Data privacy is the confidentiality and protection of personal information and the right to access and transfer that data when desired. Personal data is information applicable to one specific person that identifies or clearly refers to them. Some organizations that process data may not consider it personal if it can be applied to multiple people (such as a shared home or IP address). Protected personal data refers to data handed to a controller, either given directly by the owner or taken from the owner’s Internet traffic or general activity.
Many national and state governments have regulations for data privacy. Though security (such as encryption) is one component of privacy, it is not the same. Privacy includes an individual’s secrecy, right to choose where their data is stored and transferred, and personal freedom (which, over time, lack of data privacy can erode). Organizations often must create a privacy policy or statement, which details how they use customer data. Privacy statements are very thorough documents that help protect the business and the customer alike and explain to third parties how data may and may not be used.
Data protection laws and regulations
The GDPR (General Data Protection Regulation), introduced in the European Union in 2018, is the best example thus far of legal strictures applied to data protection. Though it isn’t perfect, the GDPR lays down thorough data privacy laws that bind all businesses that have EU customers. This includes any companies in the U.S. and elsewhere with customers that live in the European Union (which is most large companies). Under the GDPR:
- Businesses must explain how they use data and be open in providing data to its owners. This typically means creating a privacy statement that is available for all users.
- Individuals have the right to erasure, which can mean deleting their data from a database or fixing/deleting inaccurate data.
- Individuals have the right to portability (moving or transferring data that was provided to a controller).
In the U.S., the California Consumer Privacy Act (CCPA) that went into effect in 2020 has requirements similar to GDPR. HIPAA protects medical wellness data for healthcare patients, and PCI DSS requires businesses to employ adequate encryption and security measures when processing card payments. Though these laws do not ensure perfect data protection, they attempt to provide privacy for customers through stringent regulations. Regardless, data breaches occur regularly. Millions of customers’ data is compromised on a monthly basis. Companies such as Microsoft and Walgreens saw data breaches in the earlier months of 2020.
Data privacy and advanced technology
Intelligent devices in individuals’ homes further complicate data privacy. Ubiquitous computing is the unobtrusive technology within our smartphones and devices that smoothly collects data and learns from it. This helps devices learn more about users and suggest things like appropriate songs, restaurants, and fitness techniques for them, but it also means that devices are gathering ever more data about their users. Webcams that gather physical data and microphones that listen to conversations cause reasonable concern about privacy.
Facial recognition is another concern: it can assist in locating criminals, but it can also fail to accurately identify people. Facial recognition technology is advancing significantly, but it has little legal regulation thus far. Some regulations have been suggested for mass surveillance, as it limits personal privacy and secrecy and can be misused in the process of identifying criminals.
