Personal Data Privacy: What the Regulations Really Say

Personal data privacy is a topic that stirs hot debate between so-called repressive and permissive systems. But are they really all that different? In fact, the principal regulations are based on similar principles.

Let us take, for example, the new European Union General Data Protection Regulation (GDPR), adopted in April 2016. Its main principles are enumerated in Article 5-1a: lawfulness, fairness and transparency, purpose limitation, data minimization and accuracy, storage limitation, integrity and confidentiality.

Although each of these concepts is open to varying interpretations, the same common core is found everywhere.

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) sets out ten principles: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance.

In the United States, too, various bills govern personal data processing. They usually focus on specific categories or sectors, such as children, drivers, health-related data and banking data. Although the general principles are rarely spelled out, they are the same.


The Most Commonly Shared Principles

  • Transparency or openness: Businesses that use personal data agree to inform the public of their practices and of any dangers incurred as a result of misuse of the personal data collected.
  • Consent: Prior consent to the collection or use of any personal data.
  • Purpose: The data is collected for a specific purpose and will only be used for that purpose.
  • Relevance (and minimization): Only the data specifically required for the stated purpose will be collected.
  • Quality: The personal data must be accurate and stored in a manner consistent with the stated purpose. In particular, it must be anonymized when the storage period is longer than initially set.
  • Control: Individuals have the right to access and modify, delete or correct their personal data. In some circumstances, they can review their consent depending on the processing that the data will undergo.
  • Accountability: The company that holds the data is accountable for its security, as well as compliance with all principles governing personal data privacy management.
  • The right to challenge or raise alerts: Individuals have the right to request data and to challenge or raise alerts regarding data privacy management.

In practice, any differences, especially between Europe, Asia and North America, concern whether these principles are incorporated into binding regulations or the market is left to regulate itself.

aThe E.U. regulation contains other fundamental principles in addition to those spelled out in Article 5-1: the principle of accountability, which extends beyond security, consent and other legitimate purposes to lawfully process personal data, specific protection for sensitive data and more.