Combating Computer Crime in Africa, Proposal for a Pan-African Cyber Crime Legal Framework -Part 2

Read Part 1 Here Data Protection and Privacy Laws Data Protection involves the protection of personal data, which covers both facts and opinions about an individual. It includes …

976
976

Read Part 1 Here

Franklin-16-225x300Data Protection and Privacy Laws

Data Protection involves the protection of personal data, which covers both facts and opinions about an individual. It includes the implementation of administrative, technical and or physical measures to guard against unauthorized access to personally identifiable data.

In Europe, Data Protection stems from legislative requirements such as the European Convention of Human Rights, and has with the advancement in automated processing of data been influenced by new legislation such as the European Data Protection Directive  and the Directive on Privacy and Electronic Communications.

It involves the protection of personal data, which covers both facts and opinions about an individual.

Anyone who processes personal information must comply with the following eight data protection principles:

Personal Information must be processed:

  • Fairly and lawfully
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate
  • Not kept- longer than necessary
  • Processed in accordance with the data subject’s rights
  • securely
  • Not transferred to countries without adequate protection.

Note on the last Principle

The last Principle should not be taken likely; this is due to the fact that many African countries want to partake in outsourcing. Now given the fact that a lot of outsourcing involves the processing of personal data, African countries who wish to be considered as outposts for outsourcing services should note that it is the development of sufficient laws and practices similar to those of the European Union that need to be put in place prior to trying to figure out what technologies are relevant for outsourcing.

US Privacy laws

In the US, the Personal Data Privacy and Security Act US (2005 updated 2009) was enacted after security breaches at ChoicePoint and LexisNexis.

The Act provides criminal penalties for identity theft involving electronic personal data by:  increasing penalties for computer fraud when such fraud involves personal data. It also adds fraud involving unauthorized access to personal information as a predicate offence.  The Act also makes it a crime to intentionally or willfully conceal a security breach involving personal data.

It gives individuals access to, and the opportunity to correct, any personal information held by data brokers; and

  • Requires entities that maintain personal data to establish internal policies that protect such data and vet third-parties they hire to process that data;
  • Requires entities that maintain personal data to give notice to individuals and law enforcement when they experience a breach involving sensitive personal data;
  • Limits the buying, selling or displaying of a social security number without consent from the individual whose number it is, prohibits companies from requiring individuals to use social security numbers as their account numbers and places limits on when companies can force individuals to turn over those numbers in order to obtain goods or services, and bars government agencies from posting public records that contain Social Security numbers on the Internet;
  • Requires the government to establish rules protecting privacy and security when it uses data broker information, to conduct audits of government contracts with data brokers and imposes penalties on government contractors that fail to meet data privacy and security requirements.

Consumer data broker ChoicePoint, Inc., which in 2005 year acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised, will pay $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws. The settlement requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program, and to obtain audits by an independent third-party security professional every other year until 2026

Related to the Data Protection Directive is the Privacy of Electronic Communications Directive (EU 2002) which lays certain obligations on telecommunications companies and service providers. A new development within this Directive is that it extends controls on unsolicited direct marketing to all forms of electronic communications including unsolicited commercial e-mail (UCE or Spam) and SMS to mobile telephones.

The Directive applies to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community.

A brief introduction of the salient points reveals the following in the Directives aims in ensuring fundamental human rights and freedoms particularly the right to privacy for subscribers of electronic communications:

·         Security Measures

The Directive provides that communication service providers should adopt adequate security measures both from a technical and organisational point of view that are commensurate with the risks that can accrue. With the spate of recent high profile security breaches that have occurred it is paramount that telecommunications providers implement adequate logical and physical security measures to ensure data under their control is safe from unauthorised access, which may lead to loss of privacy. It goes further to provides that users should be made aware of risks that are beyond the control of the service provider.

·         Confidentiality of Communications

In its attempt to maintain privacy of personal information, the directive requires service providers to ensure confidentiality of communications. This directive states can be attained by making sure that communication over public telecommunications lines are free from interception and tapping save in the instance of lawful interception. The article also provides that where communication networks are used in the processing of data, the data subject shall be informed why this is being carried out. The data subject has a right to refuse such processing.
· Caller and Called Line Identification

It is to be noted that an individual’s telephone number is personal data going by the meaning given to data protection legislation. In order to protect this, the directive further provides privacy rules in relation to caller and connected line identification. Here the directive states that subscribers must be issued with the possibility of withholding the identification of their telephone numbers when making a call along with being able to reject incoming calls where the incoming caller has refused showing their number.

  • Location Data Restrictions

Where the repealed telecommunications privacy directive only related to calls in circuit switched connections such as is found in traditional voice telephony, the new directive covers all kinds of traffic data as generated by users of mobile communication devices.
Location data is a valuable tool that can be used in the mobile phone sector to identify the location of an individual,its use can be illustrated in the Danielle Jones case in the hunt for a missing child in the UK it was identified that calls purportedly from the girls phone to her uncle (later convicted for her murder) were in fact being made by her uncle from one location.

