User:Prizmic/Privacy law

IN PROGRESS

Privacy law refers to the laws that deal with the regulation, storage, and use of personally identifiable information of individuals, which can be collected by governments, public or private organizations, or by other individuals.

Privacy laws are considered in the context of an individual's privacy rights or within the reasonable expectation of privacy.

Asia-Pacific Economic Cooperation (APEC)
APEC created a voluntary Privacy Framework that was adopted by all 21 member economies in 2004 in an attempt to improve general information privacy and the cross-border transfer of information. The Framework consists of nine Privacy Principles that act as minimum standards for privacy protection: Preventing harm, Notice, Collection limitation, Use of personal information, Choice, Integrity of personal information, Security safeguards, Access and correction, and Accountability.

In 2011, APEC implemented the APEC Cross Border Privacy Rules System with the goal of balancing "the flow of information and data across borders while at the same time providing effective protection for personal information, essential to trust and confidence in the online marketplace." The four agreed-upon rules of the System are based upon the APEC Privacy Framework and include: self-assessment, compliance review, recognition/acceptance, and dispute resolution and enforcement.

Council of Europe
The Council of Europe also addressed privacy protection with regard to the Internet in 1998 when it published "Draft Guidelines for the protection of individuals with regard to the collection and processing of personal data on the information highway, which may be incorporated in or annexed to Code of Conduct." The Council developed these guidelines in conjunction with the European Commission, and they were adopted in 1999.

European Union (EU)
The 1995 Data Protection Directive (officially Directive 95/46/EC) recognized the authority of national data protection authorities and required that all Member States adhere to universal privacy protection standards. Member States must adopt strict privacy laws that are no more relaxed than the framework provided by the Directive. Additionally, the Directive outlines that non-EU countries must adopt equally restrictive privacy legislation in order to be allowed to exchange personal data with EU countries. Furthermore, companies in non-EU countries must also adopt privacy standards at least as restrictive as those provided in the Directive in order to do business with companies located in EU countries. Thus, the Directive has also influenced the development of privacy legislation in non-European countries. The proposed ePrivacy Regulation, which would replace the Privacy and Electronic Communications Directive 2002, also contributes to EU privacy regulations.

The General Data Protection Regulation will replace the Data Protection Directive of 1995 when it takes effect on 25 May 2018. A notable contribution that will come from the General Data Protection Regulation is its recognition of a "right to be forgotten", which requires any group that collects data on individuals to delete the data related to an individual upon that individual's request. The Regulation was influenced by the aforementioned European Convention on Human Rights.

Organization for Economic Co-operation and Development (OECD)
In 1980, the OECD adopted the voluntary OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data in response to growing concerns about information privacy and data protection in an increasingly technological and connected world. The OECD Guidelines helped establish an international standard for privacy legislation by defining the term "personal data" and outlining fair information practice principles (FIPPs) that other countries have adopted in their national privacy legislation.

In 2007, the OECD adopted the Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy. This framework is based on the OECD Guidelines and includes two cooperation-based model forms to encourage the enforcement of privacy laws among member states. The Recommendation is also notable for coining the term "Privacy Enforcement Authority."

United Nations (UN)
On 18 December 2013, the United Nations General Assembly adopted resolution 68/167 on the right to privacy in the digital age. The resolution makes reference to the Universal Declaration of Human Rights and reaffirms the fundamental and protected human right of privacy.

Malaysia
After Malaysia gained independence from Great Britain in 1957, its existing legal system was based primarily on English common law. The following common law torts are related to personal information privacy and continue to play a role in Malaysia's legal system: breach of confidence, defamation, malicious falsehood, and negligence. In recent years, however, the Court of Appeal in Malaysia has referred less to English common law and instead looked more toward other nations with similar colonial histories and whose written constitutions are more like the Malaysian Constitution. Unlike the courts in these other nations, such as India's Supreme Court, the Malaysian Court of Appeal has not yet recognized a constitutionally protected right to privacy.

In June 2010, the Malaysian Parliament passed the Personal Data Protection Act 2010, and it came into effect in 2013. It outlines seven Personal Data Protection Principles that entities operating in Malaysia must adhere to: the General Principle, the Notice and Choice Principle, the Disclosure Principle, the Security Principle, the Retention Principle, the Data Integrity Principle, and the Access Principle. The Act defines personal data as "information in respect of commercial transactions that relates directly or indirectly to the data subject, who is identified or identifiable from that information or from that and other information." A notable contribution to general privacy law is the Act's distinction between personal data and sensitive personal data, which entails different protections. Personal data includes "information in respect of commercial transactions ... that relates directly or indirectly to a data subject" while sensitive personal data includes any "personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature". Although the Act does not apply to information processed outside the country, it does restrict cross-border transfers of data from Malaysia outwards. Additionally, the Act offers individuals the "right to access and correct the personal data held by data users", "the right to withdraw consent to the processing of personal data", and "the right to prevent data users from processing personal data for the purpose of direct marketing". Punishment for violating the Personal Data Protection Act can include fines or even imprisonment.

Other common law and business sector-specific laws that exist in Malaysia to indirectly protect confidential information include:
 * Official Secrets Act 1972
 * Communications and Multimedia Act 1998
 * Financial Services Act 2013
 * Islamic Financial Services Act 2013
 * Labuan Financial Services and Securities Act 2010
 * Labuan Islamic Financial Services and Securities Act 2010
 * Common law duty of bank confidentiality

Singapore
Singapore, like other Commonwealth jurisdictions, relies primarily on common law, and the law of confidence is employed for privacy protection cases. For example, privacy can be protected indirectly through various common law torts: defamation, trespass, nuisance, negligence, and breach of confidence. In February 2002, however, the Singaporean government decided that the common law approach was inadequate for its emerging globalized technological economy. Thus, the National Internet Advisory Committee published the Model Data Protection Code for the Private Sector, which set standards for personal data protection and was influenced by the EU Data Protection Directive and the OECD Guidelines on the Protection of Privacy. In the private sector, businesses can still choose to adopt the Model Code, but in 2005 Parliament decided that Singapore needed a more comprehensive legislative privacy framework.

