Four Major Models of Privacy Regulation/Protection
1. Comprehensive 2. Co-Regulatory 3. Sectoral 4. Self-regulatory
Comprehensive Model
Oversight body governs privacy across all sectors
Co-Regulatory Model
Industries develop privacy rules that are overseen by a privacy agency.
Sectoral Model
Sector-specific privacy laws
Self-regulatory model
Industry association produced rules
Which countries are examples of Comprehensive Model
EU under EU Data Protection Directive
Which countries are examples of Co-regulatory models?
Canada, Australia & New Zealand
What are examples of the self-regulatory model
PCI DSS (payment card industry data security standard) also a company's privacy policy
8 Privacy Principles under OECD guidelines
1. Collection Limitation 2. Data quality 3. Purpose specification 4. Use limitation 5. Security Safeguards 6. Openness 7. Individual participation 8. Accountability
Collection Limitation Principle
Collection of personal data should be with knowledge and consent of the data subject, fair & lawful
Data Quality Principle
Accurate data, relevant for purpose used
Purpose specification principle
Pre-collection disclosure of what the data is for and use limited to that purpose
Security Safeguards Principle
Personal data should be protected by reasonable safeguards
Openness Principle
Data controller should be open & honest about identity & residence. Transparency of data practices
Individual Participation Principle
An individual data subject should be able to 1. Know whether a data controller has data on him 2. Have data about him shown to him at a reasonable cost and within a reasonable time 3. Challenge denial of #2, if any 4. Challenge the accuracy of data
EU Data Protection Directive 1995
Personal data should not be processed unless there is 1. Transparency 2. Legitimate purpose & 3. Proportionality. Each member state will 1. Monitor data protection, 2. Give advice about admin measures and regulations & 3. Legally enforce
If a country has not been deemed adequate in terms of privacy protections then what do you do to transfer data from the EU to that country?
1. Model contracts 2. Binding corporate rules 3. Safe harbor program / privacy shield 4. Unambiguous consent from data subjects to transfer
Model contracts
Drafted by the EU & signed by company in destination country
Binding corporate rules (BCRs)
Code of conduct or similar rule adopted by related organizations to allow cross-border transfers; must be approved by an EU member state data protection authority
Safe Harbor Program
Invalidated in 2015: the court found that permitting governments general access to the content of communications is at cross purposes with the human right to privacy
EU-US Privacy Shield
Effective since Feb 2016; provides stronger obligations for the US companies to protect personal data & for the US FTC & Dept of Commerce to monitor & enforce. Also restricts US public authorities from accessing personal data that is transferred. EU persons wil
General Data Protection Regulation
GDPR adopted April 2016, takes effect in 2018. Aims to strengthen & unify personal data protection across the EU
European Convention of Human Rights
ECHR provides individuals have the right to privacy in correspondence, & private & family life
APEC
Asia-Pacific Economic Cooperation; members: US, Australia, Brunei, Canada, Chile, China, Hong Kong, Indonesia, Japan, Korea, Malaysia, Mexico, NZ, Papua New Guinea, Peru, Philippines, Russia, Singapore, Taiwan, Thailand & Vietnam
APEC Privacy Rules 2004
Self-regulatory privacy system designed for more consistent privacy protection
Madrid Resolution
Adopted in 2009 in 80 countries with the purpose of 1. A defined set of principles for the uniform protection of privacy & 2. Facilitating the international flow of data. Gives data controllers a duty to provide reasonable security measures & personal data confidentiality
FCRA
1970 Fair Credit Reporting Act
FACTA
2003 update to FCRA
Purpose of FCRA
Increase accuracy of consumer reports and limit use of consumer reports to permissible purpose such as employment & insurance coverage and provide notice to consumers
GLBA
1999 Gramm-Leach-Bliley Act
Financial Services Modernization Act
GLBA
GLBA requires
Applies to US domestic financial institutions. Initial & annual privacy notices. Opt-out notices prior to sharing info with unaffiliated third parties
HIPAA
1996 Health Insurance Portability and Accountability Act
HIPAA requires
Covered Entities (health care providers, employer sponsored health plans, health insurers, healthcare clearinghouses) to protect PHI (personal health information). The HHS (Department of Health and Human Services) has 2 important rules 1. Privacy Rule & 2
HIPAA Privacy Rule
Covered entities may disclose PHI for the purpose of treatment, payment or health care operations w/o consent. Other disclosures need consent. Reasonable effort must be made to use only the minimum amount of data to achieve purpose
HIPAA
Must implement reasonable data security Safeguards for electronic PHI (ePHI)
COPPA
1998 Children's Online Privacy Protection Act
COPPA requires
Applies to websites & online services directed to children under the age of 13 OR that have actual knowledge that children under 13 are providing info online. Requires conspicuous privacy notices & verifiable parental consent prior to collection of Personal inf
Privacy Act of 1974
Establishes fair information principles for information maintained by the federal government. Requires written consent of the data subject prior to disclosure
FOIA
1966 Freedom of Information Act. Defines agency records subject to disclosure & disclosure procedures. 9 exemptions from disclosure rule (e.g. Trade secrets)