File #2747: "2019_Book_DataProtectionLaw.pdf"
Testo
1|Foreword|5
1|Preface|7
1|Acknowledgements|9
1|Contents|11
1|About the Authors|18
1|List of Diagram|20
1|Part I|21
2|Chapter 1: Problem Definition, Structure and Methodology|22
3|1.1 Problem Definition|23
4|1.1.1 Privacy|23
4|1.1.2 The Modern History of the Right to Privacy|28
4|1.1.3 Data Protection as a Tool of “Privacy”|32
4|1.1.4 Internationalization and Regionalization|34
4|1.1.5 Data Protection and Privacy Is Not Limited to One Area of Law|36
3|1.2 Structure and Methodology|37
3|1.3 Limitation of this Research|39
3|1.4 Chapters|39
3|1.5 Conclusion|41
3|References|42
1|Part II|44
2|Chapter 2: Law, Technology and Digital Economy|45
3|2.1 Introduction|45
4|2.1.1 Identity in the New World|51
5|2.1.1.1 Personal Identity|53
4|2.1.2 Co-regulation [Government and Industry]|56
5|2.1.2.1 ISO – IEC – Cobit|57
3|2.2 Conclusion|58
3|References|59
1|Part III|61
2|Chapter 3: European Law|62
3|3.1 Introduction|63
3|3.2 General Data Protection Regulation|70
3|3.3 Definition of Personal Data|72
3|3.4 Controller, Processor and Officer|75
4|3.4.1 Processor|76
4|3.4.2 Data Protection Officer|77
3|3.5 Right to Be Forgotten|78
3|3.6 Agency [Regulator] – Authority|81
3|3.7 Public and Private|83
3|3.8 Consent|83
4|3.8.1 Children’s Consent|85
3|3.9 Extra-Territorial Reach|85
3|3.10 Retention|86
3|3.11 Principles and Codes|87
3|3.12 Cross Border Transfer|90
3|3.13 Breach|94
3|3.14 Cyber Security|96
3|3.15 Conclusion|96
3|References|98
2|Chapter 4: Singapore|99
3|4.1 Introduction|100
3|4.2 Definition Personal Data|102
3|4.3 Controller|106
3|4.4 Public and Private|107
3|4.5 Consent and Collection|108
3|4.6 Accuracy|113
3|4.7 Retention|114
3|4.8 Data Transferred to a Foreign Country|115
3|4.9 Enforcement|117
4|4.9.1 Notification of Breach|119
4|4.9.2 Data Protection Impact Assessments|119
3|4.10 Extraterritorial – Reach|120
3|4.11 Agency [Regulator], Principles and Codes|120
3|4.12 Do Not Call Registry|122
3|4.13 Loss or Damage|124
3|4.14 Right to Be Forgotten|125
3|4.15 Supporting Cyber Security Laws|125
3|4.16 Conclusion|127
3|References|129
2|Chapter 5: Australia|130
3|5.1 Introduction|131
3|5.2 Public and Private|140
3|5.3 Definition of Personal Information|140
3|5.4 Consent and Collection|142
4|5.4.1 Children|144
3|5.5 Extra-Territorial Reach|144
3|5.6 Regulator|146
3|5.7 Quality of Information – Accuracy|148
3|5.8 Retention|149
3|5.9 Breach & Notification|150
3|5.10 Right to Be Forgotten|151
3|5.11 Data Portability|155
3|5.12 Loss or Damage and Enforcement|156
3|5.13 Impact Assessment|157
3|5.14 Additional Legislation and Standards|158
3|5.15 Conclusion|160
3|References|161
2|Chapter 6: India|162
3|6.1 Introduction|163
3|6.2 Personal Information|169
3|6.3 Right to Be Forgotten|170
3|6.4 Grievance Officers|171
3|6.5 Public and Private|171
3|6.6 Consent and Collection|172
3|6.7 Cross-Border Transfer|173
4|6.7.1 Data Localization|174
3|6.8 Retention|174
3|6.9 Enforcement|175
3|6.10 Commissioner|177
3|6.11 Controller Functions|177
3|6.12 Codes of Practice and Standards|178
