Editor’s Note: I’m very pleased to be providing you with the invaluable expertise and knowledge of Judith Delaney, from TurnsonPoint Consulting. Within this page, Judith has outlined the complex (and often inadequate) online privacy and security laws from around the globe. This page will always be kept current as Judith is dedicated to keeping it updated as new laws form and pass. Be sure to bookmark it and check back periodically!
It’s No Secret.
Numerous blogs and surveys with all kinds of statistics continue to show that threats to digital privacy and security of personal information has become the number one concern of Internet users at an international and multinational level. These concerns are from the perspective of both the individual/consumer and businesses.
This privacy concern has substantially been focused on the cookie (small files that track one’s online browsing history usually using a small piece of data sent from a website and stored in a user’s web browser while a user is browsing the given website.)
The European Union in particular was so concerned about the invasion of its citizens privacy by social media sites, such as Facebook and Google, that it passed the “Cookies Legislation” in 2009, which became effective in 2011. However, as more data is collected, shared, and stored in the universe known as Cyberspace (sometimes indefinitely) the concern of additional breaches to privacy and security has expanded to the collection, processing and storing of personal data in a cross-border, multinational environment.
Why is it important for you to know of this concern?
As a consumer:
- you have the right to be able to trust that the decisions a government entity or a private/public company make, as to the protection of your privacy and the security of your data – and specifically your personal information – you digitally post or provide them with is not compromised; and
- it is your obligation and right to understand any risk to your privacy and security worldwide, if/when you agree to any website’s privacy policies
As a business:
- it is your obligation to know that the data you are collecting, processing and storing and/or sharing is in accordance and compliance with national, and if applicable, cross-border, multinational online privacy laws, in order to manage your legal risk
Therefore, the question before each of us, consumer and businesses, is not whether most countries have a common interest in protecting privacy and individual liberties, but rather do the existing laws and social actions and conventions in your country, as well as in other areas of the world, have a commonality of purpose in addressing privacy and security as they collect, process and store personal information?
Answering the Question
To begin to answer this important question, you need to first be aware of the current laws in your own country. To that end, below you will find a summary of the current state, as of 2012 and 2013, of the Privacy and Security laws in Australia, Canada, the European Union and the United States of America, as these countries are closely aligned in the use of digital communications, as well as in the economic arena.
Global Online Privacy and Security Laws
In the public sector, Australia has had privacy legislation since 1988 in the form of The Privacy Act 1988 (Cth) (as amended) which sets privacy standards for dealing with personal information and applies to Australian Government (Commonwealth) and ACT government agencies, the private sector organizations across Australia, and is administered by the Office of the Federal Privacy Commissioner; the Spam Act 2003 which specifically deals with unwanted commercial electronic messages, also known as spam or “junk mail”; and The Telecommunications (interception and Access) Act 1979 which provides protection to the privacy of those who use the Australian telecommunications system and deals with the situations where it is lawful for interception of, or access to, communications to take place. In addition to the foregoing and as applicable to New South Wales: the New South Wales Privacy and Personal Information Protection Act 1988 (NSW) which sets privacy standards for dealing with personal information, in all NSW state and local government and is administered by Privacy NSW. While the Act pertains mainly to the New South Wales public sector, it bestows upon New South Wales Privacy Commissioner the power to investigate and conciliate privacy breaches for private organizations; and The Surveillance Devices Act 2007 (NSW) covers the installation, use and maintenance of listening, optical, tracking and data surveillance devices and restricts the communication and publication of private conversations, surveillance activities and information obtained from their use.
Bottom Line: None of these current laws address the general right of an individual to privacy.
Update: As of January 25, 2013, Australia now has The Australian Privacy Amendment (Enhancing Privacy Protection) Act 2012 (the “Act”) which will make significant changes to the Privacy Act 1988, including an expansion of obligations to the public and private sectors to give individuals information about the countries to which their personal information might be transferred, as well as to their rights of access and to have a complaint considered (APP5).
Privacy in Canada is primarily regulated through two federal laws, the Privacy Act—regulating government and public sector institutions—and the Personal Information Protection and Electronic Documents Act (PIPEDA)—regulating certain private sector, profit and not-for-profit organizations. The Privacy Act (1983) puts restrictions upon “the collection, use and disclosure of personal information” (Office of the Privacy Commissioner of Canada). This law also gives individuals the right to access and to correct any information collected about them. Similar rights are enforced upon the private sector through PIPEDA (2000) including the right of consumers to know why specific personal information is required. For the sake of both of these bills personal information is defined as “personal information” means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization” (PIPEDA). However, PIPEDA is superseded by provincial laws which are “substantially similar to the federal law” (Office of the Privacy Commissioner Of Canada). For example, British Columbia and Quebec’s private industry are largely governed by provincial laws, while in Ontario only the health care industry is provincially regulated.
Bottom Line: Canadian lawyers may argue the point, but the fact is that none of these privacy laws are targeted at online privacy specifically. Rather they are meant to be broad sweeping regulations to ensure that Canadian’s private information will not be abused.
As a result of the passing of the 1995 data privacy law (as amended) called the European Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data” (the “Directives”) the 27 countries of the European Union have enacted data privacy laws at the national/federal level that must reach both government and private entities, including businesses that process employee and consumer data.
Bottom Line: the Directives clearly state the online privacy rights of the individual.
