Week 12 Flashcards
What are the four major categories of ethical and legal issues raised by the internet?
– Information rights – who controls your personal information
– Property rights – how can intellectual property be enforced online
– Governance – is the internet subject to public law, and whose?
– Public safety and welfare – gambling, pornography, child safety, bullying
Why must there be legal protections when dealing with IT?
Information technology is designed to transmit and associate data. This efficient
movement of data presents problems, as previously privacy relied partly on the
sheer difficulty of getting comprehensive information about a person.
Define privacy
Moral right of individuals to be left alone, free from
surveillance or interference from other individuals
or organizations
What is information privacy?
A subset of privacy, made up of two claims:
– the claim that certain information should not be collected at all
– the claim of individuals to control the use of whatever information is collected about them
What is a web cookie?
A web cookie is a small piece of data that a website asks the browser to store on the user's computer and send back with every later request to that site. Cookies are used to remember information the user previously entered, or state the site needs between requests, such as names, addresses, phone numbers or a logged-in session (the cookie should hold a random session token, never the password itself). While cookies offer convenience for users, they also allow a site, or a third-party advertising network whose cookie is set across many sites, to recognise and track the same user from visit to visit, and so they have data protection implications.
What does GDPR say about cookies?
GDPR does not prohibit cookies, but cookies that are not strictly necessary to deliver the service the user asked for (tracking, analytics and advertising cookies) may only be set after the user has given consent, normally on their first visit to the site. The cookie rule itself comes from the EU ePrivacy Directive; GDPR sets the standard the consent must meet: a clear opt-in, not silence, continued browsing or a pre-ticked box. Strictly necessary cookies, such as a login session or shopping-basket cookie, do not need consent.
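The server-side half of that consent rule, as an added example that is not part of the flashcards: the server reads the visitor's existing cookies, and only sets the non-essential tracking cookie if a prior opt-in is recorded, while the strictly necessary session cookie is always allowed. The cookie names `consent`, `sid` and `tracker` are my assumptions, not anything the page names, and every cookie gets the `Secure`, `HttpOnly` and `SameSite` attributes a practitioner would add.

```python
"""Added example, not from the flashcards: a server-side consent gate that
decides which cookies may be set on a response. Assumptions (mine, not the
page's): a first-party 'consent' cookie records the visitor's choice, 'sid' is a
strictly necessary login session cookie, and 'tracker' is a non-essential
analytics/advertising cookie that must wait for an opt-in. All cookie names
are hypothetical."""
from http.cookies import SimpleCookie
import secrets

ESSENTIAL = {"sid"}          # needed to deliver the service the user asked for
NON_ESSENTIAL = {"tracker"}  # profiling/advertising: only after explicit consent


def parse_cookie_header(header: str) -> dict:
    """Turn the browser's 'Cookie:' request header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def has_consent(request_cookies: dict) -> bool:
    """Opt-in semantics: absence, silence or any value other than 'yes' is 'no'."""
    return request_cookies.get("consent") == "yes"


def allowed_cookie_names(request_cookies: dict) -> set:
    """Names of cookies the server may legitimately set on this response."""
    names = set(ESSENTIAL)
    if has_consent(request_cookies):
        names |= NON_ESSENTIAL
    return names


def build_set_cookie_headers(request_cookies: dict) -> list:
    """Produce the 'Set-Cookie' header lines, with hardening attributes on each."""
    out = SimpleCookie()
    for name in sorted(allowed_cookie_names(request_cookies)):
        out[name] = secrets.token_urlsafe(16)     # random, unguessable identifier
        out[name]["path"] = "/"
        out[name]["secure"] = True                # never sent over plain HTTP
        out[name]["httponly"] = True              # not readable by page scripts
        out[name]["samesite"] = "Lax"             # limits cross-site sending
        # short life for the session, longer (but bounded) for the tracker
        out[name]["max-age"] = 3600 if name in ESSENTIAL else 30 * 24 * 3600
    return [morsel.OutputString() for morsel in out.values()]


if __name__ == "__main__":
    # Constructed request headers: no choice yet, refused, and accepted.
    for header in ("", "consent=no", "consent=yes; sid=abc"):
        print(f"Cookie: {header!r}")
        for line in build_set_cookie_headers(parse_cookie_header(header)):
            print("  Set-Cookie:", line)
```

The important design choice is in `has_consent`: anything other than an explicit "yes" is treated as no consent, so a visitor who simply closes the banner never receives the tracking cookie.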
What sort of data is collected at e-commerce sites?
Personally identifiable information (PII):
– Name, address, phone, e-mail, social security number
– Bank and credit card accounts, gender, age, occupation, education
– Preference data (from your browsing habits), transaction data, clickstream data, browser type
What effect do social networks have on a person's privacy?
– They encourage sharing of personal details
– They pose a unique challenge to maintaining privacy
Social networks mean that people post information about themselves, and this information may not stay restricted to a limited group. Cross-referencing this data with other sources can reveal a great deal about a person.
What is profiling?
Creation of digital images that characterize online
individual and group behavior
How do advertising networks work on the internet? Give an example.
– Track consumer and browsing behaviour across the Web
– Dynamically adjust what the user sees on screen
– Build and refresh profiles of consumers
Google AdWords (renamed Google Ads in 2018) – businesses pay to have their advertisements ranked at the top of the search results page for the keywords they want to target.
What are some of the top (most competitive) AdWords keywords?
Insurance
Loan
Mortgage
Attorney
Credit
Lawyer
Donate
What is cyberlaw
Laws intended to regulate activities over the
Internet or via the use of electronic data
communications and storage
– Intellectual property
– Privacy
– Freedom of expression
– Jurisdiction
What are the issues with cyberlaw?
– Identifying the jurisdiction: law is usually national, while the internet is not
– Technology changes much faster than legislation
What is the law in Ireland to do with privacy, and when was it written?
The Data Protection Act 1988, amended by the Data Protection (Amendment) Act 2003; the 2003 Act transposed the EU Data Protection Directive (95/46/EC), and the Data Protection Act 2018 gives effect to the GDPR. The principles have been the same from the beginning, but each act has tightened the restrictions.
What are the data protection principles in the Data Protection Act?
Obtain and process data fairly
* Specified purpose
* Disclose only if compatible with purpose
* Keep safe and secure
* Accurate, complete and up to date
* Relevant and not excessive
* Retain only as long as necessary
* Comply with access request
What does the Data Protection Act require of data holders?
– Give individuals access to their personal data
– Allow individuals to correct or delete any information that is incorrect or irrelevant
– Obtain information fairly, openly and transparently
– Use it only for the purpose for which it was originally collected
– Secure it against unauthorised access or loss
– Ensure that it is kept accurate and up to date
– Do not further process the data for an incompatible purpose, or retain it longer than the purpose for which it was given requires
Why can adhering to the Data Protection Act be difficult? Give an example.
– Conflicts with other legislation
– The internet is international, while the act is national
– Lack of clear guidelines
E.g. retention of data may be desirable for a possible future criminal investigation, but keeping it longer than necessary conflicts with data protection law.
Explain opt-in and opt-out policies and where they are used.
Opt-in is the EU standard: you must give your explicit consent before data is compiled about you.
Opt-out is the US standard: data can be compiled about you unless you specifically request otherwise.
What regulates government agencies in the US in relation to information systems security?
The Federal Information Security Management Act of 2002 (FISMA), updated in 2014 by the Federal Information Security Modernization Act and revised again in 2022, regulates information security in US government agencies.
Explain informed consent in the US.
US firms can gather and redistribute transaction information without the individual's informed consent; this is illegal in Europe.
– Opt-in (EU)
– Opt-out (US)
– Many US e-commerce firms merely publish their information practices as part of a privacy policy without providing for any form of informed consent.
Explain the European data protection regime in place.
– Rules data controllers must adhere to
– Your rights as a data subject
– What you can do if your rights are violated
* Regulates data transfers to non-EU countries: transfers to countries the Commission has found to offer adequate protection are allowed automatically; other transfers need additional safeguards.
What agreements and protections have been in place between the EU and the US? Explain the current one.
* Originally the Safe Harbour agreement
– Overturned by Schrems v Irish Data Protection Commissioner (CJEU, 2015)
* Then the EU-U.S. Privacy Shield
– Invalidated by the Schrems II case (CJEU, 2020), largely because of US surveillance law
* Trans-Atlantic Data Privacy Framework (agreed in principle in 2022; the Commission's adequacy decision for the resulting EU-U.S. Data Privacy Framework was adopted in July 2023). Components:
– US intelligence access to EU data restricted to what is necessary and proportionate
– A new two-tier redress system
– A Data Protection Review Court
What does GDPR stand for
General Data Protection
Regulation
What is the jurisdiction of the GDPR and what are the fines?
Extraterritorial scope:
– Applies to all organisations offering goods or services to people in the EU, whether paid or not, or monitoring their behaviour, wherever the organisation is based.
– Fines are up to 4% of annual global turnover or €20 million, whichever is higher (a lower tier of 2% or €10 million applies to less serious infringements).
What does personal data mean in GDPR
personal data’ means any information, including
data that can be combined with other
information, relating to an identified or
identifiable natural person (‘data subject’)
Define natural person in GDPR.
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier.
Natural person:
– You have to be alive (GDPR does not protect the deceased)
– It does not refer to companies or other legal persons
Personal data can include anything that can identify a natural person, for example:
– Biometric data, e.g. fingerprints
– A car registration number
What is the concept of pseudonymisation in GDPR?
Processing personal data in such a way that it can no longer be attributed to a specific individual without the use of additional information, where that additional information (for example a lookup table or a secret key) is kept separately and protected. Pseudonymised data is still personal data, because the controller can re-identify it, but its use is encouraged:
– it adds extra security for the data (a leaked table without the key is far less harmful)
– it allows the data to be used for statistical purposes
Anonymised data, by contrast, cannot be re-identified by anyone and falls outside the GDPR.
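A worked example of the definition above, added here and not part of the flashcards: a customer table is pseudonymised with a keyed hash, the key is the "additional information" that has to be kept separately, and the controller who holds the key can still re-identify the rows, which is why the result is still personal data. The block also contrasts this with an unkeyed hash, which an attacker who knows the identifier format reverses by guessing. The customer IDs, names, claim counts and the key are constructed for the example.

```python
"""Added example, not from the flashcards: pseudonymising a customer table with
a keyed hash (HMAC-SHA256) whose key is the 'additional information kept
separately'. The records and the key are constructed for the example; the
customer IDs and names are hypothetical."""
import hashlib
import hmac
import secrets

# Constructed sample records (hypothetical people), as a controller might hold them.
CUSTOMERS = [
    {"customer_id": "C1001", "name": "Ann Example", "claims": 2},
    {"customer_id": "C1002", "name": "Ben Example", "claims": 0},
    {"customer_id": "C1003", "name": "Cat Example", "claims": 5},
]

# The secret that must be stored apart from the pseudonymised table (e.g. in a
# key vault the analysts cannot read). Generated fresh here for the example.
KEY = secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed hash of a direct identifier: the same id always maps to the same
    pseudonym (so records can still be linked), but nobody without the key can
    compute or verify the mapping."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def unkeyed_pseudonym(identifier: str) -> str:
    """What NOT to do: a plain hash of a low-entropy id is trivially reversible."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def pseudonymise(records: list, key: bytes) -> list:
    """Analysis copy: direct identifiers dropped and replaced by a pseudonym."""
    return [{"pid": pseudonym(r["customer_id"], key), "claims": r["claims"]}
            for r in records]


def reidentify(table: list, originals: list, key: bytes) -> list:
    """The controller, who holds the key, can map pseudonyms back to people.
    This is why pseudonymised data is still personal data under the GDPR."""
    lookup = {pseudonym(r["customer_id"], key): r for r in originals}
    return [lookup[row["pid"]] for row in table]


def brute_force(target: str, candidates: list, fn):
    """An attacker who knows the id format guesses ids and hashes each one;
    returns the id that matches, or None if no guess reproduces the target."""
    for cand in candidates:
        if hmac.compare_digest(fn(cand), target):
            return cand
    return None


if __name__ == "__main__":
    table = pseudonymise(CUSTOMERS, KEY)
    guesses = [f"C{i}" for i in range(1000, 2000)]   # attacker's id dictionary
    print("pseudonymised table:", table)
    print("unkeyed sha256 reversed to:",
          brute_force(unkeyed_pseudonym("C1001"), guesses, unkeyed_pseudonym))
    print("keyed pseudonym reversed to:",
          brute_force(table[0]["pid"], guesses, unkeyed_pseudonym))
```

The dictionary attack in `brute_force` is the reason plain hashing of customer numbers, e-mail addresses or car registrations does not count as pseudonymisation in practice: the identifier space is small enough to enumerate. With HMAC the key is the only thing standing between the table and re-identification, so it must live somewhere the analysts of the pseudonymised table cannot reach.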
What is GDPR sensitive personal data (the "special categories" of Article 9)?
– racial or ethnic origin,
– political opinions
– religious or philosophical beliefs
– trade union membership
– processing of genetic data
– biometric data
– data concerning health
– data concerning a natural person’s sex life
What does processing mean as per GDPR
Performing any operations/
set of operations on personal data, including:
– obtaining, recording or keeping data;
– organising or altering the data;
– retrieving, consulting or using the data;
– disclosing the data to a third party (including
publication);
– erasing or destroying the data
Define data controller as per GDPR
Data Controller: is the person or organisation
who decides the purposes for which, and the
means by which, personal data is processed. The
purpose of processing data involves ‘why’ the
personal data is being processed and the ‘means’
involves ‘how’ the data is processed
Define data processor as per GDPR.
Data Processor: a person or organisation that processes personal data on behalf of a data controller, but is not an employee of that controller. Processing is often outsourced to an external company, e.g. a marketing agency, a data-entry firm or an analytics provider.
What are the main principles of GDPR?
– Data is processed lawfully, fairly and in a transparent way
– It is collected for a specified, explicit and legitimate purpose
– It is limited to what is relevant and necessary for the purposes of collection
– It is accurate and kept up to date
– It is kept no longer than necessary
– It is processed in a manner ensuring security of the data
– Accountability: the controller must be able to demonstrate compliance with the above
What are the lawful bases for processing personal data under GDPR?
Consent is one; the other five, which do not require the individual's consent, are:
– Contract
– Legal obligation
– Vital interest
– Public task
– Legitimate interests
What are the GDPR controller obligations?
- Privacy by design and by default
- Ensure processors are GDPR compliant (under a written contract)
- Keep records of processing activities
- Keep data secure
- Report data breaches (to the supervisory authority within 72 hours)
- Carry out data protection impact assessments for high-risk processing
- Appoint a data protection officer (DPO) where required
- Comply with any certification scheme adopted
- Ensure that data transfers outside the EU are adequately protected
What rights do we have under GDPR?
- Transparency
- Subject access rights (no fee)
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability (new): the right to receive your data in a machine-readable format and transfer it elsewhere
- Right to object
- Right not to be subject to solely automated decision-making
What are the GDPR requirements of data holders
Make an inventory of all personal data you hold
and examine it under the following headings:
– Why are you holding it?
– How did you obtain it and why?
– How long will you retain it and how to dispose of it?
– How secure is it?
– Do you share it with third parties, and on what basis?
* Many organisations don't really know what data they have
Give an example of a current GDPR enforcement case.
Luxembourg's data protection authority fined Amazon €746 million (2021)
– Details were unclear pending appeal
– But the case involves cookie consent
* Amazon was given until 15 January 2022 to ensure that its processing is GDPR compliant.
– On appeal, it was ruled that Amazon had not been given enough clarity on what was required
Give an example of a past GDPR investigation case.
On 21/9/2020 the Irish DPC started investigating Instagram regarding insufficient controls on under-18s opening accounts
– Certain data on under-18s was made public
– European supervisory authorities did not agree on the penalty, so the European Data Protection Board amended the decision
– A €405 million fine was imposed (2022)
How do actuaries interact with GDPR?
* Actuaries must ensure that there is a lawful basis, typically the customer's consent, for any analysis they wish to conduct
– Consent policies have to be updated
* Actuaries must be careful of local stores of data (spreadsheets and extracts on laptops are still personal data)
* Pseudonymisation should be systematic
* Customers have a right to know how their data is processed
What does the DMA stand for
Digital markets act
What is the EU DMA?
The DMA regulates large "gatekeeper" platforms
– Gatekeepers must allow users to install apps from sources other than the gatekeeper's own store
– Gatekeepers may not favour their own services over those of third parties
– Gatekeepers may not exploit data about business users that those third parties cannot access themselves
The DMA entered into force in November 2022.
What is the EU Digital Services Act?
Regulates Very Large Online Platforms (over 45 million EU users) in relation to:
– illegal content
– transparent advertising
– disinformation
* Companies are required to be transparent in what
they are doing about illegal content
* Companies are required to be transparent in why
people see certain advertisements
What does the Criminal Justice (Theft and Fraud Offences) Act 2001 say about computer crime (section 9, unlawful use of a computer)?
A person who dishonestly, whether within or
outside the State, operates or causes to be
operated a computer within the State with the
intention of making a gain for himself or herself
or another, or of causing loss to another, is guilty
of an offence
Can employees have their computers monitored?
Yes only is they know about it though - mponitors the employees productivity and behaviour. Employee needs to know:
– That they are being
monitored
– the reasons and
purposes why they
are monitored.
– How the information
is to be used
What can automating a process lead to (positives and negatives)?
Positives:
- Improved working conditions
- Higher quality products
- Lower (unit) cost
Negatives:
- Deskilling of the workforce
- Elimination of jobs