Chapter One: Intro to Privacy

Question 1

The 3 Main PRIV focuses are…

Answer 1

1.) Collection
2.) Use
3.) Transparency …. of PII

Question 2

Algorithmic Transparency is..

Answer 2

Consideration for whether AI has good inputs to make sound calculation, and the degree of bias involved.

Question 3

4 Classes of PRIV are…

Answer 3

1.) Information Privacy
2.) Bodily Privacy
3.) Territorial Privacy
4.) Communications Privacy

Question 4

Information Privacy

Answer 4

Governing the collection and maintenance of PII.

Question 5

Bodily Privacy

Answer 5

To not invade a person’s physical being.

Question 6

Territorial Privacy

Answer 6

Monitoring and environment to prevent intrusion.

Question 7

Communications Privacy

Answer 7

Protecting correspondence.

Question 8

3rd Amendment (U.S. Constitution)

Answer 8

Bans the forced quartering of soldiers in private homes.

Question 9

4th Amendment (U.S. Constitution)

Answer 9

Requires law enforcement warrants for searches of private property.

Question 10

5th Amendment (U.S. Constitution)

Answer 10

Not required to testify against self.

Question 11

California Constitution, Article 1, Section 1 (1974)

Answer 11

Codifies right to acquire and protect private properties, and maintain privacy.

Question 12

United Nations “Universal Declaration of Human Rights” (1948)

Answer 12

No arbitrary interference with privacy, family, home, and correspondence.

Question 13

European Convention for the Protection of Human Rights and Fundamental Freedoms, Article 8 (1950)

Answer 13

Declares universal right to private life, family, home, correspondence.

Question 14

Fair Information Practices (FIPs)

Answer 14

Standards for organizing the multiple individual rights and organization responsibilities with respect to privacy.

Vary by region, open to interpretation, not always legally binding.

Question 15

Four Main FIPs Categories

Answer 15

1.) Rights of Individuals
2.) Controls on Information
3.) Information Life Cycle
4.) Management

Question 16

Rights of Individual (Four Main FIPs Categories)

Answer 16

Components:
1.) Notice
2.) Choice and Consent
3.) Data subject access

Question 17

Notice (Rights of Individuals/FIPs)

Answer 17

Supply a privacy policy, disclosing purpose, use, and retention for PII.

Question 18

Choice and Consent (Rights of Individuals/FIPs)

Answer 18

Consent can be implicit or explicit.

Question 19

Data Subject Access (Rights of Individuals/FIPs)

Answer 19

Data subject should have access to review and update PII.

Question 20

Controls on Information (Four Main FIPs Categories)

Answer 20

Components:
1.) Information Security
2.) Information Quality

Question 21

Information Security (Controls on Info/FIPs)

Answer 21

Data Controller must implement admin, technical, and physical safeguards.

Question 22

Information Quality (Controls on Info/FIPs)

Answer 22

Data collection must be accurate, complete, and relevant to the stated intent.

Question 23

Information Life Cycle (Four Main FIPs Categories)

Answer 23

Components:
1.) Collection
2.) Use and Retention
3.) Disclosure

Question 24

Data Collection (Info Life Cycle/FIPs)

Answer 24

Data should be collected only for the specified purpose.

Question 25

Data Use and Retention (Info Life Cycle/FIPs)

Answer 25

Limit data use to what is in the privacy notice and has been consented to.

Question 26

Data Disclosure (Info Life Cycle/FIPs)

Answer 26

Limit data disclosure to purposes specified and consented to.

Question 27

Management (Four Main FIPs Categories)

Answer 27

Define
Document
Communicate
Assign

…accountability to PRIV processes and procedures.

Question 28

U.S. Health Education and Welfare FIPs (1973)

Answer 28

. Existence of the record set should be disclosed.

. Allow data subject access. Can contest inappropriate use, request correction.

. Data must be reliable and well protected.

Question 29

FIPs: OECD Guidelines (1980/2013)

Answer 29

. Is the most widely used FIPs framework (FTC endorsed)

1.) Collection Limitation Principle
2.) Data Quality Principle
3.) Purpose Specification Principle
4.) Use Limitation Principle
5.) Data Security Principle
6.) Openness Principle
7.) Individual Participation Principle
8.) Accountability Principle

Question 30

Collection Limitation Principle (OECD)

Answer 30

Collection must be lawful, fair, limited, consented to.

Question 31

Data Quality Principle (OECD)

Answer 31

Data must be accurate, complete, and relevant.

Question 32

Purpose Specification Principle (OECD)

Answer 32

Purpose of data should be specified no later than time of collection.

Uses outside of original should be “compatible” and “publicized.”

Question 33

Use Limitation Principle (OECD)

Answer 33

Don’t deviate from specified use.

Two exceptions: (1) Data subject consent, (2) legal authority.

Question 34

Data Security Principle (OECD)

Answer 34

Implement protection against unauthorized access and destruction.

Question 35

Openness Principle (OECD)

Answer 35

Maintain a general policy of openness about development, practices, and policies regarding PII.

Establish the existence of PII and ID the Data Controller.

Question 36

Individual Participation Principle (OECD)

Answer 36

Data subject retains right to retrieve data in an affordable and timely manner.

Denial of retrieval must be be justified and can be appealed.

