Archive

Posts Tagged ‘PIPA’

Privacy versus Data Protection

November 27, 2012 6 comments

Today, E-Crime Expert presents the main similarities and differences between privacy and data protection concepts mainly from two different legislative perspectives:  Canada and the European Union (EU), and briefly from the United States (US).

Also, this blog post provides the main privacy and data protection legislative acts from Canada and EU as a useful resource for those interested or working in this field.

Last but not least, you could find bellow the full EU Data protection revision 2012 package.

I.      US versus EU versus Canada

-The United States (US) and European Union (EU) have different concepts regarding personal information and private data, such as Privacy in the US versus Data Protection in the EU.

-US’s approach to privacy focuses on narrowly applicable legislation.

  • sector-based,
  • with a mix of legislation,
  • regulation and self-regulation,
  • focusing on the protection of personal information by specifically addressing a particular industry sector (i.e. medical information, online transactions, credit check, etc)
  • regulating data collected by the federal government

- EU has a more comprehensive approach.

  • set of rights and principles for personal data treatment (processing),
  • without considering that the data is held in the public or private sector,
  • protects just natural persons not legal entities
  • the relation between data protection and the economic value as a proper balance between fundamental rights and free flow of information (which has economic value).
  • by granting data protection as a fundamental right, the aim is to protect the individuals but also to encourage the free flow of information, giving data subjects legal certainty and encouraging them to not negatively affect the exchange of information and data

-Canada – similar level of protection to the EU one.

  • Privacy is regulated by the government at the federal and provincial level:
    • The Privacy Act (federal level for private information held by the gov),
    • PIPEDA (federal level for private sector),
    • PIPA (provincial level for private sector, Alberta for example),
    • FOIP (provincial level for public sector, Alberta for example),
    • HIPA (federal level for health information),
    • HIA (provincial level for health information, Alberta for example)
  • The difference between Canada and EU
    • Canada’s legislation regulates both organizations and individuals privacy rights and access
    • EU’s legislation regulates the individuals’ rights (no organizations)
    • Canada gives to the individual the right to access their data or other individuals’ or organizations data along with their privacy protection right under the same Act (The Privacy Act, FOIP)
    • EU gives to the data subject the right to protection of their personal data under one single act (Directive 95) and to access data for public interest under the Transparency Regulation (1049)-no others personal data could be accessed in the private sector (just for law enforcement)
  • Canada enacted different acts for different data categories (private-PIPA, public-FOIP, health-HIA, children-Child, Youth&family enhancement act, etc)
  • EU has the same Legislative Act (e.g. Directive) but with different degrees of protection and limitations based on the data categories sensitivity (identification, medical, criminal, etc).
  • Canada sets forth a minimum time for information retention when EU sets forth a maximum time for data retention
  • in Canada information sharing is done based on Information Sharing Agreements (local, federal, international)
  • in EU the data transfer has three layers of protection for exchange locally within the same institutions, bodies, organizations, between EU member states, or internationally (with third countries).

 II.      Privacy versus data protection

  • The concept of privacy and data protection is not the same.
  • Data protection has a privacy dimension, but it is narrower in scope than the privacy concept, “as the privacy encloses more than personal data” (i.e. private life, private home, private correspondence, etc.)
  • From a different angle, it encloses a wider area, “since personal data are protected not only to enhance the privacy of the subject, but also to guarantee other fundamental rights, such as the right to freedom of expression, or the right to know what data is gathered about you,  to have access to your data, to ask for modification or deletion of your data, etc”
    • Furthermore, data protection gives individuals the right to know
  • What personal data is collected,
  • on what legal grounds,
  • how it is used, for how long it used and kept,
  • and by whom.
    • specifically grants data subjects with the rights to access, modify,   update or ask for deletion of such data

 III.      EU legislative framework

IV.      EU Data protection revision 2012 (to reflect the new technological developments and to provide a consistent legislative framework across EU):

Click here to access the new proposed EU Data Protection regulation

  • It was proposed a Regulation versus the existing Directive. A Regulation is better, as it is immediately and more uniformly implemented into the Member States national law.
  • Data subjects
    • increasing responsibility and accountability – companies would have to notify their clients of any theft or accidental release of personal data
    • clarifying that where someone’s consent is required before a company reuses their personal data, they need to give that consent explicitly – people would also have access to their own private data and be able to transfer it to another service provider more easily
    • reinforcing the ‘right to be forgotten’ – people will be able to have their personal data deleted if a business or other organization has no legitimate reasons for keeping it
    • applying EU rules when personal data is processed outside Europe – people would be able to involve the national data protection authority in their country, even when their data is processed by a company based outside the EU
    • People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services
  • Good for business
    • A single set of rules would encourage a more consistent application of the law across the EU. Businesses would have clear rules on how to treat personal data
    • Companies would only have to deal with a single national data protection authority in the EU country where they have their main operations (saving businesses an estimated €2.3bn a year)
    • The obligation of appointment of a data protection officer for organizations with 250 employees and over (private sector
    • Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors – a requirement that has led to unnecessary paperwork and costs businesses €130 million per year, the Regulation provides for increased responsibility and accountability for those processing personal data
    • Companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours)
    • Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU. Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed
    • EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens
    • Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company
  • Better enforcement
    • The new rules would give national data protection authorities powers to enforce the EU rules more rigorously
    • A new Directive will apply general data protection principles and rules for police and judicial cooperation in criminal matters. The rules will apply to both domestic and cross-border transfers of data. For the new Directive click here.
  • Next steps
    • The proposals is aimed to encourage more online commerce by improving consumer trust – contributing to economic growth and job creation. The new Data protection proposed legal framework (Regulation+Directive) must be approved by the European Parliament and Council before becoming law.
  • Commission Proposals on the data protection reform: legislative texts

Source: Directorat General Justice of the European Commission

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog

Follow

Get every new post delivered to your Inbox.

Join 410 other followers

%d bloggers like this: