Jump to content

Data Privacy: Difference between revisions

From ICANNWiki
Jessica (talk | contribs)
Jessica (talk | contribs)
 
(17 intermediate revisions by 2 users not shown)
Line 1: Line 1:
'''Data privacy''' concerns the handling of sensitive information.
'''Data privacy''' concerns the handling of sensitive information, and consumer rights to privacy of their personal information.  


==Legislation==
==Legislation & Regulation==
* [[California Consumer Privacy Act]] (CCPA)  
* [[General Data Protection Regulation]] (GDPR) - EU regulation, applicable to all member nations and anyone with a nexus with the European Economic Area.
* [[GDPR]]
* The [[Health Insurance Portability and Accountability Act]] (HIPAA) - U.S. federal law governing the privacy and security of personal health information.
* The [[Children's Online Privacy Protection Act]] (COPPA) - U.S. federal law governing the privacy of children and minors online.
* [[California Consumer Privacy Act]] (CCPA) - California state privacy statute that includes online privacy protection.


==Privacy Automation==
==ICANN Policy and PDPs==
* The ICANN Board approved the [[Temporary Specification for gTLD Registration Data]] in response to conflicts between its existing registration policies and the GDPR.<ref>[https://www.icann.org/resources/pages/gtld-registration-data-specs-en ICANN.org - Temporary Specification for gTLD Registration Data], effective as of May 27, 2018</ref> The specification was intended to be supplanted within a year by consensus policy developed through an [[Expedited Policy Development Process]] (see next bullet). Under these terms, the Temporary Specification expired in May 2019.<ref name="interim">[https://www.icann.org/resources/pages/interim-registration-data-policy-en ICANN.org - Interim Registration Data Policy], May 17, 2019</ref>
* The [[Expedited Policy Development Process on the Temporary Specification for gTLD Registration Data (EPDP)]] is concerned with enabling the provision of registration data while maintaining compliance with data protection laws. The EPDP was broken into three phases (Phase 1, Phase 2, and Phase 2A). While all of the phases have resulted in final reports to the board, the implementation of policy resulting from the EPDP is ongoing as of December 2021.
* As part of Phase 1 of the EPDP, the [[Interim Registration Data Policy]] was approved by the board in May 2019.<ref name="interim blog">[https://www.icann.org/en/announcements/details/icann-gtld-registries-and-registrars-required-to-implement-new-interim-registration-data-policy-by-20-may-2019-17-5-2019-en ICANN.org - gTLD Registries and Registrars Required to Implement New Interim Registration Data Policy], May 17, 2019</ref> The interim policy requires registries and registrars to comply with the Temporary Specification until the Data Registration Policy recommended by EPDP Phase 1 is implemented.<ref name="interim" /> It was recommended by the EPDP Phase 1 team that the Data Registration Policy be rolled out by February 2020.
* The [[SSAD|System for Standardized Access/Disclosure]] was the main focus of the recommendations from the final report of the EPDP Phase 2 working group. The system would permit accredited parties access to protected, anonymized, or proxied registration data upon request, presuming that the request stemmed from a legitimate need for the information.


==Overlaps with Cybersecurity==
==Means and Methods==
===Privacy Automation===
Privacy automation refers to the non-manual handling of data, notice, consent, and regulatory obligations.<ref>[https://martechlive.com/data-privacy-automation-and-importance/ What Is Data Privacy Automation and Why Is It Important, MarTechLive]</ref>
===Virtual Private Network===
A [[Virtual Private Network]] (VPN) creates an encrypted tunnel between the user and a remote server operated by the VPN service. All of that user's internet traffic and data are routed through this tunnel. As the traffic exits the VPN server, the true IP address is hidden, masking the user's identity and location.<ref>[https://www.pcmag.com/how-to/what-is-a-vpn-and-why-you-need-one What is a VPN and Why you need one, PC Magazine]</ref>
===Tor Project===
[[The Tor Project]] is a 501(c)(3) nonprofit organization that develops free, open-source software for privacy and freedom online from tracking, surveillance, and censorship. Tor bounces communications around a distributed network of relays run by volunteers worldwide and prevents sites from learning end user's physical location. The Onion Router is a network of servers that connects through a series of virtual tunnels rather than direct connections.<ref>[https://2019.www.torproject.org/about/overview.html.en#overview Overview, Tor Project]</ref>


