A comparison of proposed legislative data privacy protections in the United States

The use of online consumer tracking methods has raised significant privacy concerns for consumers and policymakers for decades. Advertisers using these methods analyze web-viewing habits to predict consumer preferences and actions. The advertising industry in the United States has promoted self-regulatory principles to respond to these concerns. However, in December 2010, the U.S. Federal Trade Commission reported that these efforts “have been too slow and up to now have failed to provide adequate and meaningful protection.” President Barack Obama's administration has supported broader legislation for comprehensive protection of individuals' private data. The leading model for data privacy protection is the 1980 Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. This article examines two leading legislative privacy proposals in the context of the OECD principles. This examination concludes that, although the proposals do not provide sufficient comprehensive privacy protections, they do fill significant gaps in current U.S. privacy laws.     

Protecting the privacy and security of sensitive customer data in the cloud

The global ubiquity of cloud computing may expose consumers' sensitive personal data to significant privacy and security threats. A critical challenge for the cloud computing industry is to earn consumers' trust by ensuring adequate privacy and security for sensitive consumer data. Regulating consumer privacy and security also challenges government enforcement of data protection laws that were designed with national borders in mind. From an information privacy perspective, this article analyses how well the regulatory frameworks in place in Europe and the United States help protect the privacy and security of sensitive consumer data in the cloud. It makes suggestions for regulatory reform to protect sensitive information in cloud computing environments and to remove regulatory constraints that limit the growth of this vibrant new industry.     

Internet of Things – New security and privacy challenges

The Internet of Things, an emerging global Internet-based technical architecture facilitating the exchange of goods and services in global supply chain networks has an impact on the security and privacy of the involved stakeholders. Measures ensuring the architecture's resilience to attacks, data authentication, access control and client privacy need to be established. An adequate legal framework must take the underlying technology into account and would best be established by an international legislator, which is supplemented by the private sector according to specific needs and thereby becomes easily adjustable. The contents of the respective legislation must encompass the right to information, provisions prohibiting or restricting the use of mechanisms of the Internet of Things, rules on IT-security-legislation, provisions supporting the use of mechanisms of the Internet of Things and the establishment of a task force doing research on the legal challenges of the IoT.     

Data protection in Malaysia and Hong Kong: One step forward,two steps back?

Continuing rapid developments in information communication technology has led to an ever increasing amount of personal information being collected, processed, stored and used, without the individual even knowing about it. For countries which have domestic legislation relating to privacy and data protection, it has afforded the opportunity for a review. For others, it has opened up the opportunity to legislate. The aim of the paper is three-fold. First, the paper aims to deal with data protection regime in Malaysia and in Hong Kong by examining the salient features of the newly enacted Malaysia's Personal Data Protection Act 2010 and the recent recommendations for legislative reform to the Personal Data (Privacy) Ordinance in Hong Kong. Second, it considers whether the laws are more concerned with legitimising data protection practices of organizations and businesses rather than the protection of individuals' privacy interests. Finally, the paper briefly considers whether the laws adequately address the impact to individuals' data privacy brought about by technological advancements before providing a conclusion.     

Pricing privacy – the right to know the value of your personal data

The commodification of digital identities is an emerging reality in the data-driven economy. Personal data of individuals represent monetary value in the data-driven economy and are often considered a counter performance for “free” digital services or for discounts for online products and services. Furthermore, customer data and profiling algorithms are already considered a business asset and protected through trade secrets. At the same time, individuals do not seem to be fully aware of the monetary value of their personal data and tend to underestimate their economic power within the data-driven economy and to passively succumb to the propertization of their digital identity. An effort that can increase awareness of consumers/users on their own personal information could be making them aware of the monetary value of their personal data. In other words, if individuals are shown the “price” of their personal data, they can acquire higher awareness about their power in the digital market and thus be effectively empowered for the protection of their information privacy. This paper analyzes whether consumers/users should have a right to know the value of their personal data. After analyzing how EU legislation is already developing in the direction of propertization and monetization of personal data, different models for quantifying the value of personal data are investigated. These models are discussed, not to determine the actual prices of personal data, but to show that the monetary value of personal data can be quantified, a conditio-sine-qua-non for the right to know the value of your personal data. Next, active choice models, in which users are offered the option to pay for online services, either with their personal data or with money, are discussed. It is concluded, however, that these models are incompatible with EU data protection law. Finally, practical, moral and cognitive problems of pricing privacy are discussed as an introduction to further research. We conclude that such research is needed to see to which extent these problems can be solved or mitigated. Only then, it can be determined whether the benefits of introducing a right to know the value of your personal data outweigh the problems and hurdles related to it.     

