Understanding Data Privacy Laws and Regulations in Saudi Arabia

This content provides an overview of data privacy laws and regulations, focusing on the landscape of data protection laws, examples of comprehensive regulations like FIPPS and GDPR, and sector-specific laws in Saudi Arabia. It includes a homework assignment to explore Fair Information Practices Principles, HIPAA Privacy Rule, and GDPR principles, with a discussion on common concepts and principles shared by privacy laws. Legal views on privacy as a fundamental human right and the importance of protecting personal data are also explored.

• Data Privacy
• Data Protection
• Laws and Regulations
• GDPR
• Saudi Arabia

twyla Follow

Uploaded on Aug 06, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

Presentation Transcript

1. COE 526 Data Privacy Lecture 2: Data Privacy and Protection Laws and Regulations REFERENCE: Prof. Bharat Bhargava (Purdue University) Slides on Data Protection Directives

2. Outline Framework of Data Privacy Laws Landscape of Data Privacy and Protection Laws Examples of comprehensive laws and regulation FIPPS GDPR Sectoral Data Privacy Laws in Saudi Arabia Example of data breaches and Fines 2 COE526: Lecture 2

3. Homework for Next Class Read the Fair Information Practices Principles https://www.privacyfirst.nl/acties-3/item/154-the-fair- information-principles-canada.html Read the HIPAA Privacy Rule Summary of the privacy rule https://www.hhs.gov/sites/default/files/privacysummary.pdf Read the GDPR principles https://gdpr.eu/what-is-gdpr/ Think about these questions: What are the common concepts and principles these privacy laws and regulations share? Are there parts of the policy that are too vague? If so, suggest alternatives Identify any data privacy laws and regulations in Saudi Arabia 3 COE526: Lecture 2

4. Instructions We will break out to groups, please check your group number and join the channel in the Course Team on MS TEAMS Come up with answers for the following questions What are the common concepts and principles these privacy laws and regulations share? Are there parts of the policy that are too vague? If so, suggest alternatives Identify any data privacy laws and regulations in Saudi Arabia You have about 8 minutes to discuss in the groups. I will be dropping by and be on "listen" mode Then, elect one member to share your answers with the class. Each group will have 1 minute 4 COE526: Lecture 2

5. Legal Views on Privacy Privacy is a fundamental human right that has become one of the most important rights of the modern age Each country has a provision for rights of inviolability of the home and secrecy of communications Example: In Saudi Law Article 40: "The privacy of telegraphic and postal communications, and telephone and other means of communication, shall be inviolate. There shall be no confiscation, delay, surveillance or eavesdropping, except in cases provided by the Law." 5 COE526: Lecture 2

6. Data Privacy and Protection Laws Data Privacy and Protection laws refer to legislation that is intended to: protect the right to privacy of individuals ensure that Personal Data is used appropriately by organisations that may have Personal data is any information that can be used to identify a natural person Name; Phone Number; Email address; etc Special Categories of Personal Data require more stringent measures of protection Religion; Ethnicity; Medical information; Criminal Data; Children s Data 6 COE526: Lecture 2

7. Landscape of Privacy Laws Two types of privacy laws Comprehensive Laws: General laws that govern the collection, use and dissemination of personal information by public & private sectors Require commissioners or independent enforcement body Difficulty: lack of resources for oversight and enforcement; agencies under government control 1. Sectoral Laws: Avoid general laws, focus on specific sectors instead Advantage: enforcement through a range of mechanisms Disadvantage: each new technology requires new legislation 2. 7 COE526: Lecture 2

8. Comprehensive Laws In EU European Union Council adopted the Privacy Electronic Communications Directive Prohibits secondary uses of data without informed consent No transfer of data to non EU countries unless there is adequate privacy protection 8 COE526: Lecture 2

9. Sectoral Laws in US No explicit right to privacy in the constitution A patchwork of federal laws for specific categories of personal information E.g., financial reports, credit reports, video rentals, etc. Wide belief that self-regulation is enough and that no new laws are needed (exception: medical records) 9 COE526: Lecture 2

10. EU vs. US [cf. A.M. Green, Yale, 2004] The difference between the laws in the two systems resulted in what was called the Safe Harbor Agreement US companies would voluntarily self-certify to adhere to a set of privacy principles worked out by US Department of Commerce and Internal Market Directorate of the European Commission Little enforcement: A self-regulatory system in which companies merely promise not to violate their declared privacy practices Criticized by privacy advocates and consumer groups in both US and Europe 10 COE526: Lecture 2

