacy notice required under paragraph (1) shall include the following information:
→ Specified concretely, as follows.
(i) The identity of the covered entity collecting the covered information.
(ii) A description of any covered information collected by the covered entity.
(iii) How the covered entity collects covered information.
(iv) The specific purposes for which the covered entity collects and uses covered information.
(v) How the covered entity stores covered information.
→ Storage method.
(vi) How the covered entity may merge, link, or combine covered information collected about the individual with other information about the individual that the covered entity may acquire from unaffiliated parties.
→ How information obtained from unaffiliated parties is merged, linked, or combined... certainly important, but stating this in advance looks burdensome for companies.
Burdensome, but something that has to be done.
(vii) How long the covered entity retains covered information in identifiable form.
→ Retention period.
(viii) How the covered entity disposes of or renders anonymous covered information after the expiration of the retention period.
→ Method of disposal or anonymization.
(ix) The purposes for which covered information may be disclosed, and the categories of unaffiliated parties who may receive such information for each such purpose.
→ The purposes for disclosure and, for each purpose, which unaffiliated parties receive the information.
Limiting unaffiliated parties to categories is realistic and good.
Specifying company names in advance would be unrealistic.
(x) The choice and means the covered entity offers individuals to limit or prohibit the collection and disclosure of covered information, in accordance with this section.
→ This corresponds to the prohibition on third-party provision in domestic law.
Allowing the restriction to be specified at multiple levels is realistic.
(xi) The means by and the extent to which individuals may obtain access to covered information that has been collected by the covered entity in accordance with this section.
→ Presumably corresponds to the disclosure procedure under domestic law.
(xii) A means by which an individual may contact the covered entity with any inquiries or complaints regarding the covered entity’s handling of covered information.
→ Corresponds to complaint handling under domestic law.
(xiii) The process by which the covered entity notifies individuals of material changes to its privacy notice in accordance with paragraph (4).
→ This is the method of notifying changes, but since (4) actually requires opt-in, it amounts to the method of obtaining opt-in.
(xiv) A hyperlink to or a listing of the Commission’s online consumer complaint form or the toll-free telephone number for the Commission’s
→ This is the listing of the contact point, but it is limited to means of contact that are free of charge.
Otherwise inquiries would come in to unrelated toll-free numbers or email reception desks, so I think this is a surprisingly important point in practice.
(xv) The effective date of the privacy notice.
(3) OPT-OUT CONSENT REQUIREMENTS. -
(A) OPT-OUT NATURE OF CONSENT. - A covered entity shall be considered to have the consent of an individual for the collection and use of covered information relating to that individual if -
(i) the covered entity has provided to the individual a clear statement containing the information required under paragraph (2)(B) and informing the individual that he or she has the right to decline consent to such collection and use; and
(ii) the individual either affirmatively grants consent for such collection and use or does not decline consent at the time such statement is presented to the individual. If an individual declines consent at any time subsequent to the initial collection of covered information, the covered entity may not collect covered information from the individual or use covered information previously collected.
(B) ADDITIONAL OPTIONS AVAILABLE. - A covered entity may comply with this subsection by enabling an individual to decline consent for the collection and use only of particular covered information, provided the individual has been given the opportunity to decline consent for the collection and use of all covered information.
→ Hmm? I don't quite follow what this part means...
(4) NOTICE AND CONSENT TO MATERIAL CHANGE IN PRIVACY POLICIES. - A covered entity shall provide the privacy notice required by paragraph (2) and obtain the express affirmative consent of the individual prior to -
→ On a change, it is "prior" opt-in.
→ Unless consent is obtained in proportion to the degree of the change, though, obtaining prior consent for everything seems rather burdensome.
(A) making a material change in privacy practices governing previously collected covered information from that individual; or
(B) disclosing covered information for a purpose not previously disclosed to the individual and which the individual, acting reasonably under the circumstances, would not expect based on the covered entity's prior privacy notice.
(5) EXEMPTION FOR A TRANSACTIONAL PURPOSE OR AN OPERATIONAL PURPOSE. -
(A) EXEMPTION FROM NOTICE REQUIREMENTS. - The notice requirements in this subsection shall not apply to covered information that -
→ This sets out the exemption from the purpose-of-use notice.
(i) is collected by any means that does not utilize the Internet, as described in paragraph (2)(A)(ii); and
(ii)(I) is collected for a transactional purpose or an operational purpose; or
(II) consists solely of information described in subparagraphs (A) through (D) of section 2(5) and is part of a first party transaction.
(B) EXEMPTION FROM CONSENT REQUIREMENTS. - The consent requirements of this subsection shall not apply to the collection, use, or disclosure of covered information for a transactional purpose or an operational purpose, but shall apply to the collection by a covered entity of covered information for marketing, advertising, or selling, or any use of or disclosure of covered information to an unaffiliated party for such purposes.
→ This sets out the exemption from opt-in.
→ Naturally, "marketing, advertising, or selling, or disclosure of covered information to an unaffiliated party for such purposes" remains subject to opt-in.
