Your search keyword '"Information privacy law"' showing total 378 results

1. Information Privacy Law

Author

Jajodia, Sushil, editor, Samarati, Pierangela, editor, and Yung, Moti, editor

Published

2025

2. Implementing COVIDSafe: The Role of Trustworthiness and Information Privacy Law

Author

Mark Burdon and Brydon Wang

Subjects

contact tracing apps, covidsafe, information privacy law, trustworthiness, Law in general. Comparative and uniform law. Jurisprudence, K1-7720

Abstract

Governments worldwide view contact tracing as a key tool to mitigate COVID-19 community transmission. Contact tracing investigations are time consuming and labour intensive. Mobile phone location tracking has been a new data-driven option to potentially obviate investigative inefficiencies. However, using mobile phone apps for contact tracing purposes gives rise to complex privacy issues. Governmental presentation and implementation of contact tracing apps, therefore, requires careful and sensitive delivery of a coherent policy position to establish citizen trust, which is an essential component of uptake and use. This article critically examines the Australian Government’s initial implementation of the COVIDSafe app. We outline a series of implementation misalignments that juxtapose an underpinning regulatory rationality predicated on the implementation of information privacy law protections with rhetorical campaigns to reinforce different justifications for the app’s use. We then examine these implementation misalignments from Mayer and colleagues’ lens of trustworthiness (1995) and its three core domains: ability, integrity and benevolence. The three domains are used to examine how the Australian Government’s implementation strategy provided a confused understanding of processes that enhance trustworthiness in the adoption of new technologies. In conclusion, we provide a better understanding about securing trustworthiness in new technologies through the establishment of a value consensus that requires alignment of regulatory rationales and rhetorical campaigning.

Published

2021

3. Design of a Compliance Index for Privacy Policies: A Study of Mobile Wallet and Remittance Services

Author

Rohit Valecha, H. Raghav Rao, and Oluwafemi Akanfe

Subjects

Information privacy, business.industry, Strategy and Management, Privacy policy, media_common.quotation_subject, 05 social sciences, Internet privacy, Privacy laws of the United States, Information privacy law, Payment, Latent Dirichlet allocation, symbols.namesake, General Data Protection Regulation, 0502 economics and business, Mobile payment, symbols, Electrical and Electronic Engineering, business, 050203 business & management, media_common

Abstract

Many nations have adopted comprehensive data privacy laws to protect customers’ data. However, privacy policies of mobile wallet digital payment systems (DPS), and particularly the mobile wallet and remittance services that are part of DPS, are often not compliant with privacy laws. There is a lack of measures to assess how adequate the policies are in addressing data privacy issues. To address this problem, this article develops a compliance index to help DPS organizations assess the compliance of their privacy policies with the general data protection regulation (GDPR). The compliance index is created through a natural language process that includes term frequency-inverse document frequency matrix and topic modeling using latent Dirichlet allocation, to compute 1) an emphasis density score that indicates the level of emphasis a privacy policy places on GDPR dimensions, and 2) a privacy score that identifies the level of compliance of a privacy policy with GDPR. The compliance index is validated by assessing its effectiveness at the country level in comparison with an international publicly available data privacy benchmark.

Published

2023

4. Implementing COVIDSafe: The Role of Trustworthiness and Information Privacy Law.

Author

Burdon, Mark and Wang, Brydon

Subjects

CONTACT tracing, COVID-19 pandemic, CELL phone tracking, PRIVACY, DATA privacy

Abstract

Governments worldwide view contact tracing as a key tool to mitigate COVID-19 community transmission. Contact tracing investigations are time consuming and labour intensive. Mobile phone location tracking has been a new data-driven option to potentially obviate investigative inefficiencies. However, using mobile phone apps for contact tracing purposes gives rise to complex privacy issues. Governmental presentation and implementation of contact tracing apps, therefore, requires careful and sensitive delivery of a coherent policy position to establish citizen trust, which is an essential component of uptake and use. This article critically examines the Australian Government’s initial implementation of the COVIDSafe app. We outline a series of implementation misalignments that juxtapose an underpinning regulatory rationality predicated on the implementation of information privacy law protections with rhetorical campaigns to reinforce different justifications for the app’s use. We then examine these implementation misalignments from Mayer and colleagues’ lens of trustworthiness (1995) and its three core domains: ability, integrity and benevolence. The three domains are used to examine how the Australian Government’s implementation strategy provided a confused understanding of processes that enhance trustworthiness in the adoption of new technologies. In conclusion, we provide a better understanding about securing trustworthiness in new technologies through the establishment of a value consensus that requires alignment of regulatory rationales and rhetorical campaigning. [ABSTRACT FROM AUTHOR]

Published

2021

5. Beyond Lessig's Code for Internet Privacy: Cyberspace Filters, Privacy Control and Fair Information Practices

Author

Paul M. Schwartz

Subjects

Information privacy, Privacy by Design, Computer science, business.industry, Privacy software, Privacy policy, Internet privacy, FTC Fair Information Practice, Information privacy law, Legal aspects of computing, business, Personally identifiable information

Abstract

In Code, the most influential book yet written about law and cyberspace, Lawrence Lessig makes an intriguing proposal for shaping privacy on the Internet: (1) the legal assignment to every individual of a property interest in her own personal information, and (2) the employment of software transmission protocols, such as P3P, to permit the individual to structure her access to Web sites. In "Beyond Lessig's Code for Internet Privacy: Cyberspace Filters, Privacy Control, and Fair Information Practices," 2000 Wisc. L. Rev. 743, I respond to this approach with a number of criticisms and a competing proposal. My initial criticism of Lessig's proposal for privacy concerns how it contradicts his stand against PICs, a software transmission protocol for filtering Internet content reminiscent of P3P. Once we place privacy in a social context, moreover, P3P seems far less attractive an option. In place of Lessig's underlying paradigm, which seeks to increase personal control of data. I develop a concept of constitutive privacy. In my view, information privacy is a constitutive value that safeguards participation and association in a free society. Rather than simply seeking to allow more and more individual control of personal data, we should view the normative function of information privacy as inhering in its relation to participatory democracy and individual self-determination. A privacy market can play a role in helping information privacy fulfill this constitutive function. Yet, Lessig's propertization of privacy raises a further set of difficulties. In my view, propertization a la Lessig will only heighten flaws in the current market for personal data. This consequence follows from numerous shortcomings in this market and structural difficulties that indicate the unlikelihood of a self-correction in it. Moreover, in revisiting Calabresi and Melamed's work regarding the comparative merits of property and liability regimes, I find that a mixed regime is to be preferred for Internet privacy over Lessig's property regime. Part III of this Article turns from criticism to prescription and develops the mixture of property and liability rules necessary for establishment of information privacy standards in cyberspace. It proposes recourse to Fair Information Practices (FIPs) to establish rules for the fair treatment of personal data on the Internet. Yet, FIPs are not without potential shortcomings if structured only as command-and-control rules. My suggestion therefore is that an American Internet privacy law consisting of FIPs should include both mandatory and default elements.

Published

2022

6. Privacy by Deletion: The Need for a Global Data Deletion Principle

Author

Keele, Benjamin

Subjects

Information privacy, data protection, business.industry, media_common.quotation_subject, Internet privacy, FOS: Law, ComputingMilieux_LEGALASPECTSOFCOMPUTING, Information privacy law, LawArXiv|Law, International law, privacy, bepress|Law, LawArXiv|Law|International Law, Set (abstract data type), International Law, Data Protection Act 1998, bepress|Law|International Law, Business, Law, Personally identifiable information, Autonomy, media_common

Abstract

With global personal information flows increasing, efforts have been made to develop principles to standardize data protection regulations. However, no set of principles has yet achieved universal adoption. This note proposes a principle mandating that personal data be securely destroyed when it is no longer necessary for the purpose for which it was collected. Including a data deletion principle in future data protection standards will increase respect for individual autonomy and decrease the risk of abuse of personal data. Though data deletion is already practiced by many data controllers, including it in legal data protection mandates will further the goal of establishing an effective global data protection regime.

Published

2022

7. AN APPROACH TO A NEW AGREEMENT FOR EU/USA TRANSANTLANTIC PERSONAL DATA FLOW: AMERICAN TECHNOLOGY AND EUROPEAN LAW IN CONFLICT.

