The Leader Magazine

MAR 2019

Issue link:

Contents of this Issue


Page 28 of 51

the leader March 2019 29 Privacy laws vary greatly around the world, from regions like the EU, where policies are well-developed and getting stricter, to regions like the Middle East, where there are significantly fewer rules governing data privacy protection. As IoT devices capable of collecting all kinds of data at all times become more widespread, privacy laws will likely fall in line. According to a Deloitte report on big data, there were only 20 privacy laws worldwide in the '90s. Now, there are more than 100. Here's a look at some of the laws currently in place in countries and regions around the world: United s tates When it comes to privacy laws, the U.S.'s federal and state privacy laws vary widely. According to the National Conference of State Legislatures, 31 states have data-disposal laws and 47 states have security-breach- notification laws; but, the laws are not uniform. Last year, the Federal Trade Commission issued a report containing best practices for protecting user data, aimed at companies who make IoT-connected devices. The recommendations included designing devices with data security in mind, conducting tests of security measures on a regular basis, avoiding collecting more data than necessary, and displaying privacy information in a way that's easy to understand and appropriate for the device. Canada In Canada, a federal law called the Personal Information Protection and Electronic Documents Act (PIPEDA) sets rules on how companies are required to protect personal data. The law requires companies to create a privacy-management program; limit collection, use and retention of data; give users access to information the company collects; and provide a way for users to file complaints with the company. Like U.S. states, Canadian provinces can create their own privacy laws, and three of them – Alberta, British Columbia and Quebec – have done so. e U The use of personal data for purposes other than what's communicated to employees is a breach of confidence. To combat this, General Data Protection Regulation (GDPR) was recently enacted. Every processing of personal data in respect to an activity or transaction within the EU is now subject to GDPR, and the fines imposed for serious non-compliance are high, leading stakeholders to bake-in data security from the start. To achieve compliance, organizations need to map all their data- processing activities and ensure they meet GDPR requirements by doing the following: • Keep records to demonstrate compliance. • Use data encryption for enhanced security. • Aggregate or anonymize IoT data that can be directly or indirectly traced to an individual. • Limit data processing to the stated purpose. • Be transparent and clearly communicate how data is used. • Establish a lawful basis for each processing. Middle e ast Few countries in the Middle East have laws regulating privacy of data and access to information. According to the 2015 International Compendium of Data Privacy Laws, Saudi Arabia has some laws regarding privacy and data collection, but no laws about data security or notification of data breaches. a ustralia Two main federal laws apply to IoT data collected in Australia: the Privacy Act of 1988 and the Telecommunications Act passed in 1997. Under the Privacy Act, most companies are required to comply with privacy principles when collecting information that could identify a user. The privacy principles require companies to establish a privacy policy, give users the option to remain anonymous when possible, keep users' personal data secure, notify users about the information they're collecting, and provide users with access to their data. The Privacy Act of 1988 excludes employment records from its operation, which otherwise deals with the statutory requirements for the collection and use of personal information. Time will tell whether the Australian government will amend the Act to recognize the implications of the increasing collection and use of biometric information. a sia Pacific Countries in Asia/Pacific, like China, Indonesia and India, have minimal regulation related to data privacy issues; this causes problems for enterprises when data is moved or collected. China has recently invested heavily in facial-recognition technology with minimal privacy regulations attached. Banks, airports, hotels and even public toilets are all trying to verify people's identities by analyzing their faces. Security industry reports show the country will use facial recognition and AI to analyze and understand the mountain of incoming video evidence; to track suspects, spot suspicious behaviors and even predict crime; to coordinate the work of emergency services; and to monitor the comings and goings of the country's 1.4 billion people. Meanwhile, New Zealand, Singapore and Japan have data-privacy laws similar to those in the EU and Australia. Privacy laws and how they vary globally Left to right: Carl Powell is chief information officer, EMEA, at Cushman & Wakefield. Also from Cushman & Wakefield, Skender Rugova is senior managing director; Luc Hoffmann is senior managing director, head of IFM, West Region; and Tica Hessing is human geographer and tenant advisor for Strategic Consulting, Australia.

Articles in this issue

Archives of this issue

view archives of The Leader Magazine - MAR 2019