Information Privacy is an International concern. Today, most countries have laws protecting personal data from misuse and destruction. Regulation and enforcement of data protection varies from country to country. However, despite such differences, almost every country uses the same basic privacy concepts and principles– notice, access, consent, data integrity, disclosure and accountability– to develop data protection laws.
Data Protection in Europe
The European Union has the most extensive and comprehensive data protection laws in the world. In 1995, the European Commission instituted their most significant body of law known as the Data Protection Directive (95/45/EC). The directive applies to all entities that process personal data in all member states of the European Union.
E.U. Data Protection Directive Privacy Principles
The Data Protection Directive outlines privacy principles for the processing of data which include:
1) Notice– (Article 10) The data subject must be provided with the identity of the data controller, the purposes for which data is collected and third party recipients
2) Choice– (Article 14) The data subject may object to the processing of their personal data for the purpose of direct marketing and the disclosure of data for third parties or uses.
3) Access and Correction– (Article 12) The data subject may request to view data an entity has on record about them and rectify, erase of block the processing of data if incorrect or incomplete.
4) Data Quality–(Article 6) Data should be processed lawfully. It should be collected and processed for specific and legitimate purposes. Data should be timely, accurate and complete. Data that is no longer necessary should be kept in a format that is not personally identifiable.
5) Data Security– (Article 17) Appropriate steps must be taken to protect against accidental loss, and unauthorized access, use or destruction.
The E.U. data directive requires the creation of a National Data Protection Authority for all member states. This supervisory authority must regulate and implement data protection laws within its country as well as investigate privacy violations. Every data controller must register with a supervisory authority before processing personal data.
In order to protect personal data when transferred to countries outside the European Union, the Data Protection Directive prohibits onward transfer to entities in non-member states unless they meet an equivalent level of protection. Agreements like Safe Harbor between the United States and the E.U. allow businesses to participate in a program that allows unrestricted international data flow as long as a businesses institutes similar privacy principles to those of the E.U.
The Data Protection Directive also has special regulations for the transfer of sensitive data such as racial or ethnic origins, political or religious beliefs, sexual orientation, trade union membership and other similar characteristics. The E.U. requires explicit, affirmative consent from a data subject in order to disclose sensitive information to third parties, not matter whether the third party is within or outside the European Union.
Privacy and Electronic Communications Directive
In 2003, the Directive on Privacy and Electronic Communications Directive (2002/58)was developed to complement the Data Protection Directive. It deals specifically with data protection and with regard to marketing messages and the growing use of digital technology and electronic communications. The Privacy and Electronic Communications Directive requires explicit consent from a data subject to send marketing messages unless all of the following criteria are met:
1) The provider already has information on the data subject on file from a previous service or transaction
2) The marketing message is in relation to similar services or products
3) The data subject is given the opportunity to opt-out of further marketing messages.
The E-Privacy Directive also places restrictions on the use of marketing messages through telemarketing, automated telephone calls and faxes. The directive also requires a mechanism to opt-out of the use and receipt of cookies.
Data Protection in Canada
Canada is one of the countries closest to the European Union in terms of comprehensive information privacy law. It uses a coregulatory framework between the government and the privacy sector to enforce data protection.
The Privacy Act of 1983 regulates the use of personal information by the Canadian Federal Government. The Privacy Act requires:
- Notice– the data subject must be notified of the information collected and its uses
- Access– a data subject has the right to view what personal information is held by a government institution and rectify erroneous information
- Consent– data subject must provide explicit consent before information is disclosed to parties outside the control of a government institution (with a few exceptions)
- Limited Use– collected information must directly relate to the activities of a government program and may only be used for the purposes it was originally collected (with a few exceptions)
- Enforcement– the Privacy Commissioner of Canada must investigate and complaints it receives regarding privacy violations to data subjects.
PIPEDA deals with information privacy in the private sector of Canada which includes financial and health institutions. It protects all information that may identify an individual used in the course of rendering commercial services including those of nonprofit organizations.
PIPEDA incorporates the ten privacy principles outlined by the Canadian Standards Association which include: Accountability, Identifying Purposes, Consent, Limiting collection, Limiting use, disclosure and retention, Accuracy, Safeguards, Openness, Individual Access, Challenging compliance. PIPEDA requires explicit consent from individuals in order to use, process or disclose their personal information (with a few exceptions)
PIPEDA is enforced through the Office of the Privacy Commissioner of Canada or similar territorial privacy commissioners. The Commissioner is required, by PIPEDA, to investigate any privacy complaints lodged against a commercial institution and create a report of their findings.The report is sent to the organization against whom the complaint was filed with recommendations. The report is also returned to the complainant who can then pursue the matter further in the Federal Courts.
Data Protection in Asia
Data Protection across Asia is varied depending on the development and political beliefs of each country, however even counties that grant the least amount of protection have shown a concern for Data Protection and the way it affects the free flow of information.
Data Protection in Japan is covered under the Law Concerning the Protection of Personal Information. It was put into effect in 2005. Enforcement is regulated by ministries of each industry sector (i.e.: Ministry of Health enforces the Law in the Health industry) Each industry may place additional restrictions on the use of personal information.