Author

García Sanz, Rosa María

Subjects

*DATA protection, *DATA security, *DATA privacy, *RIGHT of privacy, *INTERNET privacy

Abstract

The European Union (EU) and the USA have two very different models of personal data protection (European terminology) or information privacy law (American terminology). EU law has a defined and clear concept of personal data and a general law to protect this fundamental right. Meanwhile, the USA does not have a uniform definition of information privacy or personally identifiable information (PII); and it has only some sectorial laws to protect privacy in some markets. Personally identifiable information is one of the most central concepts in information privacy regulation. The scope of privacy laws typically turns on whether PII is involved. At the same time, there is not a unique concept in US law for information privacy. Moreover, computer science has shown that in many circumstances non-PII can be linked to individuals, and that de-identified data can be re-indentified. In some way, then, we can say that the European law is applicable to almost all information on the Internet. And in some way, too, we can say that American technology uses data to establish its markets and services. These widely divergent positions present a difficult point from which to start looking for an agreement. In addition, some legal categories of the European Law--General Data Protection Regulation (GDPR)--are not negotiable under contracts. Because of their inalienability they cannot be traded away by the free will of individuals, which complicates the mutual relationships between the two continents. After breaking the SAFE HARBOR (after the SCHREMS EUROPEAN COURT DECISION Sept. 23, 2015, in CASE C-362/14) and under the New Agreement PRIVACY SHIELD FRAMEWORK 2016, new problems arose. Also, it cannot be forgotten that the prospects of the Internet of Things (IoT) and Artificial Intelligence (AI) are introducing new technologies that challenge the present laws and concepts. These problems are asking for harmonized solutions that reflect cooperation of laws and policies for both sides of the Atlantic. This is necessary in order to continue with the traditional commercial relationship between Europe and North America and to work together against the terrorism threat. This paper will examine possible departure points, criteria and perspectives to find an approach based on the European Law (GDPR) and the US regulations and policies. [ABSTRACT FROM AUTHOR]

Published

2017

8. Australia’s Consumer Data Right and the uncertain role of information privacy law

Author

Mark Burdon and Tom Mackie

Subjects

Scheme (programming language), Information privacy, business.industry, Internet privacy, ComputingMilieux_LEGALASPECTSOFCOMPUTING, Information privacy law, Competition law, Commercialization, General Data Protection Regulation, Business, Construct (philosophy), Law, Data portability, computer, computer.programming_language

Abstract

Data portability rights are viewed by policymakers worldwide as a significant legal innovation to stimulate competitive digital economies. These rights allow consumers and businesses to seamlessly receive and transfer data for commercialization and efficiency purposes. The newly implemented Australian Consumer Data Right (CDR) provides an illuminating example of the complex relationship between information privacy and competition law which is central to data portability initiatives. The CDR grants consumers and businesses access and transfer rights for consumer data in the Australian banking, energy, and telecommunications sectors, through the implementation of mandated API standards. There are three policy vectors at the heart of the CDR that parallel previous Australian, UK, and EU data portability developments. They are the type of regulated data covered by the CDR scheme, privacy and security protections and the overarching regulatory framework. We argue that the CDR, and its antecedents, primarily construct data portability as a competition law measure. However, while the general policy intention of the CDR is clear, we contend that the scheme reveals an uncertain role for information privacy law as part of its operation. Uncertainty is evident in how policymakers have considered the information privacy law issues inherent in the three policy vectors. We contend that the CDR could give rise to definitional problems with regulated data, duplicated privacy and security protections and a conceptually challenging regulatory framework. In conclusion, we suggest potential solutions that would assist with the operation of the CDR within Australia’s broader information privacy law framework, governed by the Privacy Act 1988 (Cth), which would also better align with the General Data Protection Regulation (GDPR).

Published

2020

9. The new European regulation on personal data protection: significant aspects for data processing for scientific research purposes

Author

Antonella Zambon, Vincenzo Guardabasso, Silvia Salardi, Rosaria Gesuita, Paolo Trerotoli, Simona Villani, Francesca Preite, Preite, F, Salardi, S, Gesuita, R, Villani, S, Trerotoli, P, Guardabasso, V, and Zambon, A

Subjects

Data protection officer, 020205 medical informatics, Parliament, media_common.quotation_subject, Information privacy law, 02 engineering and technology, National data protection authority, 03 medical and health sciences, 0302 clinical medicine, Personal data for research purposes, Informed consent, Political science, 0202 electrical engineering, electronic engineering, information engineering, Data Protection Act 1998, Data Protection Regulation, informed consent, Data Protection Officer, Right to privacy, personal data for research purposes, 030212 general & internal medicine, Meaning (existential), media_common, Data protection regulation, lcsh:R5-920, Public health, Right to privacy, lcsh:Public aspects of medicine, lcsh:RA1-1270, General Data Protection Regulation, Law, lcsh:Medicine (General)

Abstract

Aim The paper investigates the new European Data Protection Regulation released in 2016. It highlights the data protection principles inspiring the Regulation and outlines its main innovative as well as critical aspects as regards the use of personal data for research purposes. Results: As far as scientific research is concerned, the new Regulation provides some interesting novelties in relation to informed consent and to use of personal data without consent. Conclusion: It is still early for the consideration of the new Regulation, in relation to which the transition period before it definitively comes into force in 2018 will be useful for making a complete and detailed assessment of its adequacy. However, it is precisely with reference to the collection of retrospective personal data that the greatest innovations are seen. It will therefore be interesting to follow the interpretative evolution of the principle of compatibility of purposes which renders - in fact - personal data already collected usable, even in the absence of consent from the data subject.

Published

2022

10. What Data Privacy Laws Exist?

Author

Claire McKay Bowen

Subjects

Computer science, business.industry, Internet privacy, Information privacy law, business

Published

2021

11. WHY THE NEED FOR CONSUMER PROTECTION LEGISLATION? A LOOK AT SOME OF THE REASONS BEHIND THE PROMULGATION OF THE NATIONAL CREDIT ACT AND THE CONSUMER PROTECTION ACT

Author

Tanya Woker

Subjects

Statute, business.industry, Consumer Protection Act, Data Protection Act 1998, Legislation, Information privacy law, Public relations, Consumer protection, business, Global recession, Promulgation, Law and economics

Abstract

Two statutes focusing on consumer protection have been introduced recently: the Consumer Protection Act due to come into effect in October 2010 and the National Credit Act. There are many who criticize this legislation, arguing that this will overburden the economy and will lead to significant costs for business. In this article I examine some of the reasons why the Department of Trade and Industry deemed it necessary to introduce consumer protection legislation. I conclude by arguing that despite the increased costs for business, the legislation is necessary in order to prevent the exploitation of consumers by business that presently exists in South Africa. I do not, however, seek to answer the question whether this legislation will achieve its lofty aims. This, only time will tell. However, many acknowledge that the introduction of the National Credit Act shielded South Africa from some of the worst excesses of the global recession of 2008/2009. It is hoped that the Consumer Protection Act will likewise change the way many in South Africa do business.

Published

2021

12. A Model-based Conceptualization of Requirements for Compliance Checking of Data Processing against GDPR

Author

Mehrdad Sabetzadeh, Lionel C. Briand, Sallam Abualhaija, and Orlando Amaral

Subjects

Data processing, Conceptualization, Computer science, media_common.quotation_subject, ComputingMilieux_LEGALASPECTSOFCOMPUTING, Information privacy law, Service provider, Computer security, computer.software_genre, Data modeling, Set (abstract data type), General Data Protection Regulation, Conceptual model, computer, media_common

Abstract

The General Data Protection Regulation (GDPR) has been recently introduced to harmonize the different data privacy laws across Europe. Whether inside the EU or outside, organizations have to comply with the GDPR as long as they handle personal data of EU residents. The organizations with whom personal data is shared are referred to as data controllers. When controllers subcontract certain services that involve processing personal data to service providers (also known as data processors), then a data processing agreement (DPA) has to be issued. This agreement regulates the relationship between the controllers and processors and also ensures the protection of individuals’ personal data. Compliance with the GDPR is challenging for organizations since it is large and relies on complex legal concepts. In this paper, we draw on model-driven engineering to build a machine-analyzable conceptual model that characterizes DPA-related requirements in the GDPR. Further, we create a set of criteria for checking the compliance of a given DPA against the GDPR and discuss how our work in this paper can be adapted to develop an automated compliance checking solution.

