Written by Nisha Paul, pursuing a Diploma in Cyber Law, Fintech Regulations and Technology Contracts from Lawsikho.

This article has been edited and published by Shashwat Kaushik.

What is data privacy

Data privacy involves handling personal information carefully to keep it private and secure. It includes following rules and practices to prevent unauthorised access and giving people control over how their information is used. For instance, a company practises data privacy when it encrypts its customers’ personal information, such as credit card details, to prevent unauthorised access in the event of a data breach. This ensures that the data is kept private and secure, in line with data privacy regulations and the expectations of the customers regarding the use of their personal information.

Why is data privacy important to us

Data privacy is a significant concern in today’s digital world due to two primary reasons.

Firstly, data has become a vital asset for companies, contributing to the rise of the data economy. Major corporations like Google, Facebook, and Amazon have successfully leveraged data to build their businesses. As a result, there is immense value in collecting, sharing, and utilising data. However, businesses must be transparent about how they obtain consent, adhere to privacy policies, and manage the data they collect. This transparency is essential for establishing trust and accountability with customers and partners who expect their privacy to be respected.

Secondly, privacy is a fundamental right that individuals should enjoy, enabling them to be free from unwarranted surveillance. The ability to exist safely in one’s personal space and express opinions without fear of intrusion is crucial for upholding democratic principles in society. Upholding data privacy is not just a matter of business ethics but also a critical aspect of safeguarding individual rights and liberties.

In essence, data privacy is a complex and crucial issue that impacts both businesses and individuals. It encompasses the responsible handling of data by companies and the protection of individual privacy rights, both of which are essential for sustaining trust, accountability, and democratic values in a rapidly evolving digital landscape.

“Privacy forms the basis of our freedom. You have to have moments of reserve, reflection, intimacy, and solitude,” says Dr. Ann Cavoukian, former Information Privacy Commissioner of Ontario, Canada. Dr. Cavoukian knows a thing or two about data privacy. She is best known for her leadership in the development of Privacy by Design (PbD), which now serves as a cornerstone for many pieces of contemporary data privacy legislation.

Data privacy laws

Recently, laws have been made to protect people’s personal information. This means that companies need to be careful with the data they collect from users. They have to know where the data comes from, what kind of personal information it has, and how they use it. Here are the four main laws that are important for data privacy.

Data privacy in healthcare

In the US, there’s a law called the Health Insurance Portability and Accountability Act of 1996 that protects people’s personal health information. It’s meant to keep patients’ data safe.

How data privacy works can be explained through the following points:

  • User consent: Companies must ask users if they’re okay with collecting their data.
  • Data requests: Users can ask companies to show them the data they have.
  • Data deletion: Users can ask companies to delete their data.
  • Security responsibilities: Companies have to make sure they keep user data safe.

Since Congress passed HIPAA in 1996, calls for even greater data privacy protection have increased, with data breaches at an all-time high and the rate at which companies use and sell the data they collect on their patients rising fast.

In December 2000, the United States Department of Health and Human Services (HHS) took a significant step towards safeguarding the privacy of individually identifiable health information by issuing the Privacy Rule. This rule was developed to carry out the mandate of the Health Insurance Portability and Accountability Act (HIPAA), which was enacted in 1996.

The Privacy Rule establishes national standards to protect the privacy of health information, including medical records and other protected health information (PHI). It applies to healthcare providers, health plans, healthcare clearinghouses, and business associates who handle PHI.

The Privacy Rule includes a number of key provisions, including:

  • Patient rights: Patients have the right to access their PHI, request corrections to their PHI, and restrict the use and disclosure of their PHI.
  • Provider responsibilities: Healthcare providers must take steps to protect the privacy of PHI, including implementing physical, technical, and administrative safeguards.
  • Business associate responsibilities: Business associates who handle PHI must also take steps to protect the privacy of PHI, including entering into business associate agreements with healthcare providers.

The Privacy Rule has been instrumental in protecting the privacy of health information. It has also helped to promote the electronic exchange of health information, which can improve the quality and efficiency of healthcare.

However, the Privacy Rule has also been criticised for being too complex and burdensome. In 2020, HHS issued a proposed rule that would make a number of changes to the Privacy Rule, including simplifying the language and reducing the regulatory burden on healthcare providers. The proposed rule is currently under review.

