Data Privacy

John

Privacy

  • Fundamental human right
    • In most constitutions
  • First law in 1361 against peeping toms and eavesdroppers
  • In 1948’s Universal Declaration of Human Rights
  • Most notable in the way it is constrained and infringed rather than how it is enforced

 

What is Privacy?

  • The ability to keep information about oneself confidential
    • Information about me as an individual (e.g., medical, financial)
    • Information about what I buy
    • Information about where I am and where I go
    • Information about with whom I associate, where, and when
  • Common threats to privacy
    • Government overreach
    • Advertising/marketing

 

The reality…

Privacy can get in the way of security

  • Surveillance authority abuse
    • Widespread violations
    • Degree varies by country
    • Perpetrators are usually police, companies, criminals, …
  • Targets
    • Opposition politicians
    • Journalists
    • Human rights activists
  • The difference between “freedom fighter” and “terrorist” is often (although not exclusively) a matter of point of view.

 

Privacy Erosion

  • Erosion from new technologies
    • ID systems (ID cards, biometrics, …)
    • Communication surveillance
    • Video surveillance
    • Workplace surveillance
    • Social media (Facebook, etc

 

Privacy and data protection laws

  • Many purposes
    • Prevent government abuse
    • Promote e-commerce
    • Achieve compatibility with other countries
  • Vary among countries (mainly by degrees)
  • Require personal information to be:
    • Obtained lawfully
    • Obtained fairly
    • Used only for the original specified purpose
    • Adequate, relevant and not excessive to purpose
    • Accurate and up to date
    • Destroyed after its purpose is completed

 

Privacy Protection

Industry Self-protection

  • Codes of practice
    • Industry-specific
    • E.g., “American XYZ Association” would issue privacy guidelines and codes for the XYZ industry
  • Proved disappointing
    • Resulted in inadequate codes
    • Codes of practice were not enforced
    • Inherently conflicted to have regulator = regulated
    • Failure was predictable (why was it even tried

 

Regulatory Protection

  • Comprehensive data protection law
  • Enforcement through a public official
    • Monitors compliance
    • Investigates breaches
  • No delay when new technologies appear
    • Existing law applies to all current and future products and technologies
  • EU, CA, Australia, NZ, HK

 

Sectoral Protection (whats done in US)

  • One for each sector and technology
    • Movie rental/viewing) records
    • Financial records (Gramm-Leach-Bliley) GLB
    • Medical records (HIPAA)
    • Students records (FERPA)
  • Enforcement through many mechanisms
  • Used in U.S.
  • Laws lag behind technology
    • E.g., genetic information

 

Hybrid (Regulatory + Sectoral)

  • A comprehensive law, complemented with sectoral laws
  • Sectoral laws provide more detailed protection of certain categories of information, such as
    • Police files
    • Consumer credit records

 

Do-it-Yourself Protection

  • Individual self-protection
  • Using privacy and anonymity technologies
    • Anonymous browsing (e.g., using Tor)
    • Paying with digital currencies (e.g., digital cash or a crypto-currency like Bitcoin)
    • In the extreme, can disappear (no bank account, no permanent address, burner phones, … )
  • Cannot replace a legal framework

 

Privacy Laws

  • GDPR in European Union
  • In the US, generally, FTC authorities
  • State laws
    • MA, NY
    • IL law on biometrics
    • New CA Consumer Privacy Act (CCPA, 2020)
  • Patchwork laws at Federal Level
    • Video Privacy Protect Act
    • Driver’s Protection Act
    • Children’s Online Privacy Protection Act (COPPA)
    • Family Education Right to Privacy Act (FERPA)
    • As noted earlier, HIPPA, GLBA. Etc

 

GDPR

https://gdpr-info.eu/art-5-gdpr/

The General Data Protection Regulation (GDPR) is a regulation passed by the European Union in 2016 that sets out rules for the processing and protection of personal data. The GDPR is designed to give individuals more control over their personal data and to ensure that companies handle this data in a responsible manner.

 

Here are some key provisions of the GDPR related to privacy:

  1. Lawful basis for data processing: Companies must have a lawful basis for processing personal data, such as consent, contract, legal obligation, vital interests, or legitimate interests.
  2. Data subject rights: Individuals have the right to access their personal data, rectify any inaccuracies, erase their data, and object to the processing of their data.
  3. Consent: Companies must obtain clear and affirmative consent from individuals before processing their personal data.
  4. Data protection officer: Some companies are required to appoint a Data Protection Officer (DPO) to oversee compliance with the GDPR.
  5. Data breach notifications: Companies must notify individuals and authorities within 72 hours of discovering a data breach that is likely to result in a risk to the rights and freedoms of individuals.
  6. Data transfers: Personal data can only be transferred to countries outside the EU if they have adequate data protection laws or if the company has implemented appropriate safeguards.
  7. Accountability: Companies must demonstrate compliance with the GDPR and maintain documentation to prove their compliance.

