2. 1973 HEW Report
Records, Computers and the Rights of Citizens: report of the Secretary’s Advisory Committee on Automated Personal Data Systems – U.S. Department of Health, Education & Welfare
“Safeguards for personal privacy based on our concept of mutuality in record-keeping would require adherence by record-keeping organizations to certain fundamental principles of fair information practice.”
3. 1980s
OECD Guidelines
OECD 7 Principles
• Notice—data subjects should be given notice when their data is being collected;
• Purpose—data should only be used for the purpose stated and not for any other purposes;
• Consent—data should not be disclosed without the data subject’s consent;
• Security—collected data should be kept secure from any potential abuses;
• Disclosure—data subjects should be informed as to who is collecting their data;
• Access—data subjects should be allowed to access their data and make corrections to any inaccurate data;
• Accountability—data subjects should have a method available to them to hold data collectors accountable for not following the above principles.
4. 1990s
Industry Measures
• Privacy safeguards were enacted in the health care and financial sectors through passage of the Health Insurance Portability and Accountability Act (HIPAA) in 1996 and the Gramm-Leach-Bliley Act in 1999.
• In Europe, the European Union adopted its Data Protection Directive in 1995.
• US-EU Safe Harbor Framework approved in 2000 to permit cross-continental data sharing.
5. 2000
FTC Calls for Regulation
• After a series of studies and reports to Congress, the Clinton FTC proposes that websites adhere to four privacy principles:
• Notice – Web sites would be required to provide consumers clear and conspicuous notice of their information practices, including what information they collect, how they collect it (e.g., directly or through non-obvious means such as cookies), how they use it, how they provide Choice, Access, and Security to consumers, whether they disclose the information collected to other entities, and whether other entities are collecting information through the site.
• Choice – Web sites would be required to offer consumers choices as to how their personal identifying information is used beyond the use for which the information was provided (e.g., to consummate a transaction). Such choice would encompass both internal secondary uses (such as marketing back to consumers) and external secondary uses (such as disclosing data to other entities).
• Access – Web sites would be required to offer consumers reasonable access to the information a Web site has collected about them, including a reasonable opportunity to review information and to correct inaccuracies or delete information.
• Security – Web sites would be required to take reasonable steps to protect the security of the information they collect from consumers.
6. BUSH ERA
Privacy Legislation on Hold
• Bush FTC drops call for privacy legislation
• 2002 – California enacts first data breach notification law
• 2003 – California Online Privacy Protection Act requires websites to post a privacy policy if they collect personally identifiable information
7. OBAMA ERA - 1
FTC Revisits Privacy Regulation
• Obama FTC launches a series of privacy roundtables that lead to several key recommendations.
• PRIVACY BY DESIGN: Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services. Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention practices, and data accuracy.
• SIMPLIFIED CHOICE: Companies should simplify consumer choice. Companies do not need to provide choice before collecting and using consumers’ data for commonly accepted practices, such as product fulfillment. For practices requiring choice, companies should offer the choice at a time and in a context in which the consumer is making a decision about his or her data.
• GREATER TRANSPARENCY: Companies should increase the transparency of their data practices. Privacy notices should be clearer, shorter, and more standardized, to enable better comprehension and comparison of privacy practices.
8. OBAMA ERA - 2
Privacy Bill of Rights
• Principal Element – Concise and Easily Understandable Disclosures
• (a) In General. Each covered entity shall provide individuals, in concise and easily understandable language, accurate, clear, timely, and conspicuous notice about the covered entity’s privacy and security practices. Such notice shall be reasonable in light of context. Covered entities shall provide convenient and reasonable access to such notice, and any updates or modifications to such notice, to individuals about whom it processes personal data.
• (b) Contents of Notice. The notice required by subsection (a) shall include but is not limited to (1) the data collected; (2) the purpose it is collected for; (3) the persons to whom it is disclosed; (4) how long the data is retained; (5) how a consumer may access his data and revoke consent; (6) where to send complaints; and (7) data security measures.
• Additional Elements:
• Consumer Control – Covered entities would be required to allow consumers to exercise control over what data is collected about them and how it is used;
• Respect for Context – Covered entities collect and use data in ways that are consistent with the context in which consumers provide such data. Would require internal reviews of privacy and security practices for data collected outside of such contexts.
• Security – Covered entities would be required to identify reasonable risks and implement safeguards designed to protect against breach, theft, loss, etc. of personal data.
• Access and Accuracy – Covered entities would be required to grant individuals access to, or an accurate representation of, data collected about them upon request. The consumer would have the right to correct or amend the data.
9. OBAMA ERA - 3
EU Developments
• 2014 – Edward Snowden revelations regarding NSA data collection.
• 2015 – EU Court of Justice invalidates Safe Harbor program
• 2016 – US-EU agree to Privacy Shield
• 2016 – EU approves General Data Protection Regulation – effective 2018
10. TRUMP ERA
Privacy Happens
• May 2018 – EU GDPR goes into effect
• June 2018 – California passes Consumer Privacy Act.
• Industry seeks Federal solution to preempt California law.