3|6.13 Proposed New Privacy and Protection Law & Supporting Laws|179
3|6.14 Conclusion|182
3|References|183
2|Chapter 7: Indonesia|184
3|7.1 Introduction|185
3|7.2 Definition of Personal Information|190
3|7.3 Public and Private|191
3|7.4 Controller or Officer|191
3|7.5 Commissioner, Agency[Regulator], Principles and Codes|192
3|7.6 Cross Border Transfer|193
3|7.7 Right to Be Forgotten|194
3|7.8 Consent|195
3|7.9 Collection|196
3|7.10 Retention [Storage]|197
3|7.11 Breach|197
3|7.12 Enforcement|197
3|7.13 Supporting Laws & Proposed New Data Protection Laws|198
4|7.13.1 Proposed New Data Protection Law|199
5|7.13.1.1 Defining Personal Data|200
5|7.13.1.2 Controller and Processor|200
5|7.13.1.3 Consent|201
5|7.13.1.4 Data Transfer|202
5|7.13.1.5 Commission|202
5|7.13.1.6 Enforcement & Breach Notification|203
5|7.13.1.7 Deletion – Destroying Personal Data|203
3|7.14 Conclusion|204
3|References|206
2|Chapter 8: Malaysia|207
3|8.1 Introduction|208
3|8.2 Definitions of Personal Data|213
3|8.3 Consent & Principles|214
3|8.4 Commissioner – Agency [Regulator]|218
3|8.5 Public and Private|220
3|8.6 Extra-territorial Reach|220
3|8.7 Certificates of Registration|221
3|8.8 Data Officer|223
3|8.9 Code of Practice|223
3|8.10 Breach and Notification|225
3|8.11 Enforcement|225
3|8.12 Right to be Forgotten|226
3|8.13 Retention|227
3|8.14 Supporting Cyber Security Laws|228
3|8.15 Conclusion|228
3|References|229
2|Chapter 9: Thailand|230
3|9.1 Introduction|231
3|9.2 Definitions|236
3|9.3 Public and Private|237
3|9.4 Retention & Consent|237
3|9.5 Commission – Agency [Regulator], Principles, Codes|238
3|9.6 Enforcement|239
3|9.7 Right to Be Forgotten|240
3|9.8 Proposed Data Protection Law|241
4|9.8.1 Potential Issues Concerning the Current Draft Bill – January 2018|245
5|9.8.1.1 Consent|245
5|9.8.1.2 Processors|246
5|9.8.1.3 Cross Border Transfer|246
5|9.8.1.4 Public Sector|247
5|9.8.1.5 Breach|247
5|9.8.1.6 Commission Powers|248
3|9.9 Conclusion|248
3|References|250
2|Chapter 10: Japan|251
3|10.1 Introduction|252
4|10.1.1 Personal Data Protection|252
3|10.2 Definition of Personal Information|257
3|10.3 Business Operator [Data Controller]|261
3|10.4 Extra Territorial Reach|263
3|10.5 Right to be Forgotten|265
3|10.6 Commissioner – Regulator|266
3|10.7 Public and Private|268
3|10.8 Retention|269
3|10.9 Collection [Acquisition] and Consent|270
3|10.10 Notification|271
3|10.11 Enforcement & Breach|272
3|10.12 Supporting Laws and Policy|272
3|10.13 Conclusion|273
3|References|274
1|Part IV|275
2|Chapter 11: Jurisdictional [Comparative] Differences|276
3|11.1 Introduction|276
3|11.2 The Definition of Personal Data and Personal Information|277
4|11.2.1 Sensitive Information [Data]|279
4|11.2.2 Anonymization and Pseudonymization|281
3|11.3 Private and Public|281
3|11.4 Controllers & Enforcement|282
4|11.4.1 Notification of Breach|283
4|11.4.2 Complaints Mechanism|284
4|11.4.3 Penalties|284
4|11.4.4 Compensation|285
3|11.5 Consent & Collection|286
3|11.6 Storage & Localisation|288
4|11.6.1 Storage Limitation|289
3|11.7 International – Transfer|290