Data subject can challenge to amend or erase data.

Question 37

Accountability Principle (OECD)

Answer 37

Data controllers should be accountable for complying with PRIV measures.

Question 38

FIPs: Council of Europe Convention (1981)

Answer 38

Applies to member states and allows free trans-border data flow within.

Is more less the same as OECD.

Race, political affiliation, religion, health, sex life, criminal history data cannot be collected unless protected in each country’s domestic law.

Question 39

FIPs: APEC Privacy Framework (2004)

Answer 39

Includes 21 Asia Pacific members + the Americas.

Is not legally binding.

Generally mirrors OECD but is more explicit about exceptions:
(1) w/ subject consent
(2) when necessary to provide product or service requested by subject
(3) authority of law

Question 40

FIPs: Madrid Resolution (2009)

Answer 40

The primary goal is to set principles and rights guaranteeing:
(1) Effective and internationally uniform protection of PII.
(2) Facilitation of international flows of PII.

Question 41

Proportionality Principle (Madrid Resolution)

Answer 41

Processing of PII should be limited, relevant, adequate, and not excessive in relation to stated purposes.

Question 42

The first known data law was enacted in…

Answer 42

Hesse, Germany (1970)

Question 43

Personally Identifiable Information (PII)

Answer 43

Information that makes it possible to ID an individual. Is covered by PRIV law. (U.S. definition)

Question 44

Sensitive Personally Identifiable Information (SPII)

Answer 44

A highly sensitive subset of PII that varies depending on jurisdiction and regulations:
- SSNs
- Financial Info
- Drivers License
- Health Records
- etc.

Question 45

Non-Personal Information is sometimes called…

Answer 45

De-identified, anonymized, or pseudonymized.

Question 46

Personal vs. Non-Personal Information…

Answer 46

are not always clearly distinct.

Ex.) IP Addresses are protected in the EU but not in the US 1974 Privacy Act.

Question 47

Public Records

Answer 47

Info collected and maintained by a government entity and made available to the public.

Related-laws vary by jurisdiction.

ex.) real-estate records

Question 48

Publicly Available Info

Answer 48

ex.) phone book info and search engine results

Question 49

Non-Public Information

Answer 49

Data is not generally available or easily accessed due to law or custom.

ex.) medical records, financial records, adoption records

Question 50

Processing

Answer 50

Collection, recording, maintenance, retrieval, consultation, transmission, destruction of PII.

Question 51

Data Subject

Answer 51

The person about whom the information is being processed.

Question 52

Data Controller

Answer 52

The organization with the authority to decide how and why PII is to be processed.Can be an individual, or an org legally treated as such.

Question 53

Data Processor

Answer 53

An individual or org, often 3rd party, that processes data on behalf of the Data controller.

Question 54

Sources of Privacy Protection

Answer 54

1.) Markets (i.e. consumer demand)

2.) Technological advancement (e.g. encryption software)

3.) Law (this is the traditional approach)

4.) Self and Co-Regulation

Question 55

Three Components of Self and Co- Regulation

Answer 55

1.) Legislation
2.) Enforcement
3.) Adjudication

Question 56

Legislation (Self and Co- Regulation)

Answer 56

Who defines privacy rules?

ex.) A company policy or industry association.

Question 57

Enforcement (Self and Co- Regulation)

Answer 57

Who should initiate enforcement action?

ex.) Data Protection Authorities (DPAs,) Gov’t Agencies, industry Code Enforcement, Affected Individuals

Question 58

Adjudication

Answer 58

Who should decide whether an org has violated a PRIV rule?

ex. Industry Association, Gov’t Agency, Judicial Officer

Question 59

Comprehensive Model

Answer 59

Those in which the gov’t has defined requirements throughout the economy.

No existing regime is so comprehensive all laws are written, enforced, and adjudicated by the gov’t.

ex.) DPAs in Europe

Question 60

Sectoral Model

Answer 60

When PRIV laws exist in specific market segments. This is the US standard.

Question 61

Reasons countries will create comprehensive laws include…

Answer 61

• Remedy past injustices
• Be consistent with GDRP
• Promote e-commerce

Question 62

Critiques of Comprehensive Model

Answer 62

• Regulations too costly
• One-size-fits-all approach may not be proportional to risk
• May not allow room for innovation in data processing

Question 63

Critiques of Sectoral Approach

Answer 63

• Lack on central oversight
• Inadequate execution of protections
• Legislation may lag innovation
• Industry pushback

Question 64

Co- Regulatory Model

Answer 64

The development of industry standards for PRIV against the backdrop of gov’t legal reqs.

Is standard in Australia.

Can exist under comprehensive AND sectorial models.

Question 65

U.S. Children’s Online Protection Act (COPPA)

Answer 65

Allows compliance with industry codes to satisfy PRIV statute if the code is FTC approved.

Question 66

Self Regulatory Model

Answer 66

The creation of codes of practice for the protection of PII by a company or industry.

May NOT have a legal framework.

Question 67

Seal Program

Answer 67

A form of self-regulation that requires its participants to abide by codes of information practices and some variation of monitoring compliance.

In the US, the FTC can give a seal program authority (like for COPPA).

Question 68

Technology Based Model

Answer 68

These reduce the need for administrative measures.

ex.) end-to-end encryption