==Organizations & Groups==
===Global===
* [[Digital Privacy Alliance]]
* [[Electronic Frontier Foundation]]
* [[Electronic Privacy Information Center]]
* [[Identity Theft Resource Center]]
* [[International Association of Privacy Professionals]]
* [[Privacy International]]
* [[Privacy Rights Clearing House]]
* [[World Privacy Forum]]
===Regional===
* [[Californians for Consumer Privacy]]
==Overlaps with [[Cybersecurity]]==
[[Sebastian Schonfeld]] and [[Natalie Dunleavy Campbell]] argued [[Cryptographyy|encryption]] protects children and proposals such as the U.S. EARN IT Act, the STOP CSAM Act, and the Kids Online Safety Act pose a serious threat to cybersecurity.<ref>[https://www.internetsociety.org/blog/2023/05/encryption-keeps-kids-safe-online/ Encryption Keeps Kids Safe Online, Internet Society Blog, 3 May 2023 ]</ref> By contrast, [[Paul Vixie]] replied that "an internet without disruption or intermediation gives the same rights to an intruder that are meant for family members, employees, or customers. privacy vs. security isn't a strict bimodal solution space." [[Andrew Campling]] agreed with Vixie, stating that "Too often encryption and security are erroneously conflated when they are quite separate...[for] stopping the dissemination of [[CSAM]], options already exist for privacy-preserving content filtering at endpoints. Experts in organisations like the [[Internet Watch Foundation]] (IWF) can provide advice on this topic and can also test the effectiveness of applications etc.''
Data security is a central theme of privacy regulations. In addition to codifying an expectation of privacy, most regulations set minimum standards for the treatment, uses, and protection of personal information. Many regulations also specify how companies and organizations should deal with data breaches. Personal information, particularly personally identifying information or financial information is a prime target of cybercriminals. However, whereas data security protects data from leaks caused by (internal or external) malicious actors, data privacy controls the processes involved in data collection, sharing, and usage.<ref>[https://martechlive.com/data-privacy-automation-and-importance/ What Is Data Privacy Automation and Why Is It Important, MarTechLive]</ref>
==References==
{{reflist}}
[[Category:Concepts]]
[[Category:Concepts]]

Latest revision as of 19:32, 4 May 2023

Data privacy concerns the handling of sensitive information, and consumer rights to privacy of their personal information.

Legislation & Regulation[edit | edit source]

ICANN Policy and PDPs[edit | edit source]

  • The ICANN Board approved the Temporary Specification for gTLD Registration Data in response to conflicts between its existing registration policies and the GDPR.[1] The specification was intended to be supplanted within a year by consensus policy developed through an Expedited Policy Development Process (see next bullet). Under these terms, the Temporary Specification expired in May 2019.[2]
  • The Expedited Policy Development Process on the Temporary Specification for gTLD Registration Data (EPDP) is concerned with enabling the provision of registration data while maintaining compliance with data protection laws. The EPDP was broken into three phases (Phase 1, Phase 2, and Phase 2A). While all of the phases have resulted in final reports to the board, the implementation of policy resulting from the EPDP is ongoing as of December 2021.
  • As part of Phase 1 of the EPDP, the Interim Registration Data Policy was approved by the board in May 2019.[3] The interim policy requires registries and registrars to comply with the Temporary Specification until the Data Registration Policy recommended by EPDP Phase 1 is implemented.[2] It was recommended by the EPDP Phase 1 team that the Data Registration Policy be rolled out by February 2020.
  • The System for Standardized Access/Disclosure was the main focus of the recommendations from the final report of the EPDP Phase 2 working group. The system would permit accredited parties access to protected, anonymized, or proxied registration data upon request, presuming that the request stemmed from a legitimate need for the information.

Means and Methods[edit | edit source]

Privacy Automation[edit | edit source]

Privacy automation refers to the non-manual handling of data, notice, consent, and regulatory obligations.[4]

Virtual Private Network[edit | edit source]

A Virtual Private Network (VPN) creates an encrypted tunnel between the user and a remote server operated by the VPN service. All of that user's internet traffic and data are routed through this tunnel. As the traffic exits the VPN server, the true IP address is hidden, masking the user's identity and location.[5]

Tor Project[edit | edit source]

The Tor Project is a 501(c)(3) nonprofit organization that develops free, open-source software for privacy and freedom online from tracking, surveillance, and censorship. Tor bounces communications around a distributed network of relays run by volunteers worldwide and prevents sites from learning end user's physical location. The Onion Router is a network of servers that connects through a series of virtual tunnels rather than direct connections.[6]

Organizations & Groups[edit | edit source]

Global[edit | edit source]

Regional[edit | edit source]

Overlaps with Cybersecurity[edit | edit source]

Sebastian Schonfeld and Natalie Dunleavy Campbell argued encryption protects children and proposals such as the U.S. EARN IT Act, the STOP CSAM Act, and the Kids Online Safety Act pose a serious threat to cybersecurity.[7] By contrast, Paul Vixie replied that "an internet without disruption or intermediation gives the same rights to an intruder that are meant for family members, employees, or customers. privacy vs. security isn't a strict bimodal solution space." Andrew Campling agreed with Vixie, stating that "Too often encryption and security are erroneously conflated when they are quite separate...[for] stopping the dissemination of CSAM, options already exist for privacy-preserving content filtering at endpoints. Experts in organisations like the Internet Watch Foundation (IWF) can provide advice on this topic and can also test the effectiveness of applications etc.

Data security is a central theme of privacy regulations. In addition to codifying an expectation of privacy, most regulations set minimum standards for the treatment, uses, and protection of personal information. Many regulations also specify how companies and organizations should deal with data breaches. Personal information, particularly personally identifying information or financial information is a prime target of cybercriminals. However, whereas data security protects data from leaks caused by (internal or external) malicious actors, data privacy controls the processes involved in data collection, sharing, and usage.[8]

References[edit | edit source]