On Demand Library
Created in partnership with
Overview of Data Privacy Law Principles
8:43
Legal Disclaimer 
The information provided in this video does not, and is not intended to, constitute legal advice, instead, all information, content, and materials available on this site are for general informational purposes only. The law changes fast, so information in the video may not constitute the most up-to-date legal or other information. 
Overview of Major Global Privacy Laws
General Privacy Law Principles
What Kinds of Companies Need to Worry About Health Data?
Overview of US Privacy Laws
Who Engages in a Data Breach?
Transcript

00:08
Adam Stofsky
Shannon, I'm going to ask you a very broad and big picture question today. What is data privacy law and why is it important? 


00:17
Shannon Yavorsky
That is a really big question. Privacy legislation is the laws that govern the collection and use of personal information. So every time a company collects, stores or uses your personal information, they have to comply with privacy laws. And it's really important because every company has some kind of personal information, whether it's just employee data. If they're not providing goods or services to consumers, they will at least have employee data. They'll also have oftentimes consumer data or they'll be processing personal information for another company. So basically every company has to think about personal information that they're collecting and using and they have to look at what privacy laws apply to them. And the privacy laws generally say a lot of the same things. 


01:13
Shannon Yavorsky
And it arises out of OECD principles that were developed in the late seventy s and early 1980s and they're really aligned around a couple of really core principles. The first one is lawfulness of processing, which is a little bit of a term of art. But what that means is that there are a couple of grounds on which you are allowed to process personal information. Consent is the one that everybody really thinks of, like I consent to you company collecting my data to use it for a particular purpose. But there are lots of other lawful bases of processing. Another one is called vital interest. So where the processing of the data is in the vital interest of the data subject. 


02:02
Shannon Yavorsky
And an example of that is if your company needs to send you an emergency text message because there's a wildfire or tornado, they can do that because it's in the vital interest of the person. So that's lawfulness of processing, which is a really core principle as part of that set of OECD principles. The next principle is purpose limitation, which really means that if a company collects your data, they have to limit the use of that data to the purpose that they described in their privacy notice. So for example, if they said we're only going to collect your data and use it to provide you with the services sending you a widget, they can't then go and use your personal information for another purpose. Another really core principle is transparency. And that's really about providing individuals with a privacy notice. 


02:57
Shannon Yavorsky
And you'll have probably seen that at the footer of websites there's a link to a privacy notice and that describes what information the company is collecting, what they're going to use it for, and how they're sharing it with any third parties. And that's a really core part of the transparency principle. 


03:16
Adam Stofsky
Hang on, before you move on, it sounds like so far we've covered three principles and they have some fancy, they're called fancy words, but they're actually pretty straightforward, right? We've got lawful basis of processing. So there's got to be some lawful reason why you're processing data. You can't just do it because you feel like it or because you like data. You have to have some reason to do it. 


03:36
Shannon Yavorsky
That's exactly right. 


03:37
Adam Stofsky
You can only use it for what you say you're going to do with it and you got to tell people what you're doing with it, basically. 


03:44
Shannon Yavorsky
Yeah, which makes sense, right? It all kind of follows logically. Tell people what you're going to do with their data and then only use it for the thing that you told them that you were going to use it for. 


03:55
Adam Stofsky
So that's lawful basis of processing data, purpose limitation and transparency are the buzzwords for those the legal terms of art, right? 


04:03
Shannon Yavorsky
That's right. 


04:04
Adam Stofsky
Okay, what's next? 


04:05
Shannon Yavorsky
I'm going to run through a couple more. The next one is accuracy, which also makes a lot of sense. The company has to make sure that the information they hold about you remains accurate. They have to make sure they have the right email address and the right mailing address for you. And in many cases you're allowed to ask them to correct that if they have inaccurate data about you. The next one is storage limitation. So don't store the data for longer than you need to, which also makes a lot of sense for companies and also reduces cybersecurity risk. So if you have less data, there's less data that can actually be subject of a data breach. So that one makes a lot of sense for consumers, but also for companies. And then security, and this is data security is a really core principle. 


04:56
Shannon Yavorsky
It underlies most privacy laws around the world. And it really means just making sure that personal information is kept secure from unauthorized access or unauthorized use. So that's a really critical principle. And there are two more that I want to talk about, and I touched one a little bit before, individual rights. So I talked about the ability to correct inaccurate data that a company holds about you. But there are a couple more. I'm not going to go through all of them, but a few that are really important are access. 


05:31
Shannon Yavorsky
So your right to access data that a company holds about you and to know what categories of data that they're collecting and the right to deletion, which is sometimes called the right to be forgotten, which is where consumers have the right to ask a company to delete the data that it holds about them, subject to certain exceptions. But broadly, you're allowed to ask a company to delete data that they hold about you. Another one is Data Portability, which is being able to take your data from one company whatever data they've collected and say, I want you to transfer this data to this other company. So think about you want to transfer all your photos or comments from a social media platform to a new one. And Data Portability allows you to do that. 


06:19
Shannon Yavorsky
And then the final principle that I want to talk about is one of my favorites, accountability. And accountability is really about telling your privacy compliance story. So being able to show how the company has complied with the law, like, what are the steps that you took to comply? Did you memorialize your decision making process in relation to why you retained certain data or the purposes for which you were using the data? So accountability I really think about as telling your privacy compliance story. Another principle is data minimization, which means only collecting the data that you actually need in order to fulfill whatever purpose you're collecting it for. And a good example of that is if you're selling someone a widget, you don't need their Social Security number, hopefully not. So you shouldn't collect it. 


07:11
Shannon Yavorsky
You should really just collect their name, their email address, if you need to send them shipping updates, and potentially their mailing address. So really limit the data to what you actually need to fulfill the purpose. 


07:25
Adam Stofsky
Okay, so we talked about this lawful basis of processing data. You have to have some lawful reason for collecting data. We have purpose limitation. You can only use the data for the reason why it was collected. And data minimization seems like it's kind of related to that. You can only actually collect the data you need in the first place to do the thing you say you're going to do with it. 


07:47
Shannon Yavorsky
Yeah, you got it. 


07:49
Adam Stofsky
Okay. And then we talked about transparency. Companies have to tell the person who owns the data or whose data it is, the data subject, what they're collecting, accuracy, it has to be kept up to date and accurate storage limitation, you can't keep it any longer than you need it, and then you have security has to be kept safe. And then those other two you mentioned, if I'm remembering now, it's individual rights and accountability, and those are almost like the mechanisms by which companies are held to abiding by the rest of these standards. Is that a good way of thinking about it? 


08:25
Shannon Yavorsky
That's a good way of thinking about the accountability standard, yeah. 


08:29
Adam Stofsky
Great. All right. Chen and thank you for that very concise but deep overview of global privacy law principles. Thanks so much. 

PDFs
Audio
Share Video
Embed Video
© 2024 Briefly
Terms of Use
Privacy