Data privacy for financial institutions

The Gramm-Leach-Bliley Act (GLBA) sets rules for banks and other financial companies to protect people’s financial information. It helps prevent fines and damage to a company’s reputation if sensitive financial data is shared or lost by mistake. It’s not exactly like the GDPR in Europe, but the US could have similar rules soon.

Achieving GLBA compliance has multiple benefits. Firstly, it reduces the risk of potential fines and protects the company’s reputation by preventing the unauthorised sharing or loss of sensitive financial data. This means that the company avoids costly penalties and maintains trust with its customers.

Additionally, by safeguarding consumer financial data, the company demonstrates a commitment to protecting its clients’ privacy and security, which can enhance customer loyalty and confidence in the business. Overall, GLBA compliance helps the company ensure the safety and privacy of its customers’ financial information while also preserving its financial stability and reputation. 

Innovative US privacy laws

In the US, data privacy is regulated by both federal and state laws. One prominent federal law is the Health Insurance Portability and Accountability Act (HIPAA), which safeguards the personal health information of patients. At the state level, California has established the California Consumer Privacy Act (CCPA) to extend data privacy protections within the state. The CCPA grants consumers in California greater control over the collection and utilisation of their data, necessitating businesses to effectively manage and protect sensitive data to adhere to its stipulations.

Similarly, the Children’s Online Privacy Protection Act (COPPA) is another significant regulation that focuses on protecting the privacy of children under 13. Originally adopted in 1998, COPPA dictates that companies must obtain parental consent before collecting data on children and outlines specific requirements for the storage and processing of such data.

COPPA mandates that websites and online services directed at children or knowingly collecting their data must obtain verifiable parental consent before doing so. This consent must be informed, meaning parents must be provided with detailed information about the types of data being collected, how it will be used, and with whom it will be shared. Additionally, businesses must take reasonable steps to protect children’s data from unauthorised access, use, or disclosure.

To ensure compliance with COPPA, businesses must develop and implement comprehensive privacy policies that outline their practices regarding children’s data. These policies must be easily accessible and written in a manner that is understandable to both parents and children. COPPA also grants parents the right to review their children’s personal information collected by websites and online services and request its deletion or modification.

COPPA’s significance lies in its pioneering approach to protecting children’s privacy in the digital age. It sets a precedent for other countries and jurisdictions to introduce similar legislation aimed at safeguarding the privacy of children online. Furthermore, COPPA has raised awareness among parents and educators about the importance of children’s privacy and has encouraged businesses to adopt more responsible data collection and handling practices.

Despite its strengths, COPPA has also faced criticism for its limitations. Some argue that it does not provide sufficient protection for children’s privacy in the ever-evolving digital landscape. Others point out that COPPA’s enforcement mechanisms are not robust enough to deter companies from violating its requirements.

Nevertheless, COPPA remains a crucial piece of legislation that has laid the groundwork for protecting children’s privacy online. It has served as a model for other jurisdictions and has contributed to raising awareness about the importance of safeguarding children’s personal information in the digital age.

It is noteworthy that several states are contemplating enacting laws akin to California’s, reflecting an overarching legislative inclination towards enhancing data security and privacy across diverse sectors. This growing trend has sparked discussions regarding the potential establishment of a Federal Department of Cybersecurity to standardise data privacy laws nationwide. However, the current regulatory landscape remains a diverse patchwork of separate regulations.

Personal Data Protection Bill, 2018

India’s first-ever data privacy law was created in 2017 after the Supreme Court determined that personal information and privacy are fundamental human rights. This legislation introduced mandatory data audits every year and set data protection and privacy standards.

The key points on the applicability of this Act are:

  • The Act pertains to the processing of personal data within India and by entities or individuals under Indian jurisdiction, encompassing collection, disclosure, sharing, or other forms of processing of personal data.
  • It also extends to the processing of personal data by data fiduciaries or processors located outside India if it is related to business conducted in India, offers goods or services within India, or involves profiling individuals within India.
  • However, the Act does not apply to the processing of anonymized data.

In essence, this framework seeks to regulate the processing of personal data within India and by Indian entities, as well as extend its scope to certain activities of non-Indian entities that have connections to India, while excluding anonymized data from its provisions.