4|11.7.1 Adequacy Test and Privacy Shield|292
3|11.8 Codes of Practice|293
3|11.9 Data Portability|293
3|11.10 Right to Be Forgotten|294
4|11.10.1 Adoption of the Right to Be Forgotten|299
3|11.11 Conclusion|300
3|References|301
1|Part V|302
2|Chapter 12: Intellectual Property|303
3|12.1 Introduction|304
4|12.1.1 Internet Systems, Platforms and Infrastructure|305
4|12.1.2 Economic Value Personal Data|308
3|12.2 Consent & Personal Data|312
4|12.2.1 Withdrawal of Consent|314
4|12.2.2 Sensitive – Personal Data|315
3|12.3 Data Portability|319
3|12.4 Emerging Case Law|320
3|12.5 Moving Forward|321
3|12.6 Conclusion|323
3|References|324
2|Chapter 13: Competition Law and Personal Data|326
3|13.1 Introduction|326
3|13.2 Data Protection and Competition|330
3|13.3 Issue & Solution|337
3|13.4 Data Portability|340
4|13.4.1 Abuse of Power and the Consumer|342
4|13.4.2 Web Browser|344
4|13.4.3 Mergers and Acquisitions|345
4|13.4.4 Predatory Pricing|349
3|13.5 Conclusion|351
3|References|354
2|Chapter 14: Conflict of Laws, Transnational Contracts in Personal Data|356
3|14.1 Introduction|356
4|14.1.1 Conflict of Laws|360
4|14.1.2 CISG – UPICC|373
3|14.2 Conclusion|381
3|References|382
2|Chapter 15: Personal Data and Cybersecurity [Crime]|383
3|15.1 Introduction|384
4|15.1.1 Technology|387
4|15.1.2 Data Protection & Cybersecurity|389
3|15.2 Conclusion|403
3|References|405
1|Part VI|406
2|Chapter 16: International & Regional Institutions|407
3|16.1 Introduction|408
3|16.2 International Law and Regional Programs|408
3|16.3 United Nations|409
3|16.4 Organization for Economic Development [OECD]|411
3|16.5 International Conference of Data Protection and Privacy Commissioners [ICDPPC]|414
3|16.6 International Law Commission [ICL] – Associations and Organizations|415
3|16.7 World Economic Forum|416
3|16.8 Regional Programs|417
4|16.8.1 Asia-Pacific Economic Cooperation [APEC]|417
5|16.8.1.1 Asia Pacific Privacy Authorities|419
3|16.9 Association of South East Nations [ASEAN]|420
3|16.10 African Union|422
3|16.11 Commonwealth of Nations|422
3|16.12 European Union|423
3|16.13 Trade Agreements|424
4|16.13.1 United States of America (US) and Korean Free Trade Agreement|425
4|16.13.2 Proposed Australia and the European Union Free Trade Agreement|425
4|16.13.3 Potential Australian and United Kingdom Free Trade Agreement|426
3|16.14 Conclusion|426
3|References|427
2|Chapter 17: What Is at Issue and A Possible Pathway Forward|428
3|17.1 Introduction|429
3|17.2 Technology and Regulation|430
3|17.3 International & Regional Institutions|432
3|17.4 Current Data Protection and Privacy Regulation|433
3|17.5 Convergence or Disconnection of Data Protection and Privacy?|434
3|17.6 Case Law|435
3|17.7 Data Localization|435
3|17.8 Storage Limitation|437
3|17.9 Consent|437
3|17.10 Definition of Personal Data and Personal Information|438
4|17.10.1 Ownership|439
3|17.11 Adequacy|440
3|17.12 Measuring the Harm in Data Breaches|441
4|17.12.1 What Is a Privacy Harm?|441
4|17.12.2 Penalties & Enforcement|443
3|17.13 Pathway Forward|445
