Introduction and US Legal Framework Flashcards
Data protection authority (DPA)
Official or agency that enforces privacy or data protection laws and regulations.
U.S. has no national data protection authority per se, but several groups oversee privacy matters (FTC, state attorneys general, federal financial regulators).
Data controller
An organization or individual with the authority to decide how and why information about data subjects is to be processed
This entity (usually a corporation) is the focus of most obligations under privacy and data protection laws
Data subject
An individual about whom information is being processed. E.g. consumer, employee, patient
Data processor
An organization or individual, often a third-party outsourcing service, that processes data on behalf of the data controller
- Under HIPAA, known as “business associates”
- May delegate to a subsequent data processor
- No data processor or subsequent data processor may exceed the scope of processing authority granted by the data controller
Information privacy
Establishes rules that govern the collection and handling of personal info, such as financial and medical info, government records, or internet activity
Communications privacy
Establishes protection of the means of correspondence, such as postal mail, telephone conversations, and e-mail
Bodily privacy
Establishes protections of a person’s physical being and any invasion thereof, such as genetic and drug testing; body cavity searches; and birth control, adoption, and abortion.
Territorial privacy
Establishes limits on the ability to intrude into another individual’s environment, including the home, workplace, and public space.
Fair information practices (FIPs)
Guidelines for handling, storing, and managing personal info properly
Categories of principles and the practices associated with each:
- The rights of individuals
  - Notice
  - Choice and consent
  - Data subject access
- Controls on the info
  - Info security
  - Info quality
- The information lifecycle
  - Collection
  - Use and retention
  - Disclosure
- Management
  - Management and administration
  - Monitoring and enforcement
OECD Guidelines (1980)
Updated in 2013. The OECD is an international organization whose members include the US, most European countries, and others.
The most widely recognized FIPs framework; endorsed by the US FTC and many other government organizations.
Examples of personal info and sensitive personal info
Examples of personal info
SSNs, passport numbers, names; street address, telephone number, e-mail address
Examples of sensitive personal info (definition depends on jurisdiction and the particular regulation)
SSNs, financial info, drivers license numbers, health info
IP addresses are context-dependent: federal agencies operating under the Privacy Act do not treat IP addresses as personal info, but the FTC treats them as personal info when it comes to breaches of healthcare information
Classes of Privacy (Table)
Information privacy
Collection and handling of personal info
Financial info, medical info, government records, internet activity
Bodily privacy
Person’s physical being and any invasion thereof
Genetic testing, drug testing, body cavity searches; birth control, abortion, adoption
Territorial privacy
Intrusion into individual’s environment
Home, workplace, or public place; monitoring via video surveillance, ID checks, use of similar tech and procedures
Communications privacy
Means of correspondence
Postal mail, telephone convos, e-mail
Processing (definition)
Collection, recording, organization, storage, updating or modification, retrieval, consultation and use of personal info
Disclosure by transmission, dissemination or making available in any other form, linking, alignment or combination, blocking, erasure, or destruction of personal info
Sources of personal info
- Public records
- Publicly available info - names and addresses in phone books and info published in newspapers and/or other public media (e.g. search engines)
- Non-public info - not generally available or easily accessed due to law or custom; company’s customer or employee database usually contains non-public info
Self-regulation and co-regulation
Legislation: who defines privacy rules?
- Privacy policy of a company or other entity
- Industry association
Enforcement: who initiates enforcement action?
- Data protection authorities
- Other government agencies
- Industry code enforcement
- Affected individuals
Adjudication: who decides whether an org has violated a privacy rule?
- Industry association
- Government agency
- Judicial officer
Privacy professionals should consider all three (legislation, enforcement, adjudication) for a clear understanding of data privacy responsibilities
Comprehensive vs sectoral data protection laws
Comprehensive - gov has defined requirements throughout the economy
Sectoral - laws exist in selected market segments, often in response to particular need or problem (like in US)
Co-regulatory model
Industry development of enforceable codes or standards for privacy and data protection
e.g. Children’s Online Privacy Protection Act (COPPA) - allows compliance with codes to be sufficient for compliance with statute once codes have been approved by FTC
Self-regulatory model
Company, industry or independent body creates codes of practice for protection of personal info; no generally applicable legal framework in place
e.g.
- Payment Card Industry Data Security Standard (PCI-DSS) - enhances cardholder data security and facilitates broad adoption of consistent data security measures globally
- Seal programs
Seal programs
When a company abides by codes of information practices and submits to some variation of monitoring to ensure compliance, it is allowed to display the program’s privacy seal on website
Consent decree (definition)
Agreements or settlements that resolve a dispute between 2 parties w/o admission of guilt or liability
Thru legal doc approved by a judge, defendant may have to take specific action, such as agreeing to stop the alleged illegal activity or pay money to gov and agree not to violate relevant law in future
Role of Federal Trade Commission (FTC)
- General authority to enforce rules against unfair and deceptive trade practices
- Can bring deception enforcement actions where an organization has broken a privacy promise
- Has statutory responsibility for issues such as children’s online privacy and commercial e-mail marketing
Role of Dept of Health and Human Services (DHHS)
- Created regulations to protect privacy and security of healthcare information
- Responsible for enforcement of HIPAA laws
- Shares rulemaking and enforcement power with FTC for data breaches related to medical records under Health Information Technology for Economic and Clinical Health (HITECH) Act
Role of Federal Communications Commission (FCC)
- Governs communication industry (tv, radio, telemarketing, online marketing)
- Online marketing laws: Telemarketing Sales Rule, CAN-SPAM Act
- Enforces privacy law w/ FTC
Role of Department of Commerce (DOC)
- Leading role in federal privacy policy development; administered the Privacy Shield Framework b/w US and EU (invalidated by the Court of Justice of the EU in 2020 and succeeded by the EU-US Data Privacy Framework in 2023)
- Works w/ FTC on enforcement of privacy and security standards set by organizations, particularly those with self-regulatory programs
Role of Federal Reserve Board
- Federal financial regulator
- Enforces provisions by specific federal mandates like Gramm-Leach-Bliley Act (GLBA)
- The CFPB is an independent bureau housed within the Federal Reserve System; it has rulemaking authority for laws related to financial privacy and oversees the relationship b/w consumers and financial product and service providers
Role of State Attorney General
- Chief legal advisor to state government and state’s chief law enforcement officer
- May take enforcement action on:
- state’s unfair and deceptive practice laws
- HIPAA
- GLBA
- Telemarketing Sales Rule
- violations of breach notification laws
Role of Office of the Comptroller of the Currency (OCC)
- Independent bureau of US Treasury
- Regulates and supervises all national banks and federal savings associations, as well as federal branches and agencies of foreign banks
- Ensures fair access to financial services and compliance w/ financial privacy laws and regulations