Basic Terms/Privacy Overview Flashcards
EU - U.S. Safe Harbor Agreement
An agreement between the EU and US, invalidated by the Court of Justice of the EU in 2015, that allowed for the legal transfer of PI between the EU and US in the absence of a comprehensive adequacy decision for the US. It was replaced by the EU-US Privacy Shield.
Privacy Shield
Created in 2016 to replace the invalidated EU-US Safe Harbor agreement, the Privacy Shield is an adequacy agreement that allows for the transfer of personal data from the EU to the US for companies participating in the program. Only those companies that fall under the jurisdiction of the US FTC may certify to the Shield principles and participate, which notably excludes health care, financial services, and non-profit institutions.
Binding Corporate Rules (BCRs)
An appropriate safeguard allowed by GDPR to facilitate cross-border transfers of PI between the various entities of a corporate group worldwide. They do so by ensuring that the same high level of protection of personal data is complied with by all members of the organizational group by means of a single set of binding and enforceable rules.
Standard Contractual Clauses
Contractual clauses or mechanisms, adopted either directly by the European Commission or by a supervisory authority, by which organizations can commit to protect personal data in order to facilitate ongoing and systematic cross-border personal data transfers.
Certification Mechanisms
Introduced by GDPR, a new valid adequacy mechanism for the transfer of personal information outside of the EU in the absence of an adequacy decision and instead of other mechanisms such as BCRs or contractual clauses. Certification Mechanisms must be developed by certifying bodies, approved by data protection authorities or the European Data Protection Board, and have a methodology for auditing compliance.
Electronic Discovery (e-Discovery)
Requires civil litigants to turn over large volumes of a company’s electronic records in litigation.
EU Data Protection Directive
Replaced by GDPR in 2018, the directive was adopted in 1995, took effect in 1998, and was the first EU-wide legislation that protected individuals’ privacy and personal data use.
APEC Privacy Framework
A set of non-binding principles adopted by APEC that mirror the OECD Fair Information Privacy Practices. They seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs.
Note: The details of GDPR and the APEC framework are outside the scope of CIPP/US. You only need to understand the high-level concept.
Right to Financial Privacy Act of 1978
Summary:
1. Requests must reasonably identify the records
2. Requests must be justified by one of the following:
   - Customer authorization
   - Administrative subpoena or summons
   - Judicial subpoena or summons
   - Written law enforcement request
3. Agencies must provide the customer written notice of the request and wait 10 days from service or 14 days from mailing to access the records
Detail:
Governs the release of customer financial information to federal government authorities. The act defines both the circumstances under which a financial institution can volunteer information about a customer’s financial records to federal government authorities and the procedures and requirements that apply when the federal government requests customers’ financial information.
Bank Secrecy Act of 1970 (BSA)
Summary:
- Requires financial institutions to maintain records of customer activity for five years
- Currency Transaction Reports (CTR) – must report cash transactions totaling more than $10,000 in a single day
- Suspicious Activity Reports (SAR) – institutions must report suspected money laundering, or a customer deliberately taking actions to avoid the CTR reporting limit
Detail:
A US federal law that requires US financial institutions and money services businesses (MSBs), which are entities that sell money orders or provide cash transfer services, to record, retain and report certain financial transactions to the federal government. This requirement is meant to assist the government in the investigation of money laundering, tax evasion, terrorist financing, and various other domestic and international criminal activities.
First privacy text in the US
1890, HBS, “The Right to Privacy” by Samuel Warren and Louis Brandeis
FCRA
Fair Credit Reporting Act
FACTA
Fair and Accurate Credit Transactions Act
GLBA
Gramm-Leach-Bliley Act
FERPA
Family Educational Rights and Privacy Act