Update: The European Union’s continuance of its 2012 introduction of a new data protection regulation the “European Data Protection Regulation” (The Regulation”), which is scheduled to be put before the European Parliament and Council in the very near future, represents substantial restrictions on how companies handle personal data. The proposals set out in the Regulation as amendments would severely curtail the ability of services (e.g. Facebook, Instagram, Twitter, Google, etc.) to claim they have legitimate grounds for collecting, analyzing or selling the personal data of their users. They also make it far more difficult for services to claim they have a user’s consent for processing their data, even where a user has signed up to a site’s terms and conditions.
The European Parliament and Council will then decide and vote on the final text of the Regulation. Once the final text of the Regulation has been agreed, it is expected to come into force this year (2013), after which European member states will have two years before they need to enforce the legislation at a local level.
In the United States, the regulation of online privacy is complicated by the fact that Federal laws sometimes differ from state laws. Online privacy is generally seen as falling under the Fourth Amendment, or the right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures (none of which appears to address the “new” issue of online privacy). Since the Constitution is generally not amended, new issues, such as Internet privacy, incent the states to pass their own State laws. Currently, “ten states have constitutional provisions that expressly provide greater privacy protections than those provided for in the U.S. Constitution” (NCLS). Until 2011, the most important Federal U.S. law governing wire, oral and electronic communications was the Electronic Communications Privacy Act (ECPA) of 1986. This Act was mostly concerned with pre-internet wiretapping and bugging, but is an important legal document which has served as the foundation for later electronic privacy legislation.
Another law linked to monitoring of online information of private individuals is the 2001 Patriot Act, which allows for wiretaps of U.S. citizens suspected of being connected to terrorist activities. This law “modified portions of numerous electronic communications laws, including the ECPA and FISA, expanding the authority of federal law enforcement to combat terrorism” (Cornell Law). In more recent years, namely 2011, two bills attempting to regulate internet piracy – the PROTECT IP Act of 2011 (Protect IP) in the Senate and the Stop Online Piracy Act (SOPA) – were passed and later put on hold. The two represented “the latest legislative attempts to address a serious global problem: large-scale online copyright and trademark infringement” (Lemley et al. 34).
Bottom line: In the United States, while there are some separate laws to protect medical privacy (HIPPA) and children (Children’s online Privacy Protection (COPPA)) as amended in December, 2012 (“COPPA RULE”) there is no federal law that brings consistency across the country as to the control and use of online data, inclusive of personal information.
To see which U.S. states currently restrict employers and academic institutions from requesting access to employees’ and students’ personal social media accounts, click here.
There are huge gaps in these laws
Wow! Except for the European Union, all of the laws summarized above:
- either do not address the digital protection and security of personal information or do so in a fragmented manner ; and
- the laws passed were at the federal or state levels with no consideration whether these laws can be applied consistently across the country itself, never mind internationally or multinationally.
For example, In 2010, a bill was approved by Germany’s cabinet to be presented to the German Parliament that would have restricted employers’ use of social media content posted by an employee or a job applicant unless that employee or applicant makes such information publicly available. In January of this year in the United states, several states passed laws that make it illegal for companies and/or academic institutions to request social networking passwords or nonpublic online account information from behind the “social media wall”. Most would agree that this is a good step forward. However, the common concern of consumers and businesses is that the laws that were being considered, or that passed, were at the national and state levels with no consideration of whether these laws can be applied to protect and secure the personal information of non German and U.S. employees worldwide, as communications networks and data transfers in areas, including but not limited to, human resources, financial, education, and health are now an integral part of the worldwide economy.
There is no doubt that, given the ease with which information can be instantly transferred at anytime to any place, countries are starting to recognize the need to address the privacy and protection of personal information at a federal/national level, for consistency of compliance throughout a country. Furthermore, there is a realization that countries need to work together on an international level to address and implement a commonality in terms of a “worldwide and systematic approach to cross-border online privacy law enforcement”.
To continue to answer the above question:
Do the existing laws and social actions and conventions in my country, or in other areas of the world, have a commonality of purpose in addressing privacy and security as they collect, process and store personal information?
I will continue to follow and update this web page on the developments around the roll out of the Australia Amendment and the EU data protection reform, as well as all global developments in 2013 and beyond, as it relates to the protection and security of personal information so that:
- you as a consumer will better understand how such reforms may significantly impact your rights of privacy;
- businesses will better understand how such reforms may significantly impact their current types of policies and practices that need to change to be in compliance with the law with respect to privacy.
So please visit this site regularly for timely updates.
Disclaimer: The information contained in this article is provided only as general information and may or may not reflect the most current developments legal or otherwise pertaining to the subject matter thereof. Accordingly, this information is not promised or guaranteed to be correct or complete, and is not intended to create, or constitute formation of an attorney-client relationship. The author expressly disclaims all liability in law or otherwise with respect to actions taken or not taken based on any or all of the content of this article.
About the author, Judith Delaney
Founder and Principal at TurnsonPoint Consulting, Judith is a hands-on leader in the importance of integrating legal strategy with business strategy, in order to manage risk in the world of social media. A sought after speaker, she shares her expertise through presentations and workshops on how to manage compliance and legal risks in social media. Be sure to visit Judith’s blog on Minimizing Social Media Legal Risks.