(b) EXPRESS CONSENT REQUIRED FOR DISCLOSURE OF COVERED INFORMATION TO UNAFFILIATED PARTIES. -
→ This corresponds to the opt-in for provision to third parties under domestic law.
(1) IN GENERAL. - A covered entity may not sell, share, or otherwise disclose covered information to an unaffiliated party without first obtaining the express affirmative consent of the individual to whom the covered information relates.
→ At first glance this states the obvious, but the scope of the final "relates" is ambiguous.
→ If the preference profile defined in SEC. 2(8) is included, then cookies and web beacons also fall within scope, and managing this all the way down to unaffiliated parties looks like quite a job.
→ Also, regarding "first obtaining" in the text, it would be good if the defined term "first party transaction" could be put to use here.
(2) WITHDRAWAL OF CONSENT. - A covered entity that has obtained express affirmative consent from an individual must provide the individual with the opportunity, without charge, to withdraw such consent at any time thereafter.
→ "without charge" makes it explicit that this is free of charge.
→ The expression "express affirmative consent" appears in the text; the difference between the cases where "express" precedes "consent" and where it does not, and likewise the presence or absence of "affirmative", ought to be defined.
(3) EXEMPTION FOR CERTAIN INFORMATION SHARING WITH SERVICE PROVIDERS. - The consent requirements of this subsection shall not apply to the disclosure of covered information by a covered entity to a service provider for purposes of executing a first party transaction if -
→ If a "controlled entity" were defined, it could be used in places like this.
(A) the covered entity has obtained consent for the collection of covered information pursuant to subsection (a); and
(B) the service provider agrees to use such covered information solely for the purpose of providing an agreed-upon service to a covered entity and not to disclose the covered information to any other person.
(c) EXPRESS CONSENT FOR COLLECTION OR DISCLOSURE OF SENSITIVE INFORMATION. - A covered entity shall not collect or disclose sensitive information from or about an individual for any purpose unless such covered entity -
→ For sensitive information, an opt-in distinct from the others is spelled out.
→ Given this distinction, and since the following (d) also requires opt-in for online activity, handling sensitive information online will require a double opt-in.
→ Looking at the content, it takes European requirements into account.
(1) makes available to such individual the privacy notice described in subsection (a)(2) prior to the collection of any sensitive information; and
(2) obtains the express affirmative consent of the individual to whom the sensitive information relates prior to collecting or disclosing such sensitive information.
(d) EXPRESS CONSENT FOR COLLECTION OR DISCLOSURE OF ALL OR SUBSTANTIALLY ALL OF AN INDIVIDUAL'S ONLINE ACTIVITY. - A covered entity shall not collect or disclose covered information about all or substantially all of an individual's online activity, including across websites, for any purpose unless such covered entity -
(1) makes available to such individual the privacy notice described in subsection (a)(2) prior to the collection of the covered information about all or substantially all of the individual's online activity; and
(2) obtains the express affirmative consent of the individual to whom the covered information relates prior to collecting or disclosing such covered information.
(e) EXCEPTION FOR INDIVIDUAL MANAGED PREFERENCE PROFILES. - Notwithstanding subsection (b), a covered entity may collect, use, and disclose covered information if -
→ Is "notwithstanding" used a lot in legal writing? First time I've seen it. Is it all right to break it up when pronouncing it? (laughs)
(1) the covered entity provides individuals with the ability to opt out of the collection, use, and disclosure of covered information by the covered entity using a readily accessible opt-out mechanism whereby the opt-out choice of the individual is preserved and protected from incidental or accidental deletion, including by -
(A) website interactions on the covered entity's website or a website where the preference profile is being used;
(B) a toll-free phone number; or
(C) letter to an address provided by the covered entity;
(2) the covered entity deletes or renders anonymous any covered information not later than 18 months after the date the covered information is first collected;
→ This is within 18 months; the context differs from domestic law, but it is a longer period than the "less than 6 months" for retained personal data.
→ However, (1) through (4) are AND conditions, so this is fairly limited.
(3) the covered entity includes the placement of a symbol or seal in a prominent location on the website of the covered entity and on or near any advertisements delivered by the covered entity based on the preference profile of an individual that enables an individual to connect to additional information that -
→ Does "symbol or seal" refer to certification obtained from a third-party body?
→ If so, wording or a definition that makes this clear is needed.
(A) describes the practices used by the covered entity or by an advertisement network in which the covered entity participates to create a preference profile and that led to the delivery of the advertisement using an individual's preference profile, including the information, categories of information, or list of preferences associated with the individual that may have led to the delivery of the advertisement to that individual; and
→ Managed using the preference profile, and
(B) allows individuals to review and modify, or completely opt out of having, a preference profile created and maintained by a covered entity or by an advertisement network in which the covered entity participates; and
→ The individual must be able to view and update the preference profile, and so on.
(4) an advertisement network to which a covered entity discloses covered information under this subsection does not disclose such covered information to any other entity without the express affirmative consent of the individual to whom the covered information relates.