Perceptions of controllers on EU data protection reform: A Finnish perspective

Data protection regulations are undergoing a global reform. The European Commission proposed a reform of the EU data protection framework in 2012. One major driver for the reform has been the research on the consumer perceptions indicating that the consumers are worried about their personal privacy. However, there has been practically no research on perceptions of companies (the controllers of the personal data) and on the data protection reform. This research analyses the awareness and the willingness to act towards compliance regarding the proposed General Data Protection Regulation (GDPR) in Finland in 2013. The GDPR will replace the Finnish Personal Data Act and therefore plays a central role in the Finnish privacy regulation. This research found that the general level of awareness was low: only 43% of the controllers were aware of the forthcoming reform. The willingness to act or to take steps towards the compliance was even lower: 31% of controllers said that they are planning to act towards compliance during this year. These results indicate that the companies are quite unfamiliar with the reform that correlates with other relevant studies in Europe. Personal data are said to be the oil of the digital economy, the hottest commodity of the market today. There are companies that understand this, but the majority seems to ignore this at least what comes to their awareness regarding the reform, even the reform captures many of the best practices regarding processing of personal data.     

The retention of personal information online: A call for international regulation of privacy law

New technologies permit online businesses to reduce expenses and increase efficiency by, for example, storing information in “the cloud”, engaging in online tracking and targeted advertising, location and tracking technologies, and biometrics. However, the potential for technology to facilitate long term retention of customers' personal information raises concerns about the competing right of individuals to the privacy of their personal information. Although the European Commission has recently released a proposal for regulation to “provide a data subject with the right to be forgotten and to erasure”, neither the OECD Privacy Guidelines nor the APEC Privacy Framework includes any requirement to delete personal information. While New Zealand includes a “limited retention principle” in the Privacy Act 1993, apart from one limited exception the privacy principles cannot be enforced in court. Taking New Zealand privacy law as an example, this paper examines the issue of retention of customer data, explains why this is a serious problem and argues that although it could be addressed by appropriate amendments to domestic laws, domestic privacy legislation may not be sufficient in an online environment. In the same way as other areas of law, such as the intellectual property regime, have turned to global regulatory standards which reflect the international nature of their subject matter, international privacy regulation should be the next stage for the information privacy regime.     

Privacy and research involving humans

Human research ethics committees in Australia are required to consider compliance with privacy law as an element of the ethics of research. Recent legislation has introduced federal private sector privacy protection, as well as privacy protection at State and Territory levels. In Victoria, which is used as an example in this article, State privacy legislation covers public sector information and health records. This article considers the implications for research involving human participants and for ethics committees of the new privacy regimes. Although privacy law is a potential barrier to research about humans, the need for exceptions has been dealt with effectively in the context of medical or health research. However, privacy law and its chilling effect could potentially be a serious impediment to some forms of non-health-related research, such as social and socio-legal research.     

Data protection 1998–2008

This article reviews key developments in data protection legislation, case law and practice between 1998 and 2008. Over this time data protection has become a mainstream compliance topic for business and government alike. Having started in 1998 as a specialist area of limited general application, over the decade this area of law has been widely applied to access rights, international transfers of information and data losses. We are now seeing major changes in enforcement of data protection legislation (including the power to fine and increased use of audits) which will continue the focus on compliance.     

Effective approaches to regulate mobile advertising: Moving towards a coordinated legal,self-regulatory and technical response

This article aims to contribute to the ongoing discourse about the issue of privacy in the mobile advertising domain. The article discusses the fundamental principles and information practices used in digital environments for protecting individuals' private data. Major challenges are identified that should be addressed, so that fair information principles can be applied in the context of m-advertising. It also points out the limitations of these principles. Furthermore, the article discusses a range of models that is available for regulating the collection, use and disclosure of personal data, such as legislation, self-regulation and technical approaches. It is intended to promote an effective approach to improve consumer privacy in the mobile advertising domain.     