3|17.14 Conclusion|449
3|References|451
1|Preface|7
1|Acknowledgements|9
1|Contents|11
1|About the Authors|18
1|List of Diagram|20
1|Part I|21
2|Chapter 1: Problem Definition, Structure and Methodology|22
3|1.1 Problem Definition|23
4|1.1.1 Privacy|23
4|1.1.2 The Modern History of the Right to Privacy|28
4|1.1.3 Data Protection as a Tool of “Privacy”|32
4|1.1.4 Internationalization and Regionalization|34
4|1.1.5 Data Protection and Privacy Is Not Limited to One Area of Law|36
3|1.2 Structure and Methodology|37
3|1.3 Limitation of this Research|39
3|1.4 Chapters|39
3|1.5 Conclusion|41
3|References|42
1|Part II|44
2|Chapter 2: Law, Technology and Digital Economy|45
3|2.1 Introduction|45
4|2.1.1 Identity in the New World|51
5|2.1.1.1 Personal Identity|53
4|2.1.2 Co-regulation [Government and Industry]|56
5|2.1.2.1 ISO – IEC – Cobit|57
3|2.2 Conclusion|58
3|References|59
1|Part III|61
2|Chapter 3: European Law|62
3|3.1 Introduction|63
3|3.2 General Data Protection Regulation|70
3|3.3 Definition of Personal Data|72
3|3.4 Controller, Processor and Officer|75
4|3.4.1 Processor|76
4|3.4.2 Data Protection Officer|77
3|3.5 Right to Be Forgotten|78
3|3.6 Agency [Regulator] – Authority|81
3|3.7 Public and Private|83
3|3.8 Consent|83
4|3.8.1 Children’s Consent|85
3|3.9 Extra-Territorial Reach|85
3|3.10 Retention|86
3|3.11 Principles and Codes|87
3|3.12 Cross Border Transfer|90
3|3.13 Breach|94
3|3.14 Cyber Security|96
3|3.15 Conclusion|96
3|References|98
2|Chapter 4: Singapore|99
3|4.1 Introduction|100
3|4.2 Definition Personal Data|102
3|4.3 Controller|106
3|4.4 Public and Private|107
3|4.5 Consent and Collection|108
3|4.6 Accuracy|113
3|4.7 Retention|114
3|4.8 Data Transferred to a Foreign Country|115
3|4.9 Enforcement|117
4|4.9.1 Notification of Breach|119
4|4.9.2 Data Protection Impact Assessments|119
3|4.10 Extraterritorial – Reach|120
3|4.11 Agency [Regulator], Principles and Codes|120
3|4.12 Do Not Call Registry|122
3|4.13 Loss or Damage|124
3|4.14 Right to Be Forgotten|125
3|4.15 Supporting Cyber Security Laws|125
3|4.16 Conclusion|127
3|References|129
2|Chapter 5: Australia|130
3|5.1 Introduction|131
3|5.2 Public and Private|140
3|5.3 Definition of Personal Information|140
3|5.4 Consent and Collection|142
4|5.4.1 Children|144
3|5.5 Extra-Territorial Reach|144
3|5.6 Regulator|146
3|5.7 Quality of Information – Accuracy|148
3|5.8 Retention|149
3|5.9 Breach & Notification|150
3|5.10 Right to Be Forgotten|151
3|5.11 Data Portability|155
3|5.12 Loss or Damage and Enforcement|156
3|5.13 Impact Assessment|157
3|5.14 Additional Legislation and Standards|158
3|5.15 Conclusion|160
3|References|161
2|Chapter 6: India|162
3|6.1 Introduction|163
3|6.2 Personal Information|169
3|6.3 Right to Be Forgotten|170
3|6.4 Grievance Officers|171
3|6.5 Public and Private|171
3|6.6 Consent and Collection|172
3|6.7 Cross-Border Transfer|173
4|6.7.1 Data Localization|174
3|6.8 Retention|174
3|6.9 Enforcement|175
3|6.10 Commissioner|177
3|6.11 Controller Functions|177
3|6.12 Codes of Practice and Standards|178
