Differences

This shows you the differences between two versions of the page.


cyberlaw:privacy [2019/01/24 12:30]
131.181.11.116
cyberlaw:privacy [2019/07/01 16:09] (current)
112.118.228.112
Line 5: Line 5:
  
 **Rita Matulionyte [Explains How Online Technologies Affect Our Privacy](https://​www.youtube.com/​watch?​v=67BPeCTpu10)** **Rita Matulionyte [Explains How Online Technologies Affect Our Privacy](https://​www.youtube.com/​watch?​v=67BPeCTpu10)**
 +
 +## International Law
 +**Article 12, 1948 Universal Declaration on Human Rights (UDHR)**
 +
 +‘No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence,​ nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attack.’
 + 
 +The UDHR was adopted in the General Assembly as Resolution 217 on 10 December 1948. Among the 58 members of United Nations, 48 voted in favour, 8 abstained. Honduras and Yemen failed to vote or abstain. The historical vote on adoption does not affect the application of the UDHR on other member states who joined the United Nations later.  ​
 + 
 +[The UDHR is not a treaty and therefore does not itself create legal obligations for countries](https://​www.humanrights.gov.au/​our-work/​what-universal-declaration-human-rights). It is an expression of fundamental values which are shared by all members of the international community, and therefore has arguably become binding as part of customary international law
 +
 +**Article 17, International Covenant on Civil and Political Rights (ICCPR)**
 +
 +'(1) No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence,​ nor to unlawful attacks on his honour and reputation’
 +
 +'(2) Everyone has the right to the protection of the law against such interference or attacks’
 +
 +[There are a total of 172 parties to the ICCPR.](https://​treaties.un.org/​Pages/​ViewDetails.aspx?​src=TREATY&​mtdsg_no=IV-4&​chapter=4&​clang=_en)
 +
 +**Article 16, Convention on the Rights of the Child**
 +
 +'(1) No Child shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence,​ nor to unlawful attacks on his or her honour and reputation.
 +
 +'(2) ‘The Child has the right to the protection of the law against such interference or attacks’
 +
 +Under Art 1 in the Convention, child is defined as any human being below the age of 18
 +
 +**Article 14 International Convention on the Protection of All Migrant Workers and Members of their families**
 +
 +‘No Migrant worker or member of his or her family shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home, correspondence or other communication,​ or to unlawful attacks on his or her honour and reputation. Each migrant worker and member of his or her family shall have the right to the protection of  the law against such interference or attacks’
 +
 +**Treaty No.108 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data**
 +
 +This treaty is open for signature by member States of the Council of Europe and for accession by non-member states since 28 January 1981.  There are a total of 57 accessions to it.
 +In summary, it provides protection for individual against abuses arising out of collecting and processing of personal data, in order to  secure their rights and fundamental freedoms, in particular his right to privacy.
 +It imposes obligation for parties to the agreement to take appropriate security measure to prevent accidental or authorised access to personal data. It also enshrines data subject’s right to know with regards to his own personal data.
 +
 +**OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data**
 +
 +Although not binding, this serves as guidelines on all OECD Member countries to uphold human rights and prevent interruptions in international flow of data. It represents a consensus on basic principles that can be included in existing national legislations or serves as basis for legislations in those countries who do not have any yet.
 + 
 +There are 8 principles governing the protection of privacy and transborder flow of personal data. They are: collection limitation principle, data quality principle, purpose specification principle, use limitation principle, security safeguards principle, openness principle, individual participation principle and accountability principle.
 +
 +### Right to privacy and the internet ​
 +
 +Right to privacy is not confined to the physical world. In its sixty-eighth session of General Assembly, the United Nations (UN) adopted Resolution 68/177 regarding the right to privacy in the digital age. It recognized the increasing global trend of Internet usage and the advancement in information and communications technologies,​ and emphasised that the right to privacy also includes privacy in the digital world.
 + 
 +While gathering of an individual’s sensitive information may be necessary for the purpose of national and public security, it must be done in compliance with the state’s obligations in international human rights laws. [Therefore UN called upon on States to review their legislation and practices relating to communication surveillance and collection of personal data so as to protect individual’s right to privacy, which also includes digital communications](https://​www.ohchr.org/​EN/​Issues/​DigitalAge/​Pages/​DigitalAgeIndex.aspx). ​
 +
 +### Interference with privacy ​
 +
 +Under UDHR and ICCPR, the content of the right to privacy includes the term ‘interference’. What this essentially means is that the integrity ​ and confidentiality of correspondence should be guaranteed de jure and de facto, without any interception and without being opened or read.  Any capture of communication data may potentially fall under the ‘interference’. [Therefore, as suggested by the Office of UN High Commissioner for Human Rights, ​ mass surveillance programmes adopted by many states would already be amount to ‘interfering’,​ and it is on the State to prove that such interception is neither arbitrary nor unlawful.](https://​www.ohchr.org/​EN/​HRBodies/​HRC/​RegularSessions/​Session27/​Documents/​A-HRC-27-37_en.doc)
 +
 +### ‘Unlawful’ and ‘Arbitrary’ – Qualified rights
 +
 +The right to privacy under both UDHR and ICCPR is not an absolute right. It may be restricted or limited as long as it is not ‘unlawful’. This means that member states may implement laws that specifically authorize such derogation. However, member states are not unfettered. The implemented laws must not be in contravention with the provisions in the International Covenant on Civil and Political Rights, and should be ‘reasonable in particular circumstances’.
 + 
 +In determining the reasonableness of such limitation, references may be drawn from [//Siracusa Principles//​](https://​www.uio.no/​studier/​emner/​jus/​humanrights/​HUMR5503/​h09/​undervisningsmateriale/​SiracusaPrinciples.pdf) and case law. In short, they all emphasise the principles of legality, necessity and proportionality. Such a law has to be readily accessible and clear. It must be necessary and should be the least intrusive option to pursue the legitimate aim.
 +
 +## Privacy Protection in the European Union
 +
 +Enshrined under Art 8(1) Charter of Fundamental Rights of the European Union and Art 16(1) Treaty of the Functioning of the European Union, data protection is recognized as a fundamental right in the European Union (EU). To facilitate the increase of trade and digital activities between Member States, the General Data Protection Regulation (GDPR) was enacted in 2016 and came into force in May 2018 to replace the previous Data Protection Directives. This creates a more comprehensive coverage of enhanced rights and protections of individual’s personal data.
 +
 +### General Data Protection Regulation
 +
 +#### Legal Basis for data processing
 +
 +The GDPR formalizes 6 legal basis for personal data collection under Art 6(1). This includes:
 +  * Consent
 +  * Performance of contract
 +  * Compliance with legal obligations
 +  * Protection of vital interests of data subject
 +  * Performance for public interest
 +  * Legitimate interests pursued by the controller or by a third party
 + 
 +##### Consent requirement
 +
 +Of the 6 legal bases for data collection, consent is the most common one since it can be applied to almost every situation, unlike the other 5 where data processor is required to reach a rigorous situational threshold.
 + 
 +Consent is only valid only if it is freely given, specific, informed and is unambiguous. As to the practical operation of consent required, Art 29 Working Party (WP 29) has provided further clarification on its Guidelines on Consent. While WP 29 was an advisory body replaced by the European Data Protection Board (EDPB) under GDPR, since EDPB so far has not issued anything in replacement,​ the WP29 document continues to serve as an interpretive guideline for GDPR and EDPB under Art 94(2) GDPR since EDPB has not issued any superseding guidelines. The Guidelines analyzed the requirements under Art 4(11) GPDR, and considered what constitutes valid consent under different situations – such as imbalance of power, bundled consent, performance of a contract etc.
 +
 +###### Situation - Bundled consent
 +
 +Bundled consent refers to consent that is given via a written declaration that contains multiple data processing purposes. For example, a mobile application asks for consent to collect data for GPS localization in their service agreement, which may also contain a clause stating that the data will be transferred to 3rd parties for advertising purpose. By signing the agreement, the data subject consents to a ‘bundle’ of data processing purposes. Although not explicitly spelt out in the law itself, it entrenched in the ‘freely given’ element and therefore bundled consent is invalid under GDPR.
 + 
 +In order to determine whether the situation render consent not freely given, it is essential to determine the scope of the contract and whether the collection of data is necessary for the performance of the contract. For example, by denying the unnecessary data processing, the data subject will act to their detriment since he will also deny the processing of data for the enforcement of the contract. Thus, such consent is not ‘freely given’.#
 +
 +###### Situation - Employment
 +
 +A lot of data processing arises out of employment context, no matter whether it is for application for jobs, promotion, removal or monitoring systems in the workplace. Given the imbalance of power, employees are unlikely able to respond to their employer’s request for consent freely, since they are in fear of the detrimental effect for their refusal.
 + 
 +Consent is freely given if three is a real choice, and no risk of deception, intimidation,​ coercion or significant negative consequences if data subject does not consent. Given the inherent dominance of employer in the employer-employee relationship,​ it is very unlikely there is no pressure when the employee gives consent. Thus, consent should not be the legal basis for processing personal data in an employment context.
 + 
 +Nevertheless,​ processing of personal data may still likely to be legitimate under Art6(1)(b) if the employer can show that the processing is necessary for the performance of the employment contract.
 +
 +###### Situation - Granularity
 +
 +Granularity refers to cases where there are multiple purposes for multiple collection of personal data. For example, service application forms may incorporate both terms and conditions of provision of the data user’s services and statements relating to the use of data collected for marketing products or services.
 +
 +For multiple purpose collection, Art 7(2) and Recital 32 GDPR require consent to be given distinguishably. What this essentially means is that data subject should be given the choice to accept or reject a particular purpose, rather than having to consent to a bundle of processing purposes. ​ A lack of granularity may invalidate consent given since it is not specific, as required under Art 6(1)(a), which is closely linked to the requirement of a freely given consent.
 +
 +###### Performance of a Contract
 +
 +Performance of a contact forms a legal basis for processing personal data where it is necessary in the context of a contract or the intention to enter into a contract.
 +
 +##### Fulfillment of Legal Obligation
 +
 +This requirement does not require a specific law for each individual processing. It is sufficient if the data user can demonstrate that the processing is necessary for the performance of a task carried out in the public interest or for official authority to exercise their power.
 +
 +##### Vital Interest of the data subject
 +
 +As suggested in Recital 46, this basis should come last in line and other legal bases under Art 6 should be exhausted first.
 +
 +##### Legitimate interest
 +
 +Personal data may be disclosed if it is of the legitimate interest of data controller, provided that the interests or fundamental rights and freedoms of the data subject are not overriding. This has to take into account of the reasonable expectations of data subjects based on their relationship with the controller
 +
 +
 +
 +
 +## Privacy Protection in the United States of America
 +
 +
  
 ## Privacy Protection in Australia ## Privacy Protection in Australia
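Review bot: the Convention 108 summary says parties must take measures to "prevent accidental or authorised access to personal data"; that should read "unauthorised access" (the obligation is to guard against unauthorised access and against accidental loss or destruction), otherwise the sentence describes the opposite of a security safeguard. Several further points in this hunk need correcting before it lands. Under "Right to privacy and the internet", the General Assembly resolution on the right to privacy in the digital age is resolution 68/167, not 68/177. The treaty headed "International Convention on the Protection of All Migrant Workers and Members of their families" is titled "International Convention on the Protection of the Rights of All Migrant Workers and Members of Their Families". Under "'Unlawful' and 'Arbitrary'", the text says the right "may be restricted or limited as long as it is not 'unlawful'", but the Art 17 wording quoted above requires the interference to be neither unlawful nor arbitrary, and the reasonableness test described in the next sentence is the arbitrariness limb; say so, and use "limitation" rather than "derogation", which is a different concept under the ICCPR. In the EU section, the GDPR entered into force in May 2016 and applied from 25 May 2018, and it replaced a single instrument, Directive 95/46/EC, not "Directives". Under "Legal Basis for data processing", "6 legal basis" should be "6 legal bases", and "Performance for public interest" should follow Art 6(1)(e): performance of a task carried out in the public interest or in the exercise of official authority. The "Consent requirement" paragraph should say controller, not "data processor", since the controller is the party that must establish a lawful basis, and the claim that consent is "the most common" basis because it "can be applied to almost every situation" needs a source or should be dropped. The WP29 sentence is circular ("since EDPB so far has not issued anything in replacement ... since EDPB has not issued any superseding guidelines") and gives Art 94(2) as the reason the Guidelines on Consent still apply; Art 94(2) only provides that references to the Working Party are read as references to the EDPB, and the Guidelines on Consent (WP259 rev.01) remain applicable because the EDPB endorsed them in May 2018; also fix "GPDR". The "Bundled consent" paragraph says bundling is "not explicitly spelt out in the law itself", but Art 7(4) GDPR and Recital 43 address it directly, and the consequence is that such consent is presumed not to be freely given rather than being automatically "invalid"; remove the stray "#" after "freely given" in the same paragraph, and fix "three is a real choice" under Employment. "Performance of a Contract" is a legal basis like "Fulfillment of Legal Obligation", so it belongs at the same five-hash heading level rather than among the six-hash consent "Situation" headings. The "Fulfillment of Legal Obligation" paragraph then describes the public-task basis (processing necessary for a task in the public interest or the exercise of official authority, Art 6(1)(e)) rather than the legal-obligation basis in Art 6(1)(c); either retitle it or split the two bases, since the public-interest basis listed above otherwise gets no section. Under "Legitimate interest", personal data may be processed on this basis, not only "disclosed". Finally, "Privacy Protection in the United States of America" is added as an empty heading; either add the content or leave the heading out of this change.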
Line 117: Line 239:
 ## Government Surveillance ## Government Surveillance
  
-Surveillance is the monitoring of behaviour, activities, or other changing information,​ usually of people for the purposes of influencing/​managing/​directing/​protecting them (Lyon 2007).+Surveillance is the monitoring of behaviour, activities, or other changing information,​ usually of people for the purposes of influencing/​managing/​directing/​protecting them (Lyon 2007). For a glossary of commonly-used terms in surveillance studies, have a look at [this open access book edited by Guy McHendry](https://​surveillancestudies.pressbooks.com/​).
  
-Surveillance is by governments for intelligence gathering, prevention of crime, protection of process/​group/​person/​object or for investigation of crime.+Surveillance is by governments for intelligence gathering, prevention of crime, protection of process/​group/​person/​object or for investigation of crime. ​
  
 The extent of government surveillance powers go to heart of issues about appropriate role of the state in our lives, including: The extent of government surveillance powers go to heart of issues about appropriate role of the state in our lives, including:
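Review bot: the only change to the "Surveillance is by governments for intelligence gathering ..." line is a trailing space; either revert it or use the edit to repair the sentence, which is missing a word ("Surveillance is used by governments for ..." or "Governments use surveillance for ..."). The glossary link added to the Lyon (2007) line reads fine as is.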
Line 178: Line 300:
 ## The SPAM Act ## The SPAM Act
  
-**Video Overview of the The SPAM Act by [Rita Matulionyte](https://​www.youtube.com/​watch?​v=7mR87qJ0Ipg)** and [Anna Hall](https://​www.youtube.com/​watch?​v=cb8q7hiyj9I)** ​+**Video Overview of the The SPAM Act by [Rita Matulionyte](https://​www.youtube.com/​watch?​v=7mR87qJ0Ipg)** and **[Anna Hall](https://​www.youtube.com/​watch?​v=cb8q7hiyj9I)** ​
  
 The SPAM Act 2003 (Cth) prohibits the sending of unsolicited commercial electronic messages with an Australian link. A message has an Australian link if it originates or was commissioned in Australia, or originates overseas but was sent to an address accessed in Australia. The SPAM Act 2003 (Cth) prohibits the sending of unsolicited commercial electronic messages with an Australian link. A message has an Australian link if it originates or was commissioned in Australia, or originates overseas but was sent to an address accessed in Australia.
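Review bot: the bold-markup fix on the video-overview line is correct, but the line still reads "Overview of the The SPAM Act"; drop the duplicated "the" while touching it.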
Line 189: Line 311:
  
 The financial penalties for breaching the SPAM Act are steep. A single day's contravention may result in a penalty of up to $220,000, and repeated breaches of the Act may give rise to penalties of up to $1.1 million. The financial penalties for breaching the SPAM Act are steep. A single day's contravention may result in a penalty of up to $220,000, and repeated breaches of the Act may give rise to penalties of up to $1.1 million.
 +
 +
 +## Privacy Protection in China
 +
 +
 +## Privacy Protection in Hong Kong
 +
 +
 +## Privacy Protection in India
 +
 +### Constitution ​
 +
 +**Art 21 Constitution of India**
 +‘No person shall be deprived of his life or personal liberty except according to procedure established by law.’
 +
 +There is no express provision for the right to privacy in the Constitution of India. Over the past 60 years, there was a divergence of opinion as to whether the right to privacy is a fundamental right in India, resulting in inconsistent judgments being laid down.
 + 
 +In 2017, it was unanimously held in //Justice KS Puttaswamy (Retd) v Union of India & Ors// that the right to privacy is protected as a fundamental constitutional right under the right to life or personal liberty in Art 21 of the Constitution of India. This case serves as a landmark judgment and it explicitly overrules previous judgments where it was held that there is no fundamental right to privacy.
 + 
 +The right to privacy under the Indian Constitution is not an absolute right. An invasion of personal liberty must pass through the 3 fold test of legality, necessity, and proportionality.
 + 
 +
 +### Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011
 + 
 +The Rules is a subordinate legislation which regulates the collection and disclosure of information by any bodies corporate. It provides for a consent requirement where businesses must obtain consent in writing through letter or fax or email from the provider of sensitive personal data or information before any collection of such information. Businesses must take reasonable steps to ensure that the person has sufficient knowledge regarding the collection.
 + 
 +The rules also control the disclosure and transfer of information. They are permissible in cases where prior permission is obtained from the provider or when it is necessary for the performance of the lawful contract between the business and the provider of information.
 + 
 +Although the implementation of security practices and standards are not mandatory under the Rules, in the event of an information security breach, businesses are required to demonstrate that they have implemented security control measures.
 +
  
  
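Review bot: "Privacy Protection in China" and "Privacy Protection in Hong Kong" are added as empty headings; either fill them in or leave them out of this change, since an empty section reads to the reader as finished content. In the India section, put a blank line between "**Art 21 Constitution of India**" and the quotation, as the other article headings in this page do, or the two will render as one paragraph. "The Rules is a subordinate legislation" should be "The Rules are subordinate legislation", and "3 fold test" should read "three-fold test". The last paragraph is ambiguous: it says implementing security practices and standards is not mandatory under the Rules, then says businesses must demonstrate implemented security controls after a breach; state plainly what the Rules require (reasonable security practices, with a documented standard such as a recognised information-security standard being one way to show them, if that is what is meant) so the two sentences do not contradict each other.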
  • cyberlaw/privacy.1548293400.txt.gz
  • Last modified: 9 months ago
  • by 131.181.11.116