In January 2013, Singapore's Personal Data Protection Act 2012 came into effect in three separate but related phases. The phases continued through July 2014 and dealt with the creation of the Personal Data Protection Commission, the national Do Not Call Registry, and general data protection Rules. The Act's general purpose "is to govern the collection, use and disclosure of personal data by organisations" while acknowledging the individual's right to control their personal data and the organizations' legal needs to collect this data. It imposes eight obligations on those organizations that use personal data: consent, purpose limitation, notification, access, correction, accuracy, protection/security, and retention. The Act prohibits transfer of personal data to countries with privacy protection standards that are lower than those outlined in the general data protection rules. The Personal Data Protection Commission is responsible for enforcing the Act, which is based primarily on a complaints-based system. The punishments for violating the Act can include being ordered by the Commission to stop collecting and using personal data, to destroy the data, or to pay a penalty of up to $1 million.

Singapore has also passed various sector-specific statutes that more indirectly deal with privacy and personal information, as well as more specific acts for electronically stored information:
 * Banking Act
 * Statistics Act
 * Official Secrets Act
 * Statutory Bodies and Government Companies Act
 * Central Provident Fund Act
 * Telecommunications Act
 * Spam Control Act 2007
 * Electronic Transactions Act
 * National Computer Board Act
 * Computer Misuse Act

Taiwan
The right to privacy is not explicitly mentioned in the Republic of China Constitution, but it can be protected indirectly through judicial interpretation. For example, article 12 of the Constitution states "the people shall have freedom of confidentiality of correspondence" while article 10 states "the people shall have freedom of residence and of change of residence." Along with several other articles that assert the Constitution's protection of freedoms and rights of the people, the Grand Justices are able to decide how privacy protection fits into the legal system. The Justices first made reference to privacy being a protected right in the 1992 "Interpretation of Council of Grand Justices No. 293 on Disputes Concerning Debtors' Rights," but it was not directly or explicitly declared to be a right.

In 1995, Taiwan passed the Computer-Processed Personal Data Protection Act which was influenced by the OECD Guidelines and enforced by each separate Ministry depending on their industry sector responsibility. It has also only protected personal information managed by government agencies and certain industries. In 2010, Taiwan enacted the Personal Data Protection Act that laid out more comprehensive guidelines for the public and private sectors and was still enforced by individual Ministries. In the 2010 Act, personal data is protected and defined as any "data which is sufficient to, directly or indirectly, identify that person", and includes data such as name, date of birth, fingerprints, occupation, medical records, and financial status, among many others.

A few other administrative laws also deal with communication-specific personal privacy protection:
 * Telecommunications Act
 * Communications Protection and Surveillance Act

Additionally, chapter 28 of the Criminal Code outlines punishments for privacy violations in article 315, sections 315-1 and 315-2. The sections primarily address issues of search and seizure and criminal punishment for wrongful invasion of privacy.

Finally, articles 18(I), 184(I), and 195(I) of the Taiwanese Civil Code address the "personality right" to privacy and the right to compensation when one injures the "rights" of another, such as when someone uses another's name illegally.

Thailand
Thailand's unique history of being an authoritarian buffer state during the Cold War and being under the constant threat of a coup d'état means that privacy laws have so far been limited in order to preserve national security and public safety. Thailand uses bureaucratic surveillance to maintain national security and public safety, which explains the 1991 Civil Registration Act that was passed to protect personal data in computerized record-keeping and data-processing done by the government.

The legislature passed the Official Information Act 1997 to provide basic data protection by limiting personal data collection and retention in the public sector. It defines personal information in a national context in relation to state agencies. Two communication technology-related laws, the Electronic Transactions Act 2001 and the Computer Crime Act 2007, provide some data privacy protection and enforcement mechanisms. Nevertheless, Thailand still lacks legislation that explicitly addresses privacy security.

Thus, with the need for a more general and all-encompassing data protection law, the legislature proposed the Personal Data Protection Bill in 2013, which is heavily influenced by the OECD Guidelines and the EU Directive. The draft law is still under evaluation and its enactment date is not yet finalized.

Vietnam
Vietnam, lacking a general data protection law, relies on Civil Code regulations relating to personal data protection. Specifically, the Code "protects information relating to the private life of a person." The 2006 Law on Information Technology protects personal information, such as name, profession, phone number, and email address, and declares that organizations may only use this information for a "proper purpose". The legislation, however, does not define what qualifies as proper. The 2005 Law on Electronic Transactions protects personal information during electronic transactions by prohibiting organizations and individuals from disclosing "part or all of information related to private and personal affairs ... without prior agreement." These laws do not provide a precise framework for what type of personal data is protected. The 2010 Law on Protection of Consumers' Rights provides further protection for consumer information, but it does not define the scope of that information or create a data protection authority; additionally, it is only applicable in the private sector.

In 2015, the Vietnamese legislature introduced the Law on Information Security, which ensures better information safety and protection online and in users' computer software. It took effect on 1 July 2016 and is Vietnam's first overarching data protection legislation.

Related pages

 * Information Privacy
 * Information Privacy Law
 * APEC
 * Council of Europe
 * EU
 * OECD
 * UN
 * Personal Data Protection Act 2012 (Singapore)


 * Malaysian Parliament
 * Global Privacy Enforcement Network