Today we are in for a special treat.
Andreas Wuchner, the Global Information Security and Risk Officer for Novartis, has agreed to pen a guest blog on the issues of global privacy. Please enjoy it below:
It is not nice, but the European Commission, the U.S., Argentina, Japan and other countries have different privacy laws and regulations, and there are significant discrepancies between all of them. The sheer number of different laws is one of the biggest challenges a Privacy and Risk Management professional or organization must face. Many countries have privacy regulations built on similar principles, which in general aim to protect the privacy of their citizens. The differences lie in the varying degrees to which nations approach regulatory compliance with those principles.
Comprehensive laws (European Union (EU)):
For historical reasons, many countries in the EU have placed a high value on personal privacy. Too many countries in Europe have experienced what a repressive government or occupying force can do with their data for this subject to be of no concern. These values have been inherited by the EU, where personal privacy is a fundamental human right (Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms). Many EU countries have had privacy laws for decades. This often takes an omnibus legislative approach: at least one dedicated piece of privacy legislation plus sector-related privacy regulations, such as those seen in drug development laws.
Sectoral laws (US):
Freedom from unreasonable government intrusion into personal affairs is a fundamental Constitutional right (4th Amendment to the United States Constitution).
Relatively recent legislation has started to focus on protecting individuals from private intrusions into personal affairs. Federal data privacy law in the US follows sectoral lines, with health data and financial data regulated by specific legislation. There is as of now no Federal privacy act for private companies, but both Federal and State laws regulate special circumstances such as the protection of driver license and credit card data. Akin in some ways to privacy law in its effect, the majority of US States have their own, differing data breach notification legislation in place. Typically these laws require that State authorities and the people affected be told that a breach has happened, but the consequences, how to notify and by when can differ widely.
Even though Europe has a much longer history and more mature processes around the protection of personal rights, there are still significant differences in privacy approaches even among the EU member states. The EU Data Privacy Directive 95/46/EC is a guideline for EU nations; however, each of the 27 EU member states has its own national law, and each has its own agency that interprets that law.
This may seem quite daunting, yet just as there are many differences, there are also similarities between the privacy laws. The collection of a data subject’s “unambiguous consent” is an example of this. The collection of consent is the backbone of any privacy legislation, and the EU, US, Canada, Australia, Japan and many more countries share this requirement.
As there are so many possible pitfalls, it is highly recommended to familiarize yourself with the requirements of the different locations you are doing business in, as you could very quickly become responsible for not following local laws. On my blog I have published a series of privacy-related articles over the last three weeks. Please feel free to have a look at http://ITRiskSpace.com for further information.
Privacy Law Links
Please also see here some links that lead to several countries’ laws:
The Swiss law is at: http://www.admin.ch/ch/d/sr/2/235.1.de.pdf
The German law is at: http://www.gesetze-im-internet.de/bdsg_1990/index.html