Global Privacy Law Landscape
Over the past several years, numerous laws and frameworks have emerged globally that govern the handling of personal information, including the following:
United States
- Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA)
- Financial Modernization Act of 1999 or Gramm-Leach-Bliley Act (GLB)
- Numerous state breach notification laws
- Personal Information Protection and Electronic Documents Act of 2000 (PIPEDA)
- Numerous provincial privacy laws affecting the public and private sectors
- Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (EU Data Protection Directive)
- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications (EU E-Privacy Directive)
- Japan Law on Protection of Personal Information of 2003
- Asia-Pacific Economic Cooperation (APEC) Privacy Framework
Although the requirements of these laws and frameworks vary greatly, some common themes have emerged, such as notice, choice, access, and security:
- Notice: What information must be provided to individuals about how their data may be used and who it may be shared with? When must this notice be provided to individuals? In what manner must this notice be provided?
- Choice: What choices are individuals offered in terms of what information about them is collected and how such information is used?
- Access: Are individuals given the opportunity to access information maintained about them? Can individuals request that their information be amended or deleted?
- Security: Are organizations that handle personal information required to protect such information using administrative, technical, and physical safeguards?
Salesforce.com's customers solely determine what data is submitted to the salesforce.com service as customer data. With respect to such data, salesforce.com acts as a data processor. In our role as a processor of customer data, salesforce.com addresses the general privacy principles described above in the following ways:
Notice, Choice & Access: Salesforce.com generally does not have a direct relationship with individuals whose personal data is submitted by customers to the salesforce.com service as customer data. Salesforce.com does not collect personal information on behalf of our customers, and salesforce.com does not determine how our customers use such data. Additionally, salesforce.com's customer contracts generally prohibit salesforce.com from accessing customer data except under limited circumstances.
Compliance with the Notice, Choice, and Access principles is based on cooperation between salesforce.com and our customers. For example, salesforce.com's contracts with our customers state that customers are responsible for the accuracy, quality, integrity, reliability, and appropriateness of data submitted to the salesforce.com service and that customers must comply with applicable laws in using the salesforce.com service.
Security: Salesforce.com maintains appropriate administrative, physical, and technical safeguards to help protect the security, confidentiality, and integrity of data our customers submit to the salesforce.com service as customer data. Salesforce.com's customers are responsible for ensuring the security of their customer data in their use of the service.


