KAZAKHSTAN LEGAL FORUM

What makes a good privacy law?

Nigel Waters, Privacy International, August 2011

1. The aim of a single law to cover all aspects of privacy is unrealistic. Need to break into appropriate and achievable components; e.g:

• Communications Surveillance law

• General information privacy or data protection law

• Statutory tort - private right of action (in common law jurisdictions) - appropriate for e.g. privacy and the media, where important balance needed with free speech

Even within information privacy/data protection sphere, both advantages and disadvantages in breaking up and addressing with separate laws for e.g. health, credit reporting, telecommunications, Spam, Do-not-call registers. History of piecemeal approach (e.g. in US) not good, but if only way of getting action, can be better than nothing?

2. Need to understand the limits of any information privacy/data protection law - it will never alone stop major intrusive government projects with authorising legislation, but can help stop more minor administrative intrusions, and can deliver important safeguards. Major projects need a separate political debate and, if the project ultimately goes ahead, a separate law to regulate them (e.g. ID cards). At least if government agencies have to comply with a privacy law’s requirements for transparency, integrity etc., it may make them more cautious about introducing badly designed schemes. But there is also a risk of governments’ use of privacy laws to re-assure the public that safeguards are in place when promoting intrusive projects.

3. Common elements to all information privacy/data protection laws, based on broadly similar principles in all international privacy instruments - OECD Guidelines, Council of Europe Convention, EU Directive and APEC Framework (and US 1970s Fair Information Principles).

Principles cover collection of personal information/data; use and disclosure (including cross border transfers); data quality; security; access and correction. Original laws applying differentially to public and private sectors are gradually giving way to universal coverage of both.

Effectiveness of laws depends on how these common principles are interpreted and enforced - ‘the devil is in the detail’. Weaknesses identified over 30 years of experience are now being fed into reviews of all the major international instruments in the hope of getting improved ‘benchmarks’.

Improvements suggested include (with comment on likely reaction):

Collection:

• More, and more useful, information in notices to individuals; better delivery of notices (will be opposed by both private and public sectors)

• Explicit principles of data minimisation and proportionality (opposition mostly from public sector)

• Anonymity/pseudonymity principle (opposed by both private and public sectors)

• A ‘right to be forgotten’?

Use & Disclosure:

• Clarification and strengthening of role of consent and choice (opt-in or opt-out) (will be opposed mostly by private sector - public sector will get legal authority to make consent irrelevant).

• Narrowing of authorised or required by law exception (will be opposed mostly by public sector).

Cross border transfer:

• Tougher limits on transfer without adequate protection in destination jurisdiction.

4. Even with best practice principles, usually a need for more specific sectoral rules for e.g. health, credit reporting - can either have separate sector specific privacy laws or provision for subordinate legislation (Regulations) or Codes of Practice under the generic law (commonly provided for but rarely taken up). Risks that Regulations or Administrative Orders can be slipped through without real scrutiny - Code provisions can at least require transparency and stakeholder consultation.

5. Good principles not enough - also need strong enforcement:

• Complaint provisions

• Remedies and sanctions

• Regulator powers

• Regulator independence

• Regulator resources (not usually quantified in legislation, so government can undermine effectiveness by starving of resources)

• Regulator accountability (can’t assume regulator will be effective)

• Pros and cons of combined Privacy and FOI/RTI regulators - probably only desirable when merging mature jurisdictions - when ‘new’ they both need independent champions.

Powers and functions of Data Protection Authorities (DPAs) or Privacy Enforcement Authorities (PEAs)

• Licensing - requires positive approval

• Registration - default assumption that applicant is compliant

• Codes of practice/Guidelines for how to implement general privacy principles in specific situations/activities

  ◦ Binding

  ◦ Advisory

• Audit and inspection

  ◦ By invitation

  ◦ With notice

  ◦ Unannounced

• Complaints investigation

  ◦ Individual

  ◦ Representative (class action)

  ◦ Damage threshold - financial, emotional?

• Education and Training

• Advice to governments

• Intervention in court or tribunal cases

Sanctions

• Compensation

• Fines/civil penalties/damages

• Compliance notice/injunction

• Criminal offences - prosecution

• Name and shame - reputational damage

New tools for privacy protection

• Data security breach notification

• Privacy Impact Assessment

• Privacy by Design