Published

2021

13. PRIVACY AND DATA PROTECTION

Author

L. Determann

Subjects

Information privacy, data protection, federal republic of germany, business.industry, Freedom of information, Internet privacy, Privacy laws of the United States, K520-5582, Data security, Information privacy law, ComputingMilieux_LEGALASPECTSOFCOMPUTING, Law of nations, Comparative law. International uniform law, International law, privacy, KZ2-6785, data protection laws and principles, Political science, the usa, Data Protection Act 1998, media_common.cataloged_instance, European union, business, european union, media_common

Abstract

Introduction. This article provides an overview regarding privacy and data protection laws and principles around the world. It is based on lectures by the author on May 17, 2018 at Moscow State Institute of International Relations (MGIMO) and Lomonosov Moscow State University (MSU) on the occasion of the publication of a Russian version of the 3 rd edition of Determann's Field Guide to Data Privacy Law. Materials and methods. Materials include national and international laws and scholarly articles and books relating to privacy and data protection. Methods follow general principles of German and United States legal commentary. Research results. People, societies and governments value and protect privacy quite differently around the world. Consequently, data privacy, data security and data protection laws and policies vary significantly. Particularly pronounced are differences in the approach to the protection of privacy and information freedom and data processing regulation in the United States and the European Union. Discussion and conclusions. Law and policy makers around the world must analyze and balance their people's specific needs for privacy, security, freedom of information, technical progress, economic development and other values and objectives as they decide whether to adopt European Unionstyle data processing regulation, enact specific individual privacy laws as the United States, or pursue alternative approaches. They need to consider the different meanings of individual privacy, data security, information self-determination and data protection, as well as the different functions of data privacy laws, data processing regulation, record retention statutes and data residency requirements.

Published

2019

14. Connected drug delivery devices to complement drug treatments: potential to facilitate disease management in home setting

Author

Beate Bittner, Gavneet Kaur, J. Schmidt, Chantal Schmit Chiesi, and Saifuddin Kharawala

Subjects

medicine.medical_specialty, business.industry, Biomedical Engineering, Medicine (miscellaneous), 030209 endocrinology & metabolism, Information privacy law, Disease, Data sharing, 03 medical and health sciences, 0302 clinical medicine, Health care, medicine, Dosing, Disease management (health), Intensive care medicine, business, 030217 neurology & neurosurgery, Reimbursement, Patient education

Abstract

Connected drug delivery devices are increasingly being developed to support patient supervision and counseling in home setting. Features may include dosing reminders, adherence trackers, tools for patient education, and patient diaries to collect patient-reported outcomes, as well as monitoring tools with interfaces between patients and health care professionals (HCPs). Five connected devices have been selected as the basis for a review of the clinical evidence concerning the impact of electronic tools on treatment adherence and efficacy outcomes. Disease areas covered include multiple sclerosis, diabetes, hypertension, liver and renal transplant recipients, tuberculosis, hepatitis C, clinically isolated syndrome, asthma, and COPD. From studies comparing the use of electronic feedback tools to standard of care, there is an initial evidence for a higher adherence to treatment and better outcomes among patients who use the electronic tools. To substantiate the assumption that connected devices can improve adherence in an outpatient setting over a prolonged period of time, further data from controlled randomized studies are required. Key barriers to the broader adoption of connected devices include data privacy laws that may prevent data sharing with HCPs in some countries, as well as the need to demonstrate that the tools are consistently used and generate a high-quality and reproducible database. If these challenges can be addressed in a way that is agreeable to all stakeholders, it is expected that the future value of connected devices will be to 1) facilitate and improve patient involvement in disease management in a flexible care setting, 2) enable early treatment decisions, and 3) complement value-based reimbursement models.

Published

2019

15. Automating trustworthiness in digital twins

Author

Wang, Brydon, Burdon, Mark, Wang, Brydon, and Burdon, Mark

Abstract

Digital twins are virtual models of cities that are built on real-time data extracted from sensors located within our built environment. Digital twins funnel a wide range of collected data from urban environments into automated decision-making frameworks that govern how we plan, design, build, operate and manage smart cites, including occupants. However, this use of collected data to predict and shape future behaviour in the city is accompanied with limited transparency about how automated decisions are made. Digital twins can consequently lead to ‘black box cities’ where data extraction seamlessly results in an automated decision-making output. This chapter examines whether the data collection practices that underpin digital twins are dataveillant and considers how information privacy legal obligations, articulated in the design of digital twins, may affect occupant perception of how trustworthy the system is. A conceptual framework of trustworthiness is applied to digital twins, with the three elements of trustworthiness being: ability, integrity and benevolence. The chapter examines how digital twins can be designed to be trustworthy by explicitly considering the role of socio-political values in data generation and analysis, especially that of information privacy law.

Published

2021

16. Issues Paper Submission - Attorney General's Department Review of The Privacy Act 1988 (Cth)

Author

Burdon, Mark, Cohen, Tegan, Burdon, Mark, and Cohen, Tegan

Abstract

We welcome the opportunity to provide a submission for this important review of The Privacy Act 1988 (Cth) (‘the Act’). Author details are provided at the end of the submission. Given that our submission is for an initial issues paper, rather than the more substantive discussion paper planned for 2021, we focus our comments on the broader conceptual issues that arise from the proposed review. We do so for two reasons. 1. We believe that Australia currently lacks a jurisprudential base regarding core understandings about the purpose and functioning of information privacy law, and privacy law more generally, particularly at the Commonwealth level. Consequently, without a broader jurisprudential base to work from, the proposed changes may not achieve the desired effect and may complicate further the current degree of fragmentation that typifies the existing information privacy law regime. The proposed reforms to the Act should therefore provide a clear legislative signal for subsequent judicial considerations and the development of a broader understanding about the purpose of privacy law in Australia. 2. Any proposed changes or developments to the Act do not sit in jurisdictional isolation. The transnational exchange of personal information is now so hardwired into technological infrastructures that developments to Australian information privacy law need to be considered in a supra-national context. The Australian Competition and Consumer Commission's (ACCC) Digital Platforms Inquiry (DPI) report rightly demonstrated that personal information collections through social media platforms, and technology providers, are inherently international. Decisions about Australian information privacy law consequently need to be aligned with information privacy laws or data protection laws of key jurisdictions, most notably the US and the EU. We believe it is not possible to align Australian information privacy law to the legal frameworks of both jurisdictions concu

Published

2021

17. Global Data Privacy Laws 2021: Despite COVID Delays, 145 Laws Show GDPR Dominance

Author

Graham Greenleaf

Subjects

Information privacy, State (polity), Coronavirus disease 2019 (COVID-19), Dominance (economics), media_common.quotation_subject, Political science, Law, Legislature, Information privacy law, International development, media_common

Abstract

The 50th anniversary in 2020 of the world’ s first data privacy law, the Datenschutzgesetz 1970 of the state of Hesse in Germany marks the first half century of their development. This article focuses on changes in the global development of these data privacy laws in 2019-20. In summary, the number of countries that have enacted data privacy laws rose from 132 to 145, and most of the 13 new laws are from 2019, before COVID-19 slowed down legislative activity world-wide. At least 23 other countries have official Bills for new laws in various stages of progress. During 2019-20, at least 13 countries have updated or replaced existing laws (almost always influenced by the EU’s GDPR). At least a further 11 have introduced Bills to do so. All of this adds up to nearly 60 countries world-wide where there was legislative activity in 2019-20 concerning data privacy, resulting in new or updated laws in 26 countries. All of these changes are detailed in the article, and in the two accompanying global Tables.

Published

2021

18. Automating Trustworthiness in Digital Twins

Author

Mark Burdon and Brydon Wang

Subjects

Information privacy, Data collection, Data extraction, Conceptual framework, Computer science, Test data generation, Information privacy law, Data science, Transparency (behavior), Built environment

Abstract

Digital twins are virtual models of cities that are built on real-time data extracted from sensors located within our built environment. Digital twins funnel a wide range of collected data from urban environments into automated decision-making frameworks that govern how we plan, design, build, operate and manage smart cites, including occupants. However, this use of collected data to predict and shape future behaviour in the city is accompanied with limited transparency about how automated decisions are made. Digital twins can consequently lead to ‘black box cities’ where data extraction seamlessly results in an automated decision-making output. This chapter examines whether the data collection practices that underpin digital twins are dataveillant and considers how information privacy legal obligations, articulated in the design of digital twins, may affect occupant perception of how trustworthy the system is. A conceptual framework of trustworthiness is applied to digital twins, with the three elements of trustworthiness being: ability, integrity and benevolence. The chapter examines how digital twins can be designed to be trustworthy by explicitly considering the role of socio-political values in data generation and analysis, especially that of information privacy law.