3|6.13 Proposed New Privacy and Protection Law & Supporting Laws|179
3|6.14 Conclusion|182
3|References|183
2|Chapter 7: Indonesia|184
3|7.1 Introduction|185
3|7.2 Definition of Personal Information|190
3|7.3 Public and Private|191
3|7.4 Controller or Officer|191
3|7.5 Commissioner, Agency[Regulator], Principles and Codes|192
3|7.6 Cross Border Transfer|193
3|7.7 Right to Be Forgotten|194
3|7.8 Consent|195
3|7.9 Collection|196
3|7.10 Retention [Storage]|197
3|7.11 Breach|197
3|7.12 Enforcement|197
3|7.13 Supporting Laws & Proposed New Data Protection Laws|198
4|7.13.1 Proposed New Data Protection Law|199
5|7.13.1.1 Defining Personal Data|200
5|7.13.1.2 Controller and Processor|200
5|7.13.1.3 Consent|201
5|7.13.1.4 Data Transfer|202
5|7.13.1.5 Commission|202
5|7.13.1.6 Enforcement & Breach Notification|203
5|7.13.1.7 Deletion – Destroying Personal Data|203
3|7.14 Conclusion|204
3|References|206
2|Chapter 8: Malaysia|207
3|8.1 Introduction|208
3|8.2 Definitions of Personal Data|213
3|8.3 Consent & Principles|214
3|8.4 Commissioner – Agency [Regulator]|218
3|8.5 Public and Private|220
3|8.6 Extra-territorial Reach|220
3|8.7 Certificates of Registration|221
3|8.8 Data Officer|223
3|8.9 Code of Practice|223
3|8.10 Breach and Notification|225
3|8.11 Enforcement|225
3|8.12 Right to be Forgotten|226
3|8.13 Retention|227
3|8.14 Supporting Cyber Security Laws|228
3|8.15 Conclusion|228
3|References|229
2|Chapter 9: Thailand|230
3|9.1 Introduction|231
3|9.2 Definitions|236
3|9.3 Public and Private|237
3|9.4 Retention & Consent|237
3|9.5 Commission – Agency [Regulator], Principles, Codes|238
3|9.6 Enforcement|239
3|9.7 Right to Be Forgotten|240
3|9.8 Proposed Data Protection Law|241
4|9.8.1 Potential Issues Concerning the Current Draft Bill – January 2018|245
5|9.8.1.1 Consent|245
5|9.8.1.2 Processors|246
5|9.8.1.3 Cross Border Transfer|246
5|9.8.1.4 Public Sector|247
5|9.8.1.5 Breach|247
5|9.8.1.6 Commission Powers|248
3|9.9 Conclusion|248
3|References|250
2|Chapter 10: Japan|251
3|10.1 Introduction|252
4|10.1.1 Personal Data Protection|252
3|10.2 Definition of Personal Information|257
3|10.3 Business Operator [Data Controller]|261
3|10.4 Extra Territorial Reach|263
3|10.5 Right to be Forgotten|265
3|10.6 Commissioner – Regulator|266
3|10.7 Public and Private|268
3|10.8 Retention|269
3|10.9 Collection [Acquisition] and Consent|270
3|10.10 Notification|271
3|10.11 Enforcement & Breach|272
3|10.12 Supporting Laws and Policy|272
3|10.13 Conclusion|273
3|References|274
1|Part IV|275
2|Chapter 11: Jurisdictional [Comparative] Differences|276
3|11.1 Introduction|276
3|11.2 The Definition of Personal Data and Personal Information|277
4|11.2.1 Sensitive Information [Data]|279
4|11.2.2 Anonymization and Pseudonymization|281
3|11.3 Private and Public|281
3|11.4 Controllers & Enforcement|282
4|11.4.1 Notification of Breach|283
4|11.4.2 Complaints Mechanism|284
4|11.4.3 Penalties|284
4|11.4.4 Compensation|285
3|11.5 Consent & Collection|286
3|11.6 Storage & Localisation|288
4|11.6.1 Storage Limitation|289
3|11.7 International – Transfer|290
