Almost every state in the United States has a breach notification law. These laws generally require private or government entities to notify individuals of breaches of personal data, define what constitutes a security breach, set notification requirements (e.g., timing and method), and provide exceptions (e.g., for encrypted information). In South Africa, the Protection of Personal Information Act 4 of 2013 (most of which was not yet in force as of August 2018) requires the responsible party to notify the Information Regulator (the national supervisory authority) and the data subject of security breaches as soon as reasonably possible after discovering the breach, taking into account the legitimate needs of law enforcement authorities or any action reasonably necessary to determine the extent of the compromise and restore the integrity of the responsible party's information system. The notification must contain sufficient information to enable the data subject to take protective measures against the possible consequences of the breach. The Information Regulator may order the responsible party to publicise information about the security breach if doing so would protect those who may be affected (Protection of Personal Information Act 4 of 2013, section 22).

Because data protection standards abroad are uncertain, many countries restrict the offshore transfer of personal data. Such transfers may be permitted in certain circumstances or where the data protection standards of the receiving country are considered adequate. This is particularly sensitive for the personal data held in national identification, civil registration and voter registration systems. In addition to cross-border data transfer, the legal framework may also include rules on regional or international interoperability or mutual recognition of identification systems. The exchange of information between government agencies, if not well regulated, can also become a "back door" that bypasses the data protection rules that apply to individuals.
Comprehensive demographic databases, such as those set up as part of identification systems, are a tempting resource for law enforcement, especially if they contain biometric data. This is particularly true of DNA data, which, like other biometric data, can be used not only to identify an individual but also as evidence in an investigation to determine whether that individual has committed a crime.

Box 9. Examples of data protection supervisory authorities

With the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and new laws coming into effect in Colorado and Virginia in 2023, Congress and (more importantly) different districts are paying attention to the states. With each new state law, the baseline for a possible national data protection law rises (which means that the price of preemption increases).

In addition to user consent, numerous legal and regulatory frameworks, including the OECD Data Protection Framework, Chapter 3 (OECD 2013), the International Covenant on Civil and Political Rights, General Comment 16 on Article 17 (UN 1988), Council of Europe Convention 108+ (CoE 2018) and the APEC Data Protection Framework, Article 23c (APEC 2004), include the rights of individuals to access, review, rectify and delete personal data concerning them. Even in a mandatory identification system, the "right to erasure" or the "right to be forgotten" could arise in relation to certain aspects of personal data, such as biometric data (in particular genetic material), a previous married surname, or the names of the biological parents of an adopted child (see, for example, Kelly & Satola 2017, Kindt 2013, Chadwick 2014). Legal measures ensuring the rights of access, review, rectification and erasure of personal data should be put into practice through clear administrative procedures, technical measures that give individuals control over their data, and redress in the event of complaints.
Under new leadership, the Federal Trade Commission has committed to taking a wide range of actions to expand its reach on privacy, security, and many other areas of consumer protection. This may include an expanded rule-making process to develop principles for privacy violations under its Section 5 authority in the FTC Act. Among existing frameworks, the European Union's (EU) General Data Protection Regulation (GDPR) of 2016 is the latest example of comprehensive data protection and privacy regulation, setting a new threshold for international best practice. Building on existing principles (e.g. the OECD Principles on Data Protection), it has become an important reference point for global work in this area. Article 5 of the GDPR enshrines the basic principles described above and requires that the collection, storage and use of personal data be carried out as follows:

Kirk J. Nahra is a partner at WilmerHale in Washington, D.C., where he is co-chair of the firm's global cybersecurity and privacy practice. He teaches privacy issues at several law schools, is a member of the Cordell Institute for Policy in Medicine & Law at Washington University in St. Louis, and is a fellow of the Institute for Critical Infrastructure Technology.

Article 4(2) of the 2016 EU Police and Criminal Justice Data Protection Directive requires that personal data collected for other purposes, such as an identification system or civil registration, may be processed by the same controller or another controller for criminal-justice purposes other than the purpose for which the personal data were collected only to the extent that (a) there is legal authorisation to do so, and (b) such processing is necessary and proportionate to that other purpose.