Published

2021

19. Compliance with Brazil’s New Data Privacy Legislation: What Us Companies Need to Know

Author

Khyara F. Passos

Subjects

Information privacy, Scope (project management), Need to know, Data Protection Act 1998, media_common.cataloged_instance, Legislation, Information privacy law, Business, European union, Enforcement, Law and economics, media_common

Abstract

The legal system in Brazil has long looked to European legislation for inspiration and guidance. When it comes to data-privacy laws today, Brazilian legislators again have been encouraged by European officials to look to European models, the European Union’s General Data Privacy Regulation (GDPR). The Brazilian General Data Protection Law (Lei Geral de Protecao de Dados Pessoais, Law No. 13,709/2018, or "LGPD"), enacted in August 2020, specifically seeks to achieve the same level of restrictions and conform to the demands of the GDPR. Perhaps most importantly for our purposes, the Brazilian LGPD presents a significant compliance challenge for companies, forcing them to rethink how they collect, store, and use personal data throughout the data lifecycle. The practical scope of this paper assumes that the reader is already familiar with the EU data privacy laws and is seeking a good source of information about Brazilian data privacy laws. While many companies are already well advanced in assessing its data processing activities vis-a-vis the GDPR, they may also need to become LGPD compliant, which could mean instituting multiple new requirements. In broad strokes, this paper will explain, from a compliance and legal perspective, the existing differences between the GDPR and the LGPD regulations, the enforcement mechanisms, what companies need to know to become compliant with the Brazilian laws, as well as the effects of violations of the LGPD, its important definitions, and which entities have to comply.

Published

2021

20. Global Tables of Data Privacy Laws and Bills (7th Ed, January 2021)

Author

Graham Greenleaf

Subjects

Information privacy, business.industry, Computer science, Privacy policy, Internet privacy, Privacy laws of the United States, Data Protection Act 1998, Legislation, Information privacy law, Privacy law, business

Abstract

This is the fourth in a series of Tables (accompanied by articles) which have documented the increasing number of countries with data privacy laws. The initial assessment in mid-2011resulted in an unexpectedly high finding of 76 countries , expanding through new laws and further research to 89 by early 2012 http://ssrn.com/abstract=2000034, and then by mid-2013 to 99 http://ssrn.com/abstract=2305882. These January 2015 Tables show that number of countries which have now enacted data privacy laws has risen to 109 over the past eighteen months, and that 22 Bills for new Acts are known.The accompanying articles analyse the Tables and other data: - 'Global data privacy laws 2015: 109 countries, with European laws now in a minority' (2015) 133 Privacy Laws & Business International Report, 14-17, available http://ssrn.com/abstract=2603529; and 'Global data privacy laws 2015: DPAs and their organisations' (2015) 134 Privacy Laws & Business International Report, 16-19.

Published

2021

21. Big Data and Artificial Intelligence for Financial Inclusion: Benefits and Issues

Author

Peterson K Ozili

Subjects

Financial inclusion, business.industry, Unbanked, Big data, Information privacy law, Access to finance, Artificial intelligence, business, Financial services, Risk management, FinTech

Abstract

This paper discusses the benefits and issues associated with big data and artificial intelligence (AI) for financial inclusion. The benefits of artificial intelligence and big data for financial inclusion are: improved efficiency and risk management for financial services providers; the provision of smart financial products and services to banked adults; simplification of the account opening process for unbanked adults and the creation of credit scores for unbanked adults using alternative information. Several issues associated with artificial intelligence and big data for financial inclusion that need to be addressed include: the shortage of skilled AI workers, increase in the level of unemployment in the financial ecosystem, the unconscious bias in the design of artificial intelligence systems, and other barriers caused by strict data privacy laws.

Published

2021

22. Global Data Privacy 2021: DPAs Joining Networks Are the Rule

Author

Graham Greenleaf

Subjects

Information privacy, Political science, Privacy laws of the United States, Table (database), Data Protection Act 1998, Information privacy law, Enforcement, Computer security, computer.software_genre, computer

Abstract

The networks of Data Protection Authorities (DPAs) and (as they are sometimes called) Privacy Enforcement Agencies (PEAs) have continued to expand their membership, and some of their activities, in 2019-20, despite the pandemic in 2020 calling a halt to international in-person meetings. This article analyses the details of those networks set out in the 2021 Global Tables of Data Privacy Laws (included in Privacy Laws & Business International Report, Issue 169) https://ssrn.com/abstract=3836261 and completes the analyses started in that issue. The last two columns of that Table identify the DPA/PEA, where one exists (and whether yet appointed), in each of the 145 countries with data privacy laws, and each network of which they are a member or observer. Some conclusions from this paper include: • Fewer than 10% (12/145) of countries with data protection laws do not provide for specialised DPAs. • Important proposed new laws are moving to a DPA model, but other proposed revisions persist with the ‘Ministerial enforcement model’ and no DPA. The trend is consistently toward the DPA model. • A few countries have failed to bring their laws into force for at least two years after enactment, but South Africa is no longer among them. • It is a positive indicator of the vitality of national DPAs that nearly 90% (105/120) of them, once they are established, become involved in at least one DPA network. The record of national DPAs and PEAs, once appointed, in joining networks of DPAs or PEAs is very good but not universal.

Published

2021

23. Asia’s Privacy Reform Bills: Variable Speeds

Author

Graham Greenleaf

Subjects

History, Information privacy, Polymers and Plastics, Coronavirus disease 2019 (COVID-19), Human rights, business.industry, media_common.quotation_subject, Information privacy law, International trade, Industrial and Manufacturing Engineering, Variable (computer science), Political science, Asian country, Data Protection Act 1998, Business and International Management, business, China, media_common

Abstract

Never before have there been so many draft laws and Bills in Asian jurisdictions awaiting finalisation and enactment. The jurisdictions with the most important changes to existing drafts are China and Sri Lanka. Brunei becomes the latest Asian country with a data privacy draft law. However, there are also developments in countries in north-east Asia, south Asia and south-east Asia. Some countries, however, are in the ‘slow lane’ in moving reform forward, particularly India and Indonesia, where major reform Bills have languished for more than a year – due partly to COVID 19 disruptions. Developments in reforms (if any) in all 26 countries in Asia are noted at least briefly in this article. The overall picture is that Asia is undergoing a more intense transformation of its data privacy laws than any other region of the world at present. This article is the 2021 update to my Asian Data Privacy Laws: Trade and Human Rights Perspectives (OUP, 2014).

Published

2021

24. Data to act upon. Improving the data basis for targeted political action to contain and overcome the consequences of the Corona pandemic

Author

Detlef Fickermann

Subjects

Erziehung, Schul- und Bildungswesen, media_common.quotation_subject, Information privacy law, Schulpädagogik, School closing, Education, Politics, Political decision, ddc:370, Politische Entscheidung, Datensammlung, Political science, Germany, FOS: Mathematics, Statistik, Lernstand, Bildungsorganisation, Bildungsplanung und Bildungsrecht, Deutschland, Datenerhebung, media_common, Data, Schulsystem, Data Processing, Education statistics, business.industry, Lerndefizit, Pandemie, Data Collection, Closing (real estate), Bildungsstatistik, Statistics, COVID-19, Pupil, Public relations, Trusted third party, Datenschutz, Daten, Pupils, School system, Educational statistics, Datenanalyse, Auswirkung, Schulschließung, Schüler, business

