Basic Terms/Privacy Overview Flashcards
EU - U.S. Safe Harbor Agreement
An agreement between the EU and US, invalidated by the Court of Justice of the EU in 2015, that allowed for the legal transfer of PI between the EU and US in the absence of a comprehensive adequacy decision for the US. It was replaced by the EU-US Privacy Shield.
Privacy Shield
Created in 2016 to replace the invalidated EU-US Safe Harbor agreement, the Privacy Shield is an adequacy agreement that allows for the transfer of personal data from the EU to the US for companies participating in the program. Only those companies that fall under the jurisdiction of the US FTC may certify to the Shield principles and participate, which notably excludes health care, financial services, and non-profit institutions.
Binding Corporate Rules (BCRs)
An appropriate safeguard allowed by GDPR to facilitate cross-border transfers of PI between the various entities of a corporate group worldwide. They do so by ensuring that the same high level of protection of personal data is complied with by all members of the organizational group by means of a single set of binding and enforceable rules.
Standard Contractual Clauses
Adopted either directly by the European Commission or by a supervisory authority. Contractual clauses or mechanisms by which organizations can commit to protect personal data to facilitate ongoing and systematic cross-border personal data transfers.
Certification Mechanisms
Introduced by GDPR, a new valid adequacy mechanism for the transfer of personal information outside of the EU in the absence of an adequacy decision and instead of other mechanisms such as BCRs or contractual clauses. Certification Mechanisms must be developed by certifying bodies, approved by data protection authorities or the European Data Protection Board, and have a methodology for auditing compliance.
Electronic Discovery (e-Discovery)
Requires civil litigants to turn over large volumes of a company’s electronic records in litigation.
EU Data Protection Directive
Replaced by GDPR in 2018, the directive was adopted in 1995, became effective in 1998 and was the first EU-wide legislation that protected individuals’ privacy and personal data use.
APEC Privacy Framework
A set of non-binding principles adopted by APEC that mirror the OECD Fair Information Privacy Practices. They seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs.
Note: The details of GDPR and the APEC framework are outside the scope of CIPP/US. You just need to understand the high-level concept.
Right to Financial Privacy Act of 1978
Summary:
1. Requests must reasonably identify the records
2. Requests must be justified by one of the following:
   - Customer authorization
   - Administrative subpoena or summons
   - Judicial subpoena or summons
   - Written law enforcement request
3. Agencies must provide customers with written notice of the request and wait 10 days from service or 14 days from mailing before accessing the records
Detail:
Governs the release of customer financial information to federal government authorities. The act defines both the circumstances under which a financial institution can volunteer information about a customer’s financial records to federal government authorities and the applicable procedures and requirements to follow when the federal government requests customers’ financial information.
Bank Secrecy Act of 1970 (BSA)
Summary:
- Requires financial institutions to maintain records of customer activity for five years
- Currency Transaction Reports (CTR) – must report cash transactions totaling more than $10,000 in a single day
- Suspicious Activity Report (SAR) – institutions must report suspected money laundering, or a customer deliberately structuring transactions to stay under the CTR reporting threshold.
Detail:
A US federal law that requires US financial institutions and money services businesses (MSBs), which are entities that sell money orders or provide cash transfer services, to record, retain and report certain financial transactions to the federal government. This requirement is meant to assist the government in the investigation of money laundering, tax evasion, terrorist financing, and various other domestic and international criminal activities.
First privacy text in the US
1890 Harvard Law Review article “The Right to Privacy” by Samuel Warren and Louis Brandeis
FCRA
Fair Credit Reporting Act
FACTA
Fair and Accurate Credit Transactions Act
GLBA
Gramm-Leach-Bliley Act
FERPA
Family Educational Rights and Privacy Act
PPRA
Protection of Pupil Rights Amendment
COPPA
Children’s Online Privacy Protection Act
When did the UN take privacy into account?
Art. 12 of the Universal Declaration of Human Rights, adopted in 1948
When was the FCRA enacted?
1970
When did the US Department of Health, Education and Welfare (HEW) publish its Fair Information Practice Principles (FIPs)?
1973
What is personal data?
Data relating to an identified or identifiable individual
What is a privacy policy?
It is an internal statement governing privacy practices in a company.
What are the four classes of privacy?
Information
Bodily
Territorial
Communication
In the US and other countries, laws about the protection of information about individuals are known as what?
- Privacy law
- Data privacy law
- Information privacy law
In the EU and other countries, laws about the protection of information about individuals are known as what?
Data protection law
How did Samuel Warren and Louis Brandeis define privacy in their 1890 Harvard Law Review article, “The Right to Privacy”?
The right to be let alone
What is information privacy concerned with?
Establishing rules that govern the collection and handling of personal information
What is bodily privacy concerned with?
A person’s physical being and any invasion thereof
What is territorial privacy concerned with?
Placing limits on the ability to intrude into another individual’s environment
What is communications privacy concerned with?
Protection of the means of correspondence
In what year did California add an explicit “right to privacy” guarantee to the California Constitution?
1974
In what year did the General Assembly of the United Nations adopt and proclaim the Universal Declaration of Human Rights, which formally announced that “no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence”?
1948
What type of practices have been a significant means for organizing the multiple individual rights and organizational responsibilities that exist with respect to personal information?
- Fair Information Practices (FIPs)
  - Sometimes called fair information privacy practices or principles (FIPPs)
What are 5 examples of codifications of Fair Information Practices (FIPs)?
- The 1973 U.S. Department of Health, Education and Welfare Fair Information Practice Principles
- The 1980 Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (“OECD Guidelines”)
- The 1981 Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (“Convention 108”)
- The Asia-Pacific Economic Cooperation (APEC), which in 2004 agreed to a Privacy Framework
- The 2009 Madrid Resolution—International Standards on the Protection of Personal Data and Privacy
What are Fair Information Practices (FIPs)?
FIPs are guidelines for handling, storing and managing data with privacy, security and fairness in a rapidly evolving information society.