Privacy Program Frameworks: Chapter 3

Question 1

Argentina

Answer 1

Personal Data Protection Law No 25,326 (PDPL)

Agency for Access to Public Information (AAPI)

Question 2

Australia

Answer 2

Privacy act of 1988

Office of the Australian Information Commissioner (OAIC)

Question 3

Brazil

Answer 3

Lei Geral de Proteção de Dados (LGPD), Law No. 13.709/20183

Autoridade Nacional de Proteção de Dados (ANPD)

Question 4

Canada

Answer 4

Personal Information Protection and Electronic Documents Act (PIPEDA)4

Office of the Privacy Commissioner of Canada (OPC)

Note: Canadian provinces have their own, often stricter, privacy laws

Question 5

China

Answer 5

Cybersecurity Law of the People’s Republic of China

Cyberspace Administration of China (CAC

Data Security Law of the PRC
Personal Information Protection Law of PRC

Question 6

European Union

Answer 6

General Data Protection Regulations (GDPR)

Member state supervisory authorities

Question 7

Hong Kong

Answer 7

Personal Data (Privacy) Ordinance

Office of the Privacy Commissioner for Personal Data (PCPD)

Question 8

India

Answer 8

Information Technology Act 2000
Ministry of Electronics and Information Technology (MeitY)

Question 9

Israel

Answer 9

Protection of Privacy Law 5741-1981

Privacy Protection Authority

Question 10

Japan

Answer 10

Act on the Protection of Personal Information (APPI)

Personal Information Protection Commission (PIPC)

Question 11

GDPR

Answer 11

Passed: 12/2016. Effective: 05/25/2018

Art 1: Subject matter and objectives
1. Natural persons
2. Fundamental freedoms
3. Free movement of personal data in the Union shall not be restricted

Art 2: Material Scope
1. automated or manual data
2. Not apply in certain issues
3. all member states
4. also directive 2000

Art 3: Territorial Scope
1. All controllers or processors in the union
2. Individuals in the union
3. Anywhere else where member state laws apply

Penalty: 4% of revenue, or 20m euros

Question 12

GDPR Data subject rights

Answer 12

• withdraw consent
• request a copy of their data
• request to move their data to another org
• request to delete all their data
• object to automated decision making, profiling

Question 13

CCPA

Answer 13

Passed: June 2018. Effective Jan 1, 2020

Consumers:
- request a record for the type of data and how it is used / shared
- request erasure
- opt out of sale of data

Orgs:
- verification for consumers
- respond to DSARs within 45 days
- provide methods for receiving requests
- disclose to whom they sell their data, all do not sell
- non-discrimination for exercising these rights
- Children optin (13-16 by child, under 13 by parent)

30 days to address
Penalty: $7500 fine (intentional) or $2500 fine (unintentional)

Question 14

GDPR Org reqs

Answer 14

• Implement PbD&D
• Maintain appropriate safeguards
• Notify DPA within 72 hours of breach
• Collect consent and provide notification of processing activities
• Parental consent for under 16
• Keep records of all processing
• Appoint a DPO
• Responsibility for security and processing by vendors
• DPIA for new or high-risk processing activities
• Safeguard cross-border data transfers
• Consult regulators when necessary
• Demonstrate compliance
• Provide training for those with access

Question 15

LGPD

Answer 15

Passed Aug 2018. Effective Aug 1, 2021

Penalty: 2% of revenue in Brazil, max of 50m reals

Question 16

China Personal Info Protection Law

Answer 16

Passed Aug 2021. Effective Nov 1, 2021

Penalty: $7.7m or up to 5% of previous year revenue

Question 17

FTC Act (Section 5) of 1914

Answer 17

Unfair and deceptive practices

Question 18

Fair Credit Reporting Act (FCRA) of 1970

Answer 18

Accuracy and fairness of data with consumer reporting agencies

Question 19

FERPA of 1974

Answer 19

Protect students data

Question 20

Fed Privacy Act of 1974

Answer 20

fair information practices for fed collected PII

Question 21

Electronic Communications Privacy Act of 1986

Answer 21

fed wiretapping limits

Question 22

Video Privacy Protection Act of 1988

Answer 22

vcr rental records

Question 23

Telephone Consumer Protection Act of 1991

Answer 23

limits auto-dialing systems

Question 24

Drivers Privacy Protection Act of 1994

Answer 24

privacy for DMV collected PII

Question 25

HIPAA of 1996

Answer 25

protects PHI

Question 26

Children’s Online Privacy Protection Act of 1998 (COPPA)

Answer 26

Protects the PII of minors, specifically 12 and under

Question 27

Gramm-Leach-Bliley Act of 1999

Answer 27

consumer financial services must explain sensitive data sharing

Question 28

CAN-SPAM Act of 2003

Answer 28

controls unsolicited commercial email

Question 29

Fair and Accurate Credit Transaction Act of 2003

Answer 29

consumer protection to prevent identity theft

Question 30

National Do Not Call Registry

Answer 30

no telemarketing for numbers on the list

Question 31

Health Info Tech for Economic and Clinical Health Act of 2009

Answer 31

HHS has authority to set higher system requirements

Question 32

Self Regulations

Answer 32

PCI DSS: payment processing
DMA: data-driven marketing
Verasign, TrustArc, PaPal trust marks: vendor validation
Childrens Advertising Review Unit: target ads
Network Ad Initiative: privacy and data governance
EU Code of Conduct: B2B Cloud Serv

Question 33

GDPR Article 45

Answer 33

Adequacy for countries

Question 34

GDPR Article 46

Answer 34

Non-adequate country transfer
BCRs or SCCs