Understanding Data Privacy Laws and Regulations in Saudi Arabia

 
COE 526 Data Privacy
 
Lecture 2: Data Privacy and Protection Laws and Regulations
 
 
REFERENCE:
Prof. Bharat Bhargava (Purdue University) Slides on Data Protection Directives
 
Outline
Framework of Data Privacy Laws
Landscape of Data Privacy and Protection Laws
Examples of comprehensive laws and regulation
  FIPPS
  GDPR
Sectoral Data Privacy Laws in Saudi Arabia
Example of data breaches and fines
 
COE526: Lecture 2
 
Homework for Next Class
Read the Fair Information Practices Principles
  https://www.privacyfirst.nl/acties-3/item/154-the-fair-information-principles-canada.html
Read the HIPAA Privacy Rule: summary of the privacy rule
  https://www.hhs.gov/sites/default/files/privacysummary.pdf
Read the GDPR principles
  https://gdpr.eu/what-is-gdpr/
Think about these questions:
  What are the common concepts and principles these privacy laws and regulations share?
  Are there parts of the policy that are too vague? If so, suggest alternatives.
  Identify any data privacy laws and regulations in Saudi Arabia.
 
Instructions
We will break out into groups; please check your group number and join the channel in the Course Team on MS Teams.
Come up with answers to the following questions:
  What are the common concepts and principles these privacy laws and regulations share?
  Are there parts of the policy that are too vague? If so, suggest alternatives.
  Identify any data privacy laws and regulations in Saudi Arabia.
You have about 8 minutes to discuss in the groups. I will be dropping by and will be in "listen" mode.
Then, elect one member to share your answers with the class. Each group will have 1 minute.
 
Legal Views on Privacy
Privacy is a fundamental human right that has become one of the most important rights of the modern age
Each country has a provision for rights of inviolability of the home and secrecy of communications
Example: In Saudi Law, Article 40:
  "The privacy of telegraphic and postal communications, and telephone and other means of communication, shall be inviolate. There shall be no confiscation, delay, surveillance or eavesdropping, except in cases provided by the Law."
 
Data Privacy and Protection Laws
Data Privacy and Protection laws refer to legislation that is intended to:
  protect the right to privacy of individuals
  ensure that Personal Data is used appropriately by organisations that may have
Personal data is any information that can be used to identify a natural person
  Name; Phone Number; Email address; etc.
Special Categories of Personal Data require more stringent measures of protection
  Religion; Ethnicity; Medical information; Criminal Data; Children’s Data
 
Landscape of Privacy Laws
Two types of privacy laws
1. Comprehensive Laws: General laws that govern the collection, use and dissemination of personal information by public & private sectors
  Require commissioners or independent enforcement body
  Difficulty: lack of resources for oversight and enforcement; agencies under government control
2. Sectoral Laws: Avoid general laws, focus on specific sectors instead
  Advantage: enforcement through a range of mechanisms
  Disadvantage: each new technology requires new legislation
 
Comprehensive Laws in EU
European Union Council adopted the Privacy Electronic Communications Directive
  Prohibits secondary uses of data without informed consent
  No transfer of data to non-EU countries unless there is adequate privacy protection
 
Sectoral Laws in US
No explicit right to privacy in the constitution
A patchwork of federal laws for specific categories of personal information
  E.g., financial reports, credit reports, video rentals, etc.
Wide belief that self-regulation is enough and that no new laws are needed (exception: medical records)
 
EU vs. US [cf. A.M. Green, Yale, 2004]
The difference between the laws in the two systems resulted in what was called the “Safe Harbor Agreement”
US companies would voluntarily self-certify to adhere to a set of privacy principles worked out by US Department of Commerce and Internal Market Directorate of the European Commission
  Little enforcement: A self-regulatory system in which companies merely promise not to violate their declared privacy practices
  Criticized by privacy advocates and consumer groups in both US and Europe
 
Privacy Impact Assessments (PIA)
An evaluation conducted to assess how the adoption of new information policies, the procurement of new computer systems, or the initiation of new data collection programs will affect individual privacy
The premise: considering privacy issues at the early stages of a project cycle will reduce potential adverse impacts on privacy after it has been implemented
Will talk about it more in coming lectures
 
Privacy Laws Framework
Most data laws were developed alongside three major concepts that implicate our privacy
  Media
  Surveillance
  Personal data
The laws revolve around privacy "torts"
  Intrusion upon seclusion
    What does "seclusion" mean?
  Public disclosure of private facts
  Misappropriation of name or likeness
  Placing someone in a false light
  Negligent handling of people's personal information
 
 
Fair Information Practice Principles (1)
FIPPS are a set of internationally recognized principles that inform information privacy policies both within government and the private sector
The principles are
  1. Collection Limitation
  2. Data quality principle
  3. Purpose specification
  4. Use limitation principle
  5. Security safeguards principle
  6. Openness principle
  7. Individual participation principle
  8. Accountability principle
 
 
Fair Information Practice Principles (1)
FIPPS are a set of internationally recognized principles that inform information privacy policies both within government and the private sector
1. Collection Limitation
  There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
2. Data quality principle
  Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
 
Fair Information Principles (2)
3. Purpose specification
  The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
4. Use limitation principle
  Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 except: (a) with the consent of the data subject; or (b) by the authority of law.
 
Fair Information Principles (3)
5. Security safeguards principle
  Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
6. Openness principle
  There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
 
Fair Information Principles (4)
7. Individual participation principle: An individual should have the right:
  (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
  (b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him;
  (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial;
  (d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.
 
Fair Information Principles (5)
8. Accountability principle
  A data controller should be accountable for complying with measures which give effect to the principles stated above.
 
General Data Protection Regulations (GDPR)
The General Data Protection Regulations (GDPR) is new EU legislation that comes into effect on May 25th 2018.
It very clearly sets out the ways in which the privacy rights of every EU citizen must be protected and the ways in which a person’s ‘Personal Data’ can and can’t be used.
It carries significant penalties for non-compliance
  €20 million, or 4% of the entire global revenue, whichever is higher!
 
GDPR Entities
Three entities are defined in GDPR
1. A data subject: the person whose data is collected
2. A data controller: the entity that collects and uses personal data
3. A data processor: the entity that processes data on behalf of the data controller
Laws and regulations impose different obligations on the controllers and processors
For example,
  Data controller: a company has a website that collects data on the pages their visitors visit
  Data processor: Google Analytics
 
Seven Principles of Data Protection
1. Lawfulness, Fairness, Transparency
2. Purpose Limitation
  Use only for one or more specified purposes
3. Data Minimisation
  Collect only the amount of data required for the specified purpose(s)
4. Accuracy
  Ensure data is kept up to date, accurate and complete
5. Storage Limitation
  Kept for no longer than necessary for the specified purpose(s)
6. Integrity and Confidentiality
  Processed ensuring appropriate security of data
7. Accountability
  Essential not only to be compliant, but to be able to demonstrate compliance
 
How to Comply with GDPR?
The Data Protection Commissioner has issued a guide to compliance, consisting of 12 steps.
1. Becoming Aware
2. Becoming Accountable
3. Communication with members
4. Personal Privacy Rights
5. Subject Access Requests
6. Legal Basis
7. Consent
8. Children’s Data
9. Reporting Breaches
10. Impact Assessments
11. Data Protection Officers
12. International Organisations
 
Information Life Cycle
1. Capture – Obtain and record information
2. Store – Save the information electronically or in paper format
3. Use – Use or reuse information
4. Destroy – Delete, erase or shred information

GDPR Information Life Cycle
Data Protection by Design and by Default
Data Protection Impact Assessment (DPIA)
Documentation

Retention Period
Right to erasure
Portability
Third Party copies

Appropriate use Consent
Manage Consent
Restricted International Transfers

Data Minimisation
Privacy Notices
Privacy Rights
Obtain Consent

Safe and Secure
Restricted Access
Data Inventory
Subject Access Requests
Contracts with Data Processors
 
The Seven GDPR Sins
Seven lethal mistakes when designing a new IT system
1. Storing data forever
  Data can take a long time to be completely deleted
2. Reusing data indiscriminately
  E.g. Google used user's data for ad personalization
3. Walled gardens and black markets
  Ability to download your personal data instantly
  Third-party ad companies were blocked from accessing data
4. Risk-agnostic data processing
  "Unless you are breaking stuff, you are not fast enough"
5. Hiding data breaches
6. Making unexplainable decisions
7. Security as secondary goal
Shastri, S., Wasserman, M. and Chidambaram, V., 2019. The Seven Sins of Personal-Data Processing Systems under GDPR. USENIX HotCloud.
 
The Seven GDPR Sins
Seven lethal mistakes when designing a new IT system
5. Hiding data breaches
  Prior to GDPR, victims had to check for themselves whether they were impacted or not
  Now, companies must send early notifications to all impacted users
6. Making unexplainable decisions
  Taking care of privacy when using algorithmic decision making
7. Security as secondary goal
  Proactive vs. reactive security
 
Designing GDPR Compliant Systems
Companies are legally bound to comply with GDPR
Compliance with GDPR is not trivial
For example,
Three questions when designing a new storage system
1. What features should a storage system have to be GDPR-compliant?
2. How does compliance affect the performance of different types of storage system?
3. What are the technical challenges in achieving strict compliance in an efficient manner?
 
Designing for GDPR Compliance
GDPR is intentionally vague in terms of technical specifications
Features for GDPR-Compliant storage systems
1. Timely deletion
2. Monitoring and logging
3. Indexing via metadata
4. Access control
5. Encryption
6. Managing data location
Shah, Aashaka, Vinay Banakar, Supreeth Shastri, Melissa Wasserman, and Vijay Chidambaram. "Analyzing the Impact of GDPR on Storage Systems." In 11th USENIX Workshop on Hot Topics in Storage and File Systems (HotStorage 19). 2019.
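An added example, not taken from the lecture or from the cited paper: a toy in-memory key-value store that sketches five of the six features listed above (timely deletion, logging, indexing via metadata, purpose-based access control, data location). Encryption is left out, and the class, method, actor and region names are assumptions made for illustration.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    value: bytes          # would be ciphertext in a real system (encryption omitted)
    subject: str          # data subject the record belongs to
    purposes: frozenset   # purposes the subject agreed to
    expires_at: float     # retention deadline, epoch seconds
    region: str           # storage location of the record


class PrivacyAwareStore:
    """Hypothetical store; every name here is an assumption of this example."""

    def __init__(self, allowed_regions, clock=time.time):
        self._data = {}            # key -> Record
        self._by_subject = {}      # metadata index: subject -> set of keys
        self._allowed = set(allowed_regions)
        self._clock = clock
        self.audit_log = []        # (time, actor, operation, key, outcome)

    def _log(self, actor, op, key, outcome):
        self.audit_log.append((self._clock(), actor, op, key, outcome))

    def _drop(self, key):
        rec = self._data.pop(key)
        keys = self._by_subject[rec.subject]
        keys.discard(key)
        if not keys:
            del self._by_subject[rec.subject]

    def put(self, actor, key, value, subject, purposes, ttl, region):
        if region not in self._allowed:            # managing data location
            self._log(actor, "put", key, "denied:region")
            raise PermissionError(f"region {region!r} not permitted")
        if key in self._data:                      # keep the index consistent on overwrite
            self._drop(key)
        self._data[key] = Record(value, subject, frozenset(purposes),
                                 self._clock() + ttl, region)
        self._by_subject.setdefault(subject, set()).add(key)
        self._log(actor, "put", key, "ok")

    def get(self, actor, key, purpose):
        rec = self._data.get(key)
        if rec is not None and rec.expires_at <= self._clock():
            self._drop(key)                        # never serve data past retention
            self._log("system", "expire", key, "ok")
            rec = None
        if rec is None:
            self._log(actor, "get", key, "miss")
            return None
        if purpose not in rec.purposes:            # purpose-based access control
            self._log(actor, "get", key, "denied:purpose")
            raise PermissionError(f"purpose {purpose!r} not consented")
        self._log(actor, "get", key, "ok")
        return rec.value

    def purge_expired(self):
        """Timely deletion: remove every record past its retention deadline."""
        now = self._clock()
        expired = sorted(k for k, r in self._data.items() if r.expires_at <= now)
        for key in expired:
            self._drop(key)
            self._log("system", "expire", key, "ok")
        return expired

    def erase_subject(self, actor, subject):
        """Right to erasure: the metadata index finds all keys without a full scan."""
        keys = sorted(self._by_subject.get(subject, ()))
        for key in keys:
            self._drop(key)
            self._log(actor, "erase", key, "ok")
        return keys


def demo():
    now = [1_000.0]                                # constructed clock and sample data
    store = PrivacyAwareStore({"eu-west"}, clock=lambda: now[0])
    store.put("app", "u1:email", b"a@example.test", "u1", {"billing"}, 60, "eu-west")
    store.put("app", "u1:cart", b"3 items", "u1", {"billing", "ads"}, 3600, "eu-west")
    store.put("app", "u2:email", b"b@example.test", "u2", {"billing"}, 3600, "eu-west")
    denied = []
    try:
        store.get("ads-job", "u1:email", "ads")    # purpose never consented
    except PermissionError:
        denied.append("purpose")
    try:
        store.put("app", "u3:email", b"c@example.test", "u3", {"billing"}, 60, "us-east")
    except PermissionError:
        denied.append("region")
    now[0] += 120                                  # two minutes pass
    expired = store.purge_expired()
    erased = store.erase_subject("dpo", "u1")
    return denied, expired, erased, sorted(store._data), len(store.audit_log)


if __name__ == "__main__":
    print(demo())
```

Denied operations are logged as well as successful ones, so the audit log can show afterwards both what was accessed and what was refused.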
 
Sectoral Privacy Laws in Saudi Arabia
The Anti-Cyber Crime Law (2007)
  Defines a cybercrime as 'any action which involves the use of computers or computer networks, in violation of the provisions of this Law'
  Privacy-related offences under the Anti-Cyber Crime Law include:
    spying on, interception or reception of data transmitted
    invasion of privacy through the misuse of camera-equipped mobile phones and the like
    unlawful access to computers with the intention to delete, erase, destroy, leak, damage, alter or redistribute private data
  Penalties under the Anti-Cyber Crime Law include imprisonment for up to 10 years and fines of SAR 5M
https://www.mcit.gov.sa/sites/default/files/anti_cyber_crime_law_en_0.pdf
 
Sectoral Privacy Laws in Saudi Arabia
Telecoms ByLaws of 2002
  Privacy rights for individuals by protecting the confidentiality of user information.
  Service provider must not disclose personal information without the user's express written consent
Banking Consumer Protection Principles of 2013
  Requires banks to implement appropriate control and protection mechanisms
  Objective is to safeguard consumer financial and personal information
https://platform.dataguidance.com/legal-research/banking-consumer-protection-principles-2013
https://platform.dataguidance.com/legal-research/telecom-act-bylaws-2002
 
Sectoral Privacy Laws in Saudi Arabia
E-commerce Law (2019)
  Regulates online economic activities for the sale of products or services, online advertising or data exchange.
  Addresses the collection, use and retention of Consumer Data by introducing European-style data protection principles into national KSA laws for the first time.
Cloud Computing Regulatory Framework of 2019
  CSPs are required to register with the CITC
  The CSP must inform customers upon request of the information security features they offer to enable the customer to inform its decision
  'Level 3' and 'Level 4' content (as defined in the Cloud Framework) must not be transferred outside the KSA
https://mc.gov.sa/en/Regulations/Pages/details.aspx?lawId=aaa4d4cf-ca57-41ff-a3f9-aa8500a3512c&hw=e-commerce
https://platform.dataguidance.com/legal-research/cloud-computing-regulatory-framework-2019
 
Examples of Data Laws Breaches
Marriott International Inc.
  ~339 million guest records leaked, including payment details
  ~30 million are EU
  Fined £99,200,396 for the violation
British Airways
  ~500K customers' information leaked
  Resulted in a fine of £183.39 million.
Google
  Failing to get valid consent from the users for personalized ads.
  Google was fined €50 million
Facebook
  Related to Cambridge
  Fined £500,000
List of GDPR fines
  https://www.nathantrust.com/gdpr-fines-penalties
  https://www.cookielawinfo.com/gdpr-fines-biggest-gdpr-violation-examples/
 
Conclusions [cf. A.M. Green, Yale, 2004]
More work to be done to ensure the security of personal information for all individuals in all countries
Technological solutions to protect privacy are implemented to a limited extent only
Not enough being done to encourage the implementation of technical solutions for privacy compliance and enforcement

This content provides an overview of data privacy laws and regulations, focusing on the landscape of data protection laws, examples of comprehensive regulations like FIPPS and GDPR, and sector-specific laws in Saudi Arabia. It includes a homework assignment to explore Fair Information Practices Principles, HIPAA Privacy Rule, and GDPR principles, with a discussion on common concepts and principles shared by privacy laws. Legal views on privacy as a fundamental human right and the importance of protecting personal data are also explored.


Uploaded on Aug 06, 2024