SEC. 4. ACCURACY AND SECURITY OF COVERED INFORMATION AND CONSUMER EDUCATION CAMPAIGN.

→ Is this section still to be fleshed out?
→ For example, it does not touch on notifying individuals when an incident such as a data leak occurs.
→ At the very least, the section title could be separated from CONSUMER EDUCATION CAMPAIGN.
→ The body text below also variously lines up "security", "integrity" and "confidentiality", or just "security" and "integrity", or says "protecting information"; presumably this will be polished from here on.
(a) ACCURACY. - Each covered entity shall establish reasonable procedures to assure the accuracy of the covered information it collects.
(b) SECURITY OF COVERED INFORMATION. -
(1) IN GENERAL. - A covered entity or service provider that collects covered information about an individual for any purpose must establish, implement, and maintain appropriate administrative, technical, and physical safeguards that the Commission determines are necessary to -
(A) ensure the security, integrity, and confidentiality of such information;
(B) protect against anticipated threats or hazards to the security or integrity of such information;
(C) protect against unauthorized access to and loss, misuse, alteration, or destruction of, such information; and
(D) in the event of a security breach, determine the scope of the breach, make every reasonable attempt to prevent further unauthorized access to the affected covered information, and restore reasonable integrity to the affected covered information.
(2) FACTORS FOR APPROPRIATE SAFEGUARDS. - In developing standards to carry out this section, the Commission shall consider the size and complexity of a covered entity, the nature and scope of the activities of a covered entity, the sensitivity of the covered information, the current state of the art in administrative, technical, and physical safeguards for protecting information, and the cost of implementing such safeguards.
(c) CONSUMER EDUCATION. - The Commission shall conduct a consumer education campaign to educate the public regarding opt-out and opt-in consent rights afforded by this Act.
SEC. 5. USE OF AGGREGATE OR ANONYMOUS INFORMATION.
Nothing in this Act shall prohibit a covered entity from collecting or disclosing aggregate information or covered information that has been rendered anonymous.
→ It is made explicit that statistical information and anonymized information are excluded.

SEC. 6. USE OF LOCATION-BASED INFORMATION.
→ What would this correspond to under domestic law, I wonder?
(a) IN GENERAL. - Except as provided in section 222(d) of the Communications Act of 1934 (47 U.S.C. 222(d)), any provider of a product or service that uses location-based information shall not disclose such location-based information concerning the user of such product or service without that user's express opt-in consent. A user's express opt-in consent to an application provider that relies on a platform offered by a commercial mobile service provider shall satisfy the requirements of this subsection.
(b) AMENDMENT. - Section 222(h) of the Communications Act of 1934 (47 U.S.C. 222(h)) is amended by adding at the end the following: "(8) CALL LOCATION INFORMATION - The term 'call location information' means any location-based information."

SEC. 7. FEDERAL COMMUNICATIONS COMMISSION REPORT.
Not later than 1 year after the date of enactment of this Act, the Federal Communications Commission shall transmit a report to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate describing -
(1) all provisions of communications law, including provisions in the Communications Act of 1934, that address subscriber privacy; and
(2) how those provisions may be harmonized with the provisions of this Act to create a consistent regulatory regime for covered entities and individuals.

