Regulatory approaches to protection of human rights in the digital society: alternative mechanisms for personal data protection
The collection, processing and use of personal data is one of the biggest challenges of the information society. Personal data has become the foundation of new business models, but at the same time a source of responsibility for the companies that collect and process data about their users. To protect both their business and their users, corporations have developed alternative mechanisms for personal data protection.
One way to balance protection of customers with protection of their data is to build strategies for risk assessment and to create mechanisms for overcoming those risks. The privacy protection issue is generally discussed in the context of human rights, while the phrase “data protection” is commonly used as a technical expression. However, the link between the two concepts is undeniable, and better data protection therefore means better protection of privacy. There are three main risks that can endanger privacy. The first is that data can be inaccurate, not kept up to date, or excessive in relation to the purposes for which it is collected and/or further processed. The second risk concerns the individual’s control over the collected data: data acquired without one’s consent, or a person being prevented or discouraged from starting a procedure to protect their personal data. The third risk refers to humiliation as a result of publishing data without a transparent procedure. The same risk can appear if data is provided although it is not needed for the processing, or in the case of excessive and illegitimate disclosure without the user’s consent. With risk assessment mechanisms, companies can provide a high level of data protection and avoid the costs caused by improper data control.
At the EU level, a practice of accepting Binding Corporate Rules (BCR) has been established, which makes it easier for corporations from the European Economic Area (EEA) to transfer data to a branch located in a non-EEA country, provided they use BCR that have been approved by the Article 29 Working Party.
Binding Corporate Rules are internal rules, like rules of procedure, which are adopted by multinational corporations in order to define their global policy on international personal data transfers between entities within the same corporate group and entities located in countries which do not provide adequate data protection. Multinational companies use these rules in order to apply adequate mechanisms for privacy protection and to show respect for fundamental human rights and freedoms in accordance with Article 26, paragraph 2 of the EU Directive 95/46/CE. The rules must include privacy protection principles (transparency, data quality, security…), effective means of protection (audits, training for employees, a complaint system…) and an element which proves that the rules are binding.
On the other hand, in large market economies, corporations tend to create their own self-regulatory rules. An example of such regulation is the Guidelines for Online Privacy Policies, created by the Online Privacy Alliance (OPA), a cross-industry coalition of over 80 online companies and trade associations. In accordance with the Guidelines, each member agrees to adopt and apply specific rules on the protection of personal data, which means that the companies accept an obligation to inform users in detail about the use of their data. The notification covers the type of personal data and type of processing, the availability of data to third parties, mechanisms for data protection, and users’ access to information.
Guidelines for Online Privacy Policies point out five fundamental principles on privacy protection:
Notice/Disclosure – users must be notified of the data processing and of the identity of the company before they give it permission to collect personal data.
Choice/Consent – there are two types of choice and consent: opt-in and opt-out. Opt-in means that individuals must be given the opportunity to give their consent to the collection and use of data, while opt-out means that individuals must be given the opportunity to opt out of the collection and processing of certain data. In both cases, the collected information is submitted by foreign companies.
Data quality/Access – users must be able to access their personal data and to dispute whether the data is accurate or complete.
Integrity/Data security – to ensure the integrity of data, companies must take reasonable steps, such as using only reliable sources of data and subsequently checking the data, enabling users to access their data, and destroying or anonymizing obsolete data.
Implementation/Compensation – these fundamental principles of privacy protection are effective only if protection and compensation mechanisms exist.
Another way for the business sector to protect personal data is to introduce the ISO 27001 standard, which addresses data protection. ISO 27001 was first published in 2005; a new version was created in 2013 and is now harmonized with the other ISO Information Security Management System standards. ISO 27001 introduced the “Plan-Do-Check-Act” concept. The standard is a specification for an ISMS (Information Security Management System), against which certification is awarded.
The purpose of this system is to provide the proper conditions for adopting, implementing, maintaining and continually improving an Information Security Management System. The standard covers all types of organizations (commercial corporations, governmental, non-profit and non-governmental organizations), of all sizes (from micro-companies to multinational corporations) and every industry (e.g. retail, banking, defense, health care, education and government). An essential part of the certification process is an objective analysis of what a corporation must do in order to implement the ISMS; this analysis also serves as the basis for the compliance evaluation performed by certified auditors.
The necessary documents, or “documented information” as the Standard calls them, are: an analysis of the already existing ISMS, data protection policies, data protection risk assessments, methods for treating data protection risks, operational planning and document control, the results of the risk assessment, decisions on the treatment of the risks, the internal audit programme for the ISMS and the results of conducted audits, evidence of nonconformities and of their correction, and other related documents.
Certification brings numerous advantages beyond its immediate purpose, which is compliance with the standard. The standards in this series say much about a corporation and its responsible policies for data handling, and also relate to fair competition on the market and customer protection.
Find out more about the certification process on http://www.27000.org/ismsprocess.htm as well as about other relevant ISO standards of privacy protection on http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=45123.
In the next article, you will have the chance to find out more about the position of Data Protection Officer, read an interview with Andrej Diligenski, Data Protection Officer of the Austrian company SIMACEK, and learn about other companies which have recognized the importance of this position.
To be continued…