ONLINE PRIVACY & DATA PROTECTION

VERINE ETSEBETH

Upload: larry-roston

Post on 01-Apr-2015



Page 2

INTRODUCTION

TRADITIONAL VERSUS ONLINE DATA PROTECTION

“We leave data everywhere we go”

“What happens to our data happens to ourselves”

“Who controls our data controls our lives”

Page 3

CHALLENGES FACING ONLINE DATA PROTECTION

INTERNATIONAL LEGISLATIVE DEVELOPMENTS IN RESPONSE TO ONLINE PRIVACY CONCERNS

Individual country response:

1. EU

2. UK

3. CANADA

4. AUSTRALIA

5. USA

Page 4

ESSENTIAL MEASURES INTRODUCED BY COUNTRIES:

1. Consent requirement mechanism

2. Access requirement mechanism

3. Onward transfer provisions

4. Notice requirement mechanism

5. Information security mechanism

6. Spam regulation

Page 5

Importance of online privacy

Physical world privacy vs. online privacy

Past – personal information kept under lock & key in offices

Now – electronically available, anywhere, anytime, anyplace

Problem

(1) electronic data is easily transferable

(2) businesses share information indiscriminately

Solution to the problem = Legislature introduced PROTECTION OF PERSONAL INFORMATION BILL (PPI Bill)

Page 6

Natural persons & Juristic persons

Natural persons: any individual

Juristic persons: any business entity

For example:

Close Corporations

Private & Public Companies

Partnerships

Businesses that have been incorporated

Page 7

personal information

information about an identifiable person – e.g.:

gender, religion, race, etc

fingerprints, blood type (DNA)

medical records

Page 8

data subject: the person who provides information about himself/herself

data controller: the person who collects, processes, stores and uses information

third party: person to whom data is disclosed

Page 9

SA does not have separate legislation dealing exclusively with privacy protection

Applicable law is fragmented

Mirrors the EU Data Protection Directive

Page 10

Page 11

The data controller must disclose to data subject the purpose(s) for which it is going to use the collected information

Purpose must be stated with relative degree of certainty

Purpose may not be defined in general, vague terms

Page 12

Before the data controller will be entitled to collect, use or process any personal information, it must obtain the prior written consent from the data subject to do so

Consent requirement = key feature of PPI Bill

Without consent no data that might have been collected may be used in any manner

Unlawful usage can result in huge fines & possibility of imprisonment

Page 13

Data controller must ensure that data which is collected is accurate, current and up-to-date

Two token identification generally required in SA

Page 14

When collecting, using and/or processing the personal information the data controller must at all relevant times inform the data subject of his/her rights

This would entail informing the data subject EXACTLY which statutes protect him/her & what remedies are available to him/her if they feel their rights have been violated

Page 15

A data controller may not retain the personal information collected for any period longer than is necessary for the stated purpose

The period for which the data controller decides to retain the information must therefore be reasonable & justifiable.

KEY QUESTION = can you motivate why you are still retaining the data collected to a court of law?

Position in America

Page 16

• A data controller must destroy any collected information that is no longer needed or used by them.

• Destruction ≠ deletion

Page 17

8. CROSS-BORDER TRANSFER OF INFO

Page 18

Data controller must take adequate security measures to protect the confidentiality, integrity and availability of the information (CIA)

Confidentiality: no unauthorised persons should be permitted to view the information – encryption and cryptography

Integrity: no unauthorised person may alter the information – encryption and digital signatures

Availability: information must be readily available on demand

Digital signatures & PKI

Page 19

Any questions???