SEC. 8. ENFORCEMENT.
(a) ENFORCEMENT BY THE FEDERAL TRADE COMMISSION. -
(1) UNFAIR OR DECEPTIVE ACTS OR PRACTICES. - A violation of this Act shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
→ It builds on the FTC's existing supervisory framework, while... (continued below)
(2) POWERS OF COMMISSION. - The Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any person who violates such regulations shall be subject to the penalties and entitled to the privileges and immunities provided in that Act. Notwithstanding any provision of the Federal Trade Commission Act or any other provision of law and solely for purposes of this Act, common carriers subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.) and any amendment thereto shall be subject to the jurisdiction of the Commission.
(3) RULEMAKING AUTHORITY AND LIMITATION. - The Commission may, in accordance with section 553 of title 5, United States Code, issue such regulations it determines to be necessary to carry out this Act. In promulgating rules under this Act, the Commission shall not require the deployment or use of any specific products or technologies, including any specific computer software or hardware.
→ This suggests the possibility that the FTC will establish new rules for this Act.
(b) ENFORCEMENT BY STATE ATTORNEYS GENERAL. -
(1) CIVIL ACTION. - In any case in which the attorney general of a State, or agency of a State having consumer protection responsibilities, has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by any person who violates this Act, the attorney general or such agency of the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction to -
→ A State government can take civil action against a business on behalf of the affected residents, and the FTC can intervene.
→ From a Japanese perspective this is severe, but it is commonly seen in US laws aimed at consumer protection, so within the US it is presumably not regarded as especially severe.
(A) enjoin further violation of such section by the defendant;
(B) compel compliance with such section;
(C) obtain damage, restitution, or other compensation on behalf of residents of the State; or
(D) obtain such other relief as the court may consider appropriate.
(2) INTERVENTION BY THE FTC. -
(A) NOTICE AND INTERVENTION. - The State shall provide prior written notice of any action under paragraph (1) to the Commission and provide the Commission with a copy of its complaint, except in any case in which such prior notice is not feasible, in which case the State shall serve such notice immediately upon instituting such action. The Commission shall have the right -
(i) to intervene in the action;
(ii) upon so intervening, to be heard on all matters arising therein; and
(iii) to file petitions for appeal.
(B) LIMITATION ON STATE ACTION WHILE FEDERAL ACTION IS PENDING. - If the Commission has instituted a civil action for violation of this Act, no State attorney general or agency of a State may bring an action under this subsection during the pendency of that action against any defendant named in the complaint of the Commission for any violation of this Act alleged in the complaint.
(3) CONSTRUCTION. - For purposes of bringing any civil action under paragraph (1), nothing in this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to -
(A) conduct investigations;
(B) administer oaths or affirmations; or
(C) compel the attendance of witnesses or the production of documentary and other evidence.

SEC. 9. NO PRIVATE RIGHT OF ACTION.
This Act may not be considered or construed to provide any private right of action. No private civil action relating to any act or practice governed under this Act may be commenced or maintained in any State court or under State law (including a pendent State claim to an action under Federal law).
→ It is made explicit that this does not confer a private right of action.

SEC. 10. PREEMPTION.
This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State, that includes requirements for the collection, use, or disclosure of covered information.

SEC. 11. EFFECT ON OTHER LAWS.
(a) APPLICATION OF OTHER FEDERAL PRIVACY LAWS. - Except as provided expressly in this Act, this Act shall have no effect on activities covered by the following:
(1) Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.).
(2) The Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).
(3) The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).
(4) Part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.).
(5) The Communications Act of 1934 (47 U.S.C. 151 et seq.).
(6) The Children's Online
lang=EN-US style='font-family:"Courier New"'> The Children’s Online
seq.).
(7) The CAN-SPAM Act of 2003 (15 U.S.C. 7701 et seq.).
(b) COMMISSION AUTHORITY. - Nothing contained in this Act shall be construed to limit authority provided to the Commission under any other law.

SEC. 12. EFFECTIVE DATE.
Unless otherwise specified, this Act shall apply to the collection, use, or disclosure of, and other actions with respect to, covered information that occurs on or after the date that is one year after the date of enactment of this Act.
→ The grace period before it takes effect is one year.
May 20, 2010
Trackbacks
Trackbacks to this article, "I Am a Federal Privacy Law. I Have No Name Yet...":
» US Federal Privacy Law - Second Draft (trackback from 砂糖の甘い付箋)
The US federal pr... introduced in "I Am a Federal Privacy Law. I Have No Name Yet..." [Read more]
Received: 2010/07/22 17:04:15
Comments
Thank you very much... This is extremely helpful.
Posted by: 丸山満彦 | 2010/05/20 17:57:56