网络空间个人信息的保护问题研究——兼论电子商务营销过程中消费者的隐私权保护

电子商务的兴起改变了传统的营销、交易方式。丰富的网络信息和个人数据使得服务商可以根据每个人的喜爱和偏好为消费者提供更具针对性的服务,从而极大方便了消费者对商品的选购。可以说,成功的电子商务营销离不开对个人数据资料的收集和处理。但是,这种个性化的营销也存在着个人数据资料被滥用的潜在危险。因此,如何在电子商务营销过程中加强对消费者隐私权的保护就成为当前亟待解决的问题。     

India’s national ID system: Danger grows in a privacy vacuum

India is juggling demands and proposals for at least three national data surveillance projects of vast scope. This article focuses on the unique identification (UID) number, which it is proposed will be allocated to India’s 1.2 billion people, with 600 M UIDs to be allocated by 2015. Draft legislation to create the Authority which will administer the UID contains few protections for privacy or other liberties. They are needed because there is otherwise a privacy vacuum in Indian law. The Bill leaves most of the details of the demographic and biometric information which will be required to be included Regulations, and imposes no controls on which organisations can require UIDs, or what they can do with them. This article focuses on the planning documents for the UID, and the Bill, to argue that India may be building an identification system that puts peoples’ liberties at risk, and does so in a way which will be largely out of control of democratic or judicial restraints on such a powerful use of information technology.     

The future of consumer data protection in the E.U. Re-thinking the “notice and consent” paradigm in the new era of predictive analytics

The new E.U. proposal for a general data protection regulation has been introduced to give an answer to the challenges of the evolving digital environment. In some cases, these expectations could be disappointed, since the proposal is still based on the traditional main pillars of the last generation of data protection laws. In the field of consumer data protection, these pillars are the purpose specification principle, the use limitation principle and the “notice and consent” model. Nevertheless, the complexity of data processing, the power of modern analytics and the “transformative” use of personal information drastically limit the awareness of consumers, their capability to evaluate the various consequences of their choices and to give a free and informed consent.     

Say cheese! Privacy and facial recognition

The popular social networking site, Facebook, recently launched a facial recognition tool to help users tag photographs they uploaded to Facebook. This generated significant controversy, arising as much as anything, from the company’s failure to adequately inform users of this new service and to explain how the technology works.The incident illustrates the sensitivity of facial recognition technology and the potential conflict with data privacy laws. However, facial recognition has been around for some time and is used by businesses and public organisations for a variety of purposes – primarily in relation to law enforcement, border control, photo editing and social networking. There are also indications that the technology could be used by commercial entities for marketing purposes in the future.This article considers the technology, its practical applications and the manner in which European data protection laws regulate its use. In particular, how much control should we have over our own image? What uses of this technology are, and are not, acceptable? Ultimately, does European data protection law provide an adequate framework for this technology? Is it a framework which protects the privacy of individuals without unduly constraining the development of innovative and beneficial applications and business models?     

Data retention in the UK: Pragmatic and proportionate,or a step too far?

On 6 April 2009 new legislation came into force, for the first time putting Internet service providers' duty to retain significant amounts of data (relating to customers' email and Internet usage) on a compulsory, as opposed to a voluntary footing. It is a topic which has provoked intense protest from the privacy lobby and fuelled months of “Big Brother” headlines in the press. For the industry it raises operational challenges – how to facilitate storage and retrieval of colossal amounts of data. In this article we consider the policy background to the regime, the detail of the UK implementation and the practical implications for communications service providers. We weigh up the privacy and human rights concerns against the business case put forward by the Government. We also examine the Government's proposals – announced at the end of April – to significantly extend and “future proof” this regime in the form of its Intercept Modernisation Programme.     