Other data privacy laws

It is important to understand the data privacy laws that are pertinent to specific types of companies and to their data storage and processing methods. Compliance with ISO 27001, FISMA, and SOX should also be considered, and Varonis is recommended as a provider of comprehensive data protection solutions to facilitate compliance with these frameworks. Businesses are encouraged to engage with Varonis to address their data privacy requirements.

Data privacy: how to protect your data

In response to the increasing demands of compliance laws like GDPR, there’s a growing need for stringent data security measures. Individuals and industries can contribute to this process by utilising various personal data security solutions. These measures underscore the significance of data privacy and security for both consumers and service providers, ultimately enhancing their security and compliance standing.

Anti-virus software

Anti-virus software plays a critical role in detecting and removing malicious code. It uses signatures and heuristics to protect against rootkits, trojans, viruses, and other malware that can compromise sensitive data. It stands as one of the most widely used security tools for safeguarding consumer and personal information against privacy breaches.

Firewalls

Firewalls act as the initial line of defence, preventing unwanted traffic from infiltrating a network and serving as a shield against malware. By segregating networks and regulating port access, firewalls provide a robust layer of protection. Organisations can customise firewall policies to block or verify specific traffic, offering enhanced control and security.

Backup and recovery systems

In the event of accidental or deliberate data deletion or destruction, a reliable backup and recovery system is indispensable. It enables swift data restoration, ensuring minimal disruption in the face of data loss resulting from cyber threats or system malfunctions.

Access control

Access control mechanisms let users work with data remotely while limiting their ability to copy or store sensitive information locally on portable devices. Through mandatory logins and predefined conditions to detect unusual or suspicious access attempts, access control ensures heightened security across all systems.

Additionally, most industries implement specialised systems to strictly regulate access to personal data, typically employing an Access Control List (ACL). This list precisely outlines authorised individuals and the specific levels of access they are granted. ACLs are commonly based on whitelist and blacklist parameters to control the accessibility of information, bolstering data security within organisations.

Data privacy news and resources

Data privacy has gained widespread attention in the past year, making headlines in major newspapers and media outlets. For the latest developments and breaking news in the data privacy domain, it is essential to also consider specialised sources such as WIRED, HackerNoon, and InfoSecurity Magazine, as they frequently cover pertinent stories in this field.

Here are some of the biggest stories in data privacy at the moment:

California’s CCPA

The California Consumer Protection Act (CCPA), slated to take effect on January 1, 2023, will usher in the most comprehensive data privacy protections in the United States. Enacted in 2018, the CCPA grants consumers sweeping rights to control and protect their personal information, including the right to know what data is being collected, the right to opt-out of the sale of their data, and the right to request that their data be deleted.

In anticipation of the CCPA’s implementation, companies have been scrambling to bring their data practices into compliance. This has sparked discussions about the potential nationwide applicability of the CCPA, as other states consider adopting similar laws.

Several factors contribute to the CCPA’s significance in the landscape of data privacy law. First, its broad scope encompasses a wide range of personal information, including not only traditional identifiers like names and addresses but also online identifiers like IP addresses and cookies. Second, the CCPA’s opt-out provision gives consumers a powerful tool to prevent companies from selling their data without their consent. Third, the CCPA’s private right of action allows consumers to seek damages from companies that violate the law.

The CCPA’s potential nationwide applicability is also a matter of significant interest. While the CCPA is a California law, it has extraterritorial reach, meaning that it applies to businesses that collect the personal information of California residents, regardless of where those businesses are located. This has led some experts to believe that the CCPA could serve as a model for a federal data privacy law.

The CCPA’s potential impact on businesses is significant. Companies that are not in compliance with the CCPA may face hefty fines and penalties. Additionally, the CCPA’s private right of action could lead to a wave of lawsuits against businesses that violate the law.

As the CCPA’s effective date approaches, businesses must take steps to ensure that they are in compliance. This includes developing and implementing a comprehensive data privacy programme, training employees on the CCPA’s requirements, and providing consumers with clear and concise privacy notices.

Google’s Project Nightingale

Recent attention has been focused on “Project Nightingale,” a data-sharing collaboration between Google and Ascension, the USA’s second-largest healthcare provider. Although the data exchange was lawful, it has reignited public concerns regarding the extent of personal data sharing and its processing.
