Data Privacy Laws Lecture 2 PDF
Purdue University
Prof. Bharat Bhargava
Summary
This document provides a lecture about data privacy laws and regulations. It covers the framework of data privacy laws, the landscape of data privacy and protection laws, and examples of comprehensive laws and regulations, such as FIPPS and GDPR, along with sectoral data privacy laws in Saudi Arabia. The lecture also includes examples of data breaches and fines.
Data Privacy Lecture 2: Data Privacy and Protection Laws and Regulations

REFERENCE: Prof. Bharat Bhargava (Purdue University), Slides on Data Protection Directives

Outline
- Framework of Data Privacy Laws
- Landscape of Data Privacy and Protection Laws
- Examples of comprehensive laws and regulation: FIPPS, GDPR
- Sectoral Data Privacy Laws in Saudi Arabia
- Examples of data breaches and fines

COE426: Lecture 2

Legal Views on Privacy
- Privacy is a fundamental human right that has become one of the most important rights of the modern age.
- Each country has a provision for the rights of inviolability of the home and secrecy of communications.
- Example, Saudi Law, Article 40: "The privacy of telegraphic and postal communications, and telephone and other means of communication, shall be inviolate. There shall be no confiscation, delay, surveillance or eavesdropping, except in cases provided by the Law."

Data Privacy and Protection Laws
- Data privacy and protection laws refer to legislation that is intended to:
  - protect the right to privacy of individuals
  - ensure that personal data is used appropriately by the organisations that may have it
- Personal data is any information that can be used to identify a natural person: name, phone number, email address, etc.
- Special categories of personal data require more stringent measures of protection: religion, ethnicity, medical information, criminal data, children's data.

Landscape of Privacy Laws
Two types of privacy laws:
1. Comprehensive laws: general laws that govern the collection, use and dissemination of personal information by the public and private sectors.
   - Require commissioners or an independent enforcement body
   - Difficulty: lack of resources for oversight and enforcement; agencies under government control
2. Sectoral laws: avoid general laws and focus on specific sectors instead.
   - Advantage: enforcement through a range of mechanisms
   - Disadvantage: each new technology requires new legislation

Comprehensive Laws in the EU
- The European Union Council adopted the Privacy and Electronic Communications Directive.
- Prohibits secondary uses of data without informed consent.
- No transfer of data to non-EU countries unless there is adequate privacy protection.

Sectoral Laws in the US
- No explicit right to privacy in the constitution.
- A patchwork of federal laws for specific categories of personal information, e.g., financial reports, credit reports, video rentals, etc.
- Wide belief that self-regulation is enough and that no new laws are needed (exception: medical records).

EU vs. US [cf. A.M. Green, Yale, 2004]
- The difference between the laws in the two systems resulted in what was called the "Safe Harbor Agreement".
- US companies would voluntarily self-certify to adhere to a set of privacy principles worked out by the US Department of Commerce and the Internal Market Directorate of the European Commission.
- Little enforcement: a self-regulatory system in which companies merely promise not to violate their declared privacy practices.
- Criticized by privacy advocates and consumer groups in both the US and Europe.

Privacy Impact Assessments (PIA)
- An evaluation conducted to assess how the adoption of new information policies, the procurement of new computer systems, or the initiation of new data collection programs will affect individual privacy.
- The premise: considering privacy issues at the early stages of a project cycle will reduce potential adverse impacts on privacy after it has been implemented.
- Will talk about it more in coming lectures.

Privacy Laws Framework
- Most data laws were developed alongside three major concepts that implicate our privacy: media, surveillance, personal data.
- The laws revolve around privacy "torts":
  - Intrusion upon seclusion (what does "seclusion" mean?)
  - Public disclosure of private facts
  - Misappropriation of name or likeness
  - Placing someone in a false light
  - Negligent handling of people's personal information

Fair Information Practice Principles (1)
- FIPPS are a set of internationally recognized principles that inform information privacy policies both within government and the private sector.
- The principles are:
  - Collection limitation principle
  - Data quality principle
  - Purpose specification principle
  - Use limitation principle
  - Security safeguards principle
  - Openness principle
  - Individual participation principle
  - Accountability principle

General Data Protection Regulation (GDPR)
- The General Data Protection Regulation (GDPR) is new EU legislation that comes into effect on May 25th 2018.
- It very clearly sets out the ways in which the privacy rights of every EU citizen must be protected and the ways in which a person's "Personal Data" can and can't be used.
- It carries significant penalties for non-compliance: €20 million, or 4% of the entire global revenue, whichever is higher!

GDPR Entities
Three entities are defined in GDPR:
1. A data subject: the person whose data is collected
2. A data controller: the entity that collects and uses personal data
3. A data processor: the entity that processes data on behalf of the data controller
- Laws and regulations impose different obligations on controllers and processors.
- For example: a company that has a website collecting data on the pages its visitors visit is the data controller; Google Analytics is the data processor.

Seven Principles of Data Protection
1. Lawfulness, fairness, transparency
2. Purpose limitation: use only for one or more specified purposes
3. Data minimisation: collect only the amount of data required for the specified purpose(s)
4. Accuracy: ensure data is kept up to date, accurate and complete
5. Storage limitation: kept for no longer than necessary for the specified purpose(s)
6. Integrity and confidentiality: processed ensuring appropriate security of the data
7. Accountability: essential not only to be compliant, but to be able to demonstrate compliance

How to Comply with GDPR?
The Data Protection Commissioner has issued a guide to compliance, consisting of 12 steps:
1. Becoming aware
2. Becoming accountable
3. Communication with members
4. Personal privacy rights
5. Subject access requests
6. Legal basis
7. Consent
8. Children's data
9. Reporting breaches
10. Impact assessments
11. Data protection officers
12. International organisations

Information Life Cycle
1. Capture – obtain and record information
2. Store – save the information electronically or in paper format
3. Use – use or reuse information
4. Destroy – delete, erase or shred information

GDPR Information Life Cycle
[Diagram: GDPR obligations mapped onto the Capture, Store, Use and Destroy stages of the life cycle. Labels on the diagram: Data Protection by Design and by Default; Data Protection Impact Assessment (DPIA); Documentation; Assess Retention Period; Data Minimisation; Right to Erasure; Privacy Notices; Portability; Privacy Rights; Third Party Copies; Obtain Consent; Safe and Secure; Restricted Access; Appropriate Use; Consent; Data Inventory; Manage Consent; Subject Access Requests; Restricted International Transfers; Contracts with Data Processors.]

The Seven GDPR Sins
Seven lethal mistakes when designing a new IT system:
1. Storing data forever: data can take a long time to be completely deleted
2. Reusing data indiscriminately, e.g. Google used users' data for ad personalization
3. Walled gardens and black markets: ability to download your personal data instantly; third-party ad companies were blocked from accessing data
4. Risk-agnostic data processing: "Unless you are breaking stuff, you are not fast enough"
5. Hiding data breaches
6. Making unexplainable decisions
7. Security as a secondary goal
Shastri, S., Wasserman, M. and Chidambaram, V., 2019. The Seven Sins of Personal-Data Processing Systems under GDPR. USENIX HotCloud.

The Seven GDPR Sins (cont.)
5. Hiding data breaches: prior to GDPR, victims had to check themselves whether they were impacted or not; now, companies must send early notifications to all impacted users
6. Making unexplainable decisions: taking care of privacy when using algorithmic decision making
7. Security as a secondary goal: proactive vs. reactive security
Shastri, S., Wasserman, M. and Chidambaram, V., 2019. The Seven Sins of Personal-Data Processing Systems under GDPR. USENIX HotCloud.

Designing GDPR Compliant Systems
- Companies are legally bound to comply with GDPR.
- Compliance with GDPR is not trivial. For example, three questions when designing a new storage system:
  1. What features should a storage system have to be GDPR-compliant?
  2. How does compliance affect the performance of different types of storage system?
  3. What are the technical challenges in achieving strict compliance in an efficient manner?

Designing for GDPR Compliance
- GDPR is intentionally vague in terms of technical specifications.
- Features for GDPR-compliant storage systems:
  1. Timely deletion
  2. Monitoring and logging
  3. Indexing via metadata
  4. Access control
  5. Encryption
  6. Managing data location
Shah, Aashaka, Vinay Banakar, Supreeth Shastri, Melissa Wasserman, and Vijay Chidambaram. "Analyzing the Impact of GDPR on Storage Systems." In 11th USENIX Workshop on Hot Topics in Storage and File Systems (HotStorage 19). 2019.

Examples of Data Breaches
- Marriott International Inc.: ~339 million guest records leaked, including payment details; ~30 million are EU. Fined £99,200,396 for the violation.
- British Airways: ~500K customers' information leaked. Resulted in a fine of £183.39 million.
- Google: failing to get valid consent from the users for personalized ads. Google was fined €50 million.
- Facebook: related to Cambridge. Fined £500,000.
- List of GDPR fines:
  https://www.nathantrust.com/gdpr-fines-penalties
  https://www.cookielawinfo.com/gdpr-fines-biggest-gdpr-violation-examples/

Conclusions [cf. A.M. Green, Yale, 2004]
- More work to be done to ensure the security of personal information for all individuals in all countries.
- Technological solutions to protect privacy are implemented to a limited extent only.
- Not enough is being done to encourage the implementation of technical solutions for privacy compliance and enforcement.
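As an added example, not part of the lecture slides or of the Shastri et al. and Shah et al. papers they cite: a minimal in-memory personal-data store in Python that exercises several of the storage-system features listed under "Designing for GDPR Compliance" (timely deletion, monitoring and logging, indexing via metadata, access control), shows how they counter the first sins on "The Seven GDPR Sins" (storing data forever, reusing data indiscriminately), and walks the Capture, Store, Use, Destroy life cycle. The class and function names, the sample subjects, purposes, retention periods and dates are all constructed assumptions; the slides define none of them.

```python
"""Added example: a toy GDPR-aware personal-data store (not the lecture's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass
class Record:
    subject_id: str          # the data subject the record is about
    purpose: str             # the single purpose it was collected for (purpose specification)
    data: dict               # the personal data itself
    collected_at: datetime
    retention: timedelta     # storage limitation: delete once this period has passed

    def expired(self, now: datetime) -> bool:
        return now >= self.collected_at + self.retention


class PersonalDataStore:
    def __init__(self) -> None:
        self._records: Dict[int, Record] = {}
        self._by_subject: Dict[str, Set[int]] = {}   # metadata index: subject -> record ids
        self._consent: Dict[str, Set[str]] = {}      # subject -> purposes consented to
        self.audit: List[dict] = []                  # monitoring and logging of every operation
        self._next_id = 1

    def _log(self, now: datetime, action: str, **details) -> None:
        self.audit.append({"at": now.isoformat(), "action": action, **details})

    def give_consent(self, subject_id: str, purpose: str) -> None:
        self._consent.setdefault(subject_id, set()).add(purpose)

    def withdraw_consent(self, subject_id: str, purpose: str, now: datetime) -> None:
        self._consent.get(subject_id, set()).discard(purpose)
        self._log(now, "consent_withdrawn", subject=subject_id, purpose=purpose)

    def capture(self, subject_id: str, purpose: str, data: dict,
                retention: timedelta, now: datetime) -> Optional[int]:
        # Lawful basis: without consent for this purpose nothing is collected at all.
        if purpose not in self._consent.get(subject_id, set()):
            self._log(now, "capture_denied", subject=subject_id, purpose=purpose)
            return None
        rid, self._next_id = self._next_id, self._next_id + 1
        self._records[rid] = Record(subject_id, purpose, dict(data), now, retention)
        self._by_subject.setdefault(subject_id, set()).add(rid)
        self._log(now, "capture", subject=subject_id, purpose=purpose, record=rid)
        return rid

    def use(self, rid: int, purpose: str, now: datetime) -> Optional[dict]:
        # Access control with purpose limitation: a record is readable only for the purpose
        # it was collected for, only while consent for that purpose stands, and only before
        # its retention period ends. Denials are logged like successes.
        rec = self._records.get(rid)
        if (rec is None or rec.purpose != purpose or rec.expired(now)
                or purpose not in self._consent.get(rec.subject_id, set())):
            self._log(now, "use_denied", record=rid, purpose=purpose)
            return None
        self._log(now, "use", record=rid, purpose=purpose)
        return dict(rec.data)

    def subject_access(self, subject_id: str, now: datetime) -> List[dict]:
        # Subject access / portability request answered from the index, not a full scan.
        ids = sorted(self._by_subject.get(subject_id, set()))
        self._log(now, "subject_access", subject=subject_id, records=len(ids))
        return [{"record": i, "purpose": self._records[i].purpose,
                 "data": dict(self._records[i].data)} for i in ids]

    def erase(self, subject_id: str, now: datetime) -> int:
        # Right to erasure: drop every record for the subject and the index entry itself.
        ids = self._by_subject.pop(subject_id, set())
        for i in ids:
            del self._records[i]
        self._log(now, "erase", subject=subject_id, records=len(ids))
        return len(ids)

    def purge_expired(self, now: datetime) -> int:
        # Timely deletion: enforce each record's retention period instead of storing forever.
        expired = [i for i, r in self._records.items() if r.expired(now)]
        for i in expired:
            rec = self._records.pop(i)
            self._by_subject[rec.subject_id].discard(i)
        self._log(now, "purge", records=len(expired))
        return len(expired)


def demo() -> dict:
    """Capture -> Store -> Use -> Destroy on constructed sample data; returns what happened."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = PersonalDataStore()
    store.give_consent("alice", "billing")
    store.give_consent("alice", "analytics")
    store.give_consent("bob", "billing")
    a_bill = store.capture("alice", "billing", {"email": "alice@example.test"}, timedelta(days=365), t0)
    a_anl = store.capture("alice", "analytics", {"pages": ["/home", "/pricing"]}, timedelta(days=30), t0)
    store.capture("bob", "billing", {"email": "bob@example.test"}, timedelta(days=365), t0)
    denied = store.capture("bob", "analytics", {"pages": ["/home"]}, timedelta(days=30), t0)  # no consent
    t1 = t0 + timedelta(days=10)
    billing_use = store.use(a_bill, "billing", t1)        # permitted: same purpose
    reuse = store.use(a_bill, "analytics", t1)            # sin 2, indiscriminate reuse: denied
    store.withdraw_consent("alice", "analytics", t1)
    after_withdraw = store.use(a_anl, "analytics", t1)    # consent gone: denied
    t2 = t0 + timedelta(days=31)
    purged = store.purge_expired(t2)                      # analytics record is past its 30 days
    export = store.subject_access("alice", t2)
    erased = store.erase("bob", t2)
    bob_left = store.subject_access("bob", t2)
    return {"denied_capture": denied is None, "billing_use": billing_use,
            "cross_purpose_reuse": reuse, "use_after_withdrawal": after_withdraw,
            "purged": purged, "alice_export": export, "erased_for_bob": erased,
            "bob_left": bob_left, "audit_events": len(store.audit)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `audit` list is what accountability (principle 7) rests on: every capture, use, denial, consent change, purge and erasure is recorded with a timestamp, so compliance can be demonstrated rather than merely claimed. Encryption and data-location management, the remaining two features on the slide, are deliberately left out of this toy; in a real system each subject's records would be encrypted under a subject-specific key so that erasure can also be done by destroying the key.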