The Edge - Volume One

PRIVACY LAWS AND HOW THEY VARY GLOBALLY

Privacy laws vary greatly around the world, from regions like the EU where policies are well-developed and getting stricter, to regions like the Middle East where there are significantly less rules governing data privacy protection. As IoT devices capable of collecting all kinds of data at all times become more widespread, privacy laws will likely fall in line. According to a Deloitte report on big data, there were only 20 privacy laws worldwide in the ‘90s. Now, there are more than 100.

AUSTRALIA Two main federal laws apply to IoT data collected in Australia: the Privacy Act of 1988, and Telecommunications Act passed in 1997. Under the Privacy Act, most companies are required to comply with privacy principles when collecting information that could identify a user. The privacy principles require companies establish a privacy policy, give users the option to remain anonymous when possible, keep users' personal data secure, notify users about the information they're collecting and provide access to their data. operation, which otherwise deals with the statutory requirements for the collection and use of personal information. Time will tell whether the Australian government will amend the Act to recognize the implications of the increasing collection and use of biometric information. ASIA PACIFIC Countries in Asia/Pacific, like China, Indonesia and India, have minimal regulation related to data privacy issues, which causes problems for enterprises when data is moved or collected. China has recently invested heavily in facial recognition technology with minimal privacy regulations attached. Banks, airports, hotels and even public toilets are all trying to verify people’s identities by analyzing their faces. Security industry reports show the country will use facial recognition and AI to analyze and understand the mountain of incoming video evidence; to track suspects, spot suspicious behaviors and even predict crime; to coordinate the work of emergency services; and to monitor the comings and goings of the country’s 1.4 billion people. Meanwhile, New Zealand, Singapore and Japan have data privacy laws similar to those in the EU and Australia. The Privacy Act of 1988 excludes employment records from its

Here’s a look at some of the laws currently in place in countries and regions around the world:

UNITED STATES When it comes to privacy laws, the U.S.’s federal and state privacy laws vary widely. According to the National Conference of State Legislatures, 31 states have data disposal laws and 47 states have security breach notification laws, but the laws are not uniform. Last year, the Federal Trade Commission issued a report containing best practices for protecting user data, aimed at companies who make IoT-connected devices. The recommendations included designing devices with data security in mind, conducting tests of security measures on a regular basis, avoiding collecting more data than necessary, and displaying privacy information in a way that's easy to understand and appropriate for the device. CANADA In Canada, a federal law called the Personal Information Protection and Electronic Documents Act (PIPEDA) sets rules on how companies are required to protect personal data. The law requires companies to create a privacy management program; limit collection, use and retention of data; give users access to information the company collects; and provide a way for users to file complaints with the company. Like U.S. states, Canadian provinces can create their own privacy laws, and three of them – Alberta, British Columbia and Quebec – have done so.

EU The use of personal data for purposes other than what’s communicated to employees is a breach of confidence. To combat this, General Data Protection Regulation (GDPR) was recently enacted. Every processing of personal data in respect to an activity or transaction within the EU is now subject to GDPR, and the fines imposed for serious non-compliance are high, leading stakeholders to bake in data security from the start. To achieve compliance, organizations need to map all their data processing activities and ensure they meet GDPR requirements by doing the following: • Keep records to demonstrate compliance. • Use data encryption for enhanced security. • Aggregate or anonymize IoT data that can be directly or indirectly traced back to an individual. • Limit data processing to the stated purpose. • Be transparent and clearly communicate how data is used. • Establish a lawful basis for each processing. MIDDLE EAST Few countries in the Middle East have laws regulating privacy of data and access to information. According to the 2015 International Compendium of Data Privacy Laws, Saudi Arabia has some laws regarding privacy and data collection, but no laws about data security or notification of data breaches.

47