Abstract

Daten bilden während der Corona-Pandemie die Basis für weitreichende politische Entscheidungen im Bund, in den Ländern und in den Kommunen und beeinflussen damit massiv den Alltag und die Gesundheit von Millionen Menschen. Jedoch fehlen viele Daten zum Infektionsgeschehen und vorhandene Daten aus anderen Bereichen werden nicht ergänzend für vertiefte Analysen genutzt. Beschrieben werden die aktuell vorhandenen Schuldaten sowie die darüber hinausgehenden Datenerfordernisse für das geplante Bund-Länder-Programm zur Schließung von coronabedingten Lern- bzw. Kompetenzlücken der Schüler*innen und dessen Evaluation. Ergänzend werden Ansätze zur Identifikation von kleinräumigen Infektionsclustern und zu berufsgruppen- und branchenspezifischen Auswertungen vorgeschlagen. Den Vorschlägen gemein ist die Nutzung von kleinräumigen Daten sowie die Inanspruchnahme eines vertrauenswürdigen Dritten, um datenschutzkonform (Individual-)Daten aus unterschiedlichen Quellen miteinander verknüpfen und für vertiefte Auswertungen als Grundlage für evidenzbasierte politische Entscheidungen zur Verfügung stellen zu können. (DIPF/Orig.), This paper discusses the fact that in Germany, many of the extensive political decisions pertaining to the Corona Pandemic lack adequate evidence as a basis. Yet these decisions exert a massive influence on the daily life and health of millions of people. Data on the development of infections are, however, often incomplete, and chances to connect them to existing data from other areas are being missed. The article thus describes currently existing school data and the data requirements beyond them with regard to upcoming political decisions on the closing of students’ competency gaps and its evaluation. Furthermore, approaches to identifying small-range infection clusters and possibilities for job-specific and sectoral analyses are proposed. The different suggestions share the ideas of using small-range data and utilizing a trusted third party to connect data from different sources and, in accordance with data privacy laws, make them available for deepened analyses, thus providing a basis for evidence-based political decisions. (DIPF/Orig.)

Published

2021

25. Preserving Privacy in Caller ID Applications

Author

Tamara Stefanović and Silvia Ghilezan

Subjects

Information privacy, Identification (information), ComputerSystemsOrganization_COMPUTERSYSTEMIMPLEMENTATION, Caller ID, Phone, Computer science, business.industry, Privacy policy, Internet privacy, Telephone number, Information privacy law, Telephony, business

Abstract

Caller identification (or Caller ID) is a telephone service that transmits a caller’s phone number to a receiving party’s telephony equipment when the call is being set up. Besides the telephone number, the Caller ID service may transmit a name associated with the calling telephone number. The appearance of the first Caller ID devices caused suspicion among the users and the public because of the potential security and privacy issues that the caller identification may cause. Privacy issues apply to users of the Caller ID applications, but also to non-users whose phone numbers are stored in the database of some Caller ID application. The emergence of the data privacy laws has led discussions on the privacy policies of Caller ID applications and their compliance with the law. In this paper we investigate two Caller ID applications, Truecaller and Everybody, and compliance of their privacy policies with the data privacy laws, especially the GDPR, the ePrivacy Directive and the ePrivacy Regulation. Further, we deal in more detail with the data privacy problem of non-users and we give the connection between those problems, and the inverse privacy problem. In order to solve the privacy problem of non-users, we develop the mathematical model based on the notions of privacy variables and sensitivity function. Finally, we discussed open questions related to the identity protection of Caller ID app users and non-users, and their trust in Caller ID apps.

Published

2021

26. Data localisation trends and challenges

Author

Dan Jerker B. Svantesson

Subjects

Information privacy, Risk analysis (engineering), Computer science, Corporate governance, Data_MISCELLANEOUS, Accountability, Proportionality (law), Context (language use), Information privacy law, Relevance (information retrieval), Digital economy

Abstract

This report highlights a complex situation in which some forms of data localisation are seen as useful and largely uncontroversial, while others as a significant barrier to the digital economy. Contributing to the review of the implementation of the OECD Privacy Guidelines, the report emphasises the need to recognise the effect that data localisation can have on transborder data flows, but suggests that the conditions that data privacy laws traditionally impose do not necessarily amount to data localisation measures. Focusing on data localisation in the context of data privacy and the governance of globalised data flows, the report proposes a definition for data localisation, outlines a roadmap to ensure that data localisation does not impede transborder data flows, and makes recommendations to support such work. In particular, it emphasises the relevance of the accountability principle and the proportionality test articulated in the OECD Privacy Guidelines in evaluating data localisation measures.

Published

2020

27. Class Clown: Data Redaction in Machine Unlearning at Enterprise Scale

Author

Daniel Felps, Trung N. Vuong, Alan Briggs, Tyler Shumaker, Matthew Hunt, Joyce D. Williams, Amelia D. Schwickerath, David D. Saranchak, and Evan Sakmar

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, Core business, Computer science, Right to be forgotten, Information privacy law, Redaction, Inference attack, Computer security, computer.software_genre, Attack model, General Data Protection Regulation, Consumer privacy, Cryptography and Security (cs.CR), computer

Abstract

Individuals are gaining more control of their personal data through recent data privacy laws such the General Data Protection Regulation and the California Consumer Privacy Act. One aspect of these laws is the ability to request a business to delete private information, the so called "right to be forgotten" or "right to erasure". These laws have serious financial implications for companies and organizations that train large, highly accurate deep neural networks (DNNs) using these valuable consumer data sets. However, a received redaction request poses complex technical challenges on how to comply with the law while fulfilling core business operations. We introduce a DNN model lifecycle maintenance process that establishes how to handle specific data redaction requests and minimize the need to completely retrain the model. Our process is based upon the membership inference attack as a compliance tool for every point in the training set. These attack models quantify the privacy risk of all training data points and form the basis of follow-on data redaction from an accurate deployed model; excision is implemented through incorrect label assignment within incremental model updates., 8 pages, 7 figures

Published

2020

28. Blockchain and the Personal Data Protection Act 2010 (PDPA) in Malaysia

Author

Hasventhran Baskaran, Fiza Abdul Rahim, Salman Yussof, and Asmidar Abu Bakar

Subjects

Information privacy, Cryptocurrency, Blockchain, Computer science, Privacy laws of the United States, 020206 networking & telecommunications, Information privacy law, 02 engineering and technology, Computer security, computer.software_genre, General Data Protection Regulation, Ledger, 0202 electrical engineering, electronic engineering, information engineering, Data Protection Act 1998, media_common.cataloged_instance, 020201 artificial intelligence & image processing, European union, computer, media_common

Abstract

Blockchain is a time stamped ledger that is used to keep immutable records. This technology has gained immense popularity due to the use of its decentralized architecture in cryptocurrency platforms. Blockchain has been increasingly adopted in other sectors due to its ability to ensure data integrity. The increasing use of blockchain by the public has made it become a subject to data privacy laws. Based on the study conducted by other researchers, there are features of blockchain that conflict with certain elements in data privacy laws. The European Union's General Data Protection Regulation (GDPR), which becomes a model for data privacy act of many other countries, has been identified to be incompatible with blockchain. One of the research works in the area of blockchain is to figure out how blockchain can be made to comply with such privacy laws. In Malaysia, blockchain is still relatively new and a study needs to be done to evaluate its compatibility with Personal Data Protection Act 2010 (PDPA). Hence, the aim of this paper is to identify the gaps between blockchain and PDP A in terms of their compatibility and to propose solutions to bridge the gaps. Based on the gaps identified, the paper proposed the use permissioned or private blockchain, off-chain storage and stealth address to enable a blockchain application to be compliant with PDPA.

Published

2020

29. Developing Privacy-preserving AI Systems: The Lessons learned

Author

Rosario Cammarota, Huili Chen, Farinaz Koushanfar, Ahmad-Reza Sadeghi, Emmanuel Stapf, Siam U. Hussain, and Fabian Boemer

Subjects

021110 strategic, defence & security studies, Computer science, 0211 other engineering and technologies, Homomorphic encryption, Information privacy law, 02 engineering and technology, Computer security, computer.software_genre, 020202 computer hardware & architecture, Test (assessment), Work (electrical), 0202 electrical engineering, electronic engineering, information engineering, Data Protection Act 1998, computer, Ai systems

Abstract

Advances in customers' data privacy laws create pressures and pain points across the entire lifecycle of AI products. Working figures such as data scientists and data engineers need to account for the correct use of privacy-enhancing technologies such as homomorphic encryption, secure multi-party computation, and trusted execution environment when they develop, test and deploy products embedding AI models while providing data protection guarantees. In this work, we share the lessons learned during the development of frameworks to aid data scientists and data engineers to map their optimized workloads onto privacy-enhancing technologies seamlessly and correctly.