 

Some specific provisions of the GDPR that relate to privacy:

  1. Personal data: The GDPR defines personal data as any information that can be used to directly or indirectly identify an individual, such as a name, photo, email address, IP address, or location data.
  2. Privacy notices: Companies must provide individuals with clear and concise privacy notices that explain how their personal data will be processed, who will have access to it, and their rights under the GDPR.
  3. Data minimization: Companies must collect and process only the personal data that is necessary for the specific purpose for which it is being processed.
  4. Data retention: Companies must not retain personal data for longer than necessary and must delete it when it is no longer needed.
  5. Right to erasure: Individuals have the right to request that their personal data be erased in certain circumstances, such as when the data is no longer necessary for the purpose for which it was collected, or when the individual withdraws their consent.
  6. Right to object: Individuals have the right to object to the processing of their personal data in certain circumstances, such as when the data is being processed for direct marketing purposes.
  7. Automated decision-making: Individuals have the right to object to automated decision-making, including profiling, that has legal or significant effects on them.
  8. Data protection by design and default: Companies must implement data protection measures from the outset of any new project or system, and must ensure that privacy is built in by default.

 

USACM Policy Recommendations on Privacy

June 2006

MINIMIZATION

  1. Collect and use only the personal information that is strictly required for the purposes stated in the privacy policy.
  2. Store information for only as long as it is needed for the stated purposes.
  3. If the information is collected for statistical purposes, delete the personal information after the statistics have been calculated and verified.
  4. Implement systematic mechanisms to evaluate, reduce, and destroy unneeded and stale personal information on a regular basis, rather than retaining it indefinitely.
  5. Before deployment of new activities and technologies that might impact personal privacy, carefully evaluate them for their necessity, effectiveness, and proportionality: the least privacy-invasive alternatives should always be sought.

 

CONSENT

  1. Unless legally exempt, require each individual’s explicit, informed consent to collect or share his or her personal information (opt-in); or clearly provide a readily-accessible mechanism for individuals to cause prompt cessation of the sharing of their personal information, including when appropriate, the deletion of that information (opt-out). (NB: The advantages and disadvantages of these two approaches will depend on the particular application and relevant regulations.) Whether opt-in or opt-out, require informed consent by the individual before using personal information for any purposes not stated in the privacy policy that was in force at the time of collection of that information.

 

OPENNESS

  1. Whenever any personal information is collected, explicitly state the precise purpose for the collection and all the ways that the information might be used, including any plans to share it with other parties.  Be explicit about the default usage of information: whether it will only be used by explicit request (opt-in), or if it will be used until a request is made to discontinue that use (opt-out).
  2. Explicitly state how long this information will be stored and used, consistent with the “Minimization” principle.
  3. Make these privacy policy statements clear, concise, and conspicuous to those responsible for deciding whether and how to provide the data.
  4. Avoid arbitrary, frequent, or undisclosed modification of these policy statements.
  5. Communicate these policies to individuals whose data is being collected, unless legally exempted from doing so.

 

ACCESS

  1. Establish and support an individual’s right to inspect and make corrections to her or his stored personal information, unless legally exempted from doing so.
  2. Provide mechanisms to allow individuals to determine with which parties their information has been shared, and for what purposes, unless legally exempted from doing so.
  3. Provide clear, accessible details about how to contact someone appropriate to obtain additional information or to resolve problems relating to stored personal Information.

 

ACCURACY

  1. Ensure that personal information is sufficiently accurate and up-to-date for the intended purposes.
  2. Ensure that all corrections are propagated in a timely manner to all parties that have received or supplied the inaccurate data.

 

SECURITY

  1. Use appropriate physical, administrative, and technical measures to maintain all personal information securely and protect it against unauthorized and inappropriate access or modification.
  2. Apply security measures to all potential storage and transmission of the data, including all electronic (portable storage, laptops, backup media), and physical (printouts, microfiche) copies.

 

ACCOUNTABILITY

  1. Promote accountability for how personal information is

 

ACM US Technology Policy Committee

https://www.acm.org/public-policy/ustpc

ACM’s US Technology Policy Committee regularly produces data-driven, apolitical statements, reports and other materials on a wide range of computing-related policy issues. Current current key issues and resources include:

  • Digital Privacy
  • AI and Algorithms
  • Election Security
  • Internet of Things
  • Health Tech
  • Cybersecurity
  • Ethics
  • Accessibility
  • Intellectual Property

 

 

eof