Profiling the mobile customer – Privacy concerns when behavioural advertisers target mobile phones – Part I

Mobile customers are being tracked and profiled by behavioural advertisers to be able to send them personalized advertising. This process involves data mining consumer databases containing personally-identifying or anonymous data and it raises a host of important privacy concerns. This article, the first in a two part series on consumer information privacy issues on Profiling the Mobile Customer, addresses the questions: “What is profiling in the context of behavioural advertising?” and “How will consumer profiling impact the privacy of mobile customers?” The article examines the EU and U.S. regulatory frameworks for protecting privacy and personal data in regards to profiling by behavioural advertisers that targets mobile customers. It identifies potential harms to privacy and personal data related to profiling for behavioural advertising. It evaluates the extent to which the existing regulatory frameworks in the EU and the U.S. provide an adequate level of privacy protection and identifies key privacy gaps that the behavioural advertising industry and regulators will need to address to adequately protect mobile consumers from profiling by marketers. The upcoming second article in this series will discuss whether industry self-regulation or privacy-enhancing technologies will be adequate to address these privacy gaps and makes suggestions for principles to guide this process.¹     

The principle of security safeguards: Unauthorized activities

The principle of information security safeguards is a key information privacy principle contained in every privacy legislation measure, framework, and guideline. This principle requires data controllers to use an adequate level of safeguards before processing personal information. However, privacy literature neither explains what this adequate level is nor how to achieve it. Hence, a knowledge gap has been created between privacy advocates and data controllers who are responsible for providing adequate protection. This paper takes a step toward bridging this knowledge gap by presenting an analysis of how Data Protection and Privacy Commissioners have evaluated the adequacy level of security protection measures given to personal information in selected privacy invasive cases. This study addresses both security measures used to protect personal information against unauthorized activities and the use of personal information in authentication mechanisms. This analysis also lays a foundation for building a set of guidelines that can be used by data controllers for designing, implementing, and operating both technological and organizational measures used to protect personal information.     

The introduction of data breach notification legislation in Australia: A comparative view

This article argues that Australia's recently-passed data breach notification legislation, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), and its coming into force in 2018, makes an internationally important, yet imperfect, contribution to data breach notification law. Against the backdrop of data breach legislation in the United States and European Union, a comparative analysis is undertaken between these jurisdictions and the Australian scheme to elucidate this argument. Firstly, some context to data breach notification provisions is offered, which are designed to address some of the problems data breaches cause for data privacy and information security. There have been various prominent data breaches affecting Australians over the last few years, which have led to discussion of what can be done to deal with their negative effects. The international context of data breach notification legislation will be discussed, with a focus on the United States and European Union jurisdictions, which have already adopted similar laws. The background to the adoption of the Australia legislation will be examined, including the general context of data privacy and security protection in Australia. The reform itself will be then be considered, along with the extent to which this law is fit for purpose and some outstanding concerns about its application. While data breach notification requirements are likely to be a positive step for data security, further reform is probably necessary to ensure strong cybersecurity. However, such reform should be cognisant of the international trends towards the adoption of data security measures including data breach notification, but lack of alignment in standards, which may be burdensome for entities operating in the transnational data economy.     

South Korea's innovations in data privacy principles: Asian comparisons

Over the last two decades, at least a dozen Asian jurisdictions have adopted significant data privacy (or ‘data protection’) laws. South Korea started to implement such laws in relation to its public sector in the 1990s, then its private sector from 2001, culminating in the comprehensive Personal Information Privacy Act of 2011. Internationally, there have been two stages in the development of data privacy principles (the common core of such laws), the first typified by the OECD's data protection Guidelines of 1981, and the second typified by the European Union data protection Directive of 1995, with a third stage currently under development.     

“Personal information of privacy nature” under Chinese Civil Code

Chinese Civil Code separates the civil right to privacy and the civil interest of personal information through the proposal of the PIPN in Article 1034, which constructs a different model from both EU and US. Although this distinction is of great significance, it brings potential problems, too. The PIPN is a kind of personal information which is unwilling to be known to others with privacy nature, which can be defined through a method of combining basic definition plus enumerations. It is recommended to consider the context and purpose of processing personal information when deciding the PIPN, and the level of privateness, availability, risk and identifiability will be considered to the privacy test. Based on Chinese reality, ID number, biometric information, financial information should be list as the typical kinds of the PIPN in the future legislation.