US/EU Privacy Laws

Source: Trailhead: US Privacy Law Basics

  • List the government agencies involved in US privacy law.
  • Describe the framework of US privacy laws.
  • Explain key US privacy statutes.

Privacy Overview

  • How personal information can be collected
  • How personal information can be used
  • How and with whom personal information can be shared
  • Where and how personal information can be stored
  • How personal information must be secured
  • When to delete or amend personal information
  • If and how personal information can be transferred to other countries
  • How breaches of personal information are reported
  • What rights individuals have regarding their personal information

List of Personally Identifiable Information (PII)
* Address
* Birthdate
* First and last name
* SSN
* Location data
* IP addresses
* Username

Federal Trade Commission (FTC)

HIPAA – Health Insurance Portability and Accountability Act
Department of Health and Human Services (HHS)
PROTECT HEALTH INFORMATION — HHS’ HIPAA Resources for Professionals
— Access their own PHI
— Direct the disclosure of their PHI to a third party
— Request amendment of inaccurate or incomplete PHI
— Receive a list of the PHI disclosures made by the covered entity
— Request restrictions on the use or disclosure of their PHI
— Request specific requirements or restrictions on the means of communication of their PHI
Combined Text of the HIPAA Regulations (45 CFR Parts 160, 162, and 164)

Financial Service Industry
* List the types of financial services companies subject to federal privacy law
* Describe the provisions and obligations of financial services privacy laws.

Terms:
Consumer Reporting Agency (CRA)
Consumer Report
Investigative Consumer Report
User – A person or an entity that purchases a consumer report from a CRA
Furnisher – An entity that provides credit history or information to a CRA for use in a consumer report
FCRA [Fair Credit Reporting Act]
FACTA [Fair and Accurate Credit Transactions Act]

Gramm-Leach-Bliley Act (GLBA)
– GLBA imposed requirements on financial institutions with regard to the use and disclosure of their customers’ nonpublic, personally identifiable financial information.
Q: What is personally identifiable information [PII] under GLBA? Information that meets any one of the following:
1. It was provided by a consumer to a financial institution
2. It results from a transaction or service performed for the consumer
3. It was otherwise obtained by a financial institution
Examples of nonpublic personal information:
* Basic Contact Information
* Social Security Number
* Account Information
* Application Information
* Internet Cookie Information
* Consumer report information obtained by the financial institution
* The fact that an individual is a consumer or customer of the financial institution

California Online Privacy Protection Act (CalOPPA)

The law defines personally identifiable information to include all details collected about an individual visitor to the website – everything from name to hair color.

The Shine the Light Act

When a California resident requests it, for-profit companies must disclose any personal information they shared with third parties, and who those third parties are.

The Song-Beverly Credit Card Act

Under this law, retailers and other businesses cannot ask a customer for personal identification information during a credit card transaction. Personal identification information under the law consists of any information regarding the customer other than the information on the credit card.

The California Consumer Privacy Act (CCPA)

CCPA protects the data privacy rights of California residents and affects businesses that collect or use the personal information of Californians.

Salesforce Platforms
* Data processing addendum
* Trust and Compliance documentation

European Union Privacy Law

  • General Data Protection Regulation (GDPR)
  • Key privacy terms
  • How GDPR changes EU privacy law

Key Terms
Data Subject: A “natural person” who can be identified from personal data
Personal Data: Any information relating to an identified or identifiable data subject
Sensitive Personal Data: Personal data pertaining to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership…
Processing: Anything that is done to or with personal data
Controller: an entity that determines the purposes and means of the processing of personal data
Processor: an entity that processes personal data based on the instructions of a controller.
Pseudonymous Data: Personal data that cannot be tied to a specific data subject without additional information that is stored separately, with technological measures to ensure the data is not combined with that additional information.
Anonymous Data: Data that cannot ever be connected to an identified or identifiable person.

How GDPR changes EU privacy law
  1. Basis of data processing
  2. Compliance obligations
  3. Breach notification
  4. Data protection officer
  5. Enforcement
  6. Use of processors
  7. Profiling
  8. Data subject rights
  9. One-stop-shop

Methods to protect personal data
1. Encryption
2. Pseudonymization
3. Anonymization
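As an added illustration of pseudonymization versus anonymization as defined in the Key Terms above (example code written for these notes, not from Trailhead or Salesforce), the script below replaces direct identifiers with an HMAC token whose key and link table are kept apart from the data set, and contrasts that with anonymization, which keeps no way to link back. The record values are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (placeholder values, not real people).
RECORDS = [
    {"name": "Ana Example", "ssn": "000-00-0001", "birthdate": "1990-04-12", "zip": "94105"},
    {"name": "Bo Sample", "ssn": "000-00-0002", "birthdate": "1985-11-30", "zip": "94107"},
]

DIRECT_IDENTIFIERS = ("name", "ssn")


def pseudonymize(records, key):
    """Replace direct identifiers with a keyed token (HMAC-SHA256 over the SSN).

    Returns the pseudonymized records and the link table, which is the
    'additional information' that must be stored separately from them.
    """
    pseudonymized, link_table = [], {}
    for r in records:
        token = hmac.new(key, r["ssn"].encode(), hashlib.sha256).hexdigest()[:16]
        link_table[token] = {k: r[k] for k in DIRECT_IDENTIFIERS}
        rest = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        pseudonymized.append({"subject_id": token, **rest})
    return pseudonymized, link_table


def reidentify(record, link_table):
    """Only whoever holds the separately stored link table can re-link a token."""
    return link_table.get(record["subject_id"])


def anonymize(records):
    """Drop direct identifiers and generalize quasi-identifiers (birth year, ZIP3).

    No key or link table is kept, so the output cannot be tied back to a person.
    """
    return [{"birth_year": r["birthdate"][:4], "zip3": r["zip"][:3]} for r in records]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep this key and the link table apart from the data set
    pseudo, links = pseudonymize(RECORDS, key)
    print(pseudo)
    print(reidentify(pseudo[0], links))
    print(anonymize(RECORDS))
```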
Institution’s Accountability over Personal data
1. Privacy by Design
2. Privacy by Default
3. Data Protection Impact Assessments