Policy actions sorted A-Z.
Products that meet certain requirements of transparency, privacy and security are awarded a certification mark so that people know they can trust the product.
European Union: EuroPriSe is a privacy seal for organisations in the EU.
United Kingdom: The Information Commissioner's Office is developing its own privacy seal, which will be awarded by other organisations.
United Kingdom: BSI, known for their Kitemark Symbol, created a standard for secure digital transactions. IF have proposed a transparency mark that acts as both a certificate and as a link to more information about a product.
Consumers may not understand what a seal means and this could create a false sense of confidence in a service.
Seals establish a lowest common denominator.
Seals prove expensive to audit.
People are able to opt out permanently of tracking, both digitally and physically, to prevent their activity being monitored by invasive service providers, such as advertisers.
United States: There have been failed attempts at different levels of government to pass laws that regulate the online tracking of individuals.
South Korea: Websites that have more than 10,000 daily active users are not allowed to collect resident registration numbers.
Do Not Track (DNT) is an HTTP request header that a browser sends to signal that the user does not want their activity tracked across websites, for example to build an advertising profile. Most major browsers can send it, but there is no legal requirement for websites to honour it, so the signal is only as effective as the receiving site's policy. The US Federal Trade Commission recommended a Do Not Track mechanism in December 2010.
Visitors to Hyde Park in London were tracked using mobile phone data. The park authority says the tracking would “inform policing of crowds at large events, tailor amenities to park usage and protect the ecology of the park”.
Commuters in London were tracked by TfL using MAC addresses from devices with Wi-Fi switched on.
Short-range transmitters like Apple iBeacon can be used to push notifications to consumers in physical stores.
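As an added example (not code from the original page), the following shows how a web server can honour the Do Not Track header described above. Per the W3C Tracking Preference Expression draft, a value of "1" means the user declines tracking, "0" means the user explicitly permits it, and any other or absent value is no preference; the function names, the cookie name and the "track by default" policy knob are assumptions of this example.

```python
# Added example: honouring a browser's Do Not Track (DNT) signal server-side.
# The header semantics follow the W3C Tracking Preference Expression draft;
# the function names and the tracking cookie below are illustrative only.

from typing import List, Mapping, Optional, Tuple


def dnt_preference(headers: Mapping[str, str]) -> Optional[bool]:
    """True = user opted out (DNT: 1); False = user explicitly allows (DNT: 0);
    None = no valid preference sent. Header names are matched case-insensitively,
    and a value that is not exactly "0" or "1" is ignored rather than guessed at."""
    for name, value in headers.items():
        if name.lower() == "dnt":
            value = value.strip()
            if value == "1":
                return True
            if value == "0":
                return False
            return None
    return None


def respond(headers: Mapping[str, str],
            track_by_default: bool = False) -> Tuple[bool, List[Tuple[str, str]]]:
    """Decide whether this response may set a cross-site advertising identifier.
    Policy: an explicit DNT: 1 always disables tracking, DNT: 0 enables it, and
    with no signal the site's own default applies (assumed opt-in, i.e. off).
    Returns (tracking_enabled, response_headers)."""
    pref = dnt_preference(headers)
    tracking = {True: False, False: True, None: track_by_default}[pref]
    out = [("Content-Type", "text/html; charset=utf-8"),
           # Tk is the draft's tracking-status response header: N = not tracking, T = tracking.
           ("Tk", "T" if tracking else "N")]
    if tracking:
        # Only issue the advertising identifier when tracking is permitted.
        out.append(("Set-Cookie",
                    "ad_id=0123456789abcdef; Path=/; Secure; SameSite=None; Max-Age=31536000"))
    return tracking, out


# Constructed sample requests (not real captures).
SAMPLE_REQUESTS = {
    "firefox_optout": {"User-Agent": "Mozilla/5.0", "DNT": "1"},
    "explicit_allow": {"User-Agent": "Mozilla/5.0", "dnt": "0"},
    "no_signal": {"User-Agent": "Mozilla/5.0"},
    "garbage_value": {"User-Agent": "Mozilla/5.0", "DNT": "yes"},
}

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        enabled, hdrs = respond(req, track_by_default=True)
        print(f"{label:15} tracking={enabled} headers={hdrs}")
```

The point a practitioner should take from this is that an explicit opt-out must override any site default, and that malformed values are treated as "no preference" rather than as consent.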
A team or service exists to inform companies about best practices for digital security, consumer privacy and consent models.
United Kingdom: The National Cyber Security Centre provides guidance to organisations and government on managing their IT and information more securely. CareCERT, part of NHS Digital, provides information security advice for the public health sector.
United States: The United States Computer Emergency Readiness Team, from the Department of Homeland Security, publishes advice on computer security for a non-technical audience.
Elsewhere: Various countries have computer emergency response teams that respond to information security emergencies.
Guidance is issued in specialist terms, requiring third parties to interpret it.
Guidance doesn’t adapt quickly enough to changing threats or technologies.
Promote best practices, such as strong passwords and two-factor authentication, to improve public understanding of digital security.
It is difficult to engage the general public with an issue of a technical nature.
Some campaigns may over-simplify digital security.
Legislation that allows private individuals to request that a data controller remove outdated or inaccurate information that might cause personal distress.
European Union: After a Spanish national took Google to the Court of Justice of the European Union, the court ruled that people have the “right to be forgotten”.
South Korea: The Korea Communications Commission states that citizens are able to request that search engines and website administrators restrict individuals' postings from being publicly accessible.
United States: A law in California requires websites to allow people under 18 to permanently erase their content. This “Eraser Button law” aims to prevent teenagers from being tied to content when they grow older.
Regulators should be able to compel manufacturers to follow standards for privacy and security when designing Internet of Things (IoT) devices, in the same way that regulators mandate that electrical safety standards are followed. This is important for consumers, because IoT devices collect a great deal of data about a person and their surroundings, and privacy considerations are poor at present.
European Union: A working group of European data protection regulators have published an opinion (PDF) on the privacy risks of IoT and how the current data protection framework in the EU can be applied in their context.
United States: The Federal Trade Commission have released a report (PDF) into IoT and possible regulation. It states that it may be too early to do so, as the industry is still in its infancy, but general data protection legislation should be strengthened.
David Wheeler has written about policy interventions for digital security that could apply to Internet of Things devices.
Range of devices is so broad that it’s difficult to audit them consistently.
Regulatory overhead prevents small companies from launching products.
Digital services should be required to limit the way they use children's data. This ensures children's right to privacy is maintained when they may not be in a position to make their own consent decisions.
Data controllers are compelled to publicly report data breaches so that the public know it has occurred and can take action where possible and to incentivise data controllers to maintain secure data handling practices.
European Union: Under Article 33 of the General Data Protection Regulation, data controllers must notify the supervisory authority of a personal data breach without undue delay and, where feasible, “not later than 72 hours after having become aware of it”, unless the breach is unlikely to result in a risk to individuals. Under Article 34, affected data subjects must be told without undue delay when the breach is likely to result in a high risk to them.
Mexico: Under the Federal Personal Data Law, the data controller must immediately inform the data subject if a breach of the data controller's security measures has occurred that could affect the moral and economic rights of the data subject.
South Korea: Under the Personal Information Protection Act, the data controller must provide individual breach notices to data subjects and file a personal information leakage report to the Ministry of Government Administration and Home Affairs and Korea Internet Security Agency.
Turkey: Under the Data Protection Law, data breaches must be disclosed to the Data Protection Authority and data subjects.
United States: 47 states and the District of Columbia have enacted state-level security breach notification laws. There is no general breach notification law at federal level.
The lack of understanding around data breaches may cause consumer panic when they receive notifications.
Notifications on their own may not suffice. They may need to happen in concert with other measures.
Data controllers handle and protect personal data that is generated through consumer transactions to protect the privacy of consumers.
Most countries have a general right to privacy written into their national law or constitutions.
Different industries have their own data privacy laws.
Confidentiality of medical data is enforced in the United States by the Health Insurance Portability and Accountability Act. In Turkey, patient privacy is guaranteed in Articles 78 and 100 of Legal Code 5510. In Canada, medical confidentiality is protected at federal and provincial level. In Australia, it is protected under the Personally Controlled Electronic Health Records Act 2012 and the Privacy Act 1988.
Financial institutions also owe customers an implied duty of confidentiality unless required to disclose transactional information to law enforcement.
The UN Guidelines for Consumer Protection (UNGCP, 2016 edition) and the OECD Privacy Guidelines (2013) both recognise the right to privacy as a major element of consumer protection.
LEGO’s website, which connects children through games, has no third party cookies or connections to social media accounts, and advises users to use pseudonyms.
The same data is treated differently across industries and national borders, weakening how people perceive the right.
Challenges in identifying, defining and quantifying risks, as well as enforcing the right.
Individual services comply, but, in the aggregate, companies breach intent of privacy.
Government or industry bodies agree a set of standards for securing specific data and transaction types so that people can expect a minimum level of security.
PCI DSS (Payment Card Industry Data Security Standard) is a proprietary card-payment security standard maintained by the PCI Security Standards Council, which was founded by the major global card brands.
GOV.UK Verify is a delegated method of identity verification, available from multiple providers, for use in UK government digital services.
3-D Secure is a protocol for additional identity verification when making online purchases. It is branded by Visa and MasterCard as “Verified by Visa” and “MasterCard SecureCode” respectively.
ISO/IEC 27002 is an international standard on information security, providing a code of practice for security controls covering both digital and physical security.
Laws and processes exist to prosecute data controllers in the event of a data breach. Punitive measures are intended to incentivise data controllers to better protect consumers' data in order to avoid punishment.
Most G20 countries have data protection laws that, at minimum, enforce a monetary fine.
European Union: The General Data Protection Regulation allows fines of up to €20 million or 4% of an organisation's worldwide annual turnover, whichever is higher. Article 82 of the GDPR gives data subjects a right to compensation for “material or non-material damage”. A data controller or processor is exempt from liability only if it proves that it is not in any way responsible for the event giving rise to the damage.
Brazil: The Brazilian Regulatory Framework for the Internet enables a 10% fine on domestic gross income and a potential temporary suspension of data collection activities. This fine is proportionate to the nature of the data breach. Consumers are able to bring a data breach case to court for material and nonmaterial damages.
India: A data controller that doesn't implement reasonable security practices is “liable to pay compensation for any wrongful loss or wrongful gain”. Claims below 50 million rupees are handled by the Department of Information Technology at state government level; claims above this are handled by civil courts. A data controller that discloses personal data without the consent of the subject may be liable to three years' imprisonment, a maximum fine of around $7,500, or both.
Japan: Responsibility for data protection regulation is shared in Japan. The Ministry of Economy, Trade and Industry and the Financial Service Agency investigate companies for data protection compliance. They can issue a corrective order if they are found to be non-compliant. If a data controller fails to follow a corrective order, they may be liable for imprisonment up to six months or about a $2,600 fine.
Could drive organisations to be less transparent about breaches.
Accountability for breaches could be hard to pinpoint due to complex arrangements between service providers and third parties.
Set rules that require data to be encrypted when it’s stored by a data controller to mitigate the risks of a data breach.
Australia: Office of the Australian Information Commissioner recommends data is encrypted when stored.
United States: A law in the New Jersey state legislature prohibits health insurance companies from keeping unencrypted patient information.
Set rules that require data to be encrypted when sent across the internet, so that it cannot be read or altered by an unauthorised third party who intercepts it.
United Kingdom: Part of the Government Digital Service Standard requires the use of HTTPS.
United States: Memorandum M-15-13 from the Federal Chief Information Officer states that all publicly accessible Federal websites and web services must be served only over a secure (HTTPS) connection, and calls for the use of HTTP Strict Transport Security (HSTS) so that browsers refuse to fall back to plain HTTP.
Encryption of cardholder data in transit over open, public networks is a requirement of the PCI DSS card-payment standard.
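As an added example (not code from the original page), the following is an offline checker for the HTTPS-only property that the Government Digital Service standard and M-15-13 require. It works on already-captured probe results (requested URL, status code, response headers) so it runs without network access; the sample probes are constructed for illustration, and the one-year HSTS threshold, the function names and the inclusion of a cookie Secure-attribute check are this example's own choices, not a rule stated on the page.

```python
# Added example: auditing captured HTTP/HTTPS responses for an HTTPS-only policy.
# Rules applied (this example's interpretation of the requirement):
#   - a plain-HTTP URL must answer with a permanent redirect to HTTPS on the same host
#   - an HTTPS response must carry a strong Strict-Transport-Security policy
#   - a cookie set over HTTPS must carry the Secure attribute
# Probe records and thresholds are constructed / assumed for illustration.

from urllib.parse import urlsplit

HSTS_MIN_MAX_AGE = 31536000  # one year in seconds; assumed minimum policy lifetime


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Returns None when max-age is missing or not an integer."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def audit_probe(probe):
    """Return a list of findings (empty means compliant) for one captured response.
    probe = {"url": str, "status": int, "headers": {name: value}}."""
    findings = []
    url = urlsplit(probe["url"])
    headers = {k.lower(): v for k, v in probe["headers"].items()}

    if url.scheme == "http":
        location = headers.get("location", "")
        target = urlsplit(location)
        if probe["status"] not in (301, 308):
            findings.append("plain HTTP answered with status %d instead of a permanent redirect"
                            % probe["status"])
        elif target.scheme != "https" or target.hostname != url.hostname:
            findings.append("redirect target is not HTTPS on the same host: %r" % location)
    elif url.scheme == "https":
        hsts = headers.get("strict-transport-security")
        if hsts is None:
            findings.append("missing Strict-Transport-Security header")
        else:
            parsed = parse_hsts(hsts)
            if parsed is None:
                findings.append("malformed Strict-Transport-Security: %r" % hsts)
            else:
                max_age, include_sub = parsed
                if max_age < HSTS_MIN_MAX_AGE:
                    findings.append("HSTS max-age %d is below one year" % max_age)
                if not include_sub:
                    findings.append("HSTS lacks includeSubDomains")
        cookie = headers.get("set-cookie")
        if cookie is not None and "secure" not in [a.strip().lower() for a in cookie.split(";")]:
            findings.append("cookie set over HTTPS without the Secure attribute")
    else:
        findings.append("unexpected URL scheme %r" % url.scheme)
    return findings


# Constructed sample probes (not real captures).
SAMPLE_PROBES = [
    {"url": "http://service.example.gov/", "status": 301,
     "headers": {"Location": "https://service.example.gov/"}},
    {"url": "http://legacy.example.gov/login", "status": 200,
     "headers": {"Content-Type": "text/html"}},
    {"url": "https://service.example.gov/", "status": 200,
     "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                 "Set-Cookie": "session=abc; Path=/; Secure; HttpOnly"}},
    {"url": "https://legacy.example.gov/login", "status": 200,
     "headers": {"Set-Cookie": "session=abc; Path=/"}},
]


def audit_all(probes=SAMPLE_PROBES):
    """Map each non-compliant URL to its findings; compliant URLs are omitted."""
    return {p["url"]: f for p in probes if (f := audit_probe(p))}


if __name__ == "__main__":
    for url, findings in audit_all().items():
        for finding in findings:
            print(url, "-", finding)
```

In practice the probe records would come from a crawler or from the web server's own logs; the checker is kept separate so that the policy rules can be unit-tested against known-good and known-bad responses before being run against live services.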