Global Online Privacy Laws

It’s No Secret.

Numerous blogs and surveys with all kinds of statistics continue to show that threats to digital privacy and the security of personal information have become the number one concern of Internet users at an international and multinational level. These concerns are from the perspective of both the individual/consumer and businesses.

This privacy concern has substantially been focused on the cookie: a small piece of data that is sent from a website and stored in a user’s web browser while the user is browsing that website, and that can be used to track one’s online browsing history.

The European Union in particular was so concerned about the invasion of its citizens’ privacy by social media sites, such as Facebook and Google+ (which is owned by Google, just saying!), that it passed the “Cookies Legislation” in 2009, which became effective in 2011. However, as more data is collected, shared, and stored (sometimes indefinitely) in the universe known as Cyberspace, the concern about additional breaches of privacy and security has expanded to the collection, processing and storing of personal data in a cross-border, multinational environment.

Why is it important for you to know about online privacy issues?

As a consumer:

  • You have the right to trust that the information you post on, or provide to, a private/public company (such as a social media site) is not compromised; and
  • It is your obligation and right to understand any risk to your privacy and security worldwide, if/when you agree to any website’s privacy policies.

As a business:

  • It is your obligation to know if the data you are collecting, processing and storing and/or sharing is in accordance and compliance with national, and if applicable, cross-border, multinational online privacy laws, in order to manage your legal risk.

The Question

Therefore, the question before each of us, consumers and businesses, is not whether most countries have a common interest in protecting privacy and individual liberties, but rather do the existing laws and social actions and conventions in your country, as well as in other areas of the world, have a commonality of purpose in addressing privacy and security as they collect, process and store personal information?

Answering the Question

To begin to answer this important question, you need to first be aware of the current laws in your own country. To that end, to the right you will find a summary of the current state, as of 2012, 2013 and 2014, of the Privacy and Security laws in Australia, Canada, the European Union and the United States of America, as these countries are closely aligned in the use of digital communications, as well as in the economic arena.

You will notice that there are huge gaps in these laws

After reviewing the laws of your country, except for the European Union, you will notice that all of the laws summarized on the right:

  • Either do not address the digital protection and security of personal information or do so in a fragmented manner; and
  • The laws passed were at the federal or state levels with no consideration as to whether these laws can be applied consistently across the country itself, never mind internationally or multinationally.

About the author of this page

The information within this page has been provided to us by our colleague and friend, Judith Delaney. Judith is an attorney who specializes in global online privacy laws and issues and social media law. A member of Agnes + Day’s Crisis Intelligence Team, Judith helps organizations integrate new media strategies with business strategies to effectively manage risk associated with online compliance such as the HIPAA Omnibus Rule, global social media privacy and data protections and contract risk management.

Disclaimer: The information contained on this page is provided only as general information and may or may not reflect the most current developments, legal or otherwise, pertaining to the subject matter thereof. Accordingly, this information is not promised or guaranteed to be correct or complete, and is not intended to create, or constitute formation of an attorney-client relationship. The author expressly disclaims all liability in law or otherwise with respect to actions taken or not taken based on any or all of the content of this article.

AUSTRALIA

In the public sector, Australia has had privacy legislation since 1988 in the form of The Privacy Act 1988 (Cth) (as amended). The Privacy Act sets privacy standards for dealing with personal information and applies to Australian Government (Commonwealth) and ACT government agencies, and to private sector organizations across Australia. This Act is administered by the Office of the Federal Privacy Commissioner. Other legislation includes the Spam Act 2003, which specifically deals with unwanted commercial electronic messages, also known as spam or “junk mail”; and The Telecommunications (Interception and Access) Act 1979, which provides protection to the privacy of those who use the Australian telecommunications system and deals with the situations where it is lawful for interception of, or access to, communications to take place.

In addition to the foregoing and as applicable to New South Wales: the New South Wales Privacy and Personal Information Protection Act 1988 (NSW) sets privacy standards for dealing with personal information in all NSW state and local government, and is administered by Privacy NSW. While the Act pertains mainly to the New South Wales public sector, it bestows upon the New South Wales Privacy Commissioner the power to investigate and conciliate privacy breaches for private organizations. The Surveillance Devices Act 2007 (NSW) covers the installation, use and maintenance of listening, optical, tracking and data surveillance devices, and restricts the communication and publication of private conversations, surveillance activities and information obtained from their use.

The Bottom Line: None of these current laws address the general right of an individual to privacy.

Update: As of January 25, 2013, Australia now has The Australian Privacy Amendment (Enhancing Privacy Protection) Act 2012 (the “Act”) which will make significant changes to the Privacy Act 1988, including an expansion of obligations to the public and private sectors to give individuals information about the countries to which their personal information might be transferred, as well as to their rights of access and to have a complaint considered (APP5).

CANADA

Privacy in Canada is primarily regulated through two federal laws:

  • The Privacy Act: regulating government and public sector institutions; and
  • The Personal Information Protection and Electronic Documents Act (PIPEDA): regulating certain private sector, profit and not-for-profit organizations.