11. Privacy Impact Assessments (PIA) An evaluation conducted to assess how the adoption of new information policies, the procurement of new computer systems, or the initiation of new data collection programs will affect individual privacy The premise: Considering privacy issues at the early stages of a project cycle will reduce potential adverse impacts on privacy after it has been implemented Will talk about it more in coming lectures 11 COE526: Lecture 2

12. Privacy Laws Framework Most data laws were developed alongside three major concepts that implicate our privacy Media Surveillance Personal data The laws revolve around privacy "torts" Intrusion upon seclusion What does "seclusion" mean? Public disclosure of private facts Misappropriation of name or likeness Placing someone in a false light Negligent handling of people's personal information 12 COE526: Lecture 2

13. Fair Information Practice Principles (1) FIPPS are a set of internationally recognized principles that inform information privacy policies both within government and the private sector The principles are Collection Limitation Data quality principle Purpose specification Use limitation principle Security safeguards principle Openness principle Individual participation principle Accountability principle 13 COE526: Lecture 2

14. General Data Protection Regulations (GDPR) The General Data Protection Regulations (GDPR) is new EU legislation that comes into effect on May 25th 2018. It very clearly sets out the ways in which the privacy rights of every EU citizen must be protected and the ways in which a person s Personal Data can and can t be used. It carries significant penalties for non-compliance 20 Millions, or 4% of the entire global revenue Whichever is higher! 19 COE526: Lecture 2

15. GDPR Entities Three entities are defined in GDPR A data subject: the person whose data is collected A data controller: the entity that collects and uses personal data A data processor: the entity that processes data on behalf of the data controller Laws and regulations impose different obligations on the controllers and processors For example, Data controller: a company has a website that collects data on the pages their visitors visit Data processor: Google Analytics 1. 2. 3. 20 COE526: Lecture 2

16. Seven Principles of Data Protection 1. Lawfulness, Fairness, Transparency 2. Purpose Limitation Use only for one or more specified purposes 3. Data Minimisation Collect only the amount of data required for the specified purpose(s) 4. Accuracy Ensure data is kept up to date, accurate and complete 5. Storage Limitation Kept for no longer than necessary for the specified purpose(s) 6. Integrity and Confidentiality Processed ensuring appropriate security of data 7. Accountability Essential not only to be compliant, but to be able to demonstrate compliance 21 COE526: Lecture 2

17. How to Comply with GDPR? GD PR The Data Protection Commissioner has issued a guide to compliance, consisting of 12 steps. 1. Becoming Aware 2. Becoming Accountable 3. Communication with members 4. Personal Privacy Rights 5. Subject Access Requests 6. Legal Basis 7. Consent 8. Children s Data 9. Reporting Breaches 10.Impact Assessments 11.Data Protection Officers 12.International Organisations 22 COE526: Lecture 2

18. Information Life Cycle 1.Capture Obtain and record information 2.Store Save the information electronically or in paper format 3.Use Use or reuse information 4.Destroy Delete, erase or shred information Capture Destroy Store Use 23 COE526: Lecture 2

19. GDPR Information Life Cycle Data Protection by Design and by Default Data Protection Impact Assessment (DPIA) Documentation Assess Retention Period Right to erasure Portability Third Party copies Data Minimisation Privacy Notices Privacy Rights Obtain Consent Destroy Capture Use Store Safe and Secure Restricted Access Data Inventory Subject Access Requests Contracts with Data Processors Appropriate use Consent Manage Consent Restricted International Transfers 24 COE526: Lecture 2

20. The Seven GDPR Sins Seven lethal mistakes when designing a new IT system Storing data forever Data can take long time to be completely deleted Reusing data indiscriminately E.g. Google used user's data for ad personalization Walled gardens and black markets Ability to download your personal data instantly Third-party ad companies were blocked from accessing data Risk-agnostic data processing "Unless you are breaking stuff, you are not fast enough" Hiding data breaches Making unexplainable decisions Security as secondary goal 1. 2. 3. 4. 5. 6. 7. Shastri, S., Wasserman, M. and Chidambaram, V., 2019. The Seven Sins of Personal-Data Processing Systems under GDPR. USENIX HotCloud. 25 COE526: Lecture 2

