Cyber-security & Privacy

FIND A SOLUTION AT Academic Writers Bay

BUSL315 Cyber-security & Privacy: Week 9
Privacy Regulation Outside of Australia (A brief sampling)
European Union’s General Data Protection Regulation
California’s Consumer Privacy Act
India: Aadhaar & High Court Recognition of a Constitutional Right to Privacy
GDPR: Transfers of EU Data to Third Countries
Data can only be transferred outside the EEA if it is transferred:
to an adequate jurisdiction (Australia has not been judged to be “adequate”);
into the US via the Privacy Shield (at risk due to Schrems2);
Via another appropriate safeguard (e.g. Binding Corporate Rules, Model Clauses); or
pursuant to a derogation (e.g. litigation; explicit consent).
GDPR: Sensitive Personal Data
Now known as Special Category Personal Data:
Racial / ethnic origin
Political opinions
Religious / Philosophical beliefs
Trade Union membership
Genetic or biometric data
Sex life / sexual orientation
Criminal offences / convictions not now included but separated out and similar extra safeguards put in place at Article 10
GDPR: Data Controllers and Data Processors
Controller says how and why personal data is processed
Processor acts on controller’s behalf
Processing includes:
GDPR: Data Collection
Data shall be:
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation)
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)
accurate and, where necessary, kept up to date (accuracy)
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation)
GDPR: Processing Data
Data shall be processed lawfully, fairly and transparently
Lawful – must not be in breach of other laws (e.g. HRA, PECR, common law duty of confidentiality) & must be lawful in accordance with Article 6 & 9 – Lawfulness of processing
Fair & Transparent – data subjects made aware (privacy notices etc); must ‘feel’ fair.
Data shall be processed with appropriate security, including protection against:
Unauthorised or unlawful processing
Accidental loss, destruction or damage (Integrity and confidentiality)
GDPR: Data Controllers are accountable
Data Controllers must:
Implement appropriate technical & organisational measure to ensure and demonstrate compliance (e.g. training, policies, audits etc)
Maintain relevant documentation (controller info, Purposes of processing, categories of data subjects / personal data, recipients of data, transfers to 3rd countries, retention schedules, and security )
Implement data protection by design (e.g. minimisation, pseudonymisation, transparency, security)
Use Data Protection Impact Assessments / Risk Assessments
Appoint a Data Protection Officer
GDPR: What is Consent?
“Consent” means:
“any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”
GDPR: What is Consent?
Different types of uses require separate consent.
Bundling multiple requests for consent may not be permitted.
Implied consent or requiring consumers to “opt out” is insufficient.
Silence, pre-ticked boxes or inactivity are not consent.
Must have the right to refuse or withdraw consent at any time.
Must be as easy to withdraw consent as to give it.
GDPR: Consent vs Legitimate Interests
Organisations might be able to rely on legitimate interests for print communications only and for holding the data in the first place
Consent is necessary for marketing by email or text
Mixture of legitimate interests and consent for marketing calls
GDPR: Applicable to Australian organisations?
The GDPR extends to controllers and processors not established in the EU if they process data which relates to data subjects in the EU.
Australian organisations need to comply with the GDPR if they:
are established within the EU;
offer goods or services to individuals in the EU; or
Monitor the behaviour of individuals in the EU (e.g. by tracking or profiling those individuals).
GDPR: How does it extend beyond Australian privacy law?
Right to erasure of data (“right to be forgotten”)
Right to object to processing (including automated decision-making, direct marketing / profiling)
Right to data portability
Privacy by Design and by Default
Fines up to 20 million euro, or 4 percent of annual worldwide turnover (whichever is higher)
GDPR: Responding to Data Breaches
Personal data breach is a breach of security leading to the destruction, alteration, unauthorised disclosure or, or access to, personal data
If Data Processor breached, they must notify the Data Controller When a breach occurs, the Data Controller must:
notify an EU national data regulator (e.g. UK ICO) where it is likely to result in a risk to the rights and freedoms of individuals (within 72 hours of being aware of the breach)
notify individuals where it is likely to result in a high risk to the rights and freedoms of individuals
GDPR: Collective (~Class) Actions
Brussels subway advertisements: 30 936 people have joined a “collective action” against Facebook Each seek Euro200+ compensation
Article 80 permits representative actions for privacy breaches
US investor class action already lodged against Neilsen for failure to make a timely disclosure of its GDPR non-compliance
Californian Consumer Privacy Act of 2018
Effective: Comes into force on 1 January 2020
Grants Rights to: All natural persons resident in California, except those visiting for temporary or transitory purposes. Residents domiciled in California who are temporarily or transiting outside the State also have rights.
What does it cover: broad definition of PI: any information that relates to a particular consumer or household
Exclusions: publicly available information; commercial conduct that takes place wholly outside California
Californian Consumer Privacy Act of 2018
Thresholds: (includes parents & subsidiaries)
$25M turnover (California or worldwide?); or
PI on 50 000+ Californian residents; or
50%+ of annual revenue from selling PI of Californian residents
Challenge: can you prove your company is not “doing business in California”?