Published

2020

30. Using Information Privacy Law to Interrupt Modulation

Author

Mark Burdon

Subjects

business.industry, Modulation, Privacy policy, Internet privacy, Information privacy law, Interrupt, business, Personally identifiable information

Published

2020

31. What Information Privacy Protects

Author

Mark Burdon

Subjects

Power (social and political), Information privacy, business.industry, media_common.quotation_subject, Internet privacy, Data Protection Act 1998, Information privacy law, Business, Autonomy, Liberalism (international relations), media_common

Published

2020

32. How Information Privacy Law Protects

Author

Mark Burdon

Subjects

business.industry, Internet privacy, Information privacy law, business, Privacy principles, Personally identifiable information

Published

2020

33. Perceptions of ICT Practitioners Regarding Software Privacy

Author

Edna Dias Canedo, Pedro Henrique Teixeira Costa, Eloisa Toffano Seidel Masson, Fernanda Lima, and Angélica Toffano Seidel Calazans

Subjects

Information privacy, privacy requirements, Computer science, Internet privacy, General Physics and Astronomy, Dados pessoais - legislação, Information privacy law, lcsh:Astrophysics, 02 engineering and technology, Article, Software development process, Proteção de dados, Analistas de sistemas, 020204 information systems, lcsh:QB460-466, 0202 electrical engineering, electronic engineering, information engineering, Data Protection Act 1998, Software requirements, lcsh:Science, data privacy, business.industry, software development process, Software development, 020207 software engineering, ICT practitioners’ perception, Direito à privacidade, lcsh:QC1-999, Software - desenvolvimento, Information and Communications Technology, general law of personal data protection, Software design, ComputingMilieux_COMPUTERSANDSOCIETY, lcsh:Q, business, lcsh:Physics

Abstract

During software development activities, it is important for Information and Communication Technology (ICT) practitioners to know and understand practices and guidelines regarding information privacy, as software requirements must comply with data privacy laws and members of development teams should know current legislation related to the protection of personal data. In order to gain a better understanding on how industry ICT practitioners perceive the practical relevance of software privacy and privacy requirements and how these professionals are implementing data privacy concepts, we conducted a survey with ICT practitioners from software development organizations to get an overview of how these professionals are implementing data privacy concepts during software design. We performed a systematic literature review to identify related works with software privacy and privacy requirements and what methodologies and techniques are used to specify them. In addition, we conducted a survey with ICT practitioners from different organizations. Findings revealed that ICT practitioners lack a comprehensive knowledge of software privacy and privacy requirements and the Brazilian General Data Protection Law (Lei Geral de Prote&ccedil, &atilde, o de Dados Pessoais, LGPD, in Portuguese), nor they are able to work with the laws and guidelines governing data privacy. Organizations are demanded to define an approach to contextualize ICT practitioners with the importance of knowledge of software privacy and privacy requirements, as well as to address them during software development, since LGPD must change the way teams work, as a number of features and controls regarding consent, documentation, and privacy accountability will be required.

Published

2020

34. Technological Innovation and Discrimination in Household Finance

Author

Karen M. Pence and Adair Morse

Subjects

Public economics, business.industry, Technological change, Process (engineering), media_common.quotation_subject, Big data, Information privacy law, The Internet, Business, Discretion, Statistical discrimination, Financial services, media_common

Abstract

Technology has changed how discrimination manifests itself in financial services. Replacing human discretion with algorithms in decision-making roles reduces taste-based discrimination, and new modeling techniques have expanded access to financial services to households who were previously excluded from these markets. However, algorithms can exhibit bias from human involvement in the development process, and their opacity and complexity can facilitate statistical discrimination inconsistent with antidiscrimination laws in several aspects of financial services provision, including advertising, pricing, and credit-risk assessment. In this chapter, we provide a new amalgamation and analysis of these developments, identifying five gateways whereby technology induces discrimination to creep into financial services. We also consider how these technological changes in finance intersect with existing discrimination and data privacy laws, leading to our contribution of four frontlines of regulation. Our analysis concludes that the net effect of innovation in technological finance on discrimination is ambiguous and depends on the future choices made by policymakers, the courts, and firms.

Published

2020

35. What initiatives do healthcare leaders agree are needed for healthcare system improvement? Results of a modified-Delphi study

Author

Mike Wagner, Stuart Barson, Peter Lachman, M. Rashad Massoud, Luis Villa, Christina Krause, Jonathon Gray, Lynne Maher, Goran Henriks, Lee Mathias, and Robin Gauld

Subjects

Quality management, Delphi Technique, Scope (project management), business.industry, 030503 health policy & services, Health Policy, Professional development, Equity (finance), Delphi method, Information privacy law, Public relations, Private sector, Quality Improvement, Organizational Innovation, Leadership, 03 medical and health sciences, 0302 clinical medicine, Health care, Business, Management and Accounting (miscellaneous), 030212 general & internal medicine, 0305 other medical science, business, Delivery of Health Care

Abstract

Purpose The purpose of this paper is to identify five quality improvement initiatives for healthcare system leaders, produced by such leaders themselves, and to provide some guidance on how these could be implemented. Design/methodology/approach A multi-stage modified-Delphi process was used, blending the Delphi approach of iterative information collection, analysis and feedback, with the option for participants to revise their judgments. Findings The process reached consensus on five initiatives: change information privacy laws; overhaul professional training and work in the workplace; use co-design methods; contract for value and outcomes across health and social care; and use data from across the public and private sectors to improve equity for vulnerable populations and the sickest people. Research limitations/implications Information could not be gathered from all participants at each stage of the modified-Delphi process, and the participants did not include patients and families, potentially limiting the scope and nature of input. Practical implications The practical implications are a set of findings based on what leaders would bring to a decision-making table in an ideal world if given broad scope and capacity to make policy and organisational changes to improve healthcare systems. Originality/value This study adds to the literature a suite of recommendations for healthcare quality improvement, produced by a group of experienced healthcare system leaders from a range of contexts.

Published

2018

36. Shore to Shore: How Europe’s New Data Privacy Laws Help Global Libraries and Patrons

Author

Daniel Ayala

Subjects

Shore, geography, geography.geographical_feature_category, business.industry, Internet privacy, ComputingMilieux_LEGALASPECTSOFCOMPUTING, Information privacy law, Library and Information Sciences, General Data Protection Regulation, Data Protection Act 1998, media_common.cataloged_instance, European union, business, Personally identifiable information, media_common

Abstract

As the European Union’s General Data Protection Regulation (GDPR) comes into effect to ensure the data protection and privacy of the personal information of its citizens, positive benefits will als...

Published

2018

37. Enter the quagmire – the complicated relationship between data protection law and consumer protection law

Author

Dan Jerker B. Svantesson

Subjects

050502 law, Computer Networks and Communications, 05 social sciences, Private law, Commercial law, ComputingMilieux_LEGALASPECTSOFCOMPUTING, Information privacy law, 02 engineering and technology, Consumer protection, General Business, Management and Accounting, Data Protection Directive, Public law, 020204 information systems, Law, General Data Protection Regulation, 0202 electrical engineering, electronic engineering, information engineering, Data Protection Act 1998, Business, 0505 law

Abstract

This article examines the complex relationship between consumer protection law and data protection law, particularly within the EU's online environment, and highlights the problems that stem from this complexity. It suggests that, while there are significant similarities between their respective sources, tools and purposes, there are also arguable differences between consumer protection law and data protection law. One such arguable difference is found in that, while consumer protection law can be seen to merely set a floor in its pursuit of a sufficiently high level of consumer protection, data protection law – due to its clearly articulated dual purposes of (a) protecting individuals with regard to the processing of personal data and (b) providing for the free movement of such data – sets both a floor and a ceiling. Having discussed the relationship between consumer protection law and data protection law in more detail, the argument is made that it seems possible to conclude that the balance struck in the Data Protection Directive, and soon in the General Data Protection Regulation, places limitations on consumer protection law. The implications of this conclusion are then examined briefly in the context of some matters currently coming before the CJEU and the contours of a framework are presented, addressing situations where a data protection-based liability claim is pursued against a third-party non-controller under consumer protection law.