The Privacy Act (1983) puts restrictions upon “the collection, use and disclosure of personal information” (Office of the Privacy Commissioner of Canada). This law also gives individuals the right to access and to correct any information collected about them.

Similar rights are enforced upon the private sector through PIPEDA (2000), including the right of consumers to know why specific personal information is required. For the sake of both of these bills, personal information is defined as follows: “Personal Information” means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization (source: PIPEDA). However, PIPEDA is superseded by provincial laws which are “substantially similar to the federal law” (Office of the Privacy Commissioner of Canada). For example, British Columbia and Quebec’s private industry are largely governed by provincial laws, while in Ontario only the health care industry is provincially regulated.

The Bottom Line: Canadian lawyers may argue the point, but the fact is that none of these privacy laws are targeted at online privacy specifically. Rather, they are meant to be broad, sweeping regulations to ensure that Canadians’ private information will not be abused.

Update: Several important cases regarding data protection, such as United Food and Commercial Workers, Local 401 v. Alberta (Attorney General), and Citi Cards Canada v. Pleasance are being monitored as to their potential impact on how Canada protects personal data.

EUROPE

As a result of the passing of the 1995 data privacy law (as amended) called the “European Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data” (the “Directives”), the 27 countries of the European Union have enacted data privacy laws at the national/federal level that must reach both government and private entities, including businesses that process employee and consumer data.

The Bottom Line: The Directives clearly state the online privacy rights of the individual.

Update: The European Union’s continuance of its 2012 introduction of a new data protection regulation, the “European Data Protection Regulation” (the “Regulation”), which is scheduled to be put before the European Parliament and Council in the very near future, represents substantial restrictions on how companies handle personal data. The proposals set out in the Regulation as amendments would severely curtail the ability of services (e.g. Facebook, Instagram, Twitter, Google, etc.) to claim that they have legitimate grounds for collecting, analyzing or selling the personal data of their users. They also make it far more difficult for services to claim that they have a user’s consent for processing their data, even where a user has signed up to a site’s terms and conditions.

The European Parliament and Council will then decide and vote on the final text of the Regulation. Once the final text of the Regulation has been agreed upon, it is expected to come into force in 2013, after which European member states will have two years before they need to enforce the legislation at a local level.

Update: There is a new EU Data Protection Regulation which will replace the existing EU data protection directives. On Wednesday, April 17th, 2013, the EU Parliament postponed until later in May 2013 a final vote on the proposed overhaul of the European Union’s data protection regime, as companies and regulators continue to push lawmakers to loosen restrictions on the collection and use of consumer personal data.

Part of the “push” by lawmakers has to do with Opinion 03/2013 (‘the Opinion’), which the Article 29 Working Party (WP29) adopted on April 2, 2013. The Opinion analyzes the purpose limitation principle and calls for it to be strengthened under the Draft EU Data Protection Regulation (Draft Regulation), particularly with the increasing ubiquity of big data and open data. “The traditional approach to ‘purpose limitation’ is only truly relevant to data provided directly and voluntarily by the data subject”, stated Eduardo Ustaran, Partner and Head of the Privacy and Information Law Group at Field Fisher Waterhouse. “But ‘purpose limitation’ is not that relevant as a mechanism to prevent misuses of big data, which appears to be a key concern for the regulators.”

UNITED STATES

In the United States, the regulation of online privacy is complicated by the fact that Federal laws sometimes differ from state laws. Online privacy is generally seen as falling under the Fourth Amendment, or the right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures (none of which appear to address the “new” issue of online privacy). Since the Constitution is generally not amended, new issues, such as Internet privacy, incent the states to pass their own State laws. Currently, “ten states have constitutional provisions that expressly provide greater privacy protections than those provided for in the U.S. Constitution” (NCLS).

Until 2011, the most important Federal U.S. law governing wire, oral and electronic communications was the Electronic Communications Privacy Act (ECPA) of 1986. This Act was mostly concerned with pre-internet wiretapping and bugging, but is an important legal document which has served as the foundation for later electronic privacy legislation.

Another law linked to the monitoring of online information of private individuals is the 2001 Patriot Act, which allows for wiretaps of U.S. citizens suspected of being connected to terrorist activities. This law “modified portions of numerous electronic communications laws, including the ECPA and FISA, expanding the authority of federal law enforcement to combat terrorism” (Cornell Law). In more recent years, namely 2011, two bills attempting to regulate internet piracy – the PROTECT IP Act of 2011 (Protect IP) in the Senate, and the Stop Online Piracy Act (SOPA) – were passed and later put on hold. The two represented “the latest legislative attempts to address a serious global problem: large-scale online copyright and trademark infringement” (Lemley et al. 34).

The Bottom Line: In the United States, while there are some separate laws to protect medical privacy (HIPAA) and children (the Children’s Online Privacy Protection Act (COPPA), as amended in December, 2012 (“COPPA RULE”)), there is no federal law that brings consistency across the country as to the control and use of online data, inclusive of personal information.

Further updates and more information

For more on Internet law and its related issues and topics, visit the “social media law” section of Agnes + Day’s Crisis Intelligence Blog.