Data Privacy Laws Lecture 2 PDF

Summary

This document provides a lecture about data privacy laws and regulations. It covers the framework of data privacy laws, the landscape of data privacy and protection laws, and examples of comprehensive laws and regulations, such as FIPPS and GDPR, along with sectoral data privacy laws in Saudi Arabia. The lecture also includes examples of data breaches and fines.

Full Transcript

Data Privacy Lecture 2: Data Privacy and Protection Laws and Regulations

REFERENCE:
Prof. Bharat Bhargava (Purdue University) Slides on Data Protection Directives
Outline

 Framework of Data Privacy Laws
 Landscape of Data Privacy and Protection Laws
 Examples of comprehensive laws and regulation
 FIPPS
 GDPR
 Sectoral Data Privacy Laws in Saudi Arabia
 Example of data breaches and Fines

COE426: Lecture 2 2
Legal Views on Privacy
 Privacy is a fundamental human right that has become
one of the most important rights of the modern age
 Each country has a provision for rights of inviolability of
the home and secrecy of communications
 Example: In Saudi Law
 Article 40:
"The privacy of telegraphic and postal communications,
and telephone and other means of communication, shall
be inviolate. There shall be no confiscation, delay,
surveillance or eavesdropping, except in cases provided by
the Law."

COE426: Lecture 2 3
Data Privacy and Protection
Laws
 Data Privacy and Protection laws refer to legislation that is
intended to:
 protect the right to privacy of individuals
 ensure that Personal Data is used appropriately by
organisations that may have

 Personal data is any information that can be used to
identify a natural person
 Name; Phone Number; Email address; etc

 Special Categories of Personal Data require more stringent
measures of protection
 Religion; Ethnicity; Medical information; Criminal Data;
Children’s Data
COE426: Lecture 2 4
Landscape of Privacy Laws

 Two types of privacy laws
1. Comprehensive Laws: General laws that govern the
collection, use and dissemination of personal information
by public & private sectors
 Require commissioners or independent enforcement body
 Difficulty: lack of resources for oversight and enforcement;
agencies under government control

2. Sectoral Laws: Avoid general laws, focus on specific
sectors instead
 Advantage: enforcement through a range of mechanisms
 Disadvantage: each new technology requires new legislation

COE426: Lecture 2 5
Comprehensive Laws In EU
 European Union Council adopted the Privacy Electronic
Communications Directive
 Prohibits secondary uses of data without informed consent
 No transfer of data to non EU countries unless there is
adequate privacy protection

COE426: Lecture 2 6
Sectoral Laws in US
 No explicit right to privacy in the constitution

 A patchwork of federal laws for specific categories of
personal information
 E.g., financial reports, credit reports, video rentals, etc.

 Wide belief that self-regulation is enough and that no
new laws are needed (exception: medical records)

COE426: Lecture 2 7
EU vs. US [cf. A.M. Green, Yale, 2004]

 The difference between the laws in the two systems
resulted in what was called the “Safe Harbor
Agreement”
 US companies would voluntarily self-certify to adhere to
a set of privacy principles worked out by US Department
of Commerce and Internal Market Directorate of the
European Commission
 Little enforcement: A self-regulatory system in which
companies merely promise not to violate their declared
privacy practices
 Criticized by privacy advocates and consumer groups in
both US and Europe

COE426: Lecture 2 8
Privacy Impact Assessments
(PIA)
 An evaluation conducted to assess how the adoption of
new information policies, the procurement of new
computer systems, or the initiation of new data
collection programs will affect individual privacy

 The premise: Considering privacy issues at the early
stages of a project cycle will reduce potential adverse
impacts on privacy after it has been implemented

 Will talk about it more in coming lectures

COE426: Lecture 2 9
Privacy Laws Framework

 Most data laws were developed alongside three major
concepts that implicate our privacy
 Media
 Surveillance
 Personal data
 The laws revolve around privacy "torts"
 Intrusion upon seclusion
 What does "seclusion" mean?
 Public disclosure of private facts
 Misappropriation of name or likeness
 Placing someone in a false light
 Negligent handling of people's personal information

COE426: Lecture 2 10
Fair Information Practice
Principles (1)

 FIPPS are a set of internationally recognized principles that
inform information privacy policies both within government
and the private sector
 The principles are
 Collection Limitation
 Data quality principle
 Purpose specification
 Use limitation principle
 Security safeguards principle
 Openness principle
 Individual participation principle
 Accountability principle
COE426: Lecture 2 11
 General Data Protection Regulations
(GDPR)

 The General Data Protection Regulations (GDPR) is new
EU legislation that comes into effect on May 25th 2018.
 It very clearly sets out the ways in which the privacy
rights of every EU citizen must be protected and the
ways in which a person’s ‘Personal Data’ can and can’t
be used.
 It carries significant penalties for non-compliance
 €20 Millions, or 4% of the entire global revenue
 Whichever is higher!

