Basic Terms/Privacy Overview Flashcards

1
Q

EU - U.S. Safe Harbor Agreement

A

An agreement between the EU and US, invalidated by the Court of Justice of the EU in 2015, that allowed for the legal transfer of PI between the EU and US in the absence of a comprehensive adequacy decision for the US. It was replaced by the EU-US Privacy Shield.

2
Q

Privacy Shield

A

Created in 2016 to replace the invalidated EU-US Safe Harbor agreement, the Privacy Shield is an adequacy agreement that allows for the transfer of personal data from the EU to the US for companies participating in the program. Only those companies that fall under the jurisdiction of the US FTC may certify to the Shield principles and participate, which notably excludes health care, financial services, and non-profit institutions.

3
Q

Binding Corporate Rules (BCRs)

A

An appropriate safeguard allowed by GDPR to facilitate cross-border transfers of PI between the various entities of a corporate group worldwide. They do so by ensuring that the same high level of protection of personal data is complied with by all members of the organizational group by means of a single set of binding and enforceable rules.

4
Q

Standard Contractual Clauses

A

Contractual clauses adopted either directly by the European Commission or by a supervisory authority. They are mechanisms by which organizations can commit to protect personal data in order to facilitate ongoing and systematic cross-border personal data transfers.

5
Q

Certification Mechanisms

A

Introduced by GDPR, a new valid adequacy mechanism for the transfer of personal information outside of the EU in the absence of an adequacy decision and instead of other mechanisms such as BCRs or contractual clauses. Certification Mechanisms must be developed by certifying bodies, approved by data protection authorities or the European Data Protection Board, and have a methodology for auditing compliance.

6
Q

Electronic Discovery (e-Discovery)

A

Requires civil litigants to turn over large volumes of a company's electronic records in litigation.

7
Q

EU Data Protection Directive

A

Replaced by GDPR in 2018, the directive was adopted in 1995, became effective in 1998, and was the first EU-wide legislation that protected individuals' privacy and personal data use.

8
Q

APEC Privacy Framework

A

A set of non-binding principles adopted by APEC that mirror the OECD Fair Information Privacy Practices. They seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs.

Note: The details of GDPR and the APEC framework are outside the scope of CIPP/US. You just need to understand the high-level concept.

9
Q

Right to Financial Privacy Act of 1978

A

Summary:
1. Requests must reasonably identify the records
2. Requests must be justified by one of the following:
  • Customer authorization
  • Administrative subpoena or summons
  • Judicial subpoena or summons
  • Written law enforcement request
3. Agencies must provide the customer written notice of the request and wait 10 days from service or 14 days from mailing before accessing the records

Detail:
Governs the release of customer financial information to federal government authorities. The act defines both the circumstances under which a financial institution can volunteer information about a customer's financial records to federal government authorities and the applicable procedures and requirements to follow when the federal government requests customers' financial information.

10
Q

Bank Secrecy Act of 1970 (BSA)

A

Summary:

  1. Requires financial institutions to maintain records of customer activity for five years
  2. Currency Transaction Reports (CTR) – institutions must report cash transactions totaling more than $10,000 in a single day
  3. Suspicious Activity Reports (SAR) – institutions must report suspected money laundering, or a customer who is deliberately taking actions to avoid the CTR limits

Detail:
A US federal law that requires US financial institutions and money services businesses (MSBs), which are entities that sell money orders or provide cash transfer services, to record, retain and report certain financial transactions to the federal government. This requirement is meant to assist the government in the investigation of money laundering, tax evasion, terrorist financing, and various other domestic and international criminal activities.

11
Q

First privacy text in the US

A

The 1890 Harvard Law Review article "The Right to Privacy" by Samuel Warren and Louis Brandeis

12
Q

FCRA

A

Fair Credit Reporting Act

13
Q

FACTA

A

Fair and Accurate Credit Transactions Act

14
Q

GLBA

A

Gramm-Leach-Bliley Act

15
Q

FERPA

A

Family Educational Rights and Privacy Act

16
Q

PPRA

A

Protection of Pupil Rights Amendment

17
Q

COPPA

A

Children's Online Privacy Protection Act

18
Q

When did the UN first take privacy into account?

A

Art. 12 of the Universal Declaration of Human Rights in 1948

19
Q

When was the FCRA enacted?

A

1970

20
Q

When did the US Department of Health (HEW) publish its FIPs?

A

1973

21
Q

What is personal data?

A

Information relating to an identified or identifiable individual

22
Q

What is a privacy policy?

A

It is an internal statement governing privacy practices in a company.

23
Q

What are the four classes of privacy?

A

Information
Bodily
Territorial
Communication

24
Q

In the US and other countries, what are laws about the protection of information about individuals known as?

A
  • Privacy law
  • Data privacy law
  • Information privacy law
25
Q

In the EU and other countries, what are laws about the protection of information about individuals known as?

A

Data protection law

26
Q

How did Samuel Warren and Louis Brandeis define privacy in their 1890 Harvard Law Review article, “The Right to Privacy”?

A

The right to be let alone

27
Q

What is information privacy concerned with?

A

Establishing rules that govern the collection and handling of personal information

28
Q

What is bodily privacy concerned with?

A

A person’s physical being and any invasion thereof

29
Q

What is territorial privacy concerned with?

A

Placing limits on the ability to intrude into another individual’s environment

30
Q

What is communications privacy concerned with?

A

Protection of the means of correspondence

31
Q

In what year did California add an explicit "right to privacy" guarantee to the California Constitution?

A

1974

32
Q

In what year did the General Assembly of the United Nations adopt and proclaim the Universal Declaration of Human Rights, which formally announced that “no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence”?

A

1948

33
Q

What type of practices have been a significant means for organizing the multiple individual rights and organizational responsibilities that exist with respect to personal information?

A
  • Fair Information Practices (FIPs)

* Sometimes called fair information privacy practices or principles (FIPPs)

34
Q

What are 5 examples of codifications of Fair Information Practices (FIPs)?

A
  • The 1973 U.S. Department of Health, Education and Welfare Fair Information Practice Principles
  • The 1980 Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (“OECD Guidelines”)
  • The 1981 Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (“Convention 108”)
  • The Asia-Pacific Economic Cooperation (APEC), which in 2004 agreed to a Privacy Framework
  • The 2009 Madrid Resolution—International Standards on the Protection of Personal Data and Privacy
35
Q

What are Fair Information Practices (FIPs)?

A

FIPs are guidelines for handling, storing and managing data with privacy, security and fairness in an information society that is rapidly evolving.