DOMAIN 3-REGIONAL CONSIDERATIONS Flashcards
- PRIVACY ACT OF 1988
o 13 AUSTRALIAN PRIVACY PRINCIPLES (APPs)
o APPLIES TO PRIVATE SECTOR ORGANISATIONS AND NOT-FOR-PROFITS WITH ANNUAL TURNOVER OVER AUD 3 MILLION, AND TO PRIVATE HEALTH SERVICE PROVIDERS REGARDLESS OF TURNOVER
o NOTIFIABLE DATA BREACHES SCHEME (2018 AMENDMENT) - COVERED ENTITIES MUST NOTIFY AFFECTED INDIVIDUALS AND THE REGULATOR (OAIC) WHEN AN ELIGIBLE DATA BREACH OCCURS
o APPLIES TO THE DATA OF AUSTRALIAN CUSTOMERS EVEN IF THE CSP IS BASED ELSEWHERE
- AUSTRALIAN CONSUMER LAW - PROTECTS AGAINST FALSE/MISLEADING CONTRACTS AND CONDUCT, INCLUDING FAILED OR MISLEADING BREACH NOTIFICATIONS
AUSTRALIA
- 2017 CYBERSECURITY LAW GOVERNS NETWORK OPERATORS AND CRITICAL INFORMATION INFRASTRUCTURE OPERATORS
o DATA LOCALIZATION REQUIRES THAT CERTAIN DATA (PERSONAL INFORMATION AND IMPORTANT DATA COLLECTED IN CHINA) BE STORED IN THE COUNTRY; CROSS-BORDER TRANSFER OF SUCH DATA REQUIRES A SECURITY ASSESSMENT - PRIVACY LANDSCAPE STILL IN TRANSITION
CHINA
- ACT ON THE PROTECTION OF PERSONAL INFORMATION (APPI) REQUIRES THE PRIVATE SECTOR TO PROTECT PERSONAL INFORMATION
- PRIOR CONSENT OF THE DATA SUBJECT IS REQUIRED BEFORE PERSONAL DATA IS TRANSFERRED TO A THIRD PARTY OUTSIDE THE COUNTRY
- CONSENT IS NOT REQUIRED IF THE RECIPIENT COUNTRY, OR THE RECIPIENT'S OWN SAFEGUARDS, MEET THE STANDARDS SET BY THE PERSONAL INFORMATION PROTECTION COMMISSION (PPC)
JAPAN
- FEDERAL LAW ON PERSONAL DATA (152-FZ) REQUIRES CONSENT FOR MOST DATA PROCESSING
- DATA LOCALIZATION (2015 AMENDMENT): OPERATORS MUST RECORD, STORE AND UPDATE THE PERSONAL DATA OF RUSSIAN CITIZENS IN DATABASES LOCATED WITHIN RUSSIA
RUSSIA
- GENERAL DATA PROTECTION REGULATION (GDPR), ADOPTED 2016 AND IN FORCE SINCE 25 MAY 2018
o MEMBER STATES CAN SUPPLEMENT THE GDPR WITH NATIONAL LAW
o 2002 DIRECTIVE ON PRIVACY & ELECTRONIC COMMUNICATIONS (E-PRIVACY DIRECTIVE) STILL APPLIES TO ELECTRONIC COMMUNICATIONS; A NEW E-PRIVACY REGULATION IS INTENDED TO REPLACE IT
- NETWORK AND INFORMATION SECURITY DIRECTIVE (NIS DIRECTIVE, 2016)
o PROTECTS CRITICAL INFRASTRUCTURE & ESSENTIAL SERVICES; OPERATORS OF ESSENTIAL SERVICES AND DIGITAL SERVICE PROVIDERS MUST MANAGE SECURITY RISK AND REPORT SIGNIFICANT INCIDENTS TO NATIONAL AUTHORITIES
EMEA
A regulation rather than a directive, so it applies in every member state without national transposition. It is directly binding on any organization that processes the personal data of individuals in the EU (regardless of their citizenship), and disputes are adjudicated by the data supervisory authorities or the courts of the member state that has the closest relationship with the individuals or the entities on both sides of the dispute (the lead supervisory authority under the one-stop-shop mechanism).
GDPR
establishes a framework to enable networks and information systems to resist, at a given level of confidence, actions that compromise the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data, or the related services that are offered by or accessible through those networks and information systems.
NIS Directive
The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the EU/EEA, regardless of whether the processing takes place in the EU/EEA or not. It also applies to controllers and processors established outside the EU/EEA when they offer goods or services to, or monitor the behaviour of, data subjects in the EU/EEA.
Applicability
The processing of personal data is allowed only if (a) the data subject has freely given a specific, informed and unambiguous indication of his/her consent to the processing of his/her personal data, or (b) another lawful basis under Article 6 applies: performance of a contract, compliance with a legal obligation, protection of vital interests, a task in the public interest, or the controller's legitimate interests where these are not overridden by the data subject's rights.
Lawfulness
For example, the GDPR requires companies to keep records of their data processing activities (Article 30). Certain categories of high-risk processing require a prior "Privacy Impact Assessment," which the GDPR itself calls a Data Protection Impact Assessment (DPIA, Article 35). Companies are expected to develop and operate their products and services in accordance with "privacy by design" and "privacy by default" principles, which Article 25 phrases as data protection by design and by default.
Accountability Obligations
Data subjects have rights regarding the processing of their data: the right to information about the processing; the right to object to certain uses of their personal data; the right to have their data corrected or erased; the right to be compensated for damages suffered as a result of unlawful processing; ___________; and the right to data portability.
the right to be forgotten
__________ of personal data outside the EU/EEA to a country that does not offer a similar range of protection of personal data and privacy rights is prohibited, unless appropriate safeguards (such as standard contractual clauses or binding corporate rules) or a specific derogation apply.
The transfer
The GDPR requires companies to report that they have suffered a ________ to the supervisory authority within 72 hours of becoming aware of it (unless it is unlikely to result in a risk to individuals), and to notify the affected data subjects without undue delay where the risk to them is high.
breach of security
Violations of the GDPR expose a company to significant sanctions. These sanctions may reach up to the greater of ________ of their total worldwide annual turnover for the preceding financial year, or up to EUR 20 million.
four percent
Due to its _______ approach, the United States has hundreds of federal, state and local regulations, ranging from the details of a written information security plan to the rules for disclosing security breaches.
sectoral