Fundamentals Unit 1 ABC II Flashcards
What was struck down by the Court of Justice of the EU (CJEU) on 16 July 2020?
The Privacy Shield was invalidated by the CJEU.
What is the difference between the European and US approaches to privacy/data protection?
Europe:
- Privacy is a human right
- Default = No processing of personal info
- Processors must meet strict guidelines
US:
- Individuals have some constitutional rights to privacy
- Privacy is a consumer protection issue
- Acceptable = Commercial use of personal information
- Processing is limited by sectoral laws
EU Data Protection Directive/GDPR:
- Emphasizes employee rights
- Privacy predominates over security
- Employee monitoring is permitted only with specific, legal justification
- Background checks of employees are limited
- Employees often required to consult with regulatory bodies and comply with trade union / works council agreements
US Safe Harbour/Privacy Shield:
- Adequacy approach
- Participation limited
- Participation voluntary
- Requirements based on FIPs
- Violations enforced by Federal Trade Commission and Department of Transportation
Note: A safe harbor is a legal provision in a statute or regulation that provides protection from a legal liability or another penalty when certain conditions are met.
What is sensitive personal information vs special categories of data?
United States - Sensitive Personal Information:
- Social Security number
- Financial information
- Driver’s license number
- Medical records
Europe - Special Categories of Data:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade-union membership
- Health or sex life
- Criminal convictions or offences
What are the terms used in the US and the EU for information relating to an individual?
US - Personally identifiable information = any information relating to an identified or identifiable individual
EU - Personal data = any information relating to an identified or identifiable natural person (data subject)
What is the difference between Anonymisation and Pseudonymisation?
Anonymisation - refers to the process of removing identifying information, such that the remaining data does not identify any particular individual.
Pseudonymisation - an anonymisation technique that replaces personal identifiers with other references.
Other anonymisation techniques:
- Replacement = replacing values or a subset of the values with a computed average or a number derived from the values
- Data reduction = removing values that are not required for the purpose
- Data suppression = banding or hiding the value within a given range
- Data shuffling = mixing up or replacing values with those of the same type so that the information looks similar but is unrelated to the actual details
- Masking = removing certain details while preserving the look and feel of the data
What is re-identification vs de-identification?
Re-identification = the process by which anonymised data is combined with other information such that an individual can be identified. The information then becomes personal data again.
Lowering re-identification risks:
- Limiting disclosure to restricted persons
- Imposing additional enforceable restrictions on the use and subsequent disclosure of the data
- Implementing processes to govern proper use of the anonymised data in line with the restrictions, including access restrictions
- Implementing processes and measures for the destruction of data as soon as possible
De-identification of data refers to the process used to prevent personal identifiers from being connected with information. It is not a single technique, but rather a collection of approaches, tools, and algorithms that can be applied to different kinds of data with differing levels of effectiveness.