COE426: Lecture 2 17
GDPR Entities

 Three entities are defined in GDPR
1. A data subject: the person whose data is collected
2. A data controller: the entity that collects and uses
personal data
3. A data processor: the entity that processes data on
behalf of the data controller
 Laws and regulations impose different obligations on
the controllers and processors
 For example,
 Data controller: a company has a website that collects
data on the pages their visitors visit
 Data processor: Google Analytics

COE426: Lecture 2 18
Seven Principles of Data
Protection
1. Lawfulness, Fairness, Transparency
2. Purpose Limitation
 Use only for one or more specified purposes
3. Data Minimisation
 Collect only the amount of data required for the specified purpose(s)
4. Accuracy
 Ensure data is kept up to date, accurate and complete
5. Storage Limitation
 Kept for no longer than necessary for the specified purpose(s)
6. Integrity and Confidentiality
 Processed ensuring appropriate security of data
7. Accountability
 Essential not only to be compliant, but to be able to demonstrate compliance

COE426: Lecture 2 19
 How to Comply with GDPR?
GD
PR
The Data Protection Commissioner has
issued a guide to compliance, consisting of
12 steps.

1. Becoming Aware 7. Consent
2. Becoming Accountable 8. Children’s Data
3. Communication with 9. Reporting Breaches
members 10.Impact Assessments
4. Personal Privacy Rights 11.Data Protection
5. Subject Access Requests Officers
6. Legal Basis 12.International
Organisations

COE426: Lecture 2 20
 GD
PR

COE426: Lecture 2 21
Information Life Cycle

Capture 1. Capture – Obtain and
record information
2. Store – Save the
information electronically
Destroy Store or in paper format
3. Use – Use or reuse
information
4. Destroy – Delete, erase
Use or shred information

COE426: Lecture 2 22
GDPR Information Life Cycle
Data Protection by Design and by Default
Data Protection Impact Assessment (DPIA)
Documentation

Assess

Retention Period Data Minimisation
Right to erasure Destroy Capture Privacy Notices
Portability Privacy Rights
Third Party copies Obtain Consent

Use Store
Safe and Secure
Restricted Access
Appropriate use Consent Data Inventory
Manage Consent Subject Access Requests
Restricted International Transfers Contracts with Data Processors

COE426: Lecture 2 23
The Seven GDPR Sins

 Seven lethal mistakes when designing a new IT system
1. Storing data forever
 Data can take long time to be completely deleted
2. Reusing data indiscriminately
 E.g. Google used user's data for ad personalization
3. Walled gardens and black markets
 Ability to download your personal data instantly
 Third-party ad companies were blocked from accessing data
4. Risk-agnostic data processing
 "Unless you are breaking stuff, you are not fast enough"
5. Hiding data breaches
6. Making unexplainable decisions
7. Security as secondary goal

Shastri, S., Wasserman, M. and Chidambaram, V., 2019. The Seven Sins of Personal-Data Processing Systems under GDPR. USENIX
COE426: Lecture
HotCloud. 2 24
The Seven GDPR Sins

 Seven lethal mistakes when designing a new IT system
8. Hiding data breaches
 Prior to GDPR, victims have to check themselves whether they
are impacted or not
 Now, companies must send early notifications to all impacted
users

9. Making unexplainable decisions
 Taking care of privacy when using algorithmic decision making

10. Security as secondary goal
 Proactive Vs. Reactive security

Shastri, S., Wasserman, M. and Chidambaram, V., 2019. The Seven Sins of
Personal-Data Processing Systems under GDPR. USENIX HotCloud.
COE426: Lecture 2 25
Designing GDPR Compliant
Systems
 Companies are legally bound to comply with GDPR
 Compliance with GDPR is not trivial
 For example,
 Three questions when designing a new storage system
1. What features should a storage system have to be GDPR-
compliant?
2. How does compliance affect the performance of different
types of storage system?
3. What are the technical challenges in achieving strict
compliance in an efficient manner?

COE426: Lecture 2 26
Designing for GDPR
Compliance
 GDPR is intentionally vague in terms of technical
specifications
 Features for GDPR-Compliant storage systems
1. Timely deletion
2. Monitoring and logging
3. Indexing via metadata
4. Access control
5. Encryption
6. Managing data location

Shah, Aashaka, Vinay Banakar, Supreeth Shastri, Melissa Wasserman, and Vijay Chidambaram. "Analyzing the Impact of {GDPR} on Storage
COE426: Lecture
Systems." 2 {USENIX} Workshop on Hot Topics in Storage and File Systems (HotStorage 19). 2019. 27
In 11th
Examples of Data Laws
Breaches
 Marriot International Inc.
 ~339 million guest records leaked including payment details

 ~30 million are EU

 fined £99,200,396 for the violation

 British Airways
 ~500K customers information leakes

 Resulted in a fine of £183.39 million.

 Google
 failing to get valid consent from the users for personalized ads.

 Google was fined €50 million

 Facebook
 Related to Cambridge

 Fined £500,000

 List of GPDR fines
 https://www.nathantrust.com/gdpr-fines-penalties

 https://www.cookielawinfo.com/gdpr-fines-biggest-gdpr-violation-examples/

COE426: Lecture 2 28
Conclusions [cf. A.M. Green, Yale, 2004]

 More work to be done to ensure the security of personal
information for all individuals in all countries

 Technological solutions to protect privacy are
implemented to a limited extent only

 Not enough being done to encourage the
implementation of technical solutions for privacy
compliance and enforcement

COE426: Lecture 2 29