The U.S. and the European Union (EU) have vastly differing views of what privacy is. In the U.S., the companies that collect the information own the information. In the EU, individuals own the information that companies like Facebook or Google collect about them. Microsoft says Azure supports the Safe Harbor Act, which acts as a bridge between the differing views on privacy, but what do we need to know?
Safe Harbor is designed to protect the privacy of individuals by legislating the manner in which personal data is processed, including storage, collection, etc. A high-level overview of the Safe Harbor principles is as follows:
- Notice – Organizations must inform individuals as to the purposes for which information about them is being collected and used, and the types of third parties to whom the organization may disclose information. Individuals must be informed how they can contact the organization with inquiries or complaints as well as the choices they have with respect to limiting the use and disclosure of information about them.
- Choice – Individuals must be provided the opportunity to “opt out” of allowing their information to be disclosed to a third party or to be used for a purpose incompatible with the purpose for which it was originally collected.
- Safe Harbor Sensitive Information Principle – For sensitive personal information, such as that specifying medical conditions, racial or ethnic origin, political opinions, religious beliefs, or sexual orientation, individuals must explicitly “opt in” before such information can be disclosed to a third party or be used in a manner other than for which it was originally collected.
- Onward Transfer – Prior to disclosing information to a third party, the organization must ensure that the third party provides the same level of privacy protection as required by the safe harbor principles. Having done this, the organization will not be held responsible should the third party process the data in a manner contrary to the safe harbor privacy principles.
- Security – Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
- Data Integrity – Organizations must take reasonable steps to ensure that data is accurate, complete, current, relevant, and reliable for its intended use.
- Access – Organizations must provide individuals with access to personal information collected about them. Individuals must be allowed to correct, amend, or delete such information if it is inaccurate. Exceptions to this principle may be allowed where the burden or expense of providing such access is considered disproportionate to the risks to the individual’s privacy.
- Enforcement – Organizations must define procedures and mechanisms for assuring compliance with the principles. These mechanisms must also include a means by which complaints and disputes raised will be investigated and resolved, and obligations whereby sanctions will be applied should the organization fail to be compliant.
Another important fact we should consider is that having our data stored in a foreign country doesn’t put us outside of U.S. laws. The USA PATRIOT Act can give our government access to expat data stored outside the U.S.
Plus, now we add state privacy laws from California, New York, and Massachusetts. Massachusetts has new regulations that went into effect on March 1, 2010. Significantly, the new regulations are not restricted to companies that are located or operate in Massachusetts. Instead, they apply to businesses located anywhere in the United States that store or maintain “personal information” about a Massachusetts resident. By default this means any data on Massachusetts residents, no matter where the data is stored, is subject to Massachusetts’s privacy laws.