Flashcards in APEC, OECD, etc Deck (21)
What is APEC?
21 nations on the Pacific Coast in Asia and Americas, in a non-binding agreement. Formed in 1989.
What is the APEC Privacy Subgroup?
Developed in 2003, it's for "developing a framework for privacy practices"
APEC Cross-Border Privacy Enforcement Agreement
1) Facilitates info sharing among Privacy Enforcers (PEs) in APEC countries
2) promotes effective cooperation between countries for enforcement/investigation in APEC
3) "" outside of APEC
APEC Cross-Border Privacy Rules
CBPR- data privacy certification based around APEC privacy framework.
APEC CBPR Requirements
1. Enforceable standards
2. Accountability (ID one person)
3. Risk-based protections
4. Consumer friendly complaint handling
5. Consumer empowerment (access, correct data)
6. Consistent protection
7. Cross-border enforcement cooperation
Which US agency participates in APEC CBPR and CPEA?
What is the full name of the OECD Guidelines?
Guidelines Governing the Protection of privacy and Transborder Flows of Personal Data
What are the OECD Guidelines principles? (8)
- Accountability: data controller supports the above
- Collection limitation: limit collection, get consent when needed.
- Individual participation: Ppl have the right to know if someone has their data. You can ask for the data, and if they say no, challenge it and know why
- Data quality: data is relevant to the reason it was collected. It's accurate and complete
- Security Safeguards: have 'em
- Openness: Openness in development, policies, and practices
- Use limitation: Don't disclose unless you have consent/by law
- Purpose specification: Reason for collecting data shared when it's collected. Don't change reasons later
What are the OECD Guidelines based on?
FIPs- perhaps the "most widely recognized framework for FIPS"
EU-US Privacy Shield- what is it, who does it cover?
2016. Follows transfer of data from EU to US for participating companies.
Only companies under FTC jurisdiction apply. No EU coverage.
EU-US Privacy Shield- Exceptions
Healthcare, FinServ, and nonprofits are not covered.
EU-US Privacy Shield- Primary Principles (7)
Of the 23, the primary ones are:
Accountability of Transfer
Data Security/Purpose Limitation
Who enforces EU-US Privacy Shield?
Dept of Commerce, for those companies covered by the FTC.
It's in contest!
"Consumer Data Privacy in a Networked World" Paper, 2012 (7)
AKA "the White House Report." 7 focus areas:
- Focused collection
- Access and accuracy
- Transparency (privacy and sec docs should be easily understandable)
- Individual control
- Respect for context (data is used for reasonable things)
Based on FIPS
"Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers" 2012 (3)
Privacy by design, simplified consumer choice, and transparency are key.
Based on FIPS
FTC Report Priority Areas (5)
- Do Not Track- signal you don't want tracking
- Mobile- self-regulation re: location services
- Data Brokers- Support laws that give consumers access to their data if the org isn't already covered by FCRA
- Large Platform Providers- examine their "comprehensive" tracking
- Promote enforceable, self-regulatory codes
Data Protection Directive- 1995
Superceded by GDPR in 2016
Don't process PII unless:
- Transparent: Consent is given, there's a good reason to do so, etc
- Legitimate purpose: only do what's needed
- Proportionality: Processing is in line with the request
Basis for law was OECD
"Internet of Things: Privacy and Security in a Connected World"
FTC paper authored after TrendNet (IoT company with unencrypted home cameras).
Issues with IoT:
- Lax security
- Potential for physical harm (insulin pumps, door locks)
- Follow security by design
- ensure personnel training
- do security at all levels
- follow access control limitations
- monitor products throughout lifecycle and patch as needed
"Protecting Consumer Privacy in an Era of Rapid Change"
FTC Report, 2010
"No consumer choice" / "no option" - it's expected that some third party sharing will happen and it won't need opt in or notification. For example, your info is shared with shipping companies when you buy something online.
These companies should still follow secure PII programs.
GDPR- "Right to be Forgotten"
You have the right to have PI erased. You can request it verbally or in writing, and an entity has one month to respond to the request.
It is not absolute, and only applies sometimes.