Data privacy refers to the evolving relationship between technology and the legal right to, or public expectation of, privacy in the collection and sharing of data.

Privacy problems exist wherever uniquely identifiable data relating to a person or persons are collected and stored, in digital form or otherwise. Improper or non-existent disclosure control can be the root cause of privacy issues. The most common sources of data that are affected by data privacy issues are:
* Health information.
* Criminal justice.
* Financial information.
* Genetic information.
* Location information.

The challenge in data privacy is to share data while protecting the personally identifiable information. Consider the example of health data which are collected from hospitals in a district; it is standard practice to share this only in the aggregate. The idea of sharing the data in the aggregate is to ensure that only non-identifiable data are shared.

The legal protection of the right to privacy in general, and of data privacy in particular, varies greatly around the world.

The Universal Declaration of Human Rights states in its article 12 that:
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

Protecting privacy in information systems

Increasingly, as heterogeneous information systems with different privacy rules are interconnected, technical control and logging mechanisms (policy appliances) will be required to reconcile, enforce and monitor privacy policy rules (and laws) as information is shared across systems, and to ensure accountability for information use.

There are several technologies to address privacy protection in enterprise IT systems. These fall into two categories: communication and enforcement.

Policy Communication
P3P - The Platform for Privacy Preferences. P3P is a W3C standard for communicating a site's privacy practices in machine-readable form and comparing them to the preferences of individuals.

Policy Enforcement
XACML - The eXtensible Access Control Markup Language, together with its Privacy Profile, is a standard for expressing privacy policies in a machine-readable language which a software system can use to enforce the policy in enterprise IT systems.
EPAL - The Enterprise Privacy Authorization Language is very similar to XACML, but is not yet a standard.
WS-Privacy - "Web Service Privacy" will be a specification for communicating privacy policy in web services. For example, it may specify how privacy policy information can be embedded in the SOAP envelope of a web service message.

North America

Data privacy is not highly legislated or regulated in the U.S. In the United States, access to private data is culturally acceptable in many cases, such as credit reports for employment or housing purposes. Although partial regulations exist, for instance the Children's Online Privacy Protection Act and HIPAA, there is no all-encompassing law regulating the use of personal data. The culture of free speech in the U.S. may be a reason for the reluctance to trust the government to protect personal information. In the U.S. the First Amendment protects free speech, and in many instances privacy conflicts with this amendment. In many countries privacy has been used as a tool to suppress free speech.

The Safe Harbor arrangement was developed by the US Department of Commerce in order to provide a means for US companies to demonstrate compliance with the European Commission's data protection directive and thus to simplify relations between them and European businesses.

Very few states recognize an individual's right to privacy, a notable exception being California. An inalienable right to privacy is enshrined in article 1, section 1 of the California Constitution, and the California legislature has enacted several pieces of legislation aimed at protecting this right. The California Online Privacy Protection Act (OPPA) of 2003 requires operators of commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site and to comply with that policy.

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) went into effect in relation to federally regulated organizations on 1 January 2001, and in relation to all other organizations on 1 January 2004. It brings Canada into compliance with the requirements of the European Commission's directive. For more information, visit the website of the Privacy Commissioner of Canada.

Europe

The right to data privacy is heavily regulated and rigidly enforced in Europe. Article 8 of the European Convention on Human Rights (ECHR) provides a right to respect for one's "private and family life, his home and his correspondence", subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence. According to the Court's case law, the collection of information by officials of the state about an individual without his consent always falls within the scope of article 8. Thus, gathering information for the official census, recording fingerprints and photographs in a police register, collecting medical data or details of personal expenditures, and implementing a system of personal identification have all been judged to raise data privacy issues. Any state interference with a person's privacy is acceptable to the Court only if three conditions are fulfilled: (1) the interference is in accordance with the law, (2) it pursues a legitimate goal, and (3) it is necessary in a democratic society. For more information, please refer to Human Rights Handbook no. 1 (PDF) or the Council of Europe data protection page.

The government is not the only actor that may threaten data privacy, far from it. Other citizens, and most importantly private companies, engage in far more threatening activities, especially since the automated processing of data became widespread. The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was concluded within the Council of Europe in 1981. This convention obliges the signatories to enact legislation concerning the automatic processing of personal data, which many duly did.

As all the member states of the European Union are also signatories of the European Convention on Human Rights and the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the European Commission was concerned that diverging data protection legislation would emerge and impede the free flow of data within the EU. Therefore the European Commission decided to harmonize data protection regulation and proposed the Directive on the protection of personal data, which member states had to transpose into law by the end of 1998.

The directive contains a number of key principles which must be complied with. Anyone processing personal data must comply with the eight enforceable principles of good practice. They say that data must be:
* Fairly and lawfully processed.
* Processed for limited purposes.
* Adequate, relevant and not excessive.
* Accurate.
* Not kept longer than necessary.
* Processed in accordance with the data subject's rights.
* Secure.
* Not transferred to countries without adequate protection.

Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual, although in some limited circumstances exemptions will apply. The definition of processing is far wider than before: for example, it incorporates the concepts of 'obtaining', 'holding' and 'disclosing'. For more details on these data principles, read the article about the directive on the protection of personal data or visit the EU data protection page.

All EU member states adopted legislation pursuant to this directive or adapted their existing laws. Each country also has its own supervisory authority to monitor the level of protection.
* In the United Kingdom the Data Protection Act 1984 was repealed by the Data Protection Act 1998. For details, visit the U.K. data protection page or read the article about the Information Commissioner.
* France adapted its existing law (law no. 78-17 of 6 January 1978 concerning information technology, files and civil liberties). More information is available on the website of the CNIL (Commission Nationale de l'Informatique et des Libertés; in French only).
* In Germany both the federal government and the states enacted legislation. For details, visit the page of the Federal Data Protection Commissioner (Bundesbeauftragter für den Datenschutz).

Safe Harbor Program

The US Department of Commerce created the Safe Harbor certification program in response to the 1995 Directive on Data Protection (Directive 95/46/EC) of the European Commission. Directive 95/46/EC declares in Chapter IV, Article 25 that personal data may only be transferred from the EU to countries which provide a level of privacy protection adequate in comparison with that of the EU. This introduced a legal risk to organizations which transfer the personal data of European citizens to servers in the USA: such organizations could be penalized under EU laws if the privacy protection of the USA were deemed weaker than that of the EU. The Safe Harbor program addresses this issue. Under this program, US organizations self-certify to the Department of Commerce that they adhere to the Safe Harbor privacy principles, and the European Commission recognized organizations so certified as providing adequate protection for the purposes of Article 25.