  • Emergency and Nuisance Calls

An exception to the privacy of caller line and location data is provided for in article 10 where the elimination of calling line identification and location data is sanctioned to trace nuisance calls and in relation to location data for it to be revealed on a temporary basis only to emergency services.

  • SPAM
    Unsolicited mail (also known as Spam) has become a major problem it causes loss of work productivity and also is an invasion of privacy.

The directive in recognising the harmful effects of Spam provides that there shall be no automated communication using electronic mail or faxes for the purpose of direct marketing without the consent of the data owner. The purpose of the directive in relation to SPAM is to make sure that EU member states strengthen data protection measures in relation to SPAM. The EU legislation supports the opt-in rather than the opt-out approach.

  • National Security

There are certain situations that may lead to events that make safeguarding privacy of communications a secondary issue. Such situations are where national security is at risk and where criminal investigations are being carried out. Where these are determined to be taking place, law enforcement agencies may on having obtained permission by appropriate bodies breach the data subjects’ right to privacy of communications in their investigations of such events. It is to be noted that the legislation also allows for data to be retained for limited periods of time during the investigation of such situations.

Lawful Interception Laws

While the privacy laws above stipulate that privacy must be guaranteed during communications, there are certain instances where law enforcement agencies are allowed to gain access to communications data without the consent of the data subject.

These instances occur when law enforcement agencies are investigating serious criminal activities or activities that may constitute a risk to national security.

In the process of undertaking these investigations, communication service providers will invariably be asked to allow these law enforcement agencies to either intercept the data or gather information about the individual’s activity from data that has been retained by their systems in relation to the individual’s communication.

Lawful interception in the UK is primarily governed by the Regulation of

Investigatory Powers Act 2000 (RIPA) and the Telecoations Lawful business

Practice Interception of Communications Regulations 2000.

In the United States interception of communications is illegal unless authorised by stringent rules that have been designed to protect privacy and allow the investigation of crime.

There are two basic pieces of Federal legislation: Electronic Communications Privacy

Act (ECPA), which concerns criminal investigations, and the Foreign Intelligence

Surveillance Act (FISA), which concerns intelligence and counter intelligence operations.

Data Retention Laws

Data retention laws are designed to ensure a uniform approach to keeping communications data across the telecommunications industry.

Data Retention laws are also implemented to ensure law enforcement agencies have a reliable log of mobile and fixed-line phone calls. This is done in order that data, which can identify the caller, the time and the type of communication made, is available for the purpose of the investigation, detection and prosecution of serious crime

It should be noted that the retention does not relate to the content of calls but only to records of their occurrence.

In Europe, the Data Retention Directive states that telecommunication companies must keep details necessary to identify the caller, sender or recipient of telephone calls and e-mails for between 6 to 24 months. The UK requires data to be kept for 12 months, this replaces the 6 months for email data in the current voluntary code of conduct. The data must also be stored in such a way that it can be accessed and transmitted without delay.

Under the Directive, all European countries are required to adopt measures that ensure the data can only be used by competent national authorities. Given the nature of this data, consumers and telecoms companies would expect safeguards so that it can only be obtained to fight crime or safeguard national security

Listed below are the headings of some of the salient articles within the Directive:

  • Obligations to retain data
  • Access to data
  • Categories of data to be retained
  • Periods of Retention
  • Data Protection and Security
  • Storage Requirements
  • Supervisory Authority

Information Security Laws

Information security relates to the protection of data to ensure its confidentiality, integrity and availability.

Increasing attention is being bought to the adequacy of information security measures deployed by corporate organisations and government institutions. This is being driven by the increasing number of successful breaches to customer information in corporate customer databases.

These incidents have led to a flurry of legislations and regulations, which, mandate appropriate information security measures being adopted. The legislations tend to influence information security management practices within these environments.

A key feature of these legislations is that they have sections in them that require organisations to adopt measures that will make it difficult for criminals to be successful in their attempts at breaching their environments. The net effect of which is that organisations that have had their systems breached now come under scrutiny and have to prove that they were not partly responsible for the breach due to their lapse or ineffective controls.

An example of some information security legislations are outlined below.

Security Breach Legislation US (2002)

In the United States, security breach notification laws have been enacted in most states since 2002. These laws were enacted in response to the escalating number of breaches to personally identifiable information located in consumer databases.

The first of such laws, the California data security breach notification law, Cal. Civ. Code 1798.82 and 1798.29, was enacted in 2002 and became effective on July 1, 2003. This law requires state agencies, businesses or people who conduct business in California that own or license computerised data which includes personal information to disclose in specified ways, any breach of the security of such data, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorised person.

In general, most state laws follow the basic principles of California’s original law: Companies must immediately disclose a data breach to customers, usually in writing.  California has since broadened its law to include compromised medical and health insurance information

In this article

Join the Conversation