4|11.7.1 Adequacy Test and Privacy Shield|292
3|11.8 Codes of Practice|293
3|11.9 Data Portability|293
3|11.10 Right to Be Forgotten|294
4|11.10.1 Adoption of the Right to Be Forgotten|299
3|11.11 Conclusion|300
3|References|301
1|Part V|302
2|Chapter 12: Intellectual Property|303
3|12.1 Introduction|304
4|12.1.1 Internet Systems, Platforms and Infrastructure|305
4|12.1.2 Economic Value Personal Data|308
3|12.2 Consent & Personal Data|312
4|12.2.1 Withdrawal of Consent|314
4|12.2.2 Sensitive – Personal Data|315
3|12.3 Data Portability|319
3|12.4 Emerging Case Law|320
3|12.5 Moving Forward|321
3|12.6 Conclusion|323
3|References|324
2|Chapter 13: Competition Law and Personal Data|326
3|13.1 Introduction|326
3|13.2 Data Protection and Competition|330
3|13.3 Issue & Solution|337
3|13.4 Data Portability|340
4|13.4.1 Abuse of Power and the Consumer|342
4|13.4.2 Web Browser|344
4|13.4.3 Mergers and Acquisitions|345
4|13.4.4 Predatory Pricing|349
3|13.5 Conclusion|351
3|References|354
2|Chapter 14: Conflict of Laws, Transnational Contracts in Personal Data|356
3|14.1 Introduction|356
4|14.1.1 Conflict of Laws|360
4|14.1.2 CISG – UPICC|373
3|14.2 Conclusion|381
3|References|382
2|Chapter 15: Personal Data and Cybersecurity [Crime]|383
3|15.1 Introduction|384
4|15.1.1 Technology|387
4|15.1.2 Data Protection & Cybersecurity|389
3|15.2 Conclusion|403
3|References|405
1|Part VI|406
2|Chapter 16: International & Regional Institutions|407
3|16.1 Introduction|408
3|16.2 International Law and Regional Programs|408
3|16.3 United Nations|409
3|16.4 Organization for Economic Development [OECD]|411
3|16.5 International Conference of Data Protection and Privacy Commissioners [ICDPPC]|414
3|16.6 International Law Commission [ICL] – Associations and Organizations|415
3|16.7 World Economic Forum|416
3|16.8 Regional Programs|417
4|16.8.1 Asia-Pacific Economic Cooperation [APEC]|417
5|16.8.1.1 Asia Pacific Privacy Authorities|419
3|16.9 Association of South East Nations [ASEAN]|420
3|16.10 African Union|422
3|16.11 Commonwealth of Nations|422
3|16.12 European Union|423
3|16.13 Trade Agreements|424
4|16.13.1 United States of America (US) and Korean Free Trade Agreement|425
4|16.13.2 Proposed Australia and the European Union Free Trade Agreement|425
4|16.13.3 Potential Australian and United Kingdom Free Trade Agreement|426
3|16.14 Conclusion|426
3|References|427
2|Chapter 17: What Is at Issue and A Possible Pathway Forward|428
3|17.1 Introduction|429
3|17.2 Technology and Regulation|430
3|17.3 International & Regional Institutions|432
3|17.4 Current Data Protection and Privacy Regulation|433
3|17.5 Convergence or Disconnection of Data Protection and Privacy?|434
3|17.6 Case Law|435
3|17.7 Data Localization|435
3|17.8 Storage Limitation|437
3|17.9 Consent|437
3|17.10 Definition of Personal Data and Personal Information|438
4|17.10.1 Ownership|439
3|17.11 Adequacy|440
3|17.12 Measuring the Harm in Data Breaches|441
4|17.12.1 What Is a Privacy Harm?|441
4|17.12.2 Penalties & Enforcement|443
3|17.13 Pathway Forward|445
3|17.14 Conclusion|449
3|References|451