YOU MAY ALSO READ ...  Poverty-stricken childhood

Penalties: up to $7500/intentional violation & up to $750 per resident / actual damages in class actions
Amendments to the CCPA in 2019
Tech lobby (and others) have been trying to water down the CCPA’s privacy protections: see Assembly Bill 1355 – subject to Governor’s veto powers
Assembly Bill 25: A bill to exclude job applicants, employees, contractors or agents personal information from being protected – Status: compromise of partial exclusion PASSED but 2021 sunset clause, so this will be re-visited
Assembly Bill 1416: A bill to ensure the CCPA doesn’t restrict a business’ ability to comply with a civil, criminal or regulatory inquiry AND expands protections for businesses to avoid complying with consumers’ rights – Status: PASSED
PI collected in the context of B2B transactions is exempted
Assembly Bill 1202: A bill requiring data brokers to register with the state’s Attorney-General, pay a registration fee and to honour consumer request to opt-out of the sale of their PI – Status: Passed
Other bills seeking to increase consumer protections (such as adding a private right of action and set 45-day breach disclosure requirements) have been blocked in the Senate

YOU MAY ALSO READ ...  Interpersonal Conflict

Tech lobby’s end-game: lobby federal congress for a weak federal privacy law (which could over-rule any additional protections granted to Consumers under the Californian CCPA)
Is GDPR Compliance Sufficient for this Californian Law?
In short, NO
Additional Californian Law obligations:
Prescribed disclosures and communication channels (incl toll-free numbers)
Broader definition of PI
Direct deletion rights
Broader access rights (e.g. disclosures that would implicate the privacy interests of third parties)
More rigid restrictions on data sharing for commercial purposes
Companies may offer financial incentives for the collection or sale of PI, but only with prior OPT-IN consent which is revocable at any time
Mandated OPT-IN before sale of PI for a person <16yo

Will this increase pressure for federal US private-sector privacy laws?
India: Aadhaar Technology
Aadhaar’s goal: to empower residents of India with a unique identity and a digital platform to authenticate anytime, anywhere
Aadhaar ensures Uniqueness through biometric attributes: Fingerprint & Iris
Aadhaar usage among Adult population is about 90%
India: Aadhaar Technology
Aadhaar’s features:
Random 12-digit Number – No Intelligence, No Profiling
Only a Number – No Smart Cards
All Residents – Including Children
Uniqueness – Ensured through biometric attributes
No Guarantee to Citizenship, Rights, Entitlements
Security and Privacy of Information Collected
Ubiquitous Online Authentication – From no ID to Online ID
India: Aadhaar technology
How can aadhaar be updated?
All the details including demographics, biometrics and photo can be updated by the resident At certain government offices
Details can be updated after biometric authentication and with required documents at any of the PEC
Update Client Lite is available for updating mobile, email & consent
SSUP (Self Service Update Portal)
Requires registered mobile number for OTP
Demographics including mobile, email can be updated
By Post
Resident can also send demographics update request by Post
Mobile Update API
Made available to selected AUAs / Enrolment Agencies Resident can update Mobile, Email & consent easily
India: Aadhaar Technology

YOU MAY ALSO READ ...  Network security discussion | Computer Science homework help

BUT: India had no national privacy law to protect against mis-use of user data or harms arising out of loss of the user data

India: Puttaswamy decision
Privacy is a fundamental right under the Constitution of India.
Although privacy is not mentioned in the Constitution, the right emerges primarily from the guarantee of life & personal liberty.
Privacy is the constitutional core of human dignity.
But, like other fundamental freedoms, privacy is not an absolute right. Its invasion can be justified on the basis of a law which advances a legitimate state aim, which is proportional to its object.
India: Puttaswamy decision
“The Attorney General argued before us that the right to privacy must be forsaken in the interest of welfare entitlements by the State. … The refrain that the poor need no civil and political rights and are concerned only with economic well-being has been utilised through history to wreak the most egregious violations of human rights. … The pursuit of happiness is founded upon autonomy and dignity. Both are essential attributes of privacy which makes no distinction between the birth marks of individuals.”
India: After Puttaswamy decision
India’s national government had to create a regulatory framework which could protect constitutional privacy rights
Srikrishna Committee report released August 2017: A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians
Cited my Data Localization article at fn299 on p92

Draft Personal Data Protection Bill (2018) released for debate – delayed by election (Modi re-elected, MEITY held further (limited, non-public) stakeholder consultations in August 2019)
India’s business community has generally supported the Bill as they perceive it will increase trust by foreign businesses in Indian out-sourced business- processing services, which are vital to its economy (many had already become GDPR-compliant data processors)

Order from Academic Writers Bay
Best Custom Essay Writing Services