Like many data protection laws, Japan’s Law requires specific and limited use of information, adequate data security and integrity, data subject notice of purpose of use, as well as access to and correction of information held by an institution. One major different in Japan’s Law is in their policies regarding disclosure. Explicit consent is required for all disclosure of information to third parties, even if the third party is affiliated with the data controlling entity.
The Asia-Pacific Economic Cooperation
APEC is a non-binding cooperative agreement between countries along the coast of the Pacific to facilitate regional trade. In 2004, APEC developed a Privacy Framework, recognizing the need for strong data protection laws to allow multinational and international business and trade to continue. Members of APEC include: Australia, Canada, Chile, China, Japan, Peru, Russia, the United States, as well as others.
1) Preventing Harm– Above all privacy regulations should prevent harm to data subjects from the unauthorized or misuse collection, use or disclosure of personal information.
2) Notice– An individual should be notified regarding the personal information including what, why, how and to whom their information is collected, used or disclosed. They must also be given the choice and means to limit the use and disclosure of their information
3) Collection Limitation– Collected information should be used for specific and limited purposes.
4) Uses of Personal Information–Person Information should be collected with consent of the data subject and when necessary to render a service or transaction
5) Choice– Individuals must be provided with unambiguous mechanisms to control the collection, use and disclosure of their personal information.
6) Integrity of Personal Information– Personal Information should be complete, timely and accurate
7) Security Safeguards–Safeguards should be created to protect against data loss as well as unauthorized, access, use, disclosure, destruction and other misuses.
8) Access and Correction– Individuals must be able to obtain the personal information a data controller may hold about them in a timely and reasonable manner and be allowed to challenge the accuracy of the information.
9) Accountability– Entities controlling personal information must be accountable for complying with privacy principles.
APEC is non-binding which means that there is no single supervisory authority for enforcing compliance in member states. Each member state is responsible for creating and enforcing their own information privacy regulations that adhere to the APEC Privacy Framework.
Data Protection in Latin America
Like, Asia, data protection in Latin America is inconsistent. However, many Latin American countries along the Pacific are members of APEC and comply with the APEC Privacy Framework. Furthermore, many countries have included some forms of data protection in their constitutions under the writ of Habeas Data
Habeas Data literally translates to “[we command] you have the data.” It protects the right of an individual file complaints to a constitutional court regarding violations to their image, honor, privacy, and freedom of information. Legally this has translated to information privacy regulations for the government. Often similar regulations have been extended to the private sector. Habeas Data requires that an individual be able to view information on record about their person and correct any false information. Furthermore it holds a data controlling entity accountable for the integrity of data. The 1988 Brazilian Constitution was the first to include the writ of Habeas Data.
Argentina is the only Latin American country considered adequate under the E.U. Data Protection Directive. The Argentine Constitution contains the writ of Habeas Data. In 2000, a comprehensive data protection law called the Personal Data Protection Act was implemented to protect personal data in both the public and private sector.
Under the Act, data must be collected for “certain, appropriate, pertinent and not excessive” purposes and must be collected lawfully. Data must be accurate, complete, secure and destroyed once it is no longer necessary for the purposes it was originally collected. Furthermore any activities surrounding personal data must receive explicit consent from the individual with a few specific exceptions (section 5).
The Act also prohibits the creation of files linking sensitive data with identifiable individuals and requires that no person may be compelled to share sensitive data. Much like the E.U. Data protection directive, the Act requires other countries to have adequate levels of protection before transferring data.
In 1999, Chile was the first Latin American country to implement a data protection law. Chile uses a comprehensive law called The Law for the Protection of Private Life to govern the public and private sectors. While the Law guarantees the rights of a data subject’s to access, correction, notice, and judicial control, there is no supervisory authority and compliance is largely self enforced. Furthermore, the Law provides no protection for international transfers.
Paraguay includes Habeas Data in Article 135 of its constitutions which states:
“Everyone may have access to information and data available on himself or assets in official or private registries of a public nature. He is also entitled to know how the information is being used and for what purpose. He may request a competent judge to order the updating, rectification, or destruction of these entries if they are wrong or if they are illegitimately affecting his rights.” Paraguay also has its own privacy law to govern information privacy during the course of commercial business. Additionally it protects sensitive data and economic status information by requiring explicit, written consent of the data subject unless it is required by law.
As technology progresses and the unrestricted flow of information across borders becomes increasingly important, countries will no longer have the luxury of avoiding data protection. In order to protect the data of their citizens, governments like the E.U. and Argentina require similar levels of protection when they transfer their information to other countries. To allow such trade to continue, countries around the globe must implement privacy policies of their own and consider how they will protect the information of their citizens as well as the personal information they receive through onward transfer. With the growth of electronic technology, information privacy has become an international issue that cannot be ignored.
CIPP Candidate Preparation
In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:
- Privacy and Data Protection Regulation (Foundations: I.F.b.ii-v.) including Europe, Canada, Asia and South America