Hello. It's been some time since my last post. I've used my time away to revisit how I will be using this website moving forward, as I step back from privacy consulting.

I've decided to maintain my website and keep blogging mainly about privacy, but also on developments in law and technology. As I try to get back on track with my blogging, I am sharing with you this resource on privacy legislation in different jurisdictions. The table also shows information on the following:

  • title of the key law

  • years of the original law and the current version

  • membership of the country in regional groupings

  • sector coverage (whether public, private, or both)

  • name of the data protection authority

  • membership of the data protection authority in data protection groupings

The resource was prepared by Graham Greenleaf, Professor of Law & Information Systems, University of New South Wales. This link brings you to the SSRN page of the document. You may need an account to download.


Yesterday, a data breach complaint was filed with several data protection authorities in the European Union by Dr Johnny Ryan of Brave (the private web browser); Jim Killock, Executive Director of the Open Rights Group; and Michael Veale of University College London. A post on the Brave website explains the basis of the action as follows:

"Every time a person visits a website and is shown a “behavioural” ad on a website, intimate personal data that describes each visitor, and what they are watching online, is broadcast to tens or hundreds of companies.

"Advertising technology companies broadcast these data widely in order to solicit potential advertisers’ bids for the attention of the specific individual visiting the website. A data breach occurs because this broadcast, known as a “bid request” in the online industry, fails to protect these intimate data against unauthorized access. Under the GDPR this is unlawful."

How the data protection authorities will resolve this complaint will have significant implications not only on data privacy online but also on the business models of advertising technology companies and platforms such as Google and Facebook.

For more information about this case, please see the links below:

#GDPR #personaldatabreach #adtech #Google #Facebook #advertising

I read the news reports yesterday where Defense Secretary Lorenzana admitted to giving Solicitor General Calida the amnesty files of Senator Trillanes and the hundreds of other soldiers who availed of the amnesty in 2011. In the same news reports, Secretary Lorenzana said that SolGen Calida merely asked for the files but did not tell him of the purpose for the request. Lorenzana gave the files to Calida anyway.

I’ve been thinking about this since yesterday and I remain bothered by the readiness of Secretary Lorenzana to disclose personal data of hundreds of people without an ostensible lawful basis for the disclosure.

This question of whether government agencies can share personal data of individuals with each other has already been touched upon by the National Privacy Commission.

In NPC Advisory Opinion No. 2018-007, the NPC discussed whether the Department of Health may share the list of students vaccinated with Dengvaxia with the Public Attorney’s Office. The NPC stated that while the PAO was mandated to assist indigent victims in filing cases, the PAO needs to show lawful basis for the access to the DOH records, such as—in this instance—consent from the Dengvaxia victims. The NPC further made this important pronouncement:

“[W]e take time to emphasize that the government is one of the biggest repositories of the personal data of citizens. The government or its agencies, however, do not have the blanket authority to access or use the information about private individuals under the custody of another agency.” <Emphasis mine.>

True, as Solicitor General, it may have been within Calida’s office to investigate the propriety of the availment of the amnesty. But from Lorenzana’s statement, it is not apparent that Calida’s request was pursuant to his official duties as Solicitor General. In fact, Lorenzana claims that Calida did not give any reason for the request at all. Under the circumstances, the Department of National Defense—as personal information controller of the personal data submitted by the Magdalo soldiers in reference to their amnesty applications—may have been remiss in its duties to safeguard the personal data of data subjects.

In NPC Advisory Opinion No. 2018-007, the NPC issued this reminder to the DOH:

“We urge the DOH to be circumspect in releasing information relating to sensitive personal information of individuals. It should do so only if it is satisfied that such release is authorized under law, adheres to data privacy principles and reasonable and appropriate security measures are in place for the protection of said data.”

It is advice that the DND—and all other government agencies—would do well to heed.

Want to read the NPC Advisory in full? Here's the link.

#government #datasharing #lawfulbasis
