
Data Privacy and Regulations


 

- Overview

Data privacy is a crucial aspect of data science. Data privacy is the ability to control how sensitive data is collected, analyzed, and stored. It's also a branch of data management that involves handling personal data in compliance with data protection laws and regulations. 

The Privacy Act of 1974 (U.S. Privacy Act of 1974) establishes rules for collecting, maintaining, using, and disseminating personal information by all federal agencies. Individuals have the right to know what information is being collected, how that data is being utilized, and the ability to request corrections.

In general, personal information should be lawfully obtained (usually through freely given consent) for a specific purpose, and not be used for unauthorized surveillance or profiling by governments or third parties or used for unconnected purposes without consent (unless otherwise required under the law). Finally, users should have certain rights over data about them, including the ability to obtain and correct erroneous data about them, and to have mechanisms to seek redress to secure these rights.


 

- International Standards on Privacy and Data Protection

In line with international standards for privacy and data protection, these laws often set out broad terms and principles for the collection, storage and use of personal information, including:

  • Purpose Limitation: The collection and use of personal data should be limited to the following purposes: (1) Purposes specified by law and therefore known to the individual at the time of collection (at least in theory); (2) Purposes for which the individual's consent has been obtained.
  • Proportionality and minimization: The data collected must be proportionate to the purpose of the ID system to avoid unnecessary data collection and “functional creep”, both of which can create privacy risks. This is often expressed as requiring the collection of only the "minimum necessary" data (including transaction metadata) to achieve the intended purpose.
  • Lawfulness: The collection and use of personal data shall be based on lawful grounds, for example involving consent, contractual necessity, compliance with legal obligations, protection of vital interests, public interest and/or legitimate interests.
  • Fairness and transparency: The collection and use of personal data should be fair and transparent.
  • Accuracy: Personal data should be accurate and up-to-date, and inaccurate information should be corrected promptly.
  • Storage Limitation: Personal data (including transaction metadata) should not be kept longer than necessary for the purposes for which it was collected and processed. For transaction metadata, one can choose how long to retain such data.
  • Privacy-Enhancing Technologies (PET): Requires the use of privacy-preserving technologies (e.g., tokenization of unique identification numbers) that eliminate or reduce the collection of personal data, prevent unnecessary processing of personal data, and promote compliance with data protection rules.
  • Accountability: The processing of personal data in accordance with the above principles should be overseen by appropriate, independent supervisory authorities, as well as by the data subjects themselves.

 

- US Information Privacy Laws and Procedures

Data privacy regulations, also known as information privacy laws and procedures, protect the rights of individuals to keep their personal information safe and private. 

Here are some data privacy regulations: 

  • California Consumer Privacy Act (CCPA): Requires organizations to disclose the types of personal data they collect, how it is used, and to whom it is sold. It also gives individuals the right to request access to their personal data, have it deleted, and opt out of its sale.
  • 2023 Consumer Data Privacy Legislation: Establishes a framework to regulate controllers and processors with access to personal consumer data, establishes penalties, establishes a new consumer privacy special fund, and appropriates funds to the Department of the Attorney General.
  • American Data Privacy and Protection Act (ADPPA): Became the first federal online privacy bill to pass committee in July 2022.
  • EU General Data Protection Regulation (GDPR): The strongest privacy and security law in the world. It was adopted in 2016 and entered into application on 25 May 2018.

Other data privacy regulations include: HIPAA, PCI-DSS, PIPEDA, POPI, LGPD.

Some new privacy laws include provisions such as:

  • The right to object to processing based on the controller's or public interests.
  • An obligation to notify DPAs and data subjects about data breaches.
  • Stronger consent requirements.
  • Including biometric and/or genetic data in the definition of sensitive data.

 

- Data Privacy Laws around the World

Data privacy laws are present in almost all major countries around the world. 

Some major world privacy laws include: 

  • The European Union's General Data Protection Regulation (GDPR): Considered one of the most comprehensive data protection laws in the world, with strict rules on how companies can collect, use, and share personal data. The GDPR also prohibits transfers outside the EU without adequate safeguards.
  • The ePrivacy Directive (ePD): An older piece of legislation enacted in 2002 and amended in 2009. It requires each EU Member State to pass their own national laws on data protection and privacy.
  • The Privacy Act 1988: One of the precursors of data privacy laws in the world, it addresses the core concerns of protection and promotion of the right of an individual to their data privacy.
  • The Argentinian Personal Data Protection Act: Prohibits the transfer of personal data to countries that do not have an adequate level of protection in place.
  • The Health Insurance Portability and Accountability Act of 1996: United States legislation that provides data privacy and security provisions for safeguarding medical information.

Other major world privacy laws include:

  • Brazil's General Data Protection Law
  • China's Personal Information Protection Law (PIPL)
  • California Consumer Privacy Act (CPRA)
  • Utah Consumer Privacy Act (UCPA)

 

 

 

 