21. The Seven GDPR Sins Seven lethal mistakes when designing a new IT system Hiding data breaches Prior to GDPR, victims have to check themselves whether they are impacted or not Now, companies must send early notifications to all impacted users Making unexplainable decisions Taking care of privacy when using algorithmic decision making 10. Security as secondary goal Proactive Vs. Reactive security 8. 9. Shastri, S., Wasserman, M. and Chidambaram, V., 2019. The Seven Sins of Personal-Data Processing Systems under GDPR. USENIX HotCloud. 26 COE526: Lecture 2

22. Designing GDPR Compliant Systems Companies are legally bound to comply with GDPR Compliance with GDPR is not trivial For example, Three questions when designing a new storage system What features should a storage system have to be GDPR-compliant? How does compliance affect the performance of different types of storage system? What are the technical challenges in achieving strict compliance in an efficient manner? 1. 2. 3. 27 COE526: Lecture 2

23. Designing for GDPR Compliance GDPR is intentionally vague in terms of technical specifications Features for GDPR-Compliant storage systems Timely deletion Monitoring and logging Indexing via metadata Access control Encryption Managing data location 1. 2. 3. 4. 5. 6. Shah, Aashaka, Vinay Banakar, Supreeth Shastri, Melissa Wasserman, and Vijay Chidambaram. "Analyzing the Impact of {GDPR} on Storage Systems." In 11th {USENIX} Workshop on Hot Topics in Storage and File Systems (HotStorage 19). 2019. 28 COE526: Lecture 2

24. Sectoral Privacy Laws in Saudi Arabia The Anti-Cyber Crime (2007) A cybercrime as 'any action which involves the use of computers or computer networks, in violation of the provisions of this Law Privacy-related offences under the Anti-Cyber Crime Law include: spying on, interception or reception of data transmitted invasion of privacy through the misuse of camera equipped mobile phones and the like unlawful access to computers with the intention to delete, erase, destroy, leak, damage, alter or redistribute private data The Anti-Cyber Crime penalties including imprisonment for up to 10 years and fines of SAR 5M https://www.mcit.gov.sa/sites/default/files/anti_cyber_crime_law_en_0.pdf 29 COE526: Lecture 2

25. Sectoral Privacy Laws in Saudi Arabia Telecoms ByLaws of 2002 Privacy rights for individuals by protecting the confidentiality of user information. Service provider must not disclose personal information without the user's express written consent Banking Consumer Protection Principles of 2013 Requires banks to implement appropriate control and protection mechanisms Objective is to afeguard consumer financial and personal information https://platform.dataguidance.com/legal-research/banking-consumer-protection-principles-2013 https://platform.dataguidance.com/legal-research/telecom-act-bylaws-2002 30 COE526: Lecture 2

26. Sectoral Privacy Laws in Saudi Arabia E-commerce Law (2019) regulates online economic activities for the sale of products or services, online advertising or data exchange. Addresses the collection, use and retention of Consumer Data by introducing European-style data protection principles into national KSA laws for the first time. Cloud Computing Regulatory Framework of 2019 CSPs are required to register with the CITC The CSP must inform customers upon request of the information security features they offer to enable the customer to inform its decision 'Level 3' and 'Level 4' content (as defined in the Cloud Framework) must not be transferred outside the KSA htthttps://mc.gov.sa/en/Regulations/Pages/details.aspx?lawId=aaa4d4cf-ca57-41ff-a3f9-aa8500a3512c&hw=e-commerce ps://platform.dataguidance.com/legal-research/cloud-computing-regulatory-framework-2019 31 COE526: Lecture 2

27. Examples of Data Laws Breaches Marriot International Inc. ~339 million guest records leaked including payment details ~30 million are EU fined 99,200,396 for the violation British Airways ~500K customers information leakes Resulted in a fine of 183.39 million. Google failing to get valid consent from the users for personalized ads. Google was fined 50 million Facebook Related to Cambridge Fined 500,000 List of GPDR fines https://www.nathantrust.com/gdpr-fines-penalties https://www.cookielawinfo.com/gdpr-fines-biggest-gdpr-violation- examples/ 32 COE526: Lecture 2

28. Conclusions [cf. A.M. Green, Yale, 2004] More work to be done to ensure the security of personal information for all individuals in all countries Technological solutions to protect privacy are implemented to a limited extent only Not enough being done to encourage the implementation of technical solutions for privacy compliance and enforcement 33 COE526: Lecture 2