Data privacy refers to the evolving relationship between technology and the legal right to, or public expectation of, privacy in the collection and sharing of data.

Privacy problems exist wherever uniquely identifiable data relating to a person or persons are collected and stored, in digital form or otherwise. Improper or non-existent disclosure control can be the root cause of privacy issues. The most common sources of data that are affected by data privacy issues are:
* Health information.
* Criminal justice.
* Financial information.
* Genetic information.
* Location information.

The challenge in data privacy is to share data while protecting the personally identifiable information. Consider the example of health data which are collected from hospitals in a district; it is standard practice to share this only in the aggregate. The idea of sharing the data in the aggregate is to ensure that only non-identifiable data are shared. Aggregation is only a start: a count table whose cells cover very few people, or whose published totals let a reader subtract the published cells and recover a suppressed one, still identifies individuals, which is why statistical releases apply cell suppression on top of aggregation.

The legal protection of the right to privacy in general and of data privacy in particular varies greatly around the world.

The Universal Declaration of Human Rights states in its article 12 that:
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

Protecting privacy in information systems
Increasingly, as heterogeneous information systems with different privacy rules are interconnected, technical control and logging mechanisms (policy appliances) will be required to reconcile, enforce and monitor privacy policy rules (and laws) as information is shared across systems and to ensure accountability for information use. There are several technologies to address privacy protection in enterprise IT systems. These fall into two categories: communication and enforcement.

Policy Communication
P3P - The Platform for Privacy Preferences. P3P is a standard for communicating privacy practices and comparing them to the preferences of individuals.

Policy Enforcement
XACML - The eXtensible Access Control Markup Language together with its Privacy Profile is a standard for expressing privacy policies in a machine-readable language which a software system can use to enforce the policy in enterprise IT systems.
EPAL - The Enterprise Privacy Authorization Language is very similar to XACML, but is not yet a standard.
WS-Privacy - "Web Service Privacy" will be a specification for communicating privacy policy in web services. For example, it may specify how privacy policy information can be embedded in the SOAP envelope of a web service message.

North America
Data privacy is not highly legislated or regulated in the U.S. In the United States, access to private data is culturally acceptable in many cases, such as credit reports for employment or housing purposes. Although partial regulations exist, for instance the Children's Online Privacy Protection Act and HIPAA, there is no all-encompassing law regulating the use of personal data. The culture of free speech in the U.S. may be a reason for the reluctance to trust the government to protect personal information. In the U.S. the First Amendment protects free speech, and in many instances privacy conflicts with this amendment. In many countries privacy has been used as a tool to suppress free speech.

The safe harbor arrangement was developed by the US Department of Commerce in order to provide a means for US companies to demonstrate compliance with European Commission directives and thus to simplify relations between them and European businesses.

Very few states recognize an individual's right to privacy, a notable exception being California. An inalienable right to privacy is enshrined in the California Constitution's article 1, section 1, and the California legislature has enacted several pieces of legislation aimed at protecting this right. The California Online Privacy Protection Act (OPPA) of 2003 requires operators of commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site and to comply with its policy.

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) went into effect in relation to federally regulated organizations on 1 January 2001, and in relation to all other organizations on 1 January 2004. It brings Canada into compliance with the requirements of the European Commission's directive. For more information, visit the website of the Privacy Commissioner of Canada.

Europe
The right to data privacy is heavily regulated and rigidly enforced in Europe. Article 8 of the European Convention on Human Rights (ECHR) provides a right to respect for one's "private and family life, his home and his correspondence", subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence. According to the Court's case law, the collection of information by officials of the state about an individual without his consent always falls within the scope of Article 8. Thus, gathering information for the official census, recording fingerprints and photographs in a police register, collecting medical data or details of personal expenditures and implementing a system of personal identification have been judged to raise data privacy issues. Any state interference with a person's privacy is only acceptable for the Court if three conditions are fulfilled: (1) the interference is in accordance with the law, (2) it pursues a legitimate goal and (3) it is necessary in a democratic society. For more information, please refer to Human Rights Handbook no. 1 (PDF) or the Council of Europe data protection page.

The government isn't the only one who might pose a threat to data privacy, far from it. Other citizens, and private companies most importantly, engage in far more threatening activities, especially since the automated processing of data became widespread. The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was concluded within the Council of Europe in 1981. This convention obliges the signatories to enact legislation concerning the automatic processing of personal data, which many duly did.

As all the member states of the European Union are also signatories of the European Convention on Human Rights and the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the European Commission was concerned that diverging data protection legislation would emerge and impede the free flow of data within the EU zone. Therefore the European Commission decided to harmonize data protection regulation and proposed the Directive on the protection of personal data, which member states had to transpose into law by the end of 1998. (The directive was repealed and replaced by the General Data Protection Regulation, applicable from 25 May 2018.)

The directive contains a number of key principles which must be complied with. Anyone processing personal data must comply with the eight enforceable principles of good practice. They say that data must be:
* Fairly and lawfully processed.
* Processed for limited purposes.
* Adequate, relevant and not excessive.
* Accurate.
* Not kept longer than necessary.
* Processed in accordance with the data subject's rights.
* Secure.
* Not transferred to countries without adequate protection.

Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual, although in some limited circumstances exemptions will apply. With processing, the definition is far wider than before. For example, it incorporates the concepts of 'obtaining', 'holding' and 'disclosing'. For more details on these data principles, read the article about the directive on the protection of personal data or visit the EU data protection page.

All EU member states adopted legislation pursuant to this directive or adapted their existing laws. Each country also has its own supervisory authority to monitor the level of protection.
* In the United Kingdom the Data Protection Act 1984 was repealed by the Data Protection Act 1998. For details, visit the U.K. data protection page or read the article about the Information Commissioner.
* France adapted its existing law (law no. 78-17 of 6 January 1978 concerning information technology, files and civil liberties). More information is available on the website of the CNIL (Commission Nationale de l'Informatique et des Libertés; in French only).
* In Germany both the federal government and the states enacted legislation. For details, visit the page of the Federal Data Protection Commissioner (Bundesbeauftragter für den Datenschutz).

Safe Harbor Program
The US Department of Commerce created the Safe Harbor certification program in response to the 1995 Directive on Data Protection (Directive 95/46/EC) of the European Commission. Directive 95/46/EC declares in Chapter IV Article 25 that personal data may only be transferred from the EU to countries which provide an adequate level of privacy protection. This introduced a legal risk to organizations which transfer the personal data of European citizens to servers in the USA. Such organizations could be penalized under EU laws if the privacy protection of the USA were to be deemed weaker than that of the EU. The Safe Harbor program addresses this issue. Under this program, a US organization self-certifies to the Department of Commerce that it adheres to the Safe Harbor privacy principles, and the European Commission recognized (Commission Decision 2000/520/EC) that transfers to organizations so certified meet the directive's adequacy requirement. The Court of Justice of the European Union invalidated that decision in October 2015 (Schrems v Data Protection Commissioner), so Safe Harbor certification no longer provides a lawful basis for such transfers.
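The article's health-data example says a district publishes hospital data only in the aggregate. The block below is an added example, not code from the original article or from any real disclosure-control tool, showing why a count table still needs cell suppression: cells covering 1..k-1 people are hidden (primary suppression), and then further cells are hidden until no published row or column total lets a reader recover a hidden cell by subtraction (complementary suppression). The patient counts, the column names `zip3` and `diagnosis`, and the threshold `K = 3` are all constructed for the example; the suppression rule is deliberately simplified to single-subtraction recovery.

```python
"""Small-cell suppression for an aggregate health-data release (added example)."""
from collections import Counter

K = 3  # constructed threshold: a published cell must cover at least K people

# Constructed sample counts: (zip3, diagnosis) -> number of patients.
CELL_COUNTS = {
    ("940", "diabetes"): 4, ("940", "flu"): 6, ("940", "hiv"): 1,
    ("941", "diabetes"): 5, ("941", "flu"): 5, ("941", "hiv"): 3,
    ("942", "diabetes"): 3, ("942", "flu"): 2, ("942", "hiv"): 3,
}
# Expanded into per-patient records, the form in which hospitals hold them.
RECORDS = [{"zip3": z, "diagnosis": d}
           for (z, d), n in CELL_COUNTS.items() for _ in range(n)]


def build_table(records, row_key="zip3", col_key="diagnosis"):
    """Cross-tabulate records into {row: {col: count}}, zeros included."""
    counts = Counter((r[row_key], r[col_key]) for r in records)
    rows = sorted({r for r, _ in counts})
    cols = sorted({c for _, c in counts})
    return {r: {c: counts.get((r, c), 0) for c in cols} for r in rows}


def lines_of(table):
    """Every row and column as (label, cells); label is ("row", r) or ("col", c)."""
    cols = list(next(iter(table.values())))
    rows = [(("row", r), [(r, c) for c in cols]) for r in table]
    columns = [(("col", c), [(r, c) for r in table]) for c in cols]
    return rows + columns


def primary_suppression(table, k=K):
    """Cells counting 1..k-1 people are too small to publish (0 is kept)."""
    return {(r, c) for r, row in table.items() for c, n in row.items() if 0 < n < k}


def recoverable(table, hidden, withheld_totals=frozenset()):
    """Hidden cells a reader recovers by subtracting the published cells of a
    row or column from that line's published total."""
    found = set()
    for label, cells in lines_of(table):
        if label in withheld_totals:
            continue
        hid = [cell for cell in cells if cell in hidden]
        if len(hid) == 1:
            found.add(hid[0])
    return found


def complementary_suppression(table, hidden):
    """Hide further cells until no published total exposes a hidden cell.
    Greedy: the smallest positive unhidden cell of the offending line is hidden
    next; if the line has no other positive cell, its total is withheld instead.
    Returns (hidden, withheld_totals). Only single-subtraction recovery is
    handled; real disclosure control also bounds linear-combination attacks."""
    hidden, withheld = set(hidden), set()
    changed = True
    while changed:
        changed = False
        for label, cells in lines_of(table):
            if label in withheld:
                continue
            hid = [cell for cell in cells if cell in hidden]
            if len(hid) != 1:
                continue
            candidates = [cell for cell in cells
                          if cell not in hidden and table[cell[0]][cell[1]] > 0]
            if candidates:
                hidden.add(min(candidates, key=lambda rc: table[rc[0]][rc[1]]))
            else:
                withheld.add(label)
            changed = True
    return hidden, withheld


def release(records, k=K):
    """Publishable table: suppressed cells become None so a consumer can tell
    'hidden' from 'zero'. Also returns the totals that must not be published."""
    table = build_table(records)
    hidden, withheld = complementary_suppression(table, primary_suppression(table, k))
    published = {r: {c: (None if (r, c) in hidden else n) for c, n in row.items()}
                 for r, row in table.items()}
    return published, withheld


if __name__ == "__main__":
    table = build_table(RECORDS)
    primary = primary_suppression(table)
    print("primary suppression hides", sorted(primary))
    print("but published totals would reveal", sorted(recoverable(table, primary)))
    published, withheld = release(RECORDS)
    for r, row in published.items():
        print(r, {c: ("*" if n is None else n) for c, n in row.items()})
    print("withheld totals:", sorted(withheld))
```

On the constructed data, primary suppression hides only the two small cells, and every one of them is recoverable from a row or column total; the complementary pass ends up hiding six of the nine cells. That cost is the real trade-off in aggregate releases, and it is why the threshold and the table layout (which variables to cross-tabulate) are chosen before the data are collected rather than after.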