Published

2018

38. Privacy, consent and vehicular ad hoc networks (VANETs)

Author

Rajen Akalu

Subjects

Information privacy, Vehicular ad hoc network, Privacy by Design, Computer Networks and Communications, Computer science, business.industry, Privacy software, Privacy policy, Internet privacy, 020206 networking & telecommunications, Information privacy law, 02 engineering and technology, Expectation of privacy, Computer security, computer.software_genre, General Business, Management and Accounting, 0202 electrical engineering, electronic engineering, information engineering, ComputingMilieux_COMPUTERSANDSOCIETY, 020201 artificial intelligence & image processing, business, Law, computer, Personally identifiable information

Abstract

The consent model of privacy protection assumes that individuals control their personal information and are able to assess the risks associated with data sharing. The model is attractive for policy-makers and automakers because it has the effect of glossing over the conceptual ambiguities that are latent in definitions of privacy. Instead of formulating a substantive and normative position on what constitutes a reasonable expectation of privacy in the circumstance, individuals are said to have control over their data. Organizations have obligations to respect rights to notice, access and consent regarding the collection, use and disclosure of personal data once that data has been shared. The policy goal becomes how to provide individuals with control over their personal data in the consent model of privacy protection. This paper argues that the privacy issues raised by vehicular ad hoc networks make this approach increasingly untenable. It is argued that substantive rules that establish a basic set of privacy norms regarding the collection, use and disclosure of data are necessary. This can be realized in part via a privacy code of practice for the connected vehicle. This paper first explores the relationship between privacy, consent and personal information in relation to the connected car. This is followed by a description of vehicular ad hoc networks and a survey of the technical proposals aimed at securing data. The privacy issues that will likely remain unsolved by enhancing individual consent are then discussed. The last section provides some direction on how a code of practice can assist in determining when individual consent will need to be enhanced and when alternatives to consent will need to be implemented.

Published

2018

39. How about me? The scope of personal information under the Australian Privacy Act 1988

Author

Joshua Yuvaraj

Subjects

Information privacy, Privacy by Design, Computer Networks and Communications, business.industry, Privacy policy, Internet privacy, FTC Fair Information Practice, ComputingMilieux_LEGALASPECTSOFCOMPUTING, Information privacy law, General Business, Management and Accounting, Law, Political science, Data Protection Act 1998, Privacy law, business, Personally identifiable information

Abstract

A recent Australian Federal Court decision has raised the issue of the scope of information protected under the Australian Privacy Act 1988. The Court failed to adequately address this question, leaving Australians unsure as to whether sections of their information, such as the IP addresses allocated to their mobile devices, will be considered personal information under the Act. The main consideration the Court dealt with was what it means for information to be “about” an individual. In this paper I address two questions: a) how is information determined to be “about” an individual under the Act; and b) how should this determination be made in the future? I conclude that currently available guidance from the courts, the Australian Information Commissioner and scholarly commentary are inadequate to enable individuals, organisations and agencies to consistently make such determinations. Accordingly I draw on approaches to this question taken in Canada, New Zealand, the European Union and the United Kingdom to argue that the definition should be broadly interpreted in a technologically-aware manner. This will help to ensure that personal information is more comprehensively protected under the Privacy Act.

Published

2018

40. Australia’s Consumer Data Right and the uncertain role of information privacy law

Author

Burdon, Mark, Mackie, Tom, Burdon, Mark, and Mackie, Tom

Abstract

Data portability rights are viewed by policymakers worldwide as a significant legal innovation to stimulate competitive digital economies. These rights allow consumers and businesses to seamlessly receive and transfer data for commercialization and efficiency purposes. The newly implemented Australian Consumer Data Right (CDR) provides an illuminating example of the complex relationship between information privacy and competition law which is central to data portability initiatives. The CDR grants consumers and businesses access and transfer rights for consumer data in the Australian banking, energy, and telecommunications sectors, through the implementation of mandated API standards. There are three policy vectors at the heart of the CDR that parallel previous Australian, UK, and EU data portability developments. They are the type of regulated data covered by the CDR scheme, privacy and security protections and the overarching regulatory framework. We argue that the CDR, and its antecedents, primarily construct data portability as a competition law measure. However, while the general policy intention of the CDR is clear, we contend that the scheme reveals an uncertain role for information privacy law as part of its operation. Uncertainty is evident in how policymakers have considered the information privacy law issues inherent in the three policy vectors. We contend that the CDR could give rise to definitional problems with regulated data, duplicated privacy and security protections and a conceptually challenging regulatory framework. In conclusion, we suggest potential solutions that would assist with the operation of the CDR within Australia’s broader information privacy law framework, governed by the Privacy Act 1988 (Cth), which would also better align with the General Data Protection Regulation (GDPR).

Published

2020

41. Digital Data Collection and Information Privacy Law

Author

Burdon, Mark and Burdon, Mark

Abstract

In Digital Data Collection and Information Privacy Law, Mark Burdon argues for the reformulation of information privacy law to regulate new power consequences of ubiquitous data collection. Examining developing business models based on collections of sensor data – with a focus on the ‘smart home’ – Burdon demonstrates the challenges that are arising for information privacy’s control model and its application of principled protections of personal information exchange. By reformulating information privacy’s primary role of individual control as an interrupter of modulated power, Burdon provides a foundation for future law reform and calls for stronger information privacy law protections. This book should be read by anyone interested in the role of privacy in a world of ubiquitous and pervasive data collection.

Published

2020

42. Role-task conditional-purpose policy model for privacy preserving data publishing

Author

Ayman Khalafallah, Mohamed S. Abougabal, Rana A. El-Gendy, Hicham G. Elmongui, and Amr Morad

Subjects

Information privacy, Privacy by Design, business.industry, Computer science, Privacy policy, Internet privacy, General Engineering, Database administrator, Information privacy law, 02 engineering and technology, Data publishing, Engineering (General). Civil engineering (General), Computer security, computer.software_genre, Security policy, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, TA1-2040, business, Personally identifiable information, computer

Abstract

Privacy becomes a major concern for both consumers and enterprises; therefore many research efforts have been devoted to the development of privacy preserving technology. The challenge in data privacy is to share the data while assuring the protection of personal information. Data privacy includes assuring protection for both insider ad outsider threats even if the data is published. Access control can help to protect the data from outsider threats. Access control is defined as the process of mediating every request to resources and data maintained by a system and determining whether the request should be granted or denied. This can be enforced by a mechanism implementing regulations established by a security policy. In this paper, we present privacy preserving data publishing model based on integration of CPBAC, MD-TRBAC, PBFW, protection against database administrator technique inspired from oracle vault technique and benefits of anonymization technique to protect data when being published using k-anonymity. The proposed model meets the requirements of workflow and non-workflow system in enterprise environment. It is based on the characteristics of the conditional purposes, conditional roles, tasks, and policies. It guarantees the protection against insider threats such as database administrator. Finally it assures needed protection in case of publishing the data. Keywords: Database security, Access control, Data publishing, Anonymization

Published

2017

43. A new computing environment for collective privacy protection from constrained healthcare devices to IoT cloud services

Author

Seungmin Rho, Mohamed Aborizka, and Ahmed M. Elmisery

Subjects

Service (business), Health professionals, Computer Networks and Communications, Computer science, business.industry, Internet privacy, 020206 networking & telecommunications, Information privacy law, Cloud computing, 02 engineering and technology, Service provider, computer.software_genre, Computer security, Preventive care, Server, Middleware, Middleware (distributed applications), Health care, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, The Internet, business, computer, Software

Abstract

The Internet of healthcare things is essentially a new model that changes the way of the delivery and management of healthcare services. It utilizes digital sensors and cloud computing to present a quality healthcare service outside of the classical hospital environment. This resulted in the emergence of a new class of online web 4.0 services, which are termed “cloud healthcare services”. Cloud healthcare services offer a straightforward opportunity for patients to communicate with healthcare professionals and utilize their personal IoHT devices to obtain timely and accurate medical guidance and decisions. The personal IoHT devices integrate sensed health data at a central cloud healthcare service to extract useful health insights for wellness and preventive care strategies. However, the present practices for cloud healthcare services rely on a centralized approach, where patients’ health data are collected and stored on servers, located at remote locations, which might be functioning under data privacy laws somewhat different from the ones applied where the service is running. Promoting a privacy respecting cloud services encourages patients to actively participate in these healthcare services and to routinely provide an accurate and precious health data about themselves. With the emergence of fog computing paradigm, privacy protection can now be enforced at the edge of the patient’s network regardless of the location of service providers. In this paper, a framework for cloud healthcare recommender service is presented. We depicted the personal gateways at the patients’ side act as intermediate nodes (called fog nodes) between IoHT devices and cloud healthcare services. A fog-based middleware will be hosted on these fog nodes for an efficient aggregation of patients generated health data while maintaining the privacy and the confidentiality of their health profiles. The proposed middleware executes a two-stage concealment process that utilizes the hierarchical nature of IoHT devices. This will unburden the constrained IoHT devices from performing intensive privacy preserving processes. At that, the patients will be empowered with a tool to control the privacy of their health data by enabling them to release their health data in a concealed form. The further processing at the cloud healthcare service continues over the concealed data by applying the proposed protocols. The proposed solution was integrated into a scenario related to preserving the privacy of the patients’ health data when utilized by a cloud healthcare recommender service to generate health insights. Our approach induces a straightforward solution with accurate results, which are beneficial to both patients and service providers.

Published

2017

44. Should Fundamental Rights to Privacy and Data Protection be a Part of the EU's International Trade ‘Deals’?

Author

Svetlana Yakovleva

Subjects

050502 law, Economics and Econometrics, Information privacy, business.industry, Privacy policy, 05 social sciences, Information privacy law, International trade, Political science, 0502 economics and business, Political Science and International Relations, media_common.cataloged_instance, Data Protection Act 1998, Privacy law, 050207 economics, General Agreement on Trade in Services, European union, business, Law, Free trade, 0505 law, media_common

Abstract

This article discusses ways in which the General Agreement on Trade in Services (GATS) and post-GATS free trade agreements may limit the EU's ability to regulate privacy and personal data protection as fundamental rights. After discussing this issue in two dimensions – the vertical relationship between trade and national and European Union (EU) law, and the horizontal relationship between trade and human rights law – the author concludes that these limits are real and pose serious risks.Inspired by recent developments in safeguarding labour, and environmental standards and sustainable development, the article argues that privacy and personal data protection should be part of, and protected by, international trade deals made by the EU. The EU should negotiate future international trade agreements with the objective of allowing them to reflect the normative foundations of privacy and personal data protection. This article suggests a specific way to achieve this objective.

Published

2017

45. Privacy Shields for Whom? Key Actors and Privacy Discourses on Twitter and in Newspapers

Author

Aphra Kerr and Cristín O'Rourke

Subjects

Cultural Studies, data protection, Information privacy, Privacy by Design, internet governance, Privacy Shield, business.industry, Communication, Privacy policy, Communication. Mass media, Internet privacy, Information privacy law, privacy, Public relations, P87-96, lcsh:P87-96, lcsh:Communication. Mass media, Newspaper, Internet governance, Sociology, Media and Communication, Framing (social sciences), Data Protection Act 1998, Business

Abstract

The sharing of data across borders is core in informational economies. However, the Schrems case against Facebook in 2014 raised important questions about the capacity of existing ‘safe harbour’ policies and practices of multinational corporations in Europe and North America to protect the privacy of individuals’ data. The EU–US ‘Privacy Shield’ framework was subsequently developed to increase data privacy protections. This paper draws upon a sample of English language newspapers and Twitter accounts in Europe and the US from the summer of 2016 to identify the key actors and discourses surrounding the introduction of the Privacy Shield framework. The findings reveal a dominance of trade, market and security language, a focus on individual informational privacy and the dominance of state and legal actors. We argue that privacy is not being redefined in the context of intercontinental data transfers but rather narrowed to a neoliberal free trade framing of information privacy.

Published

2017

46. Abuse of Dominance in Non-Negotiable Privacy Policy in the Digital Market

Author

Sih Yuliana Wahyuningtyas

Subjects

European Union law, Information privacy, Privacy by Design, business.industry, Privacy policy, 05 social sciences, Internet privacy, Big data, Information privacy law, Public relations, Competition law, Dominance (economics), 0502 economics and business, Political Science and International Relations, Economics, 050207 economics, Business and International Management, business, Law

Abstract

Personal data and its use have become the front-line of businesses in the digital market. With the potential to be extracted for information, making this available for various purposes, big data transforms into a powerful tool for data controllers for effective marketing, defining strategic business decisions, and establishing a strong foothold in the market. The use of personal data for targeted marketing exemplifies this. While privacy has been subject to the regime of privacy protection, privacy violation might entangle competition law analysis when it involves abuse of market dominance. This paper addresses these problems by discussing three key issues: first, how competition law addresses the use of personal data as the new frontier of innovation and competition; second, whether big data plays a role to qualify dominance; and third, if non-negotiable policy on privacy infringes the prohibition of dominance abuse under competition law.

Published

2017

47. Strengthening data privacy: the obligation of organisations to notify affected individuals of data breaches

Author

Niloufer Selvadurai, Nazzal M. Kisswani, and Yaser Khalaileh

Subjects

Information privacy, business.industry, personal data, Data_MISCELLANEOUS, 05 social sciences, Internet privacy, ComputingMilieux_LEGALASPECTSOFCOMPUTING, 050801 communication & media studies, Information privacy law, 06 humanities and the arts, Data breach, 0603 philosophy, ethics and religion, Computer security, computer.software_genre, notifiable data breaches, Computer Science Applications, 0508 media and communications, Privacy, ComputingMilieux_COMPUTERSANDSOCIETY, 060301 applied ethics, Obligation, business, Law, computer

Abstract

The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) introduced a new Part IIIC into the Privacy Act to strengthen the existing information privacy laws by requiring the designated organisations to notify the Information Commissioner and affected individuals of data breaches that are likely to cause serious harm. The objective of this article is to consider the proper public policy basis for data breach notification laws, the likely ambit of operation of the new provisions and the merits of the law in enhancing data security. Whilst the article focuses on the Australian legislative framework, the provisions European Union’s new General Data Protection Regulation 2016/679, 27 April 2016, will also be considered to extend the discussion of appropriate law in this area. The article will conclude by identifying continuing areas of concern and suggesting initiatives to further strengthen the data privacy of individuals.

Published

2017

48. Data privacy law in Singapore: the Personal Data Protection Act 2012

Author

Benjamin Wong YongQuan

Subjects

Information privacy, business.industry, Privacy policy, Internet privacy, FTC Fair Information Practice, Information privacy law, National data protection authority, Computer security, computer.software_genre, Political science, Data Protection Act 1998, Privacy law, business, Law, Personally identifiable information, computer

Published

2017

49. A Case Study on the Information Privacy Laws in Insurance Industry

Author

Jungsoon Shin, Lim Ye Jin, and Park Kyung Hee

Subjects

business.industry, Internet privacy, Information privacy law, Privacy law, business, Insurance industry

Published

2017

50. CRITICAL ANALYSIS OF DIVERGENT APPROACHES TO PROTECTION OF PERSONAL DATA

Author

Sandeep Mittal

Subjects

Information privacy, Privacy by Design, business.industry, Computer science, media_common.quotation_subject, Privacy policy, Privacy laws of the United States, FTC Fair Information Practice, Information privacy law, Computer security, computer.software_genre, Internet governance, Negotiation, Globalization, media_common.cataloged_instance, Data Protection Act 1998, The Internet, European union, business, Free trade, computer, Right to privacy, Law and economics, media_common

Abstract

The protection of privacy and confidentiality of personal data generated on internet at residence and in motion within and across the border is a cause of concern. The European Union and United States have adopted divergent approaches to this issue mainly due to varying socio-cultural backgrounds. With the globalisation of businesses facilitated by internet revolution, the economic considerations out-weighed the rights consideration, and the right based approach started buckling the pressure of economic based approach but was checked by the Schrem’s case. The negotiation under TTP and TTIP has a tendency to forgo the privacy rights of the individuals over business considerations in tune with the US tactics of weakening the privacy laws through Free Trade Agreements. It has been demonstrated that a balanced approach in which individual control over data is desirable but should not be absolute, control rights are reinforced by structural safeguards or architectural controls would be desirable.

Published

2017