Privacy Laws and Regulations 101
To end my series of posts on privacy basics I’m going to provide a brief summary of what I feel are the most important privacy laws and regulations for a non-lawyer to understand. You should work to internalize these as best you can so that future decisions take these restrictions into account.
As a baseline for your perspective it is important to understand that the US is far behind much of the world when it comes to legislation that protects its citizens’ privacy. For a visual illustration of this take a look at Forrester’s Privacy Heat Map. You’ll see that the US is “cold” indeed – the US is on the same level as Russia.
Having said that, the US does have an unusually long list of laws and regulations in place, but they tend to focus on very specific things rather than take a holistic view of privacy. So while most of the text of this post is devoted to US law, keep in mind that the US is far more libertarian (a.k.a. “free market”) in its approach than the rest of the developed world.
United States
The Privacy Act of 1974 was established to protect citizens’ data against misuse by federal agencies. The Act governs the collection, maintenance, use, and dissemination of personally identifiable information. It prohibits the disclosure of information without the written consent of the individual, although there are some exceptions. The Act also provides means for individuals to seek access to and update their records.
HIPAA - The Health Insurance Portability and Accountability Act established national standards for the protection of electronic health records. With regard to privacy, the HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) by specific entities. PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual. The Rule outlines specific cases where disclosure is permitted and sets requirements for obtaining written authorization from the individual for other disclosures. It also states that when a covered entity discloses any PHI, it must make a reasonable effort to disclose only the minimum necessary information required to achieve its purpose.
Like the Privacy Act of 1974, the HIPAA Privacy Rule gives individuals the right to request that a covered entity correct any inaccurate PHI. It also requires covered entities to take reasonable steps to ensure the confidentiality of communications with individuals. In addition it requires covered entities to notify individuals of uses of their PHI and keep track of disclosures of PHI and document privacy policies and procedures.
HITECH Act - The Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, addresses the privacy and security concerns associated with the electronic transmission of health information. The HITECH Act requires HIPAA covered entities to report data breaches affecting 500 or more individuals to HHS and the media, in addition to notifying the affected individuals.
GLBA - The Gramm–Leach–Bliley Act eliminated the restrictions on consolidation among commercial banks, investment banks, securities firms, and insurance companies, repealing part of the Glass–Steagall Act of 1933. Part of GLBA is the Financial Privacy Rule, which requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and then annually thereafter. The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected. The notice must also identify the consumer’s right to opt out of the information being shared with unaffiliated parties.
COPPA - The Children’s Online Privacy Protection Act applies to the online collection of personal information by persons or entities in the US from children under 13 years of age. It details what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent or guardian, and what responsibilities an operator has to protect children’s privacy and safety online, including restrictions on marketing to those under 13. Under the Act, children under 13 can legally give out personal information with their parents’ permission.
CAN-SPAM - The Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 establishes requirements for those who send commercial email, spells out penalties for spammers and for companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask emailers to stop spamming them. It bans false or misleading header information and prohibits deceptive subject lines. It requires that commercial email give recipients an opt-out method. It requires that commercial email be identified as an advertisement and include the sender’s valid physical postal address.
The Consumer Privacy Bill of Rights announced by President Obama earlier this year does not by itself establish any new laws or regulations. Rather it summarizes current law and asks Congress to consider new laws in certain areas, but most of the bill is about best practices that the FTC wants companies to follow. These best practices are organized in a three-part framework: privacy by design, which means building privacy into your products and practices from the beginning; simplified choice for consumers; and greater transparency about data practices.
European Union
I’m going to skip over the currently active Data Protection Directive in favor of summarizing the newly proposed regulations, since in the next year or so they will supersede the current directive.
The Data Protection Rule, announced earlier this year, outlines proposed reforms of the EU’s 1995 data protection rules. The proposed rules still have to navigate the European Parliament and the EU Council of Ministers for discussion, so they may still change, but the basics of the proposal are as follows.
- EU rules would apply to any personal data handled abroad by organizations that are active in the EU market and offer their services to EU citizens.
- Organizations that plan on gathering personal data would have to get explicit consent from data subjects.
- Individuals would have a “right to be forgotten”, requiring organizations to delete data on the person upon request if there are no legitimate grounds for retaining it.
- Organizations would be expected to notify the proper authorities within 24 hours of detecting a data breach and communicate to the data subjects without delay.
- Organizations would be exposed to penalties of up to €1 million or up to 2% of the global annual revenue of a company.
Canada
PIPEDA - The Personal Information Protection and Electronic Documents Act governs how private sector organizations collect, use and disclose personal information. The law gives individuals the following rights:
- Know why an organization collects, uses or discloses their personal information
- Expect an organization to collect, use or disclose their personal information reasonably and appropriately, and not use the information for any purpose other than that to which they have consented
- Expect the personal information an organization holds about them to be accurate, complete and up-to-date, have access to that personal information, and ask for corrections if necessary
The law also obligates organizations to do the following:
- Obtain an individual’s consent when they collect, use or disclose that person’s personal information
- Supply an individual with a product or a service even if they refuse consent for the collection, use or disclosure of their personal information, unless that information is essential to the transaction
- Have personal information policies that are clear, understandable and readily available.
The Rest of the World
It is very US-centric of me to lump the rest of the world together, but I’m doing it anyway, mostly because I’ve covered the large markets of my readership that have applicable privacy laws. It is important to recognize, though, that countries like Australia, Mexico and Argentina have very robust privacy laws in place, and if you are establishing businesses in those countries, or any country for that matter, you need to understand your obligations.
I will end this round-up with a bit of perspective on how some governments view their role in protecting their citizenry. On the somewhat poorly translated greetings page of the Korean Internet Security Agency they lay out a fairly ambitious vision.
Nowadays, thanks to the internet, a variety of new services have become a part of our lives, and as a result the number of victims of abusive comments or false rumors has increased. Due to the Internet’s anonymity, cyberbullying has gone beyond a tolerable level and some victims have even committed suicide. Encouraging internet users to behave ethically in cyberspace, and leading them to learn appropriate cyber etiquette, are most needed to create a safe and firm internet world.
…
Korea has been called the courteous country in the East. From now on, our mission of the 21st century is to lead the internet culture as a globalized, digitally courteous country. We took over an excellent cultural heritage, manners, and social order from our ancestors. It is time that we establish the right digital culture and endeavor to leave it to our descendants.
…
We at KISA will work with enthusiasm to build a road for people who use the internet to enter into a warm and comfortable digital world.
Pretty heady stuff, and it reflects the views of the Korean government, which assumes a high level of responsibility for protecting its citizenry. This sentiment